[tcpm] Review of draft-ietf-tcpm-tcp-auth-opt-05
Eric Rescorla <ekr@networkresonance.com> Sun, 26 July 2009 23:23 UTC
Return-Path: <ekr@networkresonance.com>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1D2013A68CF for <tcpm@core3.amsl.com>; Sun, 26 Jul 2009 16:23:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.496
X-Spam-Level:
X-Spam-Status: No, score=-1.496 tagged_above=-999 required=5 tests=[AWL=1.103, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UQUF6tx-9xrP for <tcpm@core3.amsl.com>; Sun, 26 Jul 2009 16:23:36 -0700 (PDT)
Received: from romeo.rtfm.com (romeo.rtfm.com [74.95.2.173]) by core3.amsl.com (Postfix) with ESMTP id AAD2E3A683C for <tcpm@ietf.org>; Sun, 26 Jul 2009 16:23:35 -0700 (PDT)
Received: from romeo.rtfm.com (localhost.rtfm.com [127.0.0.1]) by romeo.rtfm.com (Postfix) with ESMTP id 30A7650822 for <tcpm@ietf.org>; Sun, 26 Jul 2009 16:27:11 -0700 (PDT)
Date: Sun, 26 Jul 2009 16:27:11 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: tcpm@ietf.org
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/22.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20090726232711.30A7650822@romeo.rtfm.com>
Subject: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt-05
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Jul 2009 23:23:38 -0000
$Id: draft-ietf-tcpm-tcp-auth-opt-05-rev-real.txt,v 1.1 2009/07/26 22:18:40 ekr Exp $ This draft seems to resolve all my major technical issues. The comments below are primarily editorial. TECHNICAL The relationship between MKTs and traffic keys is shown in Figure Figure 3. Traffic keys are indicated with a "*". Note that every MKT derives all four traffic keys, regardless of whether all four are needed for a given connection. Section 7.2 provides further details on how traffic keys are derived. This seems like an unwarranted requirement. The keys are generated independently, so why make implementations gnerate keys they don't need? S 8.2. When a segment is received, the following algorithm (written in C) computes the SNE used in the MAC; an equivalent algorithm can be applied to the "SND" side: I know it seems like I'm nitpicking about this, but this algorithm is *not* valid C: # is not a comment character and C identifiers may not contain .s in the name. I suppose for the latter you could be arguing that these are structs, but then where's the defn of those? This seems like perfectly legitimate pseudocode, but if you're going to claim it's C, it really needs to be valid C. I would remove the claim. S 9.5. As I read this description, if an implementation receives a TCP segment with TCP-AO but it doesn't match any existing MKT, it should silently accept it. I don't agree with this. It should discard it. It's clearly not valid. i. If lengths differ, silently discard the segment. Log and/or signal the event as indicated in Section 9.3. I observe that this logging suggestion has the possibility to be a DoS in and of itself. If we're going to recommend logging, we need to recommend log throttling. EDITORIAL Abstract protects against replays even for long-lived TCP connections, and s/protects against replays/detects replayed segments/ set of MACs with minimal other system and operational changes. TCP-AO uses its own option identifier, even though used mutually exclusive of TCP MD5 on a given TCP connection. TCP-AO supports IPv6, and is I would just remove "even though..." This wording is clumsy and it probably isn't necessary at the level of the abstract S 2. Section 9.6). This document obsoletes the TCP MD5 option with a more general TCP Authentication Option (TCP-AO), to support the use of s/obsoletes/replaces/ This document is not intended to replace the use of the IPsec suite (IPsec and IKE) to protect TCP connections [RFC4301][RFC4306]. In fact, we recommend the use of IPsec and IKE, especially where IKE's level of existing support for parameter negotiation, session key negotiation, or rekeying are desired. TCP-AO is intended for use only where the IPsec suite would not be feasible, e.g., as has been suggested is the case to support some routing protocols, or in cases where keys need to be tightly coordinated with individual transport sessions [Be07]. I would remove this paragraph entirely, but if you with to retain it, I don't think it does that great a job of explaining the relationship here. Fundamentally people have complained that IPSec is too heavyweight. I would rewrite this as: This document is not intended to replace the use of the IPsec suite (IPsec and IKE) to protect TCP connections [RFC4301][RFC4306]. Rather, it is intended for the limited goal of providing traffic integrity and denial of service (DoS) protection for TCP connections in settings where a simpler solution than IPsec/IKE is desired. S 2.1 o TCP-AO ensures per-connection traffic keys as unique as the TCP connection itself, using TCP's initial sequence numbers (ISNs) for s/ensures/provides/ s/as unique/which are as unique/ o TCP-AO forces a change of computed MACs when a connection restarts, even when reusing a TCP socket pair (IP addresses and port numbers) [Be07]. I think I know what this is supposed to mean, but I think it's getting off into the weeds. However, if you want to say it, try: TCP-AO does not allow packets from one TCP connection to be replayed on another TCP connection, even if the connection parameters (IP addess and port numbers) are the same. S 4.2. The new TCP-AO option provides a superset of the capabilities of TCP MD5, and is minimal in the spirit of SP4 [SDNS88]. TCP-AO uses a new Kind field, and similar Length field to TCP MD5, a KeyID field, and a NextKeyID field as shown in Figure 2. Isn't a similar length field a requirement of the TCP options layout. I would also observe that SP4 is now over 20 years old and was never widely deployed even then, so references to the spirit of SP4 feel anachronistic. Values of 4 and other small values larger than 4 (e.g., indicating MACs of very short length) are of dubious utility but are not specifically prohibited. It's probably worth stating explicitly here that the MAC length is dictated by the MKT, not the option. S 5. I would rewrite this first paragraph as follows: TCP-AO makes use of two sets of keys: - Master Key Tuples (MKTs) are managed either manually or by a (future) key management protocols. They comprise a master key, the set of cryptographic algorithms to be used with that key, and the TCP connection identifiers to which the MKT applies. MKTs