[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt

To: "David A. Mcgrew" <mcgrew@cisco.com>
Subject: RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt
From: Stephen Kent <kent@bbn.com>
Date: Tue, 6 Aug 2002 15:15:54 -0400
Cc: <ipsec@lists.tislabs.com>
In-Reply-To: <FPELKLHKCBJLMMMNOGDFGEBMDMAA.mcgrew@cisco.com>
References: <FPELKLHKCBJLMMMNOGDFGEBMDMAA.mcgrew@cisco.com>
Sender: owner-ipsec@lists.tislabs.com
At 12:44 PM -0700 8/5/02, David A. Mcgrew wrote:
>Steve,
>
>personal remarks elided, your technical comments and my responses below.
>
>Steve Kent wrote:
>>
>>  On the topic of the overhead posed by an explicit vs. implicit IV, I
>>  questioned the 20-byte number you used as an example. Your rebuttal
>>  was vague and in no way countered my observation that the payload
>>  size you cited is a very misleading value. Dave Oran pointed out that
>>  header compression can reduce the IP header overhead, and the ESP
>>  header as well. But the UDP header is inside the encryption boundary,
>>  as are the ESP padding and pad length and NEXT field, and the ESP ICV
>>  is random. So, my point stands, i.e., either you were very careless
>>  in making the comparison between a 20-byte payload and an 8-byte IV,
>>  or you were intentionally skewing the argument.
>
>No.  Perhaps I should have provided more detail when I referred to RFC2507.
>>From Section 7.10:
>
>    ... when the ESP Header is used in tunnel mode an entire IP
>    packet is encrypted, and the headers of that packet MAY be compressed
>    before the packet is encrypted at the entry point of the tunnel.
>
>Also, perhaps you are unaware of the work being done to compress headers
>inside of tunnels.  Examples of this work include
>draft-ietf-avt-crtp-enhance-04.txt and draft-ietf-avt-tcrtp-06.txt, and much
>of the work of the Robust Header Compression (RHOC) WG is applicable as
>well.  It's worth nothing that compression that can be used in conjunction
>with IPsec is an explicit goal of the RHOC WG.  Many of these technologies
>were originally developed with voice over IP in mind, but can be used to
>general benefit, especially over wireless links.

I see that you elided my personal comments to make room for yours :-)

The question here, David, is not what I or the WG is aware or unaware 
of. The question is why you chose to use an obviously misleading 
figure as a basis for the argument. If you wanted to make a precise 
argument about a realistic size for VoIP packets, before and after 
applying ESP, then you could have done so.  You certainly have no 
trouble devoting considerable text to the math associated with the 
issue of how many blocks of data can be safely encrypted with counter 
mode. What we have seen in subsequent messages on this topic from 
others is that:

	- another protocol was developed to secure VoIP, 
specifically, calling into question whether we should bother trying 
to optimize ESP for this application
	- a very little analysis of the likely, average compression 
that may be obtained for SOME the headers that you omitted in your 
initial message
	- another message suggesting that well, maybe there is still 
a desire to have a very efficient version of ESP to use with VoIP, 
anyway
	- a message from the IP storage folks says, 8-bytes is not an 
issue for them

What we still do not have is a concrete analysis of the percentage 
overhead that would be associated with use of an explicit vs. 
implicit IV, under various realistic cases, e.g., no compression, 
outer header compression only, inner and outer header compression, 
for VoIP. This analysis is what you should have provided in your 
message, or in any subsequent message, but it is still missing.

>  > With regard to the security evaluation boundary argument, the issue
>>  is exactly that sharing SA state, specifically sequence number
>>  values, across chip or PC board boundaries presents a limitation on
>>  performance. I serve (or have served) as a technical advisor to three
>>  different companies developing high speed crypto chips for IPsec. The
>>  hardware engineers in each company agree with my observation that is
>>  would be a fundamentally bad idea to try to maintain sequence number
>>  sync across chip/board boundaries, for very high speed
>>  implementations.
>
>Steve, I've participated in high speed hardware designs using AES counter
>mode, and we have not seen the limitation that you describe.  I think that
>the best way to get to the root of our disagreement is for you to provide
>more details about the design that you have in mind.  What are the goals to
>which that design is aiming (10 gigabits per second?  100 gigabits per
>second? 1 terabit per second?) and what assumptions does it make (use
>existing chips?  use some particular ASIC technology or particular
>backplane?)?  Why is it necessary to use the same key in different ASICs or
>boards (which is apparently driving your concern about sequence numbers),
>and why is it desirable to do so if those ASICs are within different
>security boundaries?  If it is really necessary to have multiple senders for
>a single key, why not use a short sender-id value?  Is the design that you
>describe in brief a proprietary one or an open one?  If the latter, can you
>refer to an example in the published literature?

I have participated in 10 Gb/s IPsec chip designs, but this issue 
arises at lower speeds as well.

You seem to have lost track of the underlying issue, an issue we 
discussed at length in the design team list, specifically in my 
message of May 17, 2002. At that time I pointed out the problem faced 
by PPVPN and other "aggregating" IPsec implementations, where there 
is a need to mux traffic from one SA over multiple chips/boards, to 
maximize throughput while minimizing hardware costs. Product 
developers trying to do this have discovered that it is infeasible 
(from a performance perspective) to maintain the shared state for 
each SA's sequence number since that state must be updated by 
multiple chips, perhaps on different PC boards, within a product, for 
each packet sent or received on an SA. The WG discussed this issue on 
the list over a year ago, when product developers first encountered 
the problem. The vendors were asking if the sequence numbers could be 
made optional, for the sender, to avoid the problem. The WG said no. 
The WG then strongly recommended managing the sequence numbers for 
each SA before sending the traffic for the SA to a crypto module (as 
viewed from the transmitter's perspective). This is the context that 
motivates managing these values off chip, although others may exist 
as well. This design strategy is consistent with security evaluation 
practices such as 140-1/2, i.e., it does not affect the security 
boundary for the product evaluation so long as the sequence number is 
used only for its originally defined purpose.

>Additionally, I do not understand your implicit contention that LFSR
>synchronization would be easier to maintain across chip or board boundaries
>than integer synchronization.  The synch problem is fundamental to the
>movement of data, not to the algebraic mechanism by which a next-value is
>generated.

This is not an LFSR-specific issue. This too has been discussed on 
the design team mailing list. Your colleague, Scott Fluhrer, first 
suggested that one could use part of the counter for a per-chip ID, 
to avoid conflicts in the per-packet IV. One of the attractions of 
the compromise design that Russ proposed is that it allows the sender 
to include a per-chip value, if needed, as part of the per-packet IV, 
or to omit it if there is no need to mux an SA over multiple chips. 
This is essentially invisible to the receiver, who does not need to 
examine IV structure. One cannot make use of the same technique with 
the ESP sequence numbers, because the semantics for them require 
sequential generation of values.

>  > Separartely, you maintained that your employer had not encountered
>>  any problems in this regard, and I countered that this was probably
>>  because your employer was not building high assurance products, and
>>  thus the security boundary was very large. A check of the FIPS 140-1
>>  evaluated products list confirms my assertion about the assurance
>  > level of all Cisco evaluated products.
>
>The FIPS-140 evaluations of Cisco gear have no bearing on this discussion.
>It's worth pointing out that the approach of using the ESP sequence number
>as a per-packet counter does *not* decrease security, and that you have not
>even argued that it does.  What you have argued is that that approach could
>prove limiting in a high-speed design - *not* that it is less secure.  That
>approach does not limit the security of a system, and does not have any
>bearing on the FIPS-140-2 process.

YOU argued that maintaining ESP sequence numbers (that are used as 
counter mode inputs) within the security boundary was easy, based on 
Cisco's experience. Since
the context of the discussion was the security issues associated with 
maintaining these values off chip, for the reasons explained (yet 
again) above, I responded that keeping the counters within the 
security boundary was easy only if one had a relatively broad 
security boundary, consistent with a low level of assurance, e.g., 
FIPS 140-1/2 level 2 or less. So, my observation about the evaluation 
of Cisco IPsec products is at level 2 is thoroughly relevant to this 
discussion, given your initial message on the topic.

The use of these sequence numbers as counter inputs almost certainly 
does decrease security assurance, relative to current designs, 
whenever SAs have to be muxed across chips/boards. This is because 
the counters need to be managed off chip under these circumstances, 
for the reasons explained above, again. At best one might be able to 
maintain the currently attainable assurance level if the security 
boundary were extended to encompass the parts of the systems where 
the (now overused) sequence numbers were generated, but almost 
certainly at increased system costs/complexity. I believe we 
discussed this topic in the design team message exchanges earlier 
this year.

>  > Again, your response has not
>>  countered my criticisms. Instead you asked what vendors didn't
>>  maintain the sequence number within the security perimeter. That's
>>  not the point. The point is that, historically, there has been no
>>  need to maintain the ESP sequence counter within the perimeter for
>>  FIPS 140-1.
>
>RFCs 2401 and 2406 state that "protection against replays" is one of the
>goals of IPsec and that ESP provides that service by using monotonically
>increasing sequence numbers.   Given this fact, how can an implementer *not*
>put the ESP sequence number within the security perimeter?
>
>	<SNIP>
>
>>  But, reusing it for counter mode creates that need and
>>  adversely limits the design space for higher assurance products.
>
>I do not believe that the use of a monotonically increasing sequence number
>limits the design space.  This is apparently the real source of our
>disagreements.
>
>  > The above argument segues into the disagreement re the pitfalls of
>  > reusing ESP sequence numbers for counter mode, and what I maintain is
>>  an irrelevant discussion of other crypto modes.  You claim to not
>>  understand the security difference between sequence numbers used,
>>  optionally, for anti-replay, and unique values used as inputs to a
>>  crypto algorithm.
>
>No, what I don't understand is the contention that the current standards do
>not mandate the uniqueness of the ESP sequence number.
>
>  > The distinction is that the former use is of
>>  secondary security importance, as evidenced by the fact that it is an
>>  optional feature (for the receiver) and that is is outside the
>>  security evaluation boundary under 140-1/2. In contrast. the inputs
>>  for counter mode are security critical values that fall within the
>>  evaluation boundary for 140-1/2.
>
>Sure, but the fact that anti-replay may be of lesser importance than
>confidentiality has no bearing on the fact that RFCs mandate the uniqueness
>of the ESP sequence numbers.
>
>
>  > As is so often the case, the term
>>  "trust" has no relevance here. The ESP sequence number plays a
>>  well-defined role, and reusing it for another purpose is a bad design
>>  approach, from a security standpoint.
>
>Including the ESP sequence number inside the security boundary *increases*
>security.

What the preceding text says is that you really do not understand 
FIPS 140-1/2! The security concerns for ESP sequence number values 
are NOT the same as for crypto inputs such as like IVs.  This is not 
a matter of opinion; it is a clear cut evaluation criteria difference 
under FIPS 140-1/2.  Ask anyone who is familiar with the criteria.

Today, if an IPsec chip manages the sequence number on chip, the 
assurance level is potentially quite high, but this is irrelevant to 
FIPS evaluation, so long as the sequence number is NOT used as an 
input to the crypto function as an IV or equivalent. But, we have 
identified a set of scenarios where it is not feasaible to manage the 
sequence number on  chip, as explained above.  So, the WG suggested, 
over a year ago, that designers to to adopt a strategy that will 
require moving the sequence number off chip, under some 
circumstances. This posed no problem re basic crypto security, UNTIL 
you proposed using this sequence number as an input to counter mode. 
That adversely affects the security boundary and, the assurance for 
products.

