IPsec Minutes from Montreal
The minutes of the last IPsec Working Group were posted to the IETF weeks ago
and have yet to appear in the official archive. For those of you that missed
attending the meeting in Montreal the minutes are attached below.
Regards,
Paul
--------------------------------------------------------------
IPSEC WG Meeting Notes, Montreal IETF, June 1996
The co-chairs would like to thank Steve Kent for contributing his
personal notes on the meeting, which were used as the basis for these minutes.
The co-chairs edited the notes somewhat, so any errors are their
responsibility.
SESSION 1, Tuesday: AH/ESP and existing IPsec documents
Jim Hughes presented his Combined ESP transform with HMAC and
anti-replay. Steve Kent suggested changing the proposal to rely on a
negotiated anti-replay window size, to accept all packets within the window
unless they are replays, and to not try to reduce the overhead by relying on a
constructed IV. All three suggestions were adopted. Note that this protocol
requires distinct simplex channel keys, derived from a master key for the SA.
RSA reported on their S/WAN interoperability testing: TIS, NSA,
Raptor, SCC, and others worked well together. The next test session will
require Oakley/ISAKMP, and optionally SKIP, for key management, in support of
AH and ESP.
John Gilmore argued for widespread, near term deployment to protect
against passive wiretapping. His goal is 5% of Internet traffic by the end of
1996. His personal agenda is to counter government (not just US Government)
efforts for key-escrow initiatives. His proposal is to put crypto-walls in
place (devices that don't even do packet filtering and don't rely on
authenticated keys). His tactic is to leverage freely available software in
order to build such crypto-walls, define new DNS records for unauthenticated
key storage, avoid export controls by developing software outside of the US.
A firewall vendor gave a talk on using IPSEC with firewalls, as a
followup to mobile IP problem of getting mobile IP traffic out of a foreign
domain. Assume a model where presence of valid AH is required for firewall
traversal, in either direction. The initially presented model looks at
traversing a single firewall, nominally at the home agent perimeter. The
second model presented shows foreign and home firewalls. The talk points out
the need for multiple, layered SAs, from MN-to-firewall-1, then maybe between
firewalls, then from HA to firewall-2, and eventually one SA above these to
carry forwarded traffic from HA to MN. Speaker notes the problems of being
able to transmit the mobile IP messages, ICMP messages, and key management
messages through firewalls as a precursor to establishing SAs in this complex
environment. The bottom line is that one has to look carefully at the rules
that firewalls employ to determine what traffic will be allowed across, as
this might cause serious problems for SA establishment, especially for mobile
IP case. However, the proposed solution is pretty complex and there are
easier approaches to dealing with this problem in the mobile IP case, e.g.,
co-locating FAs and HAs with firewalls, or establishing long term SAs, between
HAs and FAs and their local firewalls, to facilitate forwarding of mobile IP
traffic.
Ran Atkinson spoke about the standards process and its applicability
to the IPSEC RFCs. Because some of the 1825-29 RFCs are being replaced, and
because all of them cross reference one another, the group cannot be advanced
from Proposed Standard to Draft Standard until 6 months elapses after the last
of the inter-related documents have been updated. Ran also discussed his
revised IPSEC Security Architecture document, a replacement for RFC-1825.
Steve Kent suggested that the WG revisit AH to remove its two-different modes
of use, given the new ESP options that incorporate authentication and thus
obviate the need for the embedded AH mode (ESP followed directly by AH).
Steve also suggested that the WG revise ESP to add in optional, variable
length fields for IVs, integrity checks, etc. so that the transform documents
are independent of one another and don't grow geometrically as new algorithms
are added. The WG adopted both suggestions and Steve Kent agreed to work with
the WG co-chairs to provide suitable text for the revised RFCs.
SESSION 2, Wednesday: Key Management Issues
Bob Moskowitz (Chrysler) challenged the group to solve a network layer
security problem for communication among automotive parts suppliers and
manufacturers, but with a lot of nasty residual problems, e.g., misuse of net
numbers by participants, diverse set of existing firewalls, etc. Bob's goal is
to start deploying IPsec by the end of 1996.
Ashar Aziz presented SKIP. Note the use of the SKIP header
between IP header and AH or ESP. Two modes of use: the first mode has no
setup messages once the master keys are in place, no Perfect Forward Secrecy,
and has significant per-message overhead. This mode relies on pre-positioned
D-H master keys from which unicast keys are derived. The second mode uses
ephemeral Diffie-Hellman, with certificates, in a 4-6 message exchange, with
approximate PFS, anonymity, etc. Claimed multicast mode support is based on a
group co-ordinator creating a group key (distribution of the private key to
group members is not described here and is potentially hard to implement or
scale) which the sender uses as the target for Diffie-Hellman computation.
Checkpoint, Toshiba, ETH, Sun have interoperable implementations of SKIP,
based on recent testing. Some gaps in the SKIP-06 spec were uncovered, and
are being fixed in the next draft. Ashar pushed for adoption of the
certificate discovery protocol (CDP) independent of SKIP. Also can move CRLs
as well as certificates, not just X.509 certificates, but PGP too.
Doug Maughan reported on ISAKMP. Free software is available via MIT
server at http://web.mit.edu/network/isakmp. cisco has also worked on an
ISAKMP with Oakley implementation, also freely available from cisco and MIT
web sites. There is also an implementation by the UK Defence Research Agency.
ISAKMP provides very general KMP framework, capable of supporting various key
exchange algorithms, authentication, security association management, and
denial of service protection. Recent I-D changes: moved from request/response
to chained payload format (for better performance and/or more flexible for
multi-exchange protocols), can negotiate multiple SPIs at the same time (for
greater efficiency and flexibility), and an expanded set of authentication
payload types (for better support of more exchange types). Format is more
complex now, because of support of multiple payloads per message, negotiating
multiple protocols at one time, etc. See version 5 specification I-D for
details. Jon Millen's analysis notes that cookies don't buy much
Denial-of-Service protection, and that authentication and key exchange is
sufficiently decoupled to require further analysis. Interoperability testing,
using Oakley, is now going on between cisco and DRA. Work will continue to
add other key exchange algorithms, commercial and government.
Hilarie Orman described Oakley briefly. Oakley is quite flexible: can
use Diffie-Hellman exchange and/or pre-positioned keys or Public Key (RSA)
encryption; authentication via RSA encryption, signatures or predistributed
shared secrets; integrity is available but can be omitted, and Perfect Forward
Secrecy is available but can be omitted. Minimal message exchange is 3
messages, though more round-trips can also occur. She has also published the
group parameters for several bases, yielding 90-bit strength key outputs.
ISAKMP integration is almost complete. She suggested having the ESP and AH
transforms define how the necessary key bits are extracted from the output of
the Oakley computation. Basically, a general collection of modules that can
meet lots of different requirements, using a consistent syntax.
Dan Harkins reported on the status of the ISAKMP-Oakley integration
effort. A new Internet-Draft is out with a coherent profile of ISAKMP and
Oakley when used together. The first two ISAKMP messages establish an SA,
then the parties negotiate SAs for their clients. Four modes of Oakley are
specified: Main Mode (for ISAKMP phase 1 exchange, four messages); Aggressive
Mode (quick, but no identity protection, an alternate phase 1 exchange in 3
messages); Quick Mode (a phase 2 exchange, in 3 messages, but can be repeated
multiple times after a phase 1 exchange); Group Mode (for changing from one
group to another, over time). cisco's free ISAKMP+Oakley code will be
implementing this specification.
Hugo made some comments on Oakley/ISAKMP. He likes the overall
framework, but sees a need to refine the specs to remove some ambiguity and
facilitate interoperability. From a cryptographic standpoint he has some
suggestions, but lacked time to go into details. From a capability
perspective, he would like to see a support for pre-positioned or
centrally-distributed symmetric keys, with PFS, which Oakley does allow. cisco
has indicated that they would accommodate that request. Hugo doesn't like the
reliance on Diffie-Hellman in the new Oakley/ISAKMP profile, relative to the
broader capabilities of Oakley. Finally, Hugo expressed some concerns about
the differences in types of attacks one might mount in the public key
vs. symmetric key arena. The bottom line is that the ISAKMP and Oakley
protocols accommodate all of these suggestions, it's just an issue of
getting the cisco implementation to incorporate these features.
Very brief, surprising comments from John Gilmore, announcing that he
has purchased all of Bill Simpson's rights, including copyright, for Photuris,
to ensure that it is considered as a viable contender in the key management
protocol sweepstakes. However, he has not obtained any rights to Photuris
from Phil Karn. Further, there is no new draft available addressing the
previously discussed deficiencies of Photuris. There was no evidence of
broad support for Photuris at this meeting.
There was a short talk on Elliptic Curve Cryptography (ECC)
technology, for both Diffie-Hellman exchanges and DSA- & RSA-equivalent
(signature with recovery, but not exactly RSA) signatures. A major benefit is
that shorter key lengths are security equivalent to larger key lengths. The
IEEE P1363 specifications were mentioned and there was some discussion of
patents relative to the use of ECC. There are some ECC-related patents, in
addition to the general public key patent, but they relate mostly to
implementations not to the basic math. The speaker is from Certicom, which
holds some of these implementation patents.
Closing discussions were process oriented, i.e., how will the WG
decide what will become the default key management standard for IPSEC? Jeff
Schiller conducted straw polls which showed significant differences of opinion
between Oakley/ISAKMP and SKIP, although everyone wants a quick resolution to
the issue! Jeff suggests having a special committee come back with a
justifiable resolution.
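
The receiver-side check adopted for the combined ESP transform in Session 1 (a negotiated window size, with every packet inside the window accepted unless it is a replay), sketched as an added example that is not part of the original minutes or of any draft they mention. The class and function names, the bitmap representation, an explicit per-packet sequence number starting at 1, and HMAC verification happening before the check are all assumptions; the minutes do not specify them.

```python
class AntiReplayWindow:
    """Receiver-side sliding window for one simplex SA (names are hypothetical)."""

    def __init__(self, window_size):
        if window_size < 1:
            raise ValueError("window size must be at least 1")
        self.size = window_size  # assumed: the size negotiated for this SA
        self.highest = 0         # highest sequence number accepted so far
        self.bitmap = 0          # bit i set => sequence (highest - i) was seen

    def check(self, seq):
        """Classify an already-authenticated packet's sequence number.

        Assumption: the caller has verified the packet's HMAC first, so an
        unauthenticated packet can never advance the window.
        """
        if seq < 1:
            return "invalid"             # assumed: numbering starts at 1
        if seq > self.highest:           # new right edge: slide the window
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1          # everything previously tracked fell out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "too_old"             # left of the window: cannot be checked
        if self.bitmap & (1 << offset):
            return "replay"              # inside the window and already seen
        self.bitmap |= 1 << offset       # inside the window, first sighting
        return "accept"


def classify(arrivals, window_size):
    """Run a list of arriving sequence numbers through a fresh window."""
    window = AntiReplayWindow(window_size)
    return [window.check(seq) for seq in arrivals]


if __name__ == "__main__":
    # Constructed arrival order: reordering, one replay, a jump past the window.
    sample = [1, 2, 5, 3, 5, 4, 40, 9, 8, 39]
    for seq, verdict in zip(sample, classify(sample, window_size=32)):
        print(f"seq={seq:3d} -> {verdict}")
```

Packets that arrive out of order but inside the window (3 and 4 after 5, 9 and 39 after 40) are accepted once; anything older than the window is dropped because the receiver no longer holds state to tell a late packet from a replay.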