[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Death to AH (was Re: SA identification)
In message <3ABBB2C4.BE527C4A@storm.ca>, Sandy Harris writes:
>Pekka Nikander wrote:
>>
>> ... I know, most of this has been discussed to death before,
>> but for me the exact reason for killing AH seems unclear.
>
>One set of reasons are given in the Schneier and Ferguson analysis at:
>http://www.counterpane.com/ipsec.pdf
I don't think they adequately took into account some network
architecture issues.
>
>I'd say several of their recommendations were absolute no-brainers:
>
>1) eliminate transport mode
No. Transport mode is for secure packets; tunnel mode creates secure
wires. It creates all sorts of interesting routing table entries,
makes certain checks (or attacks, in their absence -- what if the inner
header has source and destination addresses of 127.0.0.1?) necessary,
creates many more multi-homed hosts -- which we don't handle that cleanly
in the first place, etc. And that's not even talking about bandwidth
issues.
>2) eliminate AH
Agreed, but I've said my piece on that long ago.
>3) make authentication mandatory for ESP
Agreed.
>5) remove the weak key checks; just don't use algorithms where weak keys are a
> risk
As a number of people have pointed out (I think that Bill Simpson said
it first), ignore the question. Statistically, you'll never hit them
anyway, so how will your test your code? Besides, unless an attacker knows
that you've picked a weak key, there's no risk to you.
>
>In my view, we should just do all of these.
>
>As for their other recommendations:
>
>4) modify ESP to ensure it authenticates all data used in deciphering
I don't have the paper handy, but how is this different from (3)?
>6) modify KEYMAT derivation
>7) modify hashing
>8) modify phase 2 KEYMAT derivation
Anything to simplify IKE!
--Steve Bellovin, http://www.research.att.com/~smb
Follow-Ups: