Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt-01
Eric Rescorla <ekr@networkresonance.com> Mon, 28 July 2008 13:05 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4FCFD3A6813; Mon, 28 Jul 2008 06:05:23 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 668043A6808 for <tcpm@core3.amsl.com>; Mon, 28 Jul 2008 06:05:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.557
X-Spam-Level:
X-Spam-Status: No, score=-0.557 tagged_above=-999 required=5 tests=[AWL=-0.062, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3UHjwgua3n6S for <tcpm@core3.amsl.com>; Mon, 28 Jul 2008 06:05:21 -0700 (PDT)
Received: from kilo.rtfm.com (unknown [74.95.2.169]) by core3.amsl.com (Postfix) with ESMTP id 2B7133A6813 for <tcpm@ietf.org>; Mon, 28 Jul 2008 06:05:21 -0700 (PDT)
Received: from kilo-2.local (localhost [127.0.0.1]) by kilo.rtfm.com (Postfix) with ESMTP id AB1A94B8883; Mon, 28 Jul 2008 06:05:32 -0700 (PDT)
Date: Mon, 28 Jul 2008 06:05:32 -0700
From: Eric Rescorla <ekr@networkresonance.com>
To: Joe Touch <touch@ISI.EDU>
In-Reply-To: <488D6968.9010102@isi.edu>
References: <20080728042451.C7A174B7AD3@kilo.rtfm.com> <488D6968.9010102@isi.edu>
User-Agent: Wanderlust/2.15.5 (Almost Unreal) Emacs/22.1 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Message-Id: <20080728130532.AB1A94B8883@kilo.rtfm.com>
Cc: tcpm@ietf.org
Subject: Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt-01
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
At Sun, 27 Jul 2008 23:38:32 -0700, Joe Touch wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Hi, Eric (et al.), > > We'll have time to discuss these issues in detail later today at the > TCPM meeting. Here is some potential context for that... I'm not in Dublin. I plan to make some attempt to follow via audio and Jabber but I don't know if I'll actually be able to make that work, both for technical and logistical reasons (i.e., I'm at a conference at the same time and I don't know how well the network will work or if I'll have to do something else). > Eric Rescorla wrote: > | $Id: draft-ietf-tcpm-tcp-auth-01-rev.txt,v 1.1 2008/07/28 03:06:22 ekr > Exp $ > | > | I've reviewed the latest version of this document and while it > | seems to incorporate some improvements over the -00 version, > | I still have a number of concerns: > | > | - The document seems to assume an (unspecified) external key management > | mechanism. That seems less than maximally useful > > The split of this work into separate key management and TCP extension > documents was a prerequisite to the design team's output. The WG chairs > and/or ADs can speak to it more directly. That may be so, but it seems to me that it's unwise regardless. As I indicated in PHL, this protocol as it stands isn't really useful in the absence of a key management protocol. Since no such protocol appears to be on the horizon... With that in mind, I've elided the detailed comments below relative to that. > | S 1.1. > | I don't see a lot of value in pre-specifying two MAC algorithms > | as MTI. There's no reason to believe one isn't plenty, as used > | in other protocols. > > The need for two required algorithms mirrors the intent of RFC4305's > "SHOULD+", which requires one, but suggests that two algs may be > required in the future. The design team suggested that requiring two > algorithms now would be prudent, notably so that if one were compromised > (either entirely, or effectively weakened due to computational > exploits), the other would be pre-deployed. The two could also trade > strength for performance, depending on which algorithms are recommended > by SAAG. Yes, as I've now said several times, this strikes me as massive overkill. If SHA-1 is ever weakened to the point where HMAC-SHA1 is implicated, we'll have problems far, far, more serious than the occasional attack on TCP AO. > | S 2.2. > | Figure 2 is kind of hard to read since the length of the kind > | field is 16 bits, but kinds are 8 bits, rigth? > > The length of the field is wide due to the text; that will be fixed to > be proportional to the bit width (8 bits, as you note). > > | S 3. > | >> At least one direction (inbound/outbound) SHOULD have > | a non-NONE MAC in practice, but this MUST NOT be strictly > | required by an implementation. > | > | 1. This seems like a bad idea. It's very hard to analyze the security > | properties of a connection when only one side is protected. To take > | one case that is obviously bad, if you're worried about DoS attacks > | and you use TCP-AO, then forging packets in either direction can > | bring it down. I would reverse this and require MACs in both directions. > | > | 2. Even if we stipulate that this might be an OK idea, it's not > | appropriate to require implementations to support it. > > We discussed the utility of asymmetry in Philadelphia last March. The > point is to require implementations to allow the user to request > connections configured this way; we can add that connections MUST > default to using a real MAC in both directions by default. Does that > address your concern? Well, as I recall, you asserted it the value of it and I disagreed. As I recall, the example you offered was the one-way authentication in TLS, which is really not that apropos, since it only applies to the key management protocol, not to the data, which is authenticated in both directions. So, no, this does not address my concern. I think the world would be far simpler if you simply required both sides to generate MACs. (and certainly I can't imagine why you would *require* implementations to allow neither side to do so). Perhaps you could restate your rationale for this? -Ekr _______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt-01 Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Adam Langley
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Adam Langley
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Adam Langley
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Anantha Ramaiah (ananth)
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Anantha Ramaiah (ananth)
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Anantha Ramaiah (ananth)
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Caitlin Bestler
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Joe Touch
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Lars Eggert
- Re: [tcpm] Review of draft-ietf-tcpm-tcp-auth-opt… Eric Rescorla
- [tcpm] tcp-auth-opt issue: replay protection Joe Touch
- Re: [tcpm] tcp-auth-opt issue: replay protection Adam Langley
- Re: [tcpm] tcp-auth-opt issue: replay protection Joe Touch
- Re: [tcpm] tcp-auth-opt issue: replay protection Adam Langley
- Re: [tcpm] tcp-auth-opt issue: replay protection Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: replay protection Joe Touch
- Re: [tcpm] tcp-auth-opt issue: replay protection Adam Langley
- Re: [tcpm] tcp-auth-opt issue: replay protection Joe Touch
- Re: [tcpm] tcp-auth-opt issue: replay protection Lars Eggert
- Re: [tcpm] tcp-auth-opt issue: replay protection Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: replay protection Lars Eggert
- Re: [tcpm] tcp-auth-opt issue: replay protection Anantha Ramaiah (ananth)
- Re: [tcpm] tcp-auth-opt issue: replay protection Joe Touch
- Re: [tcpm] tcp-auth-opt issue: replay protection Eddy, Wesley M. (GRC-RCN0)[VZ]
- Re: [tcpm] tcp-auth-opt issue: replay protection Adam Langley
- Re: [tcpm] tcp-auth-opt issue: replay protection Caitlin Bestler
- Re: [tcpm] tcp-auth-opt issue: replay protection Joe Touch
- Re: [tcpm] tcp-auth-opt issue: replay protection Ron Bonica