headers
Russ Housley | 18 Sep 2006 19:42

KeyProv BoF has been Requested

The Security Area Directors have received a request for a BOF at IETF 
67 on  the Provisioning of Symmetric Keys (KEYPROV). The members of 
the KEYPROV mailing list have proposed a WG charter in response to 
feedback received at an informal meeting at IETF 66.

BOF name: Provisioning of Symmetric Keys (KEYPROV)
Area: Security Area
BOF Chair Names:
      	Phillip Hallam-Baker <pbaker <at> verisign.com>(VeriSign)
	Shuh Chang <shuh.chang <at> gemalto.com> (GemAlto)
Mailing list: ietf-keyprov at safehaus.org

Please join the mail list if this topic is of interest to you.

Russ

-------- Proposed Charter --------

Provisioning of Symmetric Keys (KEYPROV)

Background

Current developments in inter-domain One Time Password (OTP) token 
and inter-domain use of Kerberos have highlighted the need for a 
standard protocol for provisioning symmetric keys.

The need for provisioning protocols in PKI architectures has been 
recognized for some time. Although the existence and architecture of 
these protocols provides a feasibility proof for the KEYPROV work 
assumptions built into these protocol mean that it is not possible to
(Continue reading)

Permalink | Reply | 0 comments |
headers
Russ Housley | 22 Sep 2006 20:56

Call for Participation: KeyProv BoF

I have just approved the KeyProv BOF for the San Diego IETF meeting.

Again, if you are interested in this topic, please join the mail list.

Russ

>Date: Mon, 18 Sep 2006 13:42:05 -0400
>To: saag <at> mit.edu
>From: Russ Housley <housley <at> vigilsec.com>
>Subject: KeyProv BoF has been Requested
>
>The Security Area Directors have received a request for a BOF at 
>IETF 67 on  the Provisioning of Symmetric Keys (KEYPROV). The 
>members of the KEYPROV mailing list have proposed a WG charter in 
>response to feedback received at an informal meeting at IETF 66.
>
>BOF name: Provisioning of Symmetric Keys (KEYPROV)
>Area: Security Area
>BOF Chair Names:
>         Phillip Hallam-Baker <pbaker <at> verisign.com>(VeriSign)
>         Shuh Chang <shuh.chang <at> gemalto.com> (GemAlto)
>Mailing list: ietf-keyprov at safehaus.org
>
>Please join the mail list if this topic is of interest to you.
>
>Russ
>
>
>-------- Proposed Charter --------
>
(Continue reading)

Permalink | Reply | 0 comments |
headers
Magnus Nyström | 25 Sep 2006 14:19

Draft amendment to PKCS #5 v2.0 for XMLDsig and XMLEnc

Dear All,

I just wanted to inform the SAAG about the existence of this draft 
amendment, available from:

http://www.rsasecurity.com/rsalabs/node.asp?id=2127

and solicit feedback on the proposal - feedback would preferably sent to 
the pkcs-editor <at> rsasecurity.com or to the pkcs-tng mailing list 
(pkcs-tng <at> rsasecurity.com).

The intent with this amendment is as follows:

PKCS #5 Version 2.0 defines a number of functions and schemes related to 
password-based cryptography. To make use of these constructs in an 
interoperable manner, PKCS #5 v2.0 provides an ASN.1 module containing 
object identifiers identifying the defined algorithms and ASN.1 type 
definitions for their parameters. This enables the exchange of PKCS 
#5-derived data in ASN.1-oriented environments. What's been missing is an 
XML schema for these constructs, enabling use of PKCS #5 in XML-oriented 
environments. An example of this is when XML encryption is used to protect 
data and keys that protect the data are derived from pass-phrases. This 
amendment tries to bridge this gap.

Regards,
-- Magnus
Permalink | Reply | 0 comments |
headers
Russ Housley | 28 Sep 2006 20:50

Fwd: Reminder: security activity proposal

Some people on this list may be interested ...

Resent-From: public-usable-authentication <at> w3.org
From: Thomas Roessler <tlr <at> w3.org>
Date: September 28, 2006 12:56:32 AM PDT
To: public-usable-authentication <at> w3.org
Subject: Reminder: security activity proposal

Hello,

this is a quick reminder that the security activity proposal (i.e.,
the formal stuff around the proposed Web Security Context WG [1]) is
up for AC review through 6 October.

