[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: ESP revisions straw poll

To: ipsec@tis.com
Subject: Re: ESP revisions straw poll
From: Steven Bellovin <smb@research.att.com>
Date: Wed, 21 May 1997 11:51:34 -0400
Sender: owner-ipsec@ex.tis.com
	 In message <3.0.32.19970521113228.00890250@127.0.0.1>, "Steven M. Bell
	ovin" wri
	 tes:
	 >
	 >Both, actually.  Encryptionless ESP is the way AH should have been de
	signed.
	 >(I objected to the current scheme at least as far back as Stockholm.)
	  But
	 >yes, I'm tired of arguing.  I'll settle for something that's ugly, le
	ss
	 >efficient, and unclean if it's here *now*...
	 
	 Several people have mentioned that what the AH computation
	 covers could be negotiated (wether it's the current scheme or
	 just hte payload) by the key management layer. I don't think
	 there would be many objections to that.

Well, count at least one...  We should try very hard not to add extra
complexity.  My objection to the current AH specification is that it is
complex to implement.  Adding a negotiated variant would just add to
the complexity.  Besides, each variant would need to be analyzed for
safety.

Hmm -- we could make the scope of the authentication programmable.

	AH-scope: {
		bytes=1-5 byte-order=network bits=2-4 bit-order=intel base=ip
		bytes=7-8 byte-order=ibm bits=* base=udp
		bytes=* base=ip-options filter=java::ip_optionfilt(type,len)
	}

Never mind, I'm feeling grouchy this morning...  Let me be a bit more
blunt than usual.

	*) I don't like complexity.  Apart from the esthetics -- and
	those are important -- complex structures are buggy.
	Cryptographic protocols are *hard* to get right; the more of
	them we have, the less assurance we have that any of them
	individually are correct.  More to the point, we have no
	assurance that arbitrary combinations are correct.  We've
	already seen that the order of AH and ESP can be important (for
	example, against short-block guessing attacks).

	*) I don't like complex code.  It's likely to be buggy.

	*) I don't like unnecessary multiplication of mechanism.  This
	is especially true when there's no clear guidance -- especially
	guidance amenable to programmed decisions -- about when to use
	which variant.  In this particular case, someone has suggested
	negotiating what AH covers.  What is the basis for making the
	decision?

	*) I don't like mutating protocols.  The problem with AH is
	that some fields are sometimes modified in transit.  This is
	not under control of the end systems.  In fact, it's rarely
	knowable to the users of the end systems, since they don't
	control what happens in the network cloud.  The solution, such
	as it is, was to decree that certain fields have to be zeroed
	before the MAC computation.  Leaving out the layering violation
	(see the point about code complexity above), in the 21 months
	since RFC 1826 the network cloud has changed its behavior.
	Section 3.2.3.1.1 of the Kent/Atkinson AH draft notes (with
	appropriate snideness) that the TOS field should now be zeroed,
	too, since some router vendors have chosen to violate RFC 791
	and diddle those bits.  And it's going to get worse -- see
	Section 3.2.3.1.2 for examples of what I mean.

	*) I don't like layering violations.  AH requires that the IP
	header be calculated first, then AH called to fill in data that
	follows the IP header.

	*) I don't like meaningless cryptography.  Almost two years
	ago, I posted a field-by-field analysis.  I showed that the IP
	header fields are either irrelevant for security purposes,
	changed en route (and hence not protectable), or are or should
	be bound to the security association, and hence need not be
	authenticated on a per-packet basis.

That's all well and good.  It's also irrelevant -- others disagreed
with me, for good and sufficient reason, and their arguments (and
needs) carried the day.  I've kept quiet about the issue since then,
because I have another dislike:

	*) I don't like working groups that drag on forever,
	fine-tuning a protocol to the point of irrelevancy.  Folks,
	we're under a deadline.  There are real products out there that
	implement some version of IPSEC.  There are things like PPTP
	that also include authentication and encryption.  We need to
	finish *now*.

The only reason we're discussing this again is because we realized that
encryption almost always requires authentication.  This may not be
sufficient reason to reopen the question, especially given the
immediately preceeding point.  But yes, in an ideal world I'd opt
for a clean AH, aka encryptionless ESP.

		--Steve Bellovin
Prev by Date: Re: ESP revisions straw poll -Reply
Next by Date: AH-Lite
Prev by thread: Re: ESP revisions straw poll
Next by thread: Re: ESP revisions straw poll
Index(es):
- Main
- Thread