are never used directly to protect data but rather are used to derive traffic keys. Multiple MKTs may apply to a given connection, and are distinguished by a key identifier (key-id). - Traffic keys are used to compute the MAC for each TCP segment. Each TCP connection has a fresh set(s) of traffic keys which are automatically derived from the appropriate MKT(s) for that connection. The traffic key derivation function includes the TCP Initial Sequence numbers, resulting in a high probability that traffic keys will be unique, even if the IP address and TCP port are reused. S 5.1. >> MKT IDs MUST support any value, 0-255 inclusive. There are no reserved ID values. MKTs don't support anything. TCP-AO implementations do. This construct appears in a number of places in the document and should be replaced with "Implementations MUST suupport" Implementations are advised to keep master key values in a private, protected area of memory or other storage. I'm curious if anyone has a concrete notion of what this means. As I understand the situation, Cisco routers (for example) are a single monolothic process. How would you do this for a Cisco? >> The IDs of MKTs MUST NOT overlap where their TCP connection identifiers overlap. IDs aren't ranges. I would rewrite as: Any two MKTs with overlapping TCP connection identifiers [could we use "specifications" here more generally] MUST have distinct MKT IDs. S 5.2. MKTs don't derive (see above). I'm not sure this taxonomy and the use of send/receive is that useful here, since each side has its own send and receive. It gets doubly confusing when you say Note that the keys are directional. A given connection typically uses only three of these keys, because only one of the SYN keys is typically used. All four are used only when a connection goes through 'simultaneous open' [RFC793]. But as a practical matter, if Alice does an active open (connect) to Bob, she will generate: o Send_SYN_traffic_key o Send_other_traffic_key o Receive_other_traffic_key And Bob will generate: o Receive_SYN_traffic_key o Send_other_traffic_key o Receive_other_traffic_key But Bob's Receive keys are Alice's send keys and vice versa. So, I think for clarity, this should be rewritten not to talk about the connection but about the implementation's view. E.g., Each side of the connection needs up to four traffic keys: o Send_SYN_traffic_key o Receive_SYN_traffic_key o Send_other_traffic_key o Receive_other_traffic_key The only time when the *_SYN keys are used is when sending a SYN before having seen any packets from the other side. A given side typically uses only three of these keys, because only one of the SYN keys is typically used: either that node will be doing an active open and will need the Send_SYN_traffic key or will be doing a passive open and will need the Send_SYN_traffic key. All four are used only when a connection goes through 'simultaneous open' [RFC793]. S 5.3. This whole discussion of how many MKTs can match seems confusing and self-contradictory. My understanding of the rules is as follows: - Any outgoing packet, which has not yet been processed by TCP-AO, may match any number of MKTs, but each MKT must have a distinct key-id. Once that packet has been processed by AO, it must match only one MKT, determined by key-id. - Any incoming packet must match either one or zero MKTs. Is there any disagreement that this is correct? If so, I recommend rewriting the text to contain more or less just this. S 6. Current_Key and Next_Key seem confusing here because we're punning on the use of key. - Conenctions must store the current traffic keys (or enough information to regenerate them). They must also store the key-id needed to indicate those traffic keys. - The SNEs. There is no need to *store* Next_Key. It can be regenerated every time. What's required is simply that it appear on the wire. I don't see any need to store the MKTs with the connection either. They're "associated" in that they match, I suppose... S 7.1. o MAC_truncation - the number of bytes to truncate the output of the MAC to. This is indicated by the MAC algorithm, as specified in [ao-crypto]. I don't think it makes sense to talk about truncation here. The MACs produce a value that is crammed into the packet. If there's a separate spec that describes the MACs, it's not AO's business whether those MACs were produced by a truncation process. S 7.2. o Output_length - The desired output length of the KDF, i.e., the length to which the KDF's output will be truncated. In TCP-AO, the output_length is the PRF_truncation value of the MKT. This is specified by the KDF as described in [ao-crypto]. Everything from i.e., seems (1) superfluous and (2) isnufficiently general. Who says the PRF is truncated? The data used as input to the KDF combines TCP socket pair with the endpoint initial sequence numbers (ISNs) of a connection. This s/TCP socket/the TCP socket/ Traffic keys are directional, so "source" and "destaination" are s/destaination/destination/ S 7.3. of the TCP-AO option), or for coordinating rekeying during a connection. We assume out-of-band mechanisms for MKT establishment, It does now... We encourage users of TCP-AO to apply known techniques for generating appropriate MKTs, including the use of reasonable master key lengths, limited traffic key sharing, and limiting the duration of MKT use [RFC3562]. This also includes the use of per-connection nonces, as suggested in Section 7.2. This seems like old text. We don't encoruage people to use per-connection nonces, it's part of the protocol. I don't agree that a recommendation to limit lifetime is really that sensible. I would simply remove this entirely. S 9.5. a. Optionally, set a timer on the MKT indicated by the current_key and segment socket pair to ensure that the MKT cannot be deleted for 2*MSL. If a timer has already been set, reset the timer. This timer is advisory only. Removing MKTs with unexpired timers can result in a user-level warning, but is not prohibited. Implementation of timers is not required. b. Set Current_key to the NextKeyID MKT. I would reverse the order of these, since (a) is required and (b) is optional. S 10. Was TCP-MD5 Mandatory to Implement? If not, this shouldn't be either. Even if so, this seems like kind of an unwarranted requirement. -Ekr
- [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt-05 Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt-05 Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla