Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt-01
Joe Touch <touch@ISI.EDU> Mon, 28 July 2008 06:39 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9778528C131; Sun, 27 Jul 2008 23:39:22 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DC34728C131 for <tcpm@core3.amsl.com>; Sun, 27 Jul 2008 23:39:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.619
X-Spam-Level:
X-Spam-Status: No, score=-1.619 tagged_above=-999 required=5 tests=[AWL=-0.980, BAYES_00=-2.599, RCVD_IN_BL_SPAMCOP_NET=1.96]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DVxk0ln0yUcd for <tcpm@core3.amsl.com>; Sun, 27 Jul 2008 23:39:16 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 6D5613A69DF for <tcpm@ietf.org>; Sun, 27 Jul 2008 23:39:16 -0700 (PDT)
Received: from [172.16.7.194] (guestroom-nat.meeting.ietf.org [130.129.64.64]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m6S6d7DN014093 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 27 Jul 2008 23:39:11 -0700 (PDT)
Message-ID: <488D6968.9010102@isi.edu>
Date: Sun, 27 Jul 2008 23:38:32 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: Eric Rescorla <ekr@networkresonance.com>
References: <20080728042451.C7A174B7AD3@kilo.rtfm.com>
In-Reply-To: <20080728042451.C7A174B7AD3@kilo.rtfm.com>
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org
Subject: Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt-01
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Eric (et al.), We'll have time to discuss these issues in detail later today at the TCPM meeting. Here is some potential context for that... Joe Eric Rescorla wrote: | $Id: draft-ietf-tcpm-tcp-auth-01-rev.txt,v 1.1 2008/07/28 03:06:22 ekr Exp $ | | I've reviewed the latest version of this document and while it | seems to incorporate some improvements over the -00 version, | I still have a number of concerns: | | - The document seems to assume an (unspecified) external key management | mechanism. That seems less than maximally useful The split of this work into separate key management and TCP extension documents was a prerequisite to the design team's output. The WG chairs and/or ADs can speak to it more directly. | - There's discussion of a "per-connection nonce" in S 3.2, | but it's non-normative and does not completely specify how | the nonce is to be used: | | MACs typically benefit from a per-connection nonce, notably in | avoiding the impact of key reuse. The presence of TCP's pair of | Initial Sequence Numbers presents a nonce that may be useful in that | case. Such a nonce could be computed as the concatenation of the ISNs | (initiator, responder), and the socket pair (addresses, ports): | | o Nonce = ISN_i, ISN_r, IP_address_i, IP_address_r, port_i, port_r | | The initial SYN would not know ISN_r, so that packet's nonce would | use ISN_r = 0. Use of these nonces avoids the need to avoid key reuse | on a per connection basis. | | >> ISN and socket pair nonces MUST be used to generate unique per- | session keys. | | I don't see in the draft where it actually describes how this is | intended to work. The nonce would be used by the external session key management mechanism. This part of the document may move to that other specification. | - The discussion of key rollover seems incomplete | | >> TCP-AO implementations SHOULD change keys for a connection at | least every 2^31 bytes, to avoid resending segments with the same | TCP sequence number, data, and length under the same key. | | How is this intended to work? The key management mechanism should react to sequence numbers rolling over the ISN (perhaps masking out the high bit to roll over twice as often). | It seems to me that a useful system needs to describe a complete set | of mechanisms that allow the establishment of a single static key which | can be used to secure multiple connections. I don't see that this | document does that. This document does not specify a key management mechanism; that mechanism would use a single static key to generate per-session keys. | Previous comments which I believe remain outstanding: | S 1. | there have been escalating attacks on the algorithm itself [Be05] | [Bu06]. TCP MD5 also lacks both key management and algorithm | | These citations should be to the original papers, not the summaries | (not that I mind you citing Steve's and my paper...) | | [New: you've added a cite to Burr's paper, but you should be | citing Wang et al.] Thanks - that will be updated. | S 1.1. | I don't see a lot of value in pre-specifying two MAC algorithms | as MTI. There's no reason