Re: potential new IETF WG on anonymous IPSec
The IETF has been discussing setting up a working group for anonymous IPSec. They will have a BOF at the next IETF in DC in November. They're also setting up a mailing list you might be interested in if you haven't heard about it already. ... http://www.postel.org/anonsec
To clarify, this is not really "anonymous" in the usual sense. Rather it is a proposal to an extension to IPsec to allow for unauthenticated connections. Presently IPsec relies on either pre-shared secrets or a trusted third party CA to authenticate the connection. The new proposal would let connections go forward using a straight Diffie-Hellman type exchange without authentication. It also proposes less authentication of IP message packets, covering smaller subsets, as an option. The point has nothing to do with anonymity; rather it is an attempt to secure against weaknesses in TCP which have begun to be exploited. Sequence number guessing attacks are more successful today because of increasing bandwidth, and there have been several instances where they have caused disruption on the net. While workarounds are in place, a better solution is desirable. This new effort is Joe Touch's proposal to weaken IPsec so that it uses less resources and is easier to deploy. He calls the weaker version AnonSec. But it is not anonymous, all the parties know the addresses of their counterparts. Rather, it allows for a degree of security on connections between communicators who don't share any secrets or CAs. I don't think "anonymous" is the right word for this, and I hope the IETF comes up with a better one as they go forward. Hal Finney
On 2004, Sep 09, , at 16:57, Hal Finney wrote:
To clarify, this is not really "anonymous" in the usual sense. Rather it is a proposal to an extension to IPsec to allow for unauthenticated connections. Presently IPsec relies on either pre-shared secrets or a trusted third party CA to authenticate the connection. The new proposal would let connections go forward using a straight Diffie-Hellman type exchange without authentication. ... I don't think "anonymous" is the right word for this, and I hope the IETF comes up with a better one as they go forward.
I believe that in the context of e-mail [1, 2, 3, 4] and FreeSWAN this is called "opportunistic encryption". Regards, Zooko [1] http://www.templetons.com/brad/crypt.html [2] http://bitconjurer.org/envelope.html [3] http://pps.sourceforge.net/ [4] http://www.advogato.org/article/391.html
At 12:57 PM 9/9/2004, Hal Finney wrote:
To clarify, this is not really "anonymous" in the usual sense. Rather it is a proposal to an extension to IPsec to allow for unauthenticated connections. Presently IPsec relies on either pre-shared secrets or a trusted third party CA to authenticate the connection. The new proposal would let connections go forward using a straight Diffie-Hellman type exchange without authentication. It also proposes less authentication of IP message packets, covering smaller subsets, as an option.
I read the draft, and I don't see how it offers any improvement over draft-ietf-ipsec-internet-key-00.txt or Gilmore's proposal touse "open secret" as a not-very-secret pre-shared secret that anybody who wants to can accept. It does introduce some lower-horsepower alternatives for authenticating less than the entire packet, and suggests using AH which I thought was getting rather deprecated these days, but another way to reduce horsepower needs is to use AES instead of 3DES. Also, the author's document discusses protecting BGP to prevent some of the recent denial-of-service attacks, and asks for confirmation about the assertion in a message on the IPSEC mailing list suggesting "E.g., it is not feasible for BGP routers to be configured with the appropriate certificate authorities of hundreds of thousands of peers". Routers typically use BGP to peer with a small number of partners, though some big ISP gateway routers might peer with a few hundred. (A typical enterprise router would have 2-3 peers if it does BGP.) If a router wants to learn full internet routes from its peers, it might learn 1-200,000, but that's not the number of direct connections that it has - it's information it learns using those connections. And the peers don't have to be configured "rapidly without external assistance" - you typically set up the peering link when you're setting up the connection between an ISP and a customer or a pair of ISPs, and if you want to use a CA mechanism to certify X.509 certs, you can set up that information at the same time. ---- Bill Stewart bill.stewart@pobox.com
Bill Stewart wrote:
At 12:57 PM 9/9/2004, Hal Finney wrote:
To clarify, this is not really "anonymous" in the usual sense. Rather it is a proposal to an extension to IPsec to allow for unauthenticated connections. Presently IPsec relies on either pre-shared secrets or a trusted third party CA to authenticate the connection. The new proposal would let connections go forward using a straight Diffie-Hellman type exchange without authentication. It also proposes less authentication of IP message packets, covering smaller subsets, as an option.
