[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SMBs "Problem Areas for the IP Security Protocols"--where do we go from here?



-----BEGIN PGP SIGNED MESSAGE-----

Having read Steve Bellovins thoughtful paper, I'm not as depressed as I
  could be.

Some things become clear after reading the paper:

  If you care about confidentiality, then you must also care about
    integrity/authenticity.

  Replay is definitely a problem, particularly in light of UDP socket re-use.
  Because of this, replay protection would need to be built into all three
    of AH only, ESP only, AH+ESP.

It's likely that a combined ESP transform that provides all three of:

   Confidentiality
   Integrity/Authenticity
   Replay protection

   Would be a useful thing for us to do as a WG.  Jim Hughes' document
   is almost there, except for unkeyed MD5.

   Bill Simpson has an all-in-one document that, at least superficially,
   seems OK.  I haven't seen any discussion of his document, I suspect due
   to censure by the WG chairs.


Ran had said that Photuris, as it stands now, does not address all of the
  requirements of a key-management protocol for endorsement by the
  IETF.  I'd Ran to review his perceptions of what those requirements are.
  I know that I'm no longer clear on what the "hard" requirements are,
  and I believe that there is some confusion about those requirements.

In view of Steve Bellovins recent paper, a new requirement has emerged of
  a "special case" of rapid-rekey in that a block of SPIs (and associated
  keying material) could potentially be negotiated in a single key management
  exchange.  This seems to me to be a useful model to investigate; particularly
  in those situations where a given host may need to rapidly establish
  security associations to a number of other hosts, but security requirements
  indicate that per-connection/session keying is desirable.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQBVAwUBMVLLNap9EtiCAjydAQEZvAH9GcI7zjTwTpxzPFUlztyqsYma5S6DaozP
rPoU2pc5voD44NpNmWn055W5WSty37KFQCon+eH9tdE6tNfkzAlYQQ==
=+NA0
-----END PGP SIGNATURE-----

--
----------------------------------------------------------------------
Marcus Leech                   Mail: Dept 4C16, MS 238, CAR
Systems Security Architect     Phone   : (ESN) 395-4901  (613) 763-9145
Systems Security Services      Fax     : (ESN) 393-7679  (613) 763-7679
Nortel Technologies            mleech@bnr.ca
-----------------Expressed opinions are my own, not my employers------


Follow-Ups: