Re: [tcpm] question about TCP-AO and rekeying

Eric Rescorla <ekr@networkresonance.com> Wed, 17 June 2009 23:24 UTC

Return-Path: <ekr@networkresonance.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 70EEF3A69B2 for <tcpm@core3.amsl.com>; Wed, 17 Jun 2009 16:24:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.618
X-Spam-Level:
X-Spam-Status: No, score=-1.618 tagged_above=-999 required=5 tests=[AWL=0.981, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JKZisf6ewnE9 for <tcpm@core3.amsl.com>; Wed, 17 Jun 2009 16:24:43 -0700 (PDT)
Received: from romeo.rtfm.com (romeo.rtfm.com [74.95.2.173]) by core3.amsl.com (Postfix) with ESMTP id 946EB3A689D for <tcpm@ietf.org>; Wed, 17 Jun 2009 16:24:43 -0700 (PDT)
Received: from romeo.rtfm.com (localhost.rtfm.com [127.0.0.1]) by romeo.rtfm.com (Postfix) with ESMTP id 1C49D50822; Wed, 17 Jun 2009 16:28:13 -0700 (PDT)
Date: Wed, 17 Jun 2009 16:28:13 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Joe Touch <touch@ISI.EDU>
In-Reply-To: <4A3917B7.20301@isi.edu>
References: <4A2AB973.3030203@isi.edu> <20090616131807.75C481BC6EB@kilo.networkresonance.com> <4A37A202.9020500@isi.edu> <20090617054551.A4E0C1BCA23@kilo.networkresonance.com> <4A388C37.3030703@isi.edu> <20090617140939.A3AB61BCC72@kilo.networkresonance.com> <4A390EC0.6070003@isi.edu> <20090617161518.5276C50822@romeo.rtfm.com> <4A3917B7.20301@isi.edu>
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20090617232813.1C49D50822@romeo.rtfm.com>
Cc: tcpm Extensions WG <tcpm@ietf.org>
Subject: Re: [tcpm] question about TCP-AO and rekeying
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2009 23:24:44 -0000

At Wed, 17 Jun 2009 09:20:07 -0700,
Joe Touch wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> 
> Eric Rescorla wrote:
> > At Wed, 17 Jun 2009 08:41:52 -0700,
> > Joe Touch wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >>
> >>
> >> Eric Rescorla wrote:
> >>> At Tue, 16 Jun 2009 23:24:55 -0700,
> >>> Joe Touch wrote:
> >>>> Eric Rescorla wrote:
> >>>> ...
> >>>>>> However, the invariant is twofold:
> >>>>>>
> >>>>>> 	a) for a given packet, only one MKT applies
> >>>>>>
> >>>>>> 	b) for two endpoints with multiple MKTs,
> >>>>>> 	the *same* MKT applies.
> >>>>> I don't see that this is true. As I understand the current design
> >>>>> there's no reason that both sides can't use different MKTs
> >>>>> indefinitely.
> >>>> Each side can use a different MKT to transmit. However, if side A uses
> >>>> MKT X to transmit, then side B needs to know to use MKT X to receive. If
> >>>> side A matches MKT X on transmit and side B matches MKT Y on receive,
> >>>> then there's a problem for that connection.
> >>>>
> >>>> So let's rephrase, recognizing that there are two MKTs at any given time
> >>>> (one for transmit on each side, and the same pair for receive on the
> >>>> opposite side).
> >>>>
> >>>> b) for two endpoints, if a given packet matches MKT on one side during
> >>>> transmit, it must match the corresponding MKT on the other side during
> >>>> receive.
> >>> Right, but this doesn't require ordering or non-overlapping, as far as
> >>> I can tell.  It merely requires that at any time there only be one MKT
> >>> corresponding to any given socketpair/key-id.
> >> That is only possible with either non-overlapping or ordering to resolve
> >> overlaps.
> > 
> > I don't see why this is true. Any time a new key is entered, you
> > find all other keys that overlap with it and verify that they
> > have distinct key-ids.
> 
> That is a very expensive operation that I am hoping we can avoid.

It's not a very expensive operation unless you have a truly
fantastic number of keys, which can only happen if you
have an automatic key management protocol which can 
be designed not to create this situation. 


> > If so, the entry fails. If that's what
> > you mean by "prohibit overlaps", yes, I think we should
> > prohibit overlaps. 
> > 
> > If what you mean is that two MKTs with different key-ids can't overlap
> > the same socket pair space, I don't see a problem with that.
> 
> That is a problem for outgoing SYNs. For those, either the connection
> has to know a-priori which ID to use, or we need to make sure MKTs can't
> overlap at all (ignoring keyIDs).

I'm sorry, but I don't see why. 

-Ekr