Re: Comments on draft-ietf-ipsec-arch-sec-02.txt



D. Hugh Redelmeier writes:
> Section 4.3 states:
> 
>            o Transport adjacency refers to applying more than one security
>              protocol to the same IP datagram, without invoking tunneling.
>              This approach to combining AH and ESP allows for only one
>              level of combination; further nesting yields no added benefit
>              since the processing is performed at one IPsec instance, the
>              (ultimate) destination.
> 
> This statement must be assuming that two composed ESP transforms are
> no more secure than a single one (otherwise the conclusion is false).
> Similarly, it must assume that two AHs don't lead to more confidence.
> I think that neither of these assumptions is true.  

For each of {ESP, AH} the IPsec suite allows for SAs whose transforms
involve combinations of algorithms, modes, and keylengths that are
believed to offer high levels of long-term security. If you accept 
these cryptographic judgments then you have cause to expect that a 
single application of the transforms in an appropriately-chosen 
ESP (respectively AH) SA in transport mode provides the desired level of
security. Once a portion of a system is "secure enough" w.r.t. the 
anticipated threat model, efforts to "strengthen" that portion of the
system don't actually increase the security of the system. So an
additional adjacent transport mode application of ESP (resp. AH) 
transforms is no more secure than the solo case.

If you reject some of the cryptographic assumptions underlying the 
defined set of algorithms, etc., then multiple adjacent applications 
_might_ offer you greater security than any single application. This 
would depend upon the nature and complexity of the additional attacks 
to which you believe the affected algorithm(s) is (are) susceptible.

> On the other hand,
> one approach available is to add a new AH or ESP that is equivalent to
> the compositions of interest.

Right. At various times it will probably happen that some existing 
algorithms fall into cryptographic disfavor, and people will see the 
need to define some new ones. However at any given time the operative
premise is that the available algorithms offer sufficient security 
guarantees without multiple adjacent applications. Those who aren't
content with the status quo can define the protocol use of algorithms 
with which they feel more comfortable. 

Architectural support for composition of algorithms via adjacent 
applications of transforms from multiple SAs would therefore be 
redundant, as far as I can see.

> I'm not quibbling with the decision to limit adjacency.  I just think
> that the quoted text isn't precisely correct.

-Lewis  <pseudonym@acm.org>  <http://www.cs.umass.edu/~lmccarth>