potential new IETF WG on anonymous IPSec
touch at ISI.EDU
Sat Sep 11 00:00:08 PDT 2004
Bill Stewart wrote:
> At 12:57 PM 9/9/2004, Hal Finney wrote:
>> > http://www.postel.org/anonsec
>> To clarify, this is not really "anonymous" in the usual sense. Rather it
>> is a proposal for an extension to IPsec to allow for unauthenticated
>> connections. Presently IPsec relies on either pre-shared secrets or a
>> trusted third party CA to authenticate the connection. The new proposal
>> would let connections go forward using a straight Diffie-Hellman type
>> exchange without authentication. It also proposes less authentication
>> of IP message packets, covering smaller subsets, as an option.
> I read the draft, and I don't see how it offers any improvement
> over draft-ietf-ipsec-internet-key-00.txt or Gilmore's proposal to use
> "open secret" as a not-very-secret pre-shared secret
> that anybody who wants to can accept.
That is part of the solution, but not all, as noted below.
> It does introduce some lower-horsepower alternatives for
> authenticating less than the entire packet, and suggests
> using AH which I thought was getting rather deprecated these days,
> but another way to reduce horsepower needs is to use AES instead of 3DES.
That is corrected in draft-touch-tcp-antispoof, which contains the BGP
focus of anonsec-00; anonsec-01 (to appear in about 2 weeks) focuses on
just the anonsec portion of 00.
> Also, the author's document discusses protecting BGP to prevent
> some of the recent denial-of-service attacks,
> and asks for confirmation about the assertion in a message
> on the IPSEC mailing list suggesting
> "E.g., it is not feasible for BGP routers to be configured with the
> appropriate certificate authorities of hundreds of thousands of peers".
> Routers typically use BGP to peer with a small number of partners,
> though some big ISP gateway routers might peer with a few hundred.
> (A typical enterprise router would have 2-3 peers if it does BGP.)
> If a router wants to learn full internet routes from its peers,
> it might learn 1-200,000, but that's not the number of direct connections
> that it has - it's information it learns using those connections.
> And the peers don't have to be configured "rapidly without external
> assistance" -
> you typically set up the peering link when you're setting up the
> connection between an ISP and a customer or a pair of ISPs,
> and if you want to use a CA mechanism to certify X.509 certs,
> you can set up that information at the same time.
Thanks for that input; the claim that BGP in core Internet routers
required intractable setup for TCP-MD5 has been refuted by experience
noted during the TCPM WG meeting in San Diego as well. This section of
tcp-antispoof will be updated accordingly.
> Bill Stewart bill.stewart at pobox.com
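The TCP-MD5 per-segment authentication that the thread discusses as the BGP anti-spoofing baseline, worked through as an added example (not part of the original message or of the anonsec draft): RFC 2385 hashes the pseudo-header, the fixed TCP header with its checksum zeroed, the segment data and the shared key, but not the options, which is what lets the option field carry the digest itself. The peer addresses, ports, secret and KEEPALIVE payload are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

TCP_MD5_KIND, TCP_MD5_LEN = 19, 18   # RFC 2385 option kind; kind + length + 16-byte digest
# Constructed sample values (not from the thread): two BGP peers, their secret, a KEEPALIVE.
SRC_IP, DST_IP, KEY = "192.0.2.1", "192.0.2.2", b"example-bgp-secret"
BGP_KEEPALIVE = b"\xff" * 16 + b"\x00\x13\x04"   # 16-byte marker, length 19, type 4

def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """RFC 2385: MD5 over pseudo-header, fixed TCP header with checksum zeroed
    (options excluded), segment data, then the shared key."""
    doff = (segment[12] >> 4) * 4                      # header length incl. options
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"                         # checksum is hashed as zero
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    return hashlib.md5(pseudo + bytes(fixed) + segment[doff:] + key).digest()

def build_segment(src_ip, dst_ip, sport, dport, payload, key, seq=1, ack=0):
    """Sender side: PSH/ACK segment whose MD5 option carries the digest.
    The TCP checksum stays zero here because it is not part of the hash."""
    opts = bytes([TCP_MD5_KIND, TCP_MD5_LEN]) + b"\x00" * 16 + b"\x01\x01"   # two NOPs pad to 4 bytes
    fixed = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                        ((20 + len(opts)) // 4) << 4, 0x18, 65535, 0, 0)
    digest = tcp_md5_digest(src_ip, dst_ip, fixed + opts + payload, key)
    return fixed + opts[:2] + digest + opts[18:] + payload

def find_md5_option(segment):
    """Walk the TCP options; return the 16-byte digest or None if absent/malformed."""
    i, doff = 20, (segment[12] >> 4) * 4
    while i < doff:
        kind = segment[i]
        if kind == 1:                                  # NOP
            i += 1
            continue
        length = segment[i + 1] if kind != 0 and i + 1 < doff else 0
        if length < 2:                                 # EOL or malformed option
            return None
        if kind == TCP_MD5_KIND and length == TCP_MD5_LEN:
            return bytes(segment[i + 2:i + 18])
        i += length
    return None

def verify_segment(src_ip, dst_ip, segment, key):
    """Receiver side: recompute the digest and compare in constant time."""
    received = find_md5_option(segment)
    return received is not None and hmac.compare_digest(
        received, tcp_md5_digest(src_ip, dst_ip, segment, key))
```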