Re: [tcpm] question about TCP-AO and rekeying

[Eric Rescorla <ekr@networkresonance.com>]

At Sat, 06 Jun 2009 11:46:11 -0700,
Joe Touch wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Hi, all,
> 
> One open issue remaining is how to express what was formerly a database
> with a particular structure (TAPD, previously TSAD) in ways that impact
> rekeying and possibly future master key management protocols. We decided
> at the last meeting in SFO to do as follows:
> 
> 	- require that each segment match only one key
> 		- segments for established connections must match
> 		only one connection key
> 		- segments for new connections (SYNs) must match
> 		only one master key
> 
> Connection keys never overlap; there would never be two connection keys
> with the same keyID and socket pair. The open issue focuses on master
> keys, which would more likely be specified with wildcards, masks, or
> ranges, esp. for remote port numbers, but also potentially for addresses
> or local port numbers. This issue is particularly relevant for rekeying
> - - adding new master keys that would result in new connection keys being
> derived for existing connections - and how an endpoint would be able to
> ensure uniqueness as above.
> 
> Do we need additional constraints to ensure that master key descriptions
> never overlap?
>
> As review, the previous description of keys as a database also implied,
> by its structure, constraints on wildcards/masks/ranges. Each TAPD entry
> was:
> 
>     a socket pair descriptor
>         which may include wildcards or masks
> 
>     one or more MKTs, each of which includes:
>         sendID
>         recvID
>         crypto info:
>             master key
>             MAC info
>             KDF info
> 
> The TAPD was defined so that a segment matched at most one socket pair
> descriptor, and that MKTs within that descriptor had distinct sendIDs
> and recvIDs.
> 
> If we remove that data structure, it would most obviously be replaced
> with MKTs with their own socket descriptors, i.e.:
> 
>     MKT
>         socket pair descriptor (may include wildcards/masks)
>         sendID
>         recvID
>         crypto info
> 
> The question that remains is whether MKTs that match a segment all have
> identical socket pair descriptors, even down to their
> wildcards/ranges/masks (which was previously required). If
> not, then how do we ensure that MKTs don't interfere?

I don't understand why this is a problem. The invariant that
the system needs to enforce is that for any given packet 
there be at most one valid MKT with a given key-id, right?
There are a number of ways to enforce this, including:

1. Having some kind of database.
2. Tying MKTs to sockets directly at the time of instantiation
   (including half-open sockets).


> If we throw our hands up and say this is "implementation detail", then
> IMO we could be hobbling any KMP, since there would be no common data
> for the KMP to coordinate.

I don't see this. Obviously, any KMP will need some model for
how it thinks about keys and any particular implementation of
a KMP will need to interact with the system on which it is
implemented in order to match that model to the system's
implementation, but I don't see how that's a problem. It's
not like we're defining a C API for the KMP implementations
to call.

-Ekr