Those of you who want to participate in this work and haven't talked
to their W3C AC reps, yet, should do so soon; I'm very happy to help
find the relevant contact information if needed.

If you do not have an AC representative, yet, and want to
participate, pleae contact me off-list.

1. http://www.w3.org/2005/Security/wsc-charter

Thanks,
--
Thomas Roessler, W3C   <tlr <at> w3.org>

<div>
Some people on this list may be interested ...<br><br><blockquote type="cite" class="cite" cite="">
Resent-From:
<a href="mailto:public-usable-authentication <at> w3.org">
public-usable-authentication <at> w3.org</a><br>From: Thomas Roessler
&lt;<a href="mailto:tlr <at> w3.org">tlr <at> w3.org</a>&gt;<br>Date: September 28, 2006 12:56:32 AM PDT<br>To:
<a href="mailto:public-usable-authentication <at> w3.org">
public-usable-authentication <at> w3.org</a><br>Subject: Reminder: security activity proposal<br><br>
Hello,<br><br>
this is a quick reminder that the security activity proposal (i.e.,<br>
the formal stuff around the proposed Web Security Context WG [1]) is<br>
up for AC review through 6 October.<br><br>
Those of you who want to participate in this work and haven't talked<br>
to their W3C AC reps, yet, should do so soon; I'm very happy to help<br>
find the relevant contact information if needed.<br><br>
If you do not have an AC representative, yet, and want to<br>
participate, pleae contact me off-list.<br><br>
1.
<a href="http://www.w3.org/2005/Security/wsc-charter">
http://www.w3.org/2005/Security/wsc-charter</a><br><br>
Thanks,<br>
-- <br>
Thomas Roessler, W3C&nbsp;&nbsp;
&lt;<a href="mailto:tlr <at> w3.org">tlr <at> w3.org</a>&gt;<br>
</blockquote>
<br>
</div>
Permalink | Reply | 0 comments |
headers
Sam Hartman | 29 Sep 2006 20:33
Picon
Favicon

tsvwg, preemption and rsvp: exposing characteristics of confidential traffic


There are two RSVP drafts before the IESG or in last call that affect
the security community.

The first is draft-ietf-tsvwg-rsvp-ipsec and the second is
draft-ietf-tsvwg-vpn-signal-preemption.

These drafts set up a model under which each precedence class of data
from a preemption standpoint goes over its own SA and uses its own
aggregate RSVP reservation.  What that means is you expose on the
unprotected side of the interface what fraction of your traffic is at
each precedence level.

First question: Is this new or something we have signed onto in the
past?

Obviously, it is sometimes desirable to set things up this way.
However if this is new, are we happy with this being a requirement?
Are there situations where the distribution of traffic precedences is
sufficiently sensitive that we'd rather make ugly tradeoffs than
expose it?

I'd appreciate your input on these questions and any comments you have
on the two drafts.

Thanks,

Sam Hartman
Security Area Director
Permalink | Reply | 0 comments |
headers
Bill Sommerfeld | 29 Sep 2006 20:46
Picon

Re: [saag] tsvwg, preemption and rsvp: exposing characteristics of confidential traffic

On Fri, 2006-09-29 at 14:33 -0400, Sam Hartman wrote:
> These drafts set up a model under which each precedence class of data
> from a preemption standpoint goes over its own SA and uses its own
> aggregate RSVP reservation.  What that means is you expose on the
> unprotected side of the interface what fraction of your traffic is at
> each precedence level.
> 
> First question: Is this new or something we have signed onto in the
> past?

it's something we've signed on to in the past in the context of
diffserv; the architecture is such that the actual
preemption/priority/etc mechanism is almost completely opaque to IPsec.

See rfc4301, halfway into section 4.1 (starting near the bottom of page
13):

   If different classes of traffic (distinguished by Differentiated
   Services Code Point (DSCP) bits [NiBlBaBL98], [Gro02]) are sent on
   the same SA, and if the receiver is employing the optional
   anti-replay feature available in both AH and ESP, this could result
   in inappropriate discarding of lower priority packets due to the
   windowing mechanism used by this feature.  Therefore, a sender SHOULD
   put traffic of different classes, but with the same selector values,
   on different SAs to support Quality of Service (QoS) appropriately.
   To permit this, the IPsec implementation MUST permit establishment
   and maintenance of multiple SAs between a given sender and receiver,
   with the same selectors.  Distribution of traffic among these
   parallel SAs to support QoS is locally determined by the sender and
   is not negotiated by IKE.  The receiver MUST process the packets from
   the different SAs without prejudice.  These requirements apply to
   both transport and tunnel mode SAs.  In the case of tunnel mode SAs,
   the DSCP values in question appear in the inner IP header.  In
   transport mode, the DSCP value might change en route, but this should
   not cause problems with respect to IPsec processing since the value
   is not employed for SA selection and MUST NOT be checked as part of
   SA/packet validation.  However, if significant re-ordering of packets
   occurs in an SA, e.g., as a result of changes to DSCP values en
   route, this may trigger packet discarding by a receiver due to
   application of the anti-replay mechanism.

seems obvious to extend this to rsvp or any other scheme which involves
intentional packet reordering by the network.
Permalink | Reply | 0 comments |
headers
Sam Hartman | 29 Sep 2006 21:09
Picon
Favicon

Re: tsvwg, preemption and rsvp: exposing characteristics of confidential traffic

>>>>> "Bill" == Bill Sommerfeld <sommerfeld <at> sun.com> writes:

    Bill> On Fri, 2006-09-29 at 14:33 -0400, Sam Hartman wrote:
    >> These drafts set up a model under which each precedence class
    >> of data from a preemption standpoint goes over its own SA and
    >> uses its own aggregate RSVP reservation.  What that means is
    >> you expose on the unprotected side of the interface what
    >> fraction of your traffic is at each precedence level.
    >> 
    >> First question: Is this new or something we have signed onto in
    >> the past?

    Bill> it's something we've signed on to in the past in the context
    Bill> of diffserv; the architecture is such that the actual
    Bill> preemption/priority/etc mechanism is almost completely
    Bill> opaque to IPsec.

I was aware of the text you cite below, but:

    Bill> See rfc4301, halfway into section 4.1 (starting near the
    Bill> bottom of page 13):

    Bill>    If different classes of traffic (distinguished by
    Bill> Differentiated Services Code Point (DSCP) bits [NiBlBaBL98],
    Bill> [Gro02]) are sent on the same SA, and if the receiver is
    Bill> employing the optional anti-replay feature available in both
    Bill> AH and ESP, this could result in inappropriate discarding of
    Bill> lower priority packets due to the windowing mechanism used
    Bill> by this feature.  Therefore, a sender SHOULD put traffic of
    Bill> different classes, but with the same selector values, on
    Bill> different SAs to support Quality of Service (QoS)
    Bill> appropriately.  To permit this, the IPsec implementation
    Bill> MUST permit establishment and maintenance of multiple SAs
    Bill> between a given sender and receiver, with the same
    Bill> selectors.  Distribution of traffic among these parallel SAs
    Bill> to support QoS is locally determined by the sender and is
    Bill> not negotiated by IKE.  The receiver MUST process the
    Bill> packets from the different SAs without prejudice.  These
    Bill> requirements apply to both transport and tunnel mode SAs.
    Bill> In the case of tunnel mode SAs, the DSCP values in question
    Bill> appear in the inner IP header.  In transport mode, the DSCP
    Bill> value might change en route, but this should not cause
    Bill> problems with respect to IPsec processing since the value is
    Bill> not employed for SA selection and MUST NOT be checked as
    Bill> part of SA/packet validation.  However, if significant
    Bill> re-ordering of packets occurs in an SA, e.g., as a result of
    Bill> changes to DSCP values en route, this may trigger packet
    Bill> discarding by a receiver due to application of the
    Bill> anti-replay mechanism.

That says sender SHOULD and the implementation MUST support, which
means we've signed onto it as an option, not as a requirement.

--Sam
Permalink | Reply | 0 comments |
headers
Black_David | 30 Sep 2006 00:01

Re: tsvwg, preemption and rsvp: exposing characteristics of confidentialtraffic

Sam,

The terminology in this space is confusing, and used in different
ways in different documents, so let's stick to this clarification
from Section 1 of the VPN Signaled Preemption draft:

   For the purposes of the
   present discussion, "priority" is a set of algorithms applied to
   datagrams, where "precedence" is a policy attribute of sessions.

