[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: weakness in IKE/DOI specs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> From: Paul Koning [mailto:pkoning@xedia.com]
> >>>>> "Heyman," == Heyman, Michael <Michael_Heyman@nai.com> writes:
> >> From: John Shriver [mailto:jas@shiva.com]
> >>
> >> [SNIP] I think it is perfectly appropriate to limit these to 32
> >> bits, with the range being 0 to (2^32)-1. I don't think there
> is
> >> any sensible justification to allow 64 bit values, that's just
> too
> >> long a lifetime.
> >>
> Heyman,> Hmmm,
>
> Heyman,> Imagine in the near future (even now?) we have terabit
> Heyman,> networks. That is 2^40 bits/second. Protecting 2^32KBytes
> Heyman,> (=2^45 bits) gives me 32 seconds of coverage before a
> rekey
> Heyman,> is needed.
>
> Heyman,> In my opinion, 2^32, while more then adequate for today
> and
> Heyman,> probably :-) adequate for time based rekeying, is a bit
> Heyman,> small for the foreseeable future with respect to KByte
> Heyman,> lifetimes.
>
> I don't agree with this argument. The fact that links are getting
> faster is NOT a reason to increase the byte count life limits on
> keys. The appropriate value for the byte limit depends on the
> cipher used, and is independent of the link speed.
>
I agree that the cipher and not the link speed should dictate the
limit. Part of the problem is that know one knows a good limit based
upon the cipher. I think the limit is much larger then it seems you
are implying.
Take DES, which has been broken by brute force attacks. I believe the
best known plaintext attack takes 2^47 plaintext/ciphertext block
pairs. This is 2^40KBytes. Already greater then a 4 byte integer can
hold and this is for a broken algorithm. Also, this means _all_ the
plaintext is known, in which case there is no reason to look for a
key.
>
> By the way, while backbone links may scale that high, it's not
> clear to me that edge to edge or end system to end system paths
> will run anywhere near that fast anytime soon. SAs typically
> terminate near the network edge, not right in the core.
>
How long is IKE supposed to last? 10 years? 20 years? 30 years? By
Moore's law I should have terabit networking to my home in 22 years
(assuming network speeds increase at the same rate as computer
speeds). I want my hi-res 3D interactive home entertainment system by
Holodeck Corp. secured by IPsec/IKE :-).
I think that real world implementations can max out at 32 bits now
(if that is the natural integer size) and re-write for 64 bits later
when that becomes common. I don't think it is worth developing a
system now that can handle all allowed attribute formats.
- -Michael Heyman
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1b23
iQA/AwUBN6CmWLXbkJfuXzRQEQJvMgCg0KybnkiBZ31vZHhAB/q090cYA8QAnidD
25XxAiU+VbYJdwcUMITLOpyH
=nmUS
-----END PGP SIGNATURE-----