
Re: Notes about identifier - locator separator



Ran,

Pekka Nikander wrote:
The key here is state.  If the middle box or the receiver
has state (e.g. a cryptographic key or a communication context),
it can check that the arriving packet indeed contains or
implies a known long lasting identifier, and act accordingly.
However, parties that do not have that state cannot find
out the long lasting identifiers.
> On Sunday, Nov 3, 2002, at 08:26 America/Montreal, Masataka Ohta wrote:
For a receiver to retrieve an appropriate cryptographic key or
a communication context for a packet, a long lasting ID in clear
text, as an index to the long lasting database of key or context,
must be carried by the packet.
RJ Atkinson wrote:
SPIs in ESP/AH are examples of IDs contained in a packet used
as an index to the Security Association state.  SPIs are not
normally long-lasting -- typically only valid for the lifetime
of the SA (plus epsilon).  Any sane key management strategy
involves changing *session* keys *at least* every 24 hours,
even for very strong cryptographic algorithms.

With all respect, I think that the situation is slightly
more subtle.  Let me make a usual Alice and Bob style
example.

 1. If Alice and Bob have never communicated before
    (and don't have a mutual reference point), the
    ID Alice sends to Bob does not carry any information.

    Summary: a fresh ID carries no information.

    Thus, Alice can choose the ID freely, with the
    assumption that Bob will associate some state
    with the ID.  OTOH, the ID must somehow be communicated,
    and it will be vulnerable to disclosure, even if
    unauthenticated D-H is used.

 2. If Alice and Bob have communicated before, Alice
    has to send the same ID to Bob so that he can retrieve
    the aforementioned state.  For privacy reasons she
    does not want to send it in clear text.  If she has
    recorded Bob's PK the issue is trivial, of course, but
    let's pretend for a while that PK crypto does not exist
    (Ohta-san does not believe in PK.)

    Now, if Bob knows Alice only by this long lasting ID and
    does not have any short term state with Alice, Alice
    basically MUST communicate the ID to Bob so that Bob can
    retrieve the state.  As far as I understand, that is
    what Ohta-san says.

    OTOH, he is obviously wrong in stating that the ID must
    be sent in clear text, even in the absence of PK crypto.
    There are other means, as you well know.

    Summary: An ID must be communicated if one wants to
    refer to it, but it does not need to be communicated
    in clear.

--Pekka
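
An added example, not part of the original message and not necessarily the means its author had in mind: one symmetric-only way to refer to a long-lasting ID without sending it in clear. It assumes Alice and Bob kept a shared secret key from their first contact and that Bob stores a per-peer counter; `pseudonym`, `Receiver`, `Sender`, `WINDOW` and the sample key are hypothetical names and constructed values.

```python
import hashlib
import hmac

WINDOW = 3  # assumed tolerance: how many lost packets Bob can skip over

def pseudonym(key: bytes, counter: int) -> bytes:
    """One-time wire identifier for contact number `counter`."""
    msg = b"id-pseudonym" + counter.to_bytes(8, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]

class Receiver:
    """Bob: indexes long-lasting state by the pseudonyms he expects next."""
    def __init__(self):
        self.keys = {}   # long-lasting ID -> shared key
        self.index = {}  # expected pseudonym -> (long-lasting ID, counter)

    def _register(self, long_id, start):
        # Drop this peer's old pseudonyms, then precompute the next window.
        self.index = {p: v for p, v in self.index.items() if v[0] != long_id}
        for c in range(start, start + WINDOW):
            self.index[pseudonym(self.keys[long_id], c)] = (long_id, c)

    def enroll(self, long_id, key):
        self.keys[long_id] = key
        self._register(long_id, 0)

    def receive(self, value):
        """Return the long-lasting ID the packet implies, or None."""
        hit = self.index.get(value)
        if hit is None:
            return None  # unknown peer, replayed value, or too far ahead
        long_id, counter = hit
        self._register(long_id, counter + 1)  # used values never match again
        return long_id

class Sender:
    """Alice: emits a fresh pseudonym per contact, never the ID itself."""
    def __init__(self, key):
        self.key, self.counter = key, 0

    def next_id(self):
        value = pseudonym(self.key, self.counter)
        self.counter += 1
        return value

def demo():
    key = bytes(range(32))  # constructed sample key
    bob, alice = Receiver(), Sender(key)
    bob.enroll("alice-long-lasting-id", key)
    first = alice.next_id()
    alice.next_id()          # this packet is lost in transit
    third = alice.next_id()
    return [bob.receive(first), bob.receive(first), bob.receive(third), first != third]
```

An observer without the key sees a different 16-byte value on each contact and cannot link them, while Bob resolves each one to the same stored state with a single table lookup.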