IETF Logo Mail Archive

Re: [tcpm] question about TCP-AO and rekeying

Joe Touch <touch@ISI.EDU> Fri, 19 June 2009 16:26 UTC

Return-Path: <touch@ISI.EDU>
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CB5873A6A0B for <tcpm@core3.amsl.com>; Fri, 19 Jun 2009 09:26:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.448
X-Spam-Level:
X-Spam-Status: No, score=-2.448 tagged_above=-999 required=5 tests=[AWL=0.151, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2R8-c5mKOgQW for <tcpm@core3.amsl.com>; Fri, 19 Jun 2009 09:26:26 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id 662863A69BB for <tcpm@ietf.org>; Fri, 19 Jun 2009 09:26:26 -0700 (PDT)
Received: from [192.168.1.46] (pool-71-105-84-152.lsanca.dsl-w.verizon.net [71.105.84.152]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id n5JGQMVp020371; Fri, 19 Jun 2009 09:26:24 -0700 (PDT)
Message-ID: <4A3BBC2E.9040100@isi.edu>
Date: Fri, 19 Jun 2009 09:26:22 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.21 (Windows/20090302)
MIME-Version: 1.0
To: Eric Rescorla <ekr@networkresonance.com>
References: <4A2AB973.3030203@isi.edu> <20090616131807.75C481BC6EB@kilo.networkresonance.com> <4A37A202.9020500@isi.edu> <20090617054551.A4E0C1BCA23@kilo.networkresonance.com> <4A388C37.3030703@isi.edu> <20090617140939.A3AB61BCC72@kilo.networkresonance.com> <4A390EC0.6070003@isi.edu> <20090617161518.5276C50822@romeo.rtfm.com> <4A3917B7.20301@isi.edu> <20090617232813.1C49D50822@romeo.rtfm.com> <4A39C800.2030901@isi.edu> <20090618051622.719361BDC6B@kilo.networkresonance.com> <4A39CE62.9050201@isi.edu> <20090618135721.164F31BDF06@kilo.networkresonance.com> <4A3A4A5D.2060504@isi.edu> <20090619043328.6C06E1BE12E@kilo.networkresonance.com> <4A3B3290.9020906@isi.edu> <20090619132135.0DF111BE198@kilo.networkresonance.com> <4A3BB16A.1000508@isi.edu> <20090619161614.EFC4850822@romeo.rtfm.com>
In-Reply-To: <20090619161614.EFC4850822@romeo.rtfm.com>
X-Enigmail-Version: 0.95.7
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: tcpm Extensions WG <tcpm@ietf.org>
Subject: Re: [tcpm] question about TCP-AO and rekeying
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jun 2009 16:26:28 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



Eric Rescorla wrote:
> At Fri, 19 Jun 2009 08:40:26 -0700,
> Joe Touch wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>>
>>
>> Eric Rescorla wrote:
>> ...
>>>> If that's where we put that logic, what happens when we don't have a
>>>> KMP? How do we know that both ends will do the same thing with a set of
>>>> manually entered keys?
>>> It was my understanding that the consensus was that we were not 
>>> going to design a system that attempted to prevent user error.
>> Oh, absolutely, agreed.
>>
>> This is the kind of error where two ends install the keys correctly, but
>> internally the two implementations resolve overlap in different ways, so
>> keying fails.
>>
>>> Given that typographical errors in key entry seem far more likely
>>> than this kind of misconfiguration, if our intent is to prevent
>>> user error, then we should be attacking that first.
>> As above, this isn't a user error issue. This is a case where leaving
>> something to the implementer is what is causing the problem.
> 
> Then I don't understand what you're talking about.
> 
> The user installs two MKTs, one of which covers all ports and
> one of which covers port 521 (randomly chosen). Either of these
> MKTs is valid and either end can use either one to secure
> the connection independently. It doesn't matter what the
> prioritization schemes are on either end.

If we just require that each segment maps to exactly one MKT, then one
end can do this by:

	- first entered, first picked

The other end can do this by:

	- longest match

So both sides are complying with "match only one MKT", but users can
easily install keys on both ends that would still not work.

> If you're saying that the installation of a more specific MKT
> should not only take priority over but actually disable a
> less specific MKT for that port, then I think that's a pretty
> clear bug.

I'm saying that the way in which we resolve overlapping MKTs matters.

a) disallow entry of overlapping MKTs

	this means that valid MKTs for a connection might not
	be able to be entered if there are more general
	keys entered

	this also incurs computation during key entry (manual
	or otherwise); is there a standard efficient alg. for
	determining overlap? Note that we could be talking about
	masks, ranges, etc.

b) allow overlapping MKTs

	this means we need to indicate the resolution mechanism
	i.e., longest match, ordered match, etc.

Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAko7vC0ACgkQE5f5cImnZrsVWQCdEcynyPinkrPrUjI+UOxxoaD8
QLwAn2y+9mCmQ2yOO/QSC8ReglbQNx6J
=5OEU
-----END PGP SIGNATURE-----

v2.23.0 | Report a Bug | By Email