>  > With regard to the use of counters for per-packet and intra-packet
>  > inputs to counter mode, your response did not rebut my observation
>>  that the 2-fold difference in adder size was an issue ignore by your
>>  initial claim.
>
>Fine, but that has nothing to do with the point that I was making: the
>performance advantage of a 64-bit LFSR over a 64-bit integer increment
>function is completely negligible when compared to the computational cost of
>the AES-encrypting a packet.  This is an important point because
>draft-ietf-ipsec-ciph-aes-ctr-00.txt uses that performance advantage as a
>false premise in support of an argument as to why an implementer might want
>to use an LFSR rather than counter mode.

The issue here is a subtle one, but the argument in Russ' ID is not 
incorrect, although it may be incomplete. Consider an IPsec device 
optimized for your favorite application, VoIP. Let's say that the 
encrypted payload, including all protocol headers and the ESP trailer 
is always between 16 and 32 bytes. I could design an IPsec device 
using a crypto chip that contains two AES cores. (Many high end 
crypto chips today employ multiple algorithm cores.)  When I receive 
an outbound packet for an SA, I know I will need no more than  32 
bytes of key stream, because of the limited application context for 
which I have optimized the device. I select the key for the SA and I 
generate a new, per-packet IV and use it to create key stream for 
both AES cores, in parallel, with the intra-packet counter values set 
to "0" and "1" (maybe hardwired). Now I can begin to encrypt that 
packet. When I am one ROUND into the encryption process, I am now 
ready to begin encrypting a new packet, perhaps for another SA. So, 
the time to generate the new per-packet IV might be bounded by the 
time to execute one ROUND of AES, rather than by a full, 12-round 
encryption process, as you suggest. This is one example where the 
time for per-packet IV generation might be as critical as the 
intra-packet counter update. I suspect there are others.

>  > You did respond to my observations about the greater flexibility
>  > afforded to a product designer by a per-packet input approach that
>>  allows the sender to choose whatever means of generating the value
>>  that meets the security and performance requirements for a product.
>>  Your response was as assertion that the 8-byte overhead of an
>>  explicit IV is not worth the flexibility. This is a value judgement,
>>  not a technical argument. However, I am annoyed by the way you tend
>>  to couch the argument, i.e., as though this is an extra 8 bytes,
>>  whereas the reality is that the same 8-byte overhead that has been
>>  the default for ESP (in CBC mode) since it became a standard. So the
>>  question is not whether to add 8 bytes, but whether there is a
>>  pressing need to remove 8 bytes.
>
>Yes, reducing the encapsulation overhead of ESP while maintaining security
>is a worthwhile goal, in my opinion.

Your proposal reduces security, in a range of real system 
implementations, in exchange for an 8-byte savings. We still don't 
have a firm percentage overhead we can assign to that 8-byte savings, 
in your favorite case, but we do know that it is tiny in most other 
contexts.

You have argued for a very conservative bound on the number of 
packets that can be encrypted per SA, because you understand the 
potential adverse, theoretical consequences of sending more than 2^64 
blocks, even though you cannot describe an attack that would exploit 
this potential weakness.  On the other hand, experience has shown 
that the vast majority of security failures in deployed crypto 
systems arise not from subtle crypto vulnerabilities of the sort you 
are focusing on, but on system design and implementation 
vulnerabilities. My emphasis on not reusing the ESP sequence number, 
to save 8 bytes, is based on that latter set of concerns and a desire 
to offer an architecture that preserves maximum implementation and 
performance flexibility for developers, while not degrading security 
assurance.

Steve
References:
- RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt
  - From: "David A. Mcgrew" <mcgrew@cisco.com>
Prev by Date: Son of Ike status
Next by Date: RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt
Prev by thread: RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt
Next by thread: RE: draft-ietf-ipsec-ciph-aes-ctr-00.txt
Index(es):
- Date
- Thread