I read the draft, and I don't see how it offers any improvement over draft-ietf-ipsec-internet-key-00.txt or Gilmore's proposal touse "open secret" as a not-very-secret pre-shared secret that anybody who wants to can accept.
That is part of the solution, but not all, as noted below.
It does introduce some lower-horsepower alternatives for authenticating less than the entire packet, and suggests using AH which I thought was getting rather deprecated these days, but another way to reduce horsepower needs is to use AES instead of 3DES.
That is corrected in draft-touch-tcp-antispoof, which contains the BGP focus of anonsec-00; anonsec-01 (to appear in about 2 weeks) focuses on just the anonsec portion of 00.
Also, the author's document discusses protecting BGP to prevent some of the recent denial-of-service attacks, and asks for confirmation about the assertion in a message on the IPSEC mailing list suggesting "E.g., it is not feasible for BGP routers to be configured with the appropriate certificate authorities of hundreds of thousands of peers". Routers typically use BGP to peer with a small number of partners, though some big ISP gateway routers might peer with a few hundred. (A typical enterprise router would have 2-3 peers if it does BGP.) If a router wants to learn full internet routes from its peers, it might learn 1-200,000, but that's not the number of direct connections that it has - it's information it learns using those connections. And the peers don't have to be configured "rapidly without external assistance" - you typically set up the peering link when you're setting up the connection between an ISP and a customer or a pair of ISPs, and if you want to use a CA mechanism to certify X.509 certs, you can set up that information at the same time.
Thanks for that input; the claim that BGP in core Internet routers required intractible setup for TCP-MD5 has been refuted by experience noted during the TCPM WG meeting in San Diego as well. This section of tcp-antispoof will be updated accordingly. Joe
---- Bill Stewart bill.stewart@pobox.com
[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Bill Stewart wrote:
Also, the author's document discusses protecting BGP to prevent some of the recent denial-of-service attacks, and asks for confirmation about the assertion in a message on the IPSEC mailing list suggesting "E.g., it is not feasible for BGP routers to be configured with the appropriate certificate authorities of hundreds of thousands of peers". Routers typically use BGP to peer with a small number of partners, though some big ISP gateway routers might peer with a few hundred. (A typical enterprise router would have 2-3 peers if it does BGP.) If a router wants to learn full internet routes from its peers, it might learn 1-200,000, but that's not the number of direct connections that it has - it's information it learns using those connections. And the peers don't have to be configured "rapidly without external assistance" - you typically set up the peering link when you're setting up the connection between an ISP and a customer or a pair of ISPs, and if you want to use a CA mechanism to certify X.509 certs, you can set up that information at the same time.
On the backbone, between BGP peers, one would have thought that there are relatively few attackers, as the staff are highly trusted and the wires are hard to access - hence no active attacks going on and only some passive eavesdropping attacks. Also, anyone setting up BGP routing knows the other party, so there is a prior relationship. The whole point of the CA model is that there is no prior relationship and that the network is a wild wild west sort of place - both of these assumptions seem to be reversed in the backbone world, no? So one would think that using opportunistic cryptography would be ideal for the BGP world? iang
On Wed, 15 Sep 2004, Ian Grigg wrote:
The whole point of the CA model is that there is no prior relationship and that the network is a wild wild west sort of place - both of these assumptions seem to be reversed in the backbone world, no? So one would think that using opportunistic cryptography would be ideal for the BGP world?
If I remember correctly, the TCP MD5 option field was designed for securing BGP traffic, using the shared secret approach. I was also thinking about "borrowing" this feature for things like announcement of additional features, eg. the possibility of opportunistic encryption, in eg. the TCP/SYNACK packets. There's space for 16 bytes of magic numbers.
