Re: [tcpm] tcp-auth-opt issue: support for NATs
Joe Touch <touch@ISI.EDU> Wed, 13 August 2008 20:04 UTC
Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AA0243A6B7F; Wed, 13 Aug 2008 13:04:39 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4871A3A6D01 for <tcpm@core3.amsl.com>; Wed, 13 Aug 2008 13:04:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HFNlX3UOTtpr for <tcpm@core3.amsl.com>; Wed, 13 Aug 2008 13:04:32 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id D04253A6928 for <tcpm@ietf.org>; Wed, 13 Aug 2008 13:04:32 -0700 (PDT)
Received: from [75.214.62.35] (35.sub-75-214-62.myvzw.com [75.214.62.35]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m7DK3qtC019892 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 13 Aug 2008 13:03:55 -0700 (PDT)
Message-ID: <48A33DFD.7060502@isi.edu>
Date: Wed, 13 Aug 2008 13:03:09 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: Ted Faber <faber@ISI.EDU>
References: <48A08295.8090903@juniper.net> <20080811184214.B300B50846@romeo.rtfm.com> <03d901c8fbe9$05673220$23d946ab@cisco.com> <20080811234626.GB2194@zod.isi.edu>
In-Reply-To: <20080811234626.GB2194@zod.isi.edu>
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: 'Adam Langley' <agl@imperialviolet.org>, tcpm@ietf.org, Dan Wing <dwing@cisco.com>
Subject: Re: [tcpm] tcp-auth-opt issue: support for NATs
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, all, <indiv hat on> I think the discussion on the issue of keyID uniqueness and the size of the keyID space indicates a deeper issue about keyIDs, as well as the TCP-AO option. The keyID is currently only an *intra-connection* identifier. It's sole purpose is to avoid testing multiple concurrent keys and configurations on a single connection, as would occur during rekeying. The primary security association identifier for a connection is the socket pair (addr/port pair). The TCP-AO option provides authentication; it does not provide automated ~ key or parameter negotiation. IMO, that is better left to an automated KMS. - --- There are certainly a number of issues that all appear to require more than simple, static keying in TCP-AO can handle: - dynamic endpoint address assignment - NATs - passive open with floating source IP address IMO, these can - and should - be handled more easily by an automated KMS. This would leave TCP-AO much simpler and easier to validate. The alternatives are problematic: - create and manage our own unique connection ID space - test all concurrently overlapping keys/configurations until each connection is resolved I thus feel that it's OK to say that the simplest static key configuration of TCP-AO solves some problems and not others. The problems we can solve (or have already solved) are: - unique per-connection keys (based on ISNs) - replay prevention using automated key rollover - passive open with floating source port only Solving NATs, dynamic IP address assignments, and full passive opens for statically configured keys will, AFAICT, require relaxing authentication to the point where we will end up developing an in-band KMS in the SYN packet, which I feel is complexity we can avoid. Joe -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkijPfwACgkQE5f5cImnZrtyvwCgs+QPQ0rBD+rm8sx5Um75/Dss eFIAoLeNaG8fZh7DjIHJsCUYorqKOUki =0aQt -----END PGP SIGNATURE----- _______________________________________________ tcpm mailing list tcpm@ietf.org https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch
- Re: [tcpm] tcp-auth-opt issue: support for NATs Adam Langley
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Anantha Ramaiah (ananth)
- Re: [tcpm] tcp-auth-opt issue: support for NATs Dan Wing
- Re: [tcpm] tcp-auth-opt issue: support for NATs Dan Wing
- Re: [tcpm] tcp-auth-opt issue: support for NATs Ron Bonica
- Re: [tcpm] tcp-auth-opt issue: support for NATs Eric Rescorla
- Re: [tcpm] tcp-auth-opt issue: support for NATs Dan Wing
- Re: [tcpm] tcp-auth-opt issue: support for NATs Ted Faber
- Re: [tcpm] tcp-auth-opt issue: support for NATs Dan Wing
- Re: [tcpm] tcp-auth-opt issue: support for NATs Joe Touch