[anonsec] Re: potential new IETF WG on anonymous IPSec (fwd

Joe Touch touch at ISI.EDU
Fri Sep 10 09:03:50 PDT 2004 

Clarifications below...

Eugen Leitl wrote:

>----- Forwarded message from "\"Hal Finney\"" <hal at finney.org> -----
>
>From: hal at finney.org ("Hal Finney")
>Date: Thu,  9 Sep 2004 12:57:29 -0700 (PDT)
>To: cryptography at metzdowd.com, cypherpunks at al-qaeda.net,
>	rah at shipwright.com
>Subject: Re: potential new IETF WG on anonymous IPSec
>
>
>>The IETF has been discussing setting up a working group
>>for anonymous IPSec.  They will have a BOF at the next IETF
>>in DC in November.  They're also setting up a mailing list you
>>might be interested in if you haven't heard about it already.
>>...
>>	http://www.postel.org/anonsec
>
>
>To clarify, this is not really "anonymous" in the usual sense.

It does not authenticate the endpoint's identification, other than "same
place I had been talking to."

There's no difference between having no "name" and having a name you
cannot trust. I.e., I could travel under the name "anonymous" or "", or
under the name "A. Smith". If you don't know whether I am actually A.
Smith, the latter is identical to the former.

>Rather it
>is a proposal to an extension to IPsec to allow for unauthenticated
>connections.

Correction: it is a proposal to extend Internet security - including
Ipsec, but also including TCP-MD5 (sometimes called "BGP MD5") and other
security mechanisms at various layers. It is not focused only on IPsec.

>Presently IPsec relies on either pre-shared secrets or a
>trusted third party CA to authenticate the connection.  The new proposal
>would let connections go forward using a straight Diffie-Hellman type
>exchange without authentication.

This is one option, but not the only one.

>It also proposes less authentication
>of IP message packets, covering smaller subsets, as an option.

There are two aspects:
	- smaller portion of the packet is hashed
	- none of the packet is hashed, but a cookie is used

>The point has nothing to do with anonymity;

The last one, agreed. But the primary assumption is that we can avoid a
lot of infrastructure and impediment to deployment by treating an
ongoing conversation as a reason to trust an endpoint, rather than a
third-party identification. Although anonymous access is not the primary
goal, it is a feature of the solution.

>rather it is an attempt
>to secure against weaknesses in TCP which have begun to be exploited.

Please review the draft; there are a number of reasons this is being
considered, not the least of which is to reduce the cumbersome
requirement of key infrastructure as well as to avoid performance penalties.

>Sequence number guessing attacks are more successful today because of
>increasing bandwidth, and there have been several instances where they
>have caused disruption on the net.  While workarounds are in place, a
>better solution is desirable.

Please be more specific; how would it be better?

>This new effort is Joe Touch's proposal to weaken IPsec so that it uses
>less resources and is easier to deploy.  He calls the weaker version
>AnonSec.  But it is not anonymous, all the parties know the addresses
>of their counterparts.

Address != identity. Agreed, if what you want to do is hide traffic,
this does not provide traffic confidentiality. But it does not tell you
whether the packets come from 128.9.x.x (ISI, e.g.) or from someone
spoofing 128.9.x.x; all you know is that whoever is using that address
is capable of having an ongoing conversation (TCP connection, e.g.) with
you.

I.e., there are two ways to be anonymous, as noted earlier:
	1) don't give out your name (A. Smith, e.g.)
	2) give out a name, but it doesn't necessarily mean anything
	(e.g., Mickey Mouse)

Even if you use "real" names in (2), there's no difference with (1),
since you don't know whether the real Mickey Mouse is using it.

>Rather, it allows for a degree of security on
>connections between communicators who don't share any secrets or CAs.
>I don't think "anonymous" is the right word for this, and I hope the
>IETF comes up with a better one as they go forward.
>
>Hal Finney
>
>---------------------------------------------------------------------
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
>
>----- End forwarded message -----
>
>
>------------------------------------------------------------------------
>
>_______________________________________________



_______________________________________________


----------

-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net



--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

More information about the cypherpunks-legacy mailing list