[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: SOI QUESTIONS: 2.4 Number of crypto operations

To: "Stephane Beaulieu" <stephane@cisco.com>
Subject: RE: SOI QUESTIONS: 2.4 Number of crypto operations
From: Michael Thomas <mat@cisco.com>
Date: Mon, 24 Jun 2002 09:57:20 -0700 (PDT)
Cc: "Michael Thomas" <mat@cisco.com>, "Theodore Ts'o" <tytso@mit.edu>, <ipsec@lists.tislabs.com>
In-Reply-To: <MDEJLHMEAJPNHKAIJCHKEELOCMAA.stephane@cisco.com>
References: <15639.18284.540151.162309@thomasm-u1.cisco.com><MDEJLHMEAJPNHKAIJCHKEELOCMAA.stephane@cisco.com>
Sender: owner-ipsec@lists.tislabs.com

Stephane Beaulieu writes:
 > 
 > >  > > Please discuss and answer this question.....
 > >  > >
 > >  > > 2.4 Number of crypto operations
 > >  > >
 > >  > > 2.4.A) JFK requires substantially more cryptographic operations for
 > >  > > rekeying (two more signatures, two more signature validations, and
 > >  > > three more hashes).  Is this a problem?  More generally,
 > > does SOI need
 > >  > > to be able to support "fast" rekeying?
 > >  >
 > >  > Yes.
 > >  >
 > >  > To be more precise, SOI should have a 2 phases.  This will
 > > help with fast
 > >  > rekeying, fast tunnel setup (for multiple tunnels), and better tunnel
 > >  > management (this was the BIGGEST problem with IKEv1, IMO).
 > >
 > > Perhaps a more sensible balance would be have the
 > > initial exchange be able to produce a real IPsec
 > > SA (ie self-contained), and be able to specify a
 > > zero life for the SOI SA. That way, a compliant
 > > implementation could choose not to implement
 > > "quick mode" where there's no particular need.
 > >
 > > I propose the following requirement:
 > >
 > > "If SOI defines subsequent SOI exchanges derived
 > >  by the shared state of an initial SOI exchange,
 > >  the protocol MUST make these subsequent exchanges
 > >  optional to both parties. A minimal SOI
 > >  implementation MUST NOT be required to implement
 > >  the subsequent exchanges."
 > 
 > That would defeat the purpose of the Management Channel I spoke of.  If your
 > SOI SA goes away immediately (or doesn't get created at all), it gets much
 > harder to detect / correct error conditions (black holes for example),
 > without opening yourself up to a bunch of DoS attacks.

   Huh? The DoS protection is conferred by the
   phase 1 DoS protection. All I'm saying is that
   phase 1 should be necessary and sufficient in
   SOI. This is not the case in IKE, but is part
   of the SOI requirements. Thus there is no
   reason for phase 2 to be mandatory.

 > We have lots of bad experiences with this in IKEv1, which is why (I
 > think...) that Dan et al, added a mgt channel to IKEv2.

   IKE has a "management" channel, it's just that
   it was poorly designed. That channel is Quick 
   Mode.

 > Dangling SAs (what you're advocating) and Mgt Channel (what I'm advocating)
 > don't play together very well (at least not in the real world, where packets
 > get dropped, and VPN boxes reboot).

   I'm advocating no such thing. If you have a
   problem which is only solvable by having a 
   phase 2, you haven't met the necessary and
   sufficient requirements for phase 1.

	      Mike

Follow-Ups:
- RE: SOI QUESTIONS: 2.4 Number of crypto operations
  - From: "Stephane Beaulieu" <stephane@cisco.com>

References:
- RE: SOI QUESTIONS: 2.4 Number of crypto operations
  - From: Michael Thomas <mat@cisco.com>
- RE: SOI QUESTIONS: 2.4 Number of crypto operations
  - From: "Stephane Beaulieu" <stephane@cisco.com>

Prev by Date: RE: SOI QUESTIONS: 2.6 Formal proofs of security
Next by Date: RE: SOI QUESTION: 3.1 DoS protection
Prev by thread: RE: SOI QUESTIONS: 2.4 Number of crypto operations
Next by thread: RE: SOI QUESTIONS: 2.4 Number of crypto operations
Index(es):
- Date
- Thread