Re: [tcpm] "The SYN trick"

Brian Weis <bew@cisco.com> Tue, 11 March 2008 19:58 UTC

In-Reply-To: <20080311183651.BE37B1ACED8@kilo.rtfm.com>
References: <20080311183651.BE37B1ACED8@kilo.rtfm.com>
Mime-Version: 1.0 (Apple Message framework v753)
Message-Id: <3FD0E4F5-8AA3-427E-BE87-EACAE62AA78D@cisco.com>
From: Brian Weis <bew@cisco.com>
Date: Tue, 11 Mar 2008 15:55:29 -0400
To: Eric Rescorla <ekr@networkresonance.com>
Cc: tcpm@ietf.org
Subject: Re: [tcpm] "The SYN trick"

Hi Eric,

I like the simplicity of this approach. But using the ISNs to generate keys requires that the ISN values be generated from good random numbers (to avoid the generation of predictable keys). I think most systems today do happen to use a good RNG for generating the ISN, but there's no guarantee.

This implies to me that ISN generation must be a service of the TCP-AO module, else the TCP-AO key generation process will not be guaranteed to generate good quality K_connection keys. I don't know if that's a requirement that can be made in the TCP-AO draft though.

Thanks,
Brian

On Mar 11, 2008, at 2:36 PM, Eric Rescorla wrote:

> I'd suggested using the ISNs as an implicit diversifier for
> a single master shared key.
>
> E.g.,
>
> K_connection = HMAC(K_master, ISN_i, ISN_r)
>
> As Joe points out, if you use ISNs as an implicit diversifier
> for a shared connection key, you obviously can't use the
> ISN found in the SYN/ACK to key the initial SYN. The natural
> thing to do here is:
>
> - For the initial SYN use K_connection = HMAC(K_master, ISN_i, 0)
> - For subsequent packets use K_connection = HMAC(K_master, ISN_i, ISN_r)
>
> -Ekr
>
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm

-- 
Brian Weis
Advanced Security Development, Security Technology Group, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com

_______________________________________________
tcpm mailing list
tcpm@ietf.org
https://www.ietf.org/mailman/listinfo/tcpm
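Added worked example (not code from either message, nor from any TCP-AO implementation): the per-connection derivation Eric sketches above, K_connection = HMAC(K_master, ISN_i, ISN_r) with ISN_r = 0 for the initial SYN, followed by a check of Brian's concern that the quality of K_connection depends on the ISN generator. The message names neither a PRF nor an encoding, so HMAC-SHA256 and a fixed 4-byte big-endian encoding of each ISN are assumptions, as are the sample master key, the helper names and the deliberately degenerate constant_isn() generator used as the worst case.

```python
"""Connection keys diversified by TCP ISNs, per the proposal quoted above.

Added illustration; assumptions not in the thread: HMAC-SHA256 as the PRF,
4-byte big-endian ISN encoding, and the constructed sample generators below.
"""
import hashlib
import hmac
import secrets
from typing import Callable, Tuple

ISN_MAX = 0xFFFFFFFF  # TCP sequence numbers are 32-bit


def isn_in_range(isn: int) -> bool:
    """True if isn fits in a 32-bit TCP sequence number."""
    return 0 <= isn <= ISN_MAX


def k_connection(k_master: bytes, isn_i: int, isn_r: int) -> bytes:
    """K_connection = HMAC(K_master, ISN_i || ISN_r).

    Each ISN is encoded as a fixed 4-byte field so the pair (ISN_i, ISN_r)
    has exactly one encoding; swapping the two values yields a different key.
    """
    if not (isn_in_range(isn_i) and isn_in_range(isn_r)):
        raise ValueError("ISN must be a 32-bit value")
    diversifier = isn_i.to_bytes(4, "big") + isn_r.to_bytes(4, "big")
    return hmac.new(k_master, diversifier, hashlib.sha256).digest()


def handshake_keys(k_master: bytes, isn_i: int, isn_r: int) -> Tuple[bytes, bytes]:
    """(SYN key, established-connection key) for one connection.

    The initiator's SYN is keyed with ISN_r = 0 because the responder's ISN
    is not known yet; every later segment uses the real (ISN_i, ISN_r).
    """
    return k_connection(k_master, isn_i, 0), k_connection(k_master, isn_i, isn_r)


def distinct_keys(k_master: bytes, isn_source: Callable[[], int], connections: int) -> int:
    """Open `connections` connections, drawing both ISNs from isn_source(),
    and count how many distinct established-connection keys result."""
    seen = set()
    for _ in range(connections):
        seen.add(k_connection(k_master, isn_source(), isn_source()))
    return len(seen)


def random_isn() -> int:
    """ISN from a CSPRNG: what the reply above hopes most stacks already do."""
    return secrets.randbits(32)


def constant_isn() -> int:
    """Constructed worst-case ISN generator: every connection reuses the same
    diversifier, so every connection under one K_master gets the same key and
    a segment authenticated on one connection verifies on another."""
    return 0x12345678


if __name__ == "__main__":
    k_master = secrets.token_bytes(32)  # constructed sample master key
    syn_k, conn_k = handshake_keys(k_master, random_isn(), random_isn())
    print("SYN key        :", syn_k.hex())
    print("connection key :", conn_k.hex())
    print("distinct keys, random ISNs  :", distinct_keys(k_master, random_isn, 100))
    print("distinct keys, constant ISNs:", distinct_keys(k_master, constant_isn, 100))
```

The second count is the point Brian raises: the derivation itself is sound, but with a degenerate ISN source the diversifier collapses and K_connection is identical across connections, so the "per-connection" key gives no cross-connection separation. With a CSPRNG-backed ISN, 100 connections yield 100 distinct keys.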