In other words, "priority" is about traffic handling (e.g., Diffserv)
whereas "precedence" is about admission control.  Despite this, the
VPN Signaled Preemption draft then proceeds to use "Priority" (NB:
first letter capitalized) for things that are actually "precedence".
For example, in Section 1.3:

   Preemption of a reservation is specified in the context,
   in [RFC3181] which in essence specifies that a reservation installed
   in the network using an Preemption Priority and retained using a
   separate Defending Priority may be removed by the network via an RESV
   Error signal that removes the entire reservation.

That's an unfortunate source of confusion.  I would strongly encourage
the authors to clean this up, particularly their unfortunate use of
'"priority"' as a precedence level in Sections 2.3.3 and 2.3.4 (example
quoted below in this message).

In order to avoid further confusion, I will use the phrase "Diffserv
priority" to refer to priority for datagram traffic handling.

Nonetheless, on your concern:

> These drafts set up a model under which each precedence class of data
> from a preemption standpoint goes over its own SA and uses its own
> aggregate RSVP reservation.  What that means is you expose on the
> unprotected side of the interface what fraction of your traffic is at
> each precedence level.

Actually, only the vpn-signaled-preemption draft appears to do this.

The rsvp-ipsec draft allows multiple reservations between the same
endpoints for the same DSCP, which would allow such traffic to use
different tunnels but if it requires traffic for different
reservations to use different tunnels, I was not able to find
a statement of that requirement.

OTOH, the vpn-signaled-preemption draft is quite clear that different
precedence levels for the same DSCP result in different IPsec tunnels.
Section 2.3.3 says:

   Due to
   the mechanics of preemption, however, this would not expand the
   existing "routine" reservations in the interface and inner domains,
   as doing this causes loss of information - how much of the
   reservation is now "routine" and how much is "priority"?  Rather,
   this new reservation will open up a separate set of tunnels or
   security associations for traffic of its application class at its
   precedence between that aggregator and deaggregator.

Here, "priority" is being used in its "Priority" sense as a level of
precedence.  The concern I have here is that the second sentence quoted
above does not immediately follow from the first - there's a missing
logical step in asserting that if the aggregate traffic for a DSCP
(single Diffserv priority level) exceeds the reserved and/or available
capacity then the policing of that traffic to the appropriate limit
MUST respect precedence (i.e., delay/drop/shape "routine" traffic before
"priority" traffic).  That requirement should be asserted and defended
in the vpn-signaled-preemption draft, because it is what leads to
your concern.  Meeting that requirement in general requires segregation
of traffic at each precedence level within a single Diffserv priority,
and because the reservation identity is not marked on the datagrams,
separate IPsec tunnels are needed to do this, thus making precedence
distinctions within a Diffserv priority visible to traffic analysis
between the VPN routers.

At least, that's what I think is going on (the confusing use of the
'priority' word doesn't help).  I've added Fred Baker and Francois
LeFaucheur to the cc: line so that they can correct anything
I've gotten wrong.  If my above explanation is correct, I can answer
your first question:

> First question: Is this new or something we have signed onto
> in the past?

I'm the author of RFC 2983, the initial source of the concepts
in the RFC 4301 text that Bill Sommerfeld quoted, and I was involved
in making sure that RFC 4301 covered that issue.  IMHO, from a Diffserv
and IPsec standpoint, I believe this is new and (as stated above), I
think the vpn-signaled-preemption draft should state and defend this
precedence-aware-traffic-conditioning requirement.  That discussion
could then be expanded to cover your second question:

> Obviously, it is sometimes desirable to set things up this way.
> However if this is new, are we happy with this being a requirement?
> Are there situations where the distribution of traffic precedences is
> sufficiently sensitive that we'd rather make ugly tradeoffs than
> expose it?

I share your concern about this being a requirement.

