Re: [tcpm] question about TCP-AO and rekeying
Joe Touch <touch@ISI.EDU> Fri, 19 June 2009 16:26 UTC
Return-Path: <touch@ISI.EDU>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CB5873A6A0B for <tcpm@core3.amsl.com>; Fri, 19 Jun 2009 09:26:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[AWL=0.151, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2R8-c5mKOgQW for <tcpm@core3.amsl.com>; Fri, 19 Jun 2009 09:26:26 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 662863A69BB for <tcpm@ietf.org>; Fri, 19 Jun 2009 09:26:26 -0700 (PDT)
Received: from [192.168.1.46] (pool-71-105-84-152.lsanca.dsl-w.verizon.net [71.105.84.152]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n5JGQMVp020371; Fri, 19 Jun 2009 09:26:24 -0700 (PDT)
Message-ID: <4A3BBC2E.9040100@isi.edu>
Date: Fri, 19 Jun 2009 09:26:22 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Eric Rescorla <ekr@networkresonance.com>
References: <4A2AB973.3030203@isi.edu> <20090616131807.75C481BC6EB@kilo.networkresonance.com> <4A37A202.9020500@isi.edu> <20090617054551.A4E0C1BCA23@kilo.networkresonance.com> <4A388C37.3030703@isi.edu> <20090617140939.A3AB61BCC72@kilo.networkresonance.com> <4A390EC0.6070003@isi.edu> <20090617161518.5276C50822@romeo.rtfm.com> <4A3917B7.20301@isi.edu> <20090617232813.1C49D50822@romeo.rtfm.com> <4A39C800.2030901@isi.edu> <20090618051622.719361BDC6B@kilo.networkresonance.com> <4A39CE62.9050201@isi.edu> <20090618135721.164F31BDF06@kilo.networkresonance.com> <4A3A4A5D.2060504@isi.edu> <20090619043328.6C06E1BE12E@kilo.networkresonance.com> <4A3B3290.9020906@isi.edu> <20090619132135.0DF111BE198@kilo.networkresonance.com> <4A3BB16A.1000508@isi.edu> <20090619161614.EFC4850822@romeo.rtfm.com>
In-Reply-To: <20090619161614.EFC4850822@romeo.rtfm.com>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm Extensions WG <tcpm@ietf.org>
Subject: Re: [tcpm] question about TCP-AO and rekeying
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jun 2009 16:26:28 -0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Eric Rescorla wrote: > At Fri, 19 Jun 2009 08:40:26 -0700, > Joe Touch wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> >> Eric Rescorla wrote: >> ... >>>> If that's where we put that logic, what happens when we don't have a >>>> KMP? How do we know that both ends will do the same thing with a set of >>>> manually entered keys? >>> It was my understanding that the consensus was that we were not >>> going to design a system that attempted to prevent user error. >> Oh, absolutely, agreed. >> >> This is the kind of error where two ends install the keys correctly, but >> internally the two implementations resolve overlap in different ways, so >> keying fails. >> >>> Given that typographical errors in key entry seem far more likely >>> than this kind of misconfiguration, if our intent is to prevent >>> user error, then we should be attacking that first. >> As above, this isn't a user error issue. This is a case where leaving >> something to the implementer is what is causing the problem. > > Then I don't understand what you're talking about. > > The user installs two MKTs, one of which covers all ports and > one of which covers port 521 (randomly chosen). Either of these > MKTs is valid and either end can use either one to secure > the connection independently. It doesn't matter what the > prioritization schemes are on either end. If we just require that each segment maps to exactly one MKT, then one end can do this by: - first entered, first picked The other end can do this by: - longest match So both sides are complying with "match only one MKT", but users can easily install keys on both ends that would still not work. > If you're saying that the installation of a more specific MKT > should not only take priority over but actually disable a > less specific MKT for that port, then I think that's a pretty > clear bug. I'm saying that the way in which we resolve overlapping MKTs matters. a) disallow entry of overlapping MKTs this means that valid MKTs for a connection might not be able to be entered if there are more general keys entered this also incurs computation during key entry (manual or otherwise); is there a standard efficient alg. for determining overlap? Note that we could be talking about masks, ranges, etc. b) allow overlapping MKTs this means we need to indicate the resolution mechanism i.e., longest match, ordered match, etc. Joe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAko7vC0ACgkQE5f5cImnZrsVWQCdEcynyPinkrPrUjI+UOxxoaD8 QLwAn2y+9mCmQ2yOO/QSC8ReglbQNx6J =5OEU -----END PGP SIGNATURE-----
- [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Eddy, Wesley M. (GRC-MS00)[Verizon]
- Re: [tcpm] question about TCP-AO and rekeying Eric Rescorla
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch
- Re: [tcpm] question about TCP-AO and rekeying Joe Touch