IETF Logo Mail Archive

Re: [tcpm] tcp-auth-opt issue: support for NATs

Joe Touch <touch@ISI.EDU> Wed, 13 August 2008 20:04 UTC

Return-Path: <tcpm-bounces@ietf.org>
X-Original-To: tcpm-archive@megatron.ietf.org
Delivered-To: ietfarch-tcpm-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AA0243A6B7F; Wed, 13 Aug 2008 13:04:39 -0700 (PDT)
X-Original-To: tcpm@core3.amsl.com
Delivered-To: tcpm@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4871A3A6D01 for <tcpm@core3.amsl.com>; Wed, 13 Aug 2008 13:04:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HFNlX3UOTtpr for <tcpm@core3.amsl.com>; Wed, 13 Aug 2008 13:04:32 -0700 (PDT)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) by core3.amsl.com (Postfix) with ESMTP id D04253A6928 for <tcpm@ietf.org>; Wed, 13 Aug 2008 13:04:32 -0700 (PDT)
Received: from [75.214.62.35] (35.sub-75-214-62.myvzw.com [75.214.62.35]) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id m7DK3qtC019892 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 13 Aug 2008 13:03:55 -0700 (PDT)
Message-ID: <48A33DFD.7060502@isi.edu>
Date: Wed, 13 Aug 2008 13:03:09 -0700
From: Joe Touch <touch@ISI.EDU>
User-Agent: Thunderbird 2.0.0.16 (Windows/20080708)
MIME-Version: 1.0
To: Ted Faber <faber@ISI.EDU>
References: <48A08295.8090903@juniper.net> <20080811184214.B300B50846@romeo.rtfm.com> <03d901c8fbe9$05673220$23d946ab@cisco.com> <20080811234626.GB2194@zod.isi.edu>
In-Reply-To: <20080811234626.GB2194@zod.isi.edu>
X-Enigmail-Version: 0.95.6
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Cc: 'Adam Langley' <agl@imperialviolet.org>, tcpm@ietf.org, Dan Wing <dwing@cisco.com>
Subject: Re: [tcpm] tcp-auth-opt issue: support for NATs
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/tcpm>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: tcpm-bounces@ietf.org
Errors-To: tcpm-bounces@ietf.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi, all,

<indiv hat on>

I think the discussion on the issue of keyID uniqueness and the size of
the keyID space indicates a deeper issue about keyIDs, as well as the
TCP-AO option.

The keyID is currently only an *intra-connection* identifier. It's sole
purpose is to avoid testing multiple concurrent keys and configurations
on a single connection, as would occur during rekeying. The primary
security association identifier for a connection is the socket pair
(addr/port pair).

The TCP-AO option provides authentication; it does not provide automated
~ key or parameter negotiation. IMO, that is better left to an automated
KMS.

- ---

There are certainly a number of issues that all appear to require more
than simple, static keying in TCP-AO can handle:
	- dynamic endpoint address assignment
	- NATs
	- passive open with floating source IP address

IMO, these can - and should - be handled more easily by an automated
KMS. This would leave TCP-AO much simpler and easier to validate. The
alternatives are problematic:
	- create and manage our own unique connection ID space
	- test all concurrently overlapping keys/configurations
	until each connection is resolved

I thus feel that it's OK to say that the simplest static key
configuration of TCP-AO solves some problems and not others. The
problems we can solve (or have already solved) are:

	- unique per-connection keys (based on ISNs)
	- replay prevention using automated key rollover
	- passive open with floating source port only

Solving NATs, dynamic IP address assignments, and full passive opens for
statically configured keys will, AFAICT, require relaxing authentication
to the point where we will end up developing an in-band KMS in the SYN
packet, which I feel is complexity we can avoid.


Joe
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkijPfwACgkQE5f5cImnZrtyvwCgs+QPQ0rBD+rm8sx5Um75/Dss
eFIAoLeNaG8fZh7DjIHJsCUYorqKOUki
=0aQt
-----END PGP SIGNATURE-----
_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email