Ian Grigg wrote:
Bill Stewart wrote:
Also, the author's document discusses protecting BGP to prevent some of the recent denial-of-service attacks, and asks for confirmation about the assertion in a message on the IPSEC mailing list suggesting "E.g., it is not feasible for BGP routers to be configured with the appropriate certificate authorities of hundreds of thousands of peers". Routers typically use BGP to peer with a small number of partners, though some big ISP gateway routers might peer with a few hundred. (A typical enterprise router would have 2-3 peers if it does BGP.) If a router wants to learn full internet routes from its peers, it might learn 1-200,000, but that's not the number of direct connections that it has - it's information it learns using those connections. And the peers don't have to be configured "rapidly without external assistance" - you typically set up the peering link when you're setting up the connection between an ISP and a customer or a pair of ISPs, and if you want to use a CA mechanism to certify X.509 certs, you can set up that information at the same time.
On the backbone, between BGP peers, one would have thought that there are relatively few attackers, as the staff are highly trusted and the wires are hard to access - hence no active attacks going on and only some passive eavesdropping attacks. Also, anyone setting up BGP routing knows the other party, so there is a prior relationship.
My understanding of the attacks this past spring is that: a) they were indeed on the backbone BGP peers b) that those peers had avoided setting up preshared keys or getting mutually-authenticatable certificates because of the configuration overhead (small on a per-pair basis, but may be large in aggregate) While inspired by this issue, there may be other solutions (e.g., IMO IPsec) which are more appropriate for BGP peers.
The whole point of the CA model is that there is no prior relationship and that the network is a wild wild west sort of place
Except that certs need to be signed by authorities that are trusted.
- both of these assumptions seem to be reversed in the backbone world, no? So one would think that using opportunistic cryptography would be ideal for the BGP world?
iang
I wouldn't think that the encryption need be opportunistic; in the BGP backbone world, as you noted, peers are known a-priori, and should have certs that could be signed by well-known, trusted CAs. Joe [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
At 02:17 PM 9/16/2004, Joe Touch wrote:
Ian Grigg wrote:
On the backbone, between BGP peers, one would have thought that there are relatively few attackers, as the staff are highly trusted and the wires are hard to access - hence no active attacks going on and only some passive eavesdropping attacks. Also, anyone setting up BGP routing knows the other party, so there is a prior relationship.
My understanding of the attacks this past spring is that: a) they were indeed on the backbone BGP peers b) that those peers had avoided setting up preshared keys or getting mutually-authenticatable certificates because of the configuration overhead (small on a per-pair basis, but may be large in aggregate)
The interesting attacks were a sequence-number guessing attack using forged TCP RST packets, which tell the TCP session to tear down, therefore dropping the BGP connection (typically between two ISPs). The attackers didn't need to be trusted backbone routers - they could be randoms anywhere on the Internet. BGP authentication doesn't actually help this problem, because the attack simply kills the connection at a TCP layer rather than lying to the BGP application. A simple way to avoid most of this problem is to filter packets at the edges so that customer connections can't send IP (or ICMP, while you're at it) packets to the core addresses on the routers that do the BGP signalling. (It's not a complete solution, because both ends of the connection need to so that, or need to do spoof-proofing so nobody can forge packets from those addresses, or both.) Customers can still send packets to the ISP edge routers supporting their own connections, but killing your own internet connection is much less entertaining than killing somebody else's, and if the customer is managing their own router, their users probably have an easier time killing that end of the connection than convincing the ISP's end to drop the connection. (One downside to this approach is that customers can't simply ping routers to get information about paths, latencies, capacities, etc., but that's not necessarily a bad thing. Also, you can set things up so they can traceroute to the far end of a connection and still get traceroute responses from the intermediate routers.)
While inspired by this issue, there may be other solutions (e.g., IMO IPsec) which are more appropriate for BGP peers. ... I wouldn't think that the encryption need be opportunistic; in the BGP backbone world, as you noted, peers are known a-priori, and should have certs that could be signed by well-known, trusted CAs.
