Re: [trill] TRILL IPsec encapsulation
Donald Eastlake <d3e3e3@gmail.com> Thu, 23 July 2015 10:49 UTC
Return-Path: <d3e3e3@gmail.com>
X-Original-To: trill@ietfa.amsl.com
Delivered-To: trill@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE9A51A1A34 for <trill@ietfa.amsl.com>; Thu, 23 Jul 2015 03:49:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h7dQvwaSJmvP for <trill@ietfa.amsl.com>; Thu, 23 Jul 2015 03:49:35 -0700 (PDT)
Received: from mail-ob0-x22f.google.com (mail-ob0-x22f.google.com [IPv6:2607:f8b0:4003:c01::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B8E31A1A06 for <trill@ietf.org>; Thu, 23 Jul 2015 03:49:35 -0700 (PDT)
Received: by obdeg2 with SMTP id eg2so55565278obd.0 for <trill@ietf.org>; Thu, 23 Jul 2015 03:49:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=WjgDhJv/DIyT/3eAovOvQwsYQJ2Dl9HXtYNwwwRL4WY=; b=eGff0SZYXDdUCVkOdzESSjYETLCdhjNKaNj+mEg/CvKb8CreE9/YabAT/+I22ptdlj b+xY0Z5/kowJjc682doC+J/nUfF69bapb3y2sXbakKjvAjkdi4o2C9JMojm0lGA0/xYN EXbwezklh2w88qkCksq5wETpO7VdG+qEQk9WHlAXtkMAGXjqctprs2R4XwUdBJmemR4T kv6MqJKYAfr5vKBRP55hAj/pRV0bMUOnwmRYmCU/QP2Fso+a9SUOePfnovyauQrHMCqc t/AGcqT37t0JG17P5qsEk8yTgJYhEMduMhAdp1STs5UfLNaB4F9+lOQ/p/JgrH9Ik5Q6 qObg==
X-Received: by 10.182.39.194 with SMTP id r2mr7591063obk.20.1437648574842; Thu, 23 Jul 2015 03:49:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.76.173.3 with HTTP; Thu, 23 Jul 2015 03:49:20 -0700 (PDT)
In-Reply-To: <55AFD772.1010700@gmail.com>
References: <55AFD772.1010700@gmail.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Thu, 23 Jul 2015 06:49:20 -0400
Message-ID: <CAF4+nEH3zNsQRKrr2NTKpay8KqLY4tv676kAmQ9yf5uM9LSFvA@mail.gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/trill/WLYgNx7fAFyf-z-Igt5Y32pIq_A>
Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "trill@ietf.org" <trill@ietf.org>
Subject: Re: [trill] TRILL IPsec encapsulation
X-BeenThere: trill@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Developing a hybrid router/bridge." <trill.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trill>, <mailto:trill-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trill/>
List-Post: <mailto:trill@ietf.org>
List-Help: <mailto:trill-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trill>, <mailto:trill-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jul 2015 10:49:37 -0000
Hi Yaron, Thanks for these comments. Below are a few immediate thoughts of mine. On Wed, Jul 22, 2015 at 1:48 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote: > I have read the TRILL-over-IP draft (draft-ietf-trill-over-ip-03) as a kind > of early SecDir review, focusing on its use of IPsec. Thanks to Donald > Eastlake who graciously provided me with a crash course on TRILL. He's not > responsible for any stupidity on my part, of course. You're welcome. Sorry I was still a bit fuzzy from 12 time zone jet lag when we got together. > So here are some comments: > > - The draft currently uses IPsec but not IKE or any kind of key management. > The end result is that data is being encrypted by very long-lived keys, not > enjoying the benefit of forward secrecy etc. Please use IKEv2 and do NOT use > IPsec directly. RFC 4107 explains why. > - There is in fact IPsec-with-multicast, but it's not widely deployed and is > based on the obsolete IKEv1. Instead, I suggest to use unicast encapsulation > with IKEv2. I suppose this means that you'd want to only encapsulate data > but not IS-IS frames. I've been thinking about this. TRILL supports broadcast links and handles multicast data also. There are several different cases but, on a broadcast (non-point-to-point) TRILL link, there is an elected designated TRILL router (called the DRB or Designated RBridge) that, in some sense, is in charge of the link. Perhaps the DRB could generate a group key and send it to the other TRILL routers/RBridges on the link using pairwise security between the DRB and the other RBridges.Of course, if the link is actually configured as point-to-point, then you know there will only be two RBridges on it and only need straightforward pairwise security. > - The draft currently derives encryption keys from IS-IS keys. This is > problematic at several levels: TRILL tries hard to default to be minimum configuration so it defaults to bootstrapping from IS-IS keys. This is not meant to prohibit other techniques if the network manager wants to use them. > * The IS-IS key is common to a large group of devices (a.k.a. "a group > key") and so is likely to be compromised. IS-IS has both area wide keying, for authentication of link state PDUs that are flooded area wide, and link scoped keying for link local IS-IS PDUs such as Hellos. Link scoped IS-IS keying should be what TRILL bootstraps from by default. > * The key is used directly for encryption, as noted. > * The key is derived using HMAC, which is specified incorrectly in the > draft (one parameter instead of two). Sorry, the concatenation sign should have been a comma. > * The derived key is identical for all routers/links. > - I would suggest to use a derived key for authentication only, and to > derive it differently for each link - although I realize that this does not > raise the security level significantly. Something like: link-psk = > HMAC(IS-IS-key, 6-byte-system-id-1 | 6-byte-system-id-2). Right. Since our discussion, it has occurred to me that that is not quite adequate because you can have multiple point-to-point links between the same pair of RBridges for which you would get the same pair of 6-byte IS-IS System IDs. Actually, pairwise security will be between two RBridge ports and an RBridge post is uniquely identified by the System ID of the RBridge and the locally unique Port ID of the port. So we could go for something like HMAC ( IS-IS key, System ID1 | Port ID1 | System ID2 | Port ID2 ) (Of course, you also need a rules so both ends get the IDs in the same order, such as using numeric order treating the System IDs as unsigned integers.) > - Note that IKE generates a different encryption key for each link even if > everybody is using the same authentication key (pre-shared secret). But it's > still a bad practice for all principals to have the same key... > - Longer term it would improve security hugely if each router had an > authenticated identity of its own. In other words, its own certificate and > private key. > - Please don't define your own MTI algorithms. Just use RFC 7321. Thanks, Donald ============================= Donald E. Eastlake 3rd +1-508-333-2270 (cell) 155 Beaver Street, Milford, MA 01757 USA d3e3e3@gmail.com > Thanks, > Yaron > > _______________________________________________ > trill mailing list > trill@ietf.org > https://www.ietf.org/mailman/listinfo/trill >
- [trill] TRILL IPsec encapsulation Yaron Sheffer
- Re: [trill] TRILL IPsec encapsulation Stephen Farrell
- Re: [trill] TRILL IPsec encapsulation Donald Eastlake
- Re: [trill] TRILL IPsec encapsulation Yaron Sheffer