to believe one isn't plenty, as used | in other protocols. The need for two required algorithms mirrors the intent of RFC4305's "SHOULD+", which requires one, but suggests that two algs may be required in the future. The design team suggested that requiring two algorithms now would be prudent, notably so that if one were compromised (either entirely, or effectively weakened due to computational exploits), the other would be pre-deployed. The two could also trade strength for performance, depending on which algorithms are recommended by SAAG. | S 2.2. | Figure 2 is kind of hard to read since the length of the kind | field is 16 bits, but kinds are 8 bits, rigth? The length of the field is wide due to the text; that will be fixed to be proportional to the bit width (8 bits, as you note). | S 3. | >> At least one direction (inbound/outbound) SHOULD have | a non-NONE MAC in practice, but this MUST NOT be strictly | required by an implementation. | | 1. This seems like a bad idea. It's very hard to analyze the security | properties of a connection when only one side is protected. To take | one case that is obviously bad, if you're worried about DoS attacks | and you use TCP-AO, then forging packets in either direction can | bring it down. I would reverse this and require MACs in both directions. | | 2. Even if we stipulate that this might be an OK idea, it's not | appropriate to require implementations to support it. We discussed the utility of asymmetry in Philadelphia last March. The point is to require implementations to allow the user to request connections configured this way; we can add that connections MUST default to using a real MAC in both directions by default. Does that address your concern? | S 9. | TCP-AO does not expose the MAC algorithm used to authenticate a | particular connection; that information is kept in the TSAD at the | endpoints, and is not indicated in the header. | | This seems to be of extremely marginal security benefit. There | are likely to be <5 algorithms in use. So, searching all of them | increases the effective key size by <3 bits. | | [New: Again, this isn't a security issue] The text should be updated to note that the primary and sufficient reason for omitting it is space conservation and the fact that there is no utility in including it. The number of algorithms doesn't merely augment the key space, though - it an algorithm is known weak(er), indicating it in the header is a signal in the clear that the packet stream is more vulnerable. Joe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkiNaWgACgkQE5f5cImnZrtTgACg12PIYHDfLrSm4CnTySFFLXSp EucAn0uZKkNNsMp3axP1gzzO7bDA8wBT =JOdm -----END PGP SIGNATURE----- _______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt-01 Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Adam Langley
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Adam Langley
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Adam Langley
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Anantha Ramaiah (ananth)
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Anantha Ramaiah (ananth)
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Anantha Ramaiah (ananth)
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Caitlin Bestler
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Lars Eggert
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- [tcpm] tcp-auth-opt issue: replay protection Joe Touch
- Re: [tcpm] tcp-auth-opt issue: replay protection Adam Langley
- Re: [tcpm] tcp-auth-opt issue: replay protection Joe Touch
- Re: [tcpm] tcp-auth-opt issue: replay protection Adam Langley
- Re: [tcpm] tcp-auth-opt issue: replay protection Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: replay protection Joe Touch
- Re: [tcpm] tcp-auth-opt issue: replay protection Adam Langley
- Re: [tcpm] tcp-auth-opt issue: replay protection Joe Touch
- Re: [tcpm] tcp-auth-opt issue: replay protection Lars Eggert
- Re: [tcpm] tcp-auth-opt issue: replay protection Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: replay protection Lars Eggert
- Re: [tcpm] tcp-auth-opt issue: replay protection Anantha Ramaiah (ananth)
- Re: [tcpm] tcp-auth-opt issue: replay protection Joe Touch
- Re: [tcpm] tcp-auth-opt issue: replay protection Eddy, Wesley M. (GRC-RCN0)[VZ]
- Re: [tcpm] tcp-auth-opt issue: replay protection Adam Langley
- Re: [tcpm] tcp-auth-opt issue: replay protection Caitlin Bestler
- Re: [tcpm] tcp-auth-opt issue: replay protection Joe Touch
- Re: [tcpm] tcp-auth-opt issue: replay protection Ron Bonica