I agree with Joe. You can fix most of the problems using ACLs, but IPSEC does have some appeal to it. You don't even need CAs - pre-shared secrets are perfectly adequate, but if you want to use a CA-based IPSEC implementation for convenience, you can agree on what CA to use when you're agreeing on other parameters. ---- Bill Stewart bill.stewart@pobox.com
Bill Stewart wrote:
At 02:17 PM 9/16/2004, Joe Touch wrote:
Ian Grigg wrote:
On the backbone, between BGP peers, one would have thought that there are relatively few attackers, as the staff are highly trusted and the wires are hard to access - hence no active attacks going on and only some passive eavesdropping attacks. Also, anyone setting up BGP routing knows the other party, so there is a prior relationship.
My understanding of the attacks this past spring is that: a) they were indeed on the backbone BGP peers b) that those peers had avoided setting up preshared keys or getting mutually-authenticatable certificates because of the configuration overhead (small on a per-pair basis, but may be large in aggregate)
The interesting attacks were a sequence-number guessing attack using forged TCP RST packets, which tell the TCP session to tear down, therefore dropping the BGP connection (typically between two ISPs). The attackers didn't need to be trusted backbone routers - they could be randoms anywhere on the Internet. BGP authentication doesn't actually help this problem, because the attack simply kills the connection at a TCP layer rather than lying to the BGP application.
FWIW, the other system we were referring to - TCP-MD5 - works at the TCP layer. It rejects packets within TCP, before any further TCP processing, that don't match the MD5 hash. It isn't BGP authentication. This is why I refer to it as TCP-MD5 rather than BGP-MD5, even though the latter is more common. Joe [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Joe Touch wrote:
Ian Grigg wrote:
On the backbone, between BGP peers, one would have thought that there are relatively few attackers, as the staff are highly trusted and the wires are hard to access - hence no active attacks going on and only some passive eavesdropping attacks. Also, anyone setting up BGP routing knows the other party, so there is a prior relationship.
My understanding of the attacks this past spring is that: a) they were indeed on the backbone BGP peers b) that those peers had avoided setting up preshared keys or getting mutually-authenticatable certificates because of the configuration overhead (small on a per-pair basis, but may be large in aggregate)
While inspired by this issue, there may be other solutions (e.g., IMO IPsec) which are more appropriate for BGP peers.
Thanks for the clarification. Re-reading (all) of the above, I noticed that these are DOS attacks. (That changes things - crypto protocols don't really a priori stop or defeat DOS attacks. They can help, or they may not, it all depends.) It's then important to examine the threat here. Who is the attacker and what motives and tools does he have available? It would be annoying to do all the work, only to discover that he has other tools that are just as easy... (This is called what's-your-threat-model, sometimes abbreviated to WYTM?)
The whole point of the CA model is that there is no prior relationship and that the network is a wild wild west sort of place
Except that certs need to be signed by authorities that are trusted.
Right, in that the CA model seeks to add trust to the wild wild west by the provision of these signed / trusted certs. Whether it achieves that depends on the details. It is not wise to just assume it succeeds because someone said so.
- both of these assumptions seem to be reversed in the backbone world, no? So one would think that using opportunistic cryptography would be ideal for the BGP world?
iang
I wouldn't think that the encryption need be opportunistic; in the BGP backbone world, as you noted, peers are known a-priori, and should have certs that could be signed by well-known, trusted CAs.
