
RE: weakness in IKE/DOI specs




> From: Paul Koning [mailto:pkoning@xedia.com]
> >>>>> "Heyman," == Heyman, Michael <Michael_Heyman@nai.com> writes:
>  >> From: John Shriver [mailto:jas@shiva.com]
>  >> 
>  >> [SNIP] I think it is perfectly appropriate to limit these to 32
>  >> bits, with the range being 0 to (2^32)-1.  I don't think there is
>  >> any sensible justification to allow 64 bit values, that's just too
>  >> long a lifetime.
>  >> 
>  Heyman,> Hmmm,
> 
>  Heyman,> Imagine in the near future (even now?) we have terabit
>  Heyman,> networks. That is 2^40 bits/second. Protecting 2^32KBytes
>  Heyman,> (=2^45 bits) gives me 32 seconds of coverage before a rekey
>  Heyman,> is needed.
> 
>  Heyman,> In my opinion, 2^32, while more than adequate for today and
>  Heyman,> probably :-) adequate for time based rekeying, is a bit
>  Heyman,> small for the foreseeable future with respect to KByte
>  Heyman,> lifetimes.
> 
> I don't agree with this argument.  The fact that links are getting
> faster is NOT a reason to increase the byte count life limits on
> keys.  The appropriate value for the byte limit depends on the
> cipher used, and is independent of the link speed.  
> 
I agree that the cipher and not the link speed should dictate the
limit. Part of the problem is that no one knows a good limit based
upon the cipher. I think the limit is much larger than it seems you
are implying.

Take DES, which has been broken by brute force attacks. I believe the
best known plaintext attack takes 2^47 plaintext/ciphertext block
pairs. This is 2^40KBytes. Already greater than a 4 byte integer can
hold and this is for a broken algorithm. Also, this means _all_ the
plaintext is known, in which case there is no reason to look for a
key.
>
> By the way, while backbone links may scale that high, it's not
> clear to me that edge to edge or end system to end system paths
> will run anywhere near that fast anytime soon.  SAs typically
> terminate near the network edge, not right in the core. 
>
How long is IKE supposed to last? 10 years? 20 years? 30 years? By
Moore's law I should have terabit networking to my home in 22 years
(assuming network speeds increase at the same rate as computer
speeds). I want my hi-res 3D interactive home entertainment system by
Holodeck Corp. secured by IPsec/IKE :-).

I think that real world implementations can max out at 32 bits now
(if that is the natural integer size) and re-write for 64 bits later
when that becomes common. I don't think it is worth developing a
system now that can handle all allowed attribute formats.

-Michael Heyman

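The following is an added example, not part of the original message or of any IKE implementation: a parser for the ISAKMP data attributes that carry SA Life Type and SA Life Duration, accepting 2-, 4- and 8-byte durations and clamping them to a 32-bit local limit, plus the rekey-interval arithmetic from the thread. The attribute numbers follow RFC 2407; `LOCAL_MAX`, the clamping policy, the function names and the sample bytes are assumptions made for illustration.

```python
import struct

# IPsec DOI attribute classes and life types (RFC 2407, section 4.5)
SA_LIFE_TYPE, SA_LIFE_DURATION = 1, 2
LIFE_SECONDS, LIFE_KILOBYTES = 1, 2
LOCAL_MAX = 2**32 - 1   # assumed implementation limit: a 32-bit counter


def parse_attributes(buf):
    """Yield (attr_type, int_value, value_len) for each ISAKMP data attribute."""
    off = 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated attribute header")
        head, field = struct.unpack_from("!HH", buf, off)
        off += 4
        if head & 0x8000:                # AF=1: TV form, field is the 16-bit value
            yield head & 0x7FFF, field, 2
            continue
        if field == 0 or field > len(buf) - off:   # AF=0: TLV form, field is a length
            raise ValueError("bad attribute length")
        yield head, int.from_bytes(buf[off:off + field], "big"), field
        off += field


def lifetimes(buf):
    """Return (life_type, clamped_duration, was_clamped) per SA Life Duration."""
    out, life_type = [], None
    for atype, value, _ in parse_attributes(buf):
        if atype == SA_LIFE_TYPE:
            life_type = value
        elif atype == SA_LIFE_DURATION:
            if life_type not in (LIFE_SECONDS, LIFE_KILOBYTES):
                raise ValueError("life duration without a valid life type")
            out.append((life_type, min(value, LOCAL_MAX), value > LOCAL_MAX))
            life_type = None
    return out


def seconds_until_rekey(kilobytes, link_bits_per_sec):
    """Time a kilobyte lifetime lasts at a sustained link rate (1 KB = 1024 bytes)."""
    return kilobytes * 1024 * 8 / link_bits_per_sec


# Constructed sample: kilobyte lifetimes encoded in 2, 4 and 8 bytes.
SAMPLE = (bytes.fromhex("80010002") + bytes.fromhex("80021000")
          + bytes.fromhex("80010002") + bytes.fromhex("00020004ffffffff")
          + bytes.fromhex("80010002") + bytes.fromhex("000200080000010000000000"))
```

`seconds_until_rekey(2**32, 2**40)` reproduces the 32-second figure quoted in the message for a 2^32 KByte lifetime on a 2^40 bit/second link.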