Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-opt-01.txt
Joe Touch <touch@ISI.EDU> Mon, 21 July 2008 20:45 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 865B73A6AA8; Mon, 21 Jul 2008 13:45:31 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B497D3A6A76 for <tcpm@core3.amsl.com>; Mon, 21 Jul 2008 13:45:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I779FMoV1i1T for <tcpm@core3.amsl.com>; Mon, 21 Jul 2008 13:45:19 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 4F5EE3A68C2 for <tcpm@ietf.org>; Mon, 21 Jul 2008 13:45:15 -0700 (PDT)
Received: from [70.213.139.181] (181.sub-70-213-139.myvzw.com [70.213.139.181]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m6LKjO08021133 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 21 Jul 2008 13:45:27 -0700 (PDT)
Message-ID: <4884F548.4060208@isi.edu>
Date: Mon, 21 Jul 2008 13:44:56 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.14 (Windows/20080421)
MIME-Version: 1.0
To: Adam Langley <agl@imperialviolet.org>
References: <20080714234502.AC4793A69F4@core3.amsl.com> <396556a20807211243w673e2638r74b19af48d07e19d@mail.gmail.com>
In-Reply-To: <396556a20807211243w673e2638r74b19af48d07e19d@mail.gmail.com>
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm@ietf.org
Subject: Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-opt-01.txt
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, Adam, Adam Langley wrote: | 2008/7/14 <Internet-Drafts@ietf.org>: |> A New Internet-Draft is available from the on-line Internet-Drafts directories. |> Title : The TCP Authentication Option |> Author(s) : J. Touch, et al. |> Filename : draft-ietf-tcpm-tcp-auth-opt-01.txt | | An item which I believe is unclear in the spec: | | Are KeyIDs specific to a single direction? E.g if A and B are | transmitting with different keys, could they both call them KeyID 0? | At the moment the wording around the TSAD seems to allow this | (specifically 6.1). Yes. | Also, comments on the linux netdev mailing list got me thinking more | about key rotation and I think the spec probably needs a sentence or | two advising about the use of key rotation. How often would be in the key management document; we don't specify that. | The spec currently suggests that rotation occur every 2**31 bytes | sent. It's not clear if the keys for each direction are assumed to | rotate independently or not. They are. The purpose of key rotation based on 2**31 is replay attacks, not frequency of rotation for other reasons. Others have noted that such rotation may not be needed with modern HMACs. | If the directions are independent then a large one-way transfer allows | an attacker to build up a dictionary of valid ACKs. Since the transfer | is only one way, the ACKing side will never rotate keys. Thus an | attacker could step in and convince the sender that everything was | fine even if the true destination was dead. The ACKing side needs to rotate keys only when its seqnums rollover, not the ones it's ACKing. | If the keys rotate after 2**31 bytes sent or recved there is a | possible window issue. Consider a host which is sending with a very | large window over a high delay link. It transmits several key | rotations worth of data before the first ack comes back from the other | side. Since this ack was elicited by the beginning of the data, it | will be transmitted with the first key. If the first key is still | active, everything is fine, but if the key window has rotated to the | point where old keys are getting evicted then the ACK will be | rejected. The key rotations are supposed to be reasonably synchronized and/or overlapped to avoid such issues. | This currently shouldn't be a problem because the max window size is | 1GB, which is less than 2**31 bytes. At some point in the future, if | window scaling is allowed to grow past 2**14, then key rotation could | limit the window size. This isn't an issue of window scaling; it's an issue of replaying. Keys are rotated per 2**31 (recommended, at least) based on the rollover of the seqno; they can be rotated for other reasons as well. | Given all these questions, I think the spec should make some advisory remarks. | | I'm not too sure, but I think I like rotating a per-direction key | better. The ACK dictionary attack is unfortunate, but if we aren't | having real sequence numbers then our security is limited at best | anyway. Based on that I'd suggest a 2-key pair, where, for a | half-connection from A to B: B RX enables key 1 at 2**30 bytes | received, A switches to key 1 at 2**31 bytes, B RX enables a new key 0 | at 2**31 + 2**30 bytes, A switches to new key 0 at 2**32 etc. That | would also mean that KeyIDs are specific to a given half-connection. They should already be; the TSAD entries are specified per-direction for that reason. Joe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkiE9UgACgkQE5f5cImnZrudaQCgzwgXYSauxf9kwmIvkpAQFZje 82kAn3mVEgGOOcBKiaOC71JKtPdepwaw =6DCJ -----END PGP SIGNATURE----- _______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-opt-01… Internet-Drafts
- Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-op… Adam Langley
- Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-op… Joe Touch
- Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-op… Adam Langley
- Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-op… Joe Touch
- Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-op… Adam Langley
- Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-op… Joe Touch
- Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-op… Adam Langley
- Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-op… Joe Touch
- Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-op… Adam Langley
- Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-op… Joe Touch
- Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-op… Adam Langley
- Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-op… Joe Touch
- Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-op… Stefanos Harhalakis
- Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-op… Adam Langley
- Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-op… Stefanos Harhalakis
- Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-op… touch
- Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-op… Adam Langley
- Re: [tcpm] I-D Action:draft-ietf-tcpm-tcp-auth-op… Joe Touch