Let's see if I can make these assumptions clearer, because I still perceive that CAs have no place in BGP, and you seem to be assuming that they do. In the world of PKIs, there are some big assumptions. Here's two of them: Alice and Bob don't know each other, and don't necessarily trust each other. There exists a central stable party that *both* Alice and Bob know better than each other and can be trusted to pass the trust on. Known as a trusted third party, TTP, or a certificate authority, CA, in particular. This situation exists in large companies for example - the company knows Alice and Bob better than they may know each other. (In theory.) Now, whether it exists in any real world depends on which world pertains. In the world of browsing, it is .. assumed to exist, but that can be challenged. In the world of email, it pretty clearly doesn't exist - almost all (desired) email is done between known parties, and the two parties generally have much better ways of establishing and bootstrapping a crypto relationship than asking for some centralised party to do it. (Hence, the relative success of PGP over S/MIME.) Ditto for the world of secure systems administration (SSH). When we come to BGP, it seems that BGP routing parties have a very high level of trust between them. And this trust is likely to exceed by orders of magnitude any trust that a third party could generate. Hence, adding certs signed by this TTP (well known CA or not) is unlikely to add anything, and will thus likely add costs for no benefit. If anyone tried to impose a TTP for this purpose, I'd suspect the BGP admins would ignore it. Another way of thinking about it is to ask who would the two BGP operators trust more than each other? In such a world, a CA-signed certificate is an encumberance only, and seems to be matched by comments in the AnonSec draft that they are unlikely to be deployed. iang PS: on the general issue of doing what you call anonSec, I'd say, fantastic, definately overdue, could save IPSec from an embarrassingly slow adoption! I do concur with all the other posts about how "anon" is the wrong word, but I'd say that getting the right term is not so important as doing the work! On the point of what the right word is, that depends on the technique chosen. I haven't got that far in the draft as yet.
Ian Grigg wrote: ...
I wouldn't think that the encryption need be opportunistic; in the BGP backbone world, as you noted, peers are known a-priori, and should have certs that could be signed by well-known, trusted CAs.
Let's see if I can make these assumptions clearer, because I still perceive that CAs have no place in BGP, and you seem to be assuming that they do.
I should have said "could have certs". BGP could use shared secrets or CAs; it may be the case that anonymous security (as at least I call it) doesn't map well to BGP, in which you usually know who you want to trust. It may still help, though - e.g., in the case of the recent TCP RST attacks, it would have. The rest of your note focuses on the difference between two-party trust and trust using a shared third party. The former degenerates to the latter where I sign your cert, though ;-) I agree that for BGP the two-party case is probably more relevant, though there some BGP peerings are based on trust relationships of sets of parties that can - or already do - have trusted third-party coordination outside BGP. Joe [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
At 04:05 PM 9/16/2004, Joe Touch wrote:
FWIW, the other system we were referring to - TCP-MD5 - works at the TCP layer. It rejects packets within TCP, before any further TCP processing, that don't match the MD5 hash. It isn't BGP authentication.
Oh - I'd misunderstood. Yes, that sounds much harder to forge, so it's actually useful for DOS reduction. At 03:27 AM 9/17/2004, Ian Grigg wrote:
I wouldn't think that the encryption need be opportunistic; in the BGP backbone world, as you noted, peers are known a-priori, and should have certs that could be signed by well-known, trusted CAs.
Let's see if I can make these assumptions clearer, because I still perceive that CAs have no place in BGP, and you seem to be assuming that they do. ... When we come to BGP, it seems that BGP routing parties have a very high level of trust between them. And this trust is likely to exceed by orders of magnitude any trust that a third party could generate. Hence, adding certs signed by this TTP (well known CA or not) is unlikely to add anything, and will thus likely add costs for no benefit.
If anyone tried to impose a TTP for this purpose, I'd suspect the BGP admins would ignore it. Another way of thinking about it is to ask who would the two BGP operators trust more than each other?
There are two reasons to use the CA. One is if the parties don't know each other (not a problem here), but the other is so the VPN receiver has some external validation on the data it receives, making MITM attacks harder. For applications like BGP, you don't care if the CA is Dun & Bradstreet or if it's just Alice's own CA, because it's really functioning as a shared secret but the commodity VPN hardware wants an X.509 cert for MITM protection. ---- Bill Stewart bill.stewart@pobox.com
participants (6)
-
Bill Stewart -
hal@finney.org -
Ian Grigg -
Joe Touch -
Thomas Shaddack -
Zooko O'Whielcronx