Thanks,
--David
----------------------------------------------------
David L. Black, Senior Technologist
EMC Corporation, 176 South St., Hopkinton, MA  01748
+1 (508) 293-7953             FAX: +1 (508) 293-7786
black_david <at> emc.com        Mobile: +1 (978) 394-7754
----------------------------------------------------

> -----Original Message-----
> From: saag-bounces <at> MIT.EDU [mailto:saag-bounces <at> MIT.EDU] On 
> Behalf Of Sam Hartman
> Sent: Friday, September 29, 2006 2:34 PM
> To: saag <at> MIT.EDU; ipsec <at> ietf.org
> Cc: tsvwg-chairs <at> tools.ietf.org
> Subject: [saag] tsvwg,preemption and rsvp: exposing 
> characteristics of confidentialtraffic
> 
> 
> 
> 
> 
> There are two RSVP drafts before the IESG or in last call that affect
> the security community.
> 
> 
> The first is draft-ietf-tsvwg-rsvp-ipsec and the second is
> draft-ietf-tsvwg-vpn-signal-preemption.
> 
> 
> These drafts set up a model under which each precedence class of data
> from a preemption standpoint goes over its own SA and uses its own
> aggregate RSVP reservation.  What that means is you expose on the
> unprotected side of the interface what fraction of your traffic is at
> each precedence level.
> 
> First question: Is this new or something we have signed onto in the
> past?
> 
> Obviously, it is sometimes desirable to set things up this way.
> However if this is new, are we happy with this being a requirement?
> Are there situations where the distribution of traffic precedences is
> sufficiently sensitive that we'd rather make ugly tradeoffs than
> expose it?
> 
> 
> I'd appreciate your input on these questions and any comments you have
> on the two drafts.
> 
> Thanks,
> 
> Sam Hartman
> Security Area Director
> 
> 
> _______________________________________________
> saag mailing list
> saag <at> mit.edu
> http://mailman.mit.edu/mailman/listinfo/saag
>
Permalink | Reply | 0 comments |
headers
Black_David | 30 Sep 2006 01:22

Re: tsvwg, preemption and rsvp: exposing characteristics of confidentialtraffic

Fred,

This looks like a good approach.

Please check the rest of the draft for more "residual verbiage
about tunnels", as there's also potentially problematic text in at
least Sections 2.1 and 2.3.1  In 2.1, there are a number of places
where use of singular "reservation" instead of plural "reservations"
may imply that there is one aggregate reservation for the tunnel.

Also, please consider how the approach in this draft ought to be
applied to a PHB that consists of multiple DSCPs (e.g., an AF
class, cf. RFC 2597).  I believe AF is not a good fit to the
sort of traffic that motivated this draft, so explaining that
may suffice.

Thanks,
--David

> -----Original Message-----
> From: Fred Baker [mailto:fred <at> cisco.com] 
> Sent: Friday, September 29, 2006 6:59 PM
> To: Black, David
> Cc: hartmans-ietf <at> MIT.EDU; saag <at> MIT.EDU; ipsec <at> ietf.org; 
> tsvwg-chairs <at> tools.ietf.org; flefauch <at> cisco.com
> Subject: Re: [saag] tsvwg,preemption and rsvp: exposing 
> characteristics of confidentialtraffic
> 
> hmm. It sounds like there is some residual verbiage about tunnels in  
> the vpn-signaled-preemption draft.
> 
> Bottom line, both drafts call for a common DSCP. Both require  
> multiple reservations by vport in the RSVP signaling, with the vport  
> indicating anything that the network administrator wants it to  
> indicate, and the vpn-signaling draft specifically saying that the  
> network administrator in question is requesting that it signify call  
> precedence. Call precedence is, in reality, not signaled by the vport

> number, but by the priorities signaled in the RFC3181-clone priority  
> (precedence) fields of the rsvp draft, but the values used for the  
> vports have to be agreed upon throughout the network in order to name

> the resulting reservations so they can be "discussed" among the  
> equipment.
> 
> I am willing to clean up the use of "priority" and "precedence" as  
> you suggest and clean up this paragraph, along with Jari's  
> "discuss" (as in, "remove a section the principal client of the draft

> asked to have written into it"). I think it's fair to ask for any  
> remaining IESG comment before doing so...
> 
> On Sep 29, 2006, at 3:01 PM, Black_David <at> emc.com wrote:
> 
> > Actually, only the vpn-signaled-preemption draft appears to do this.
> >
> > The rsvp-ipsec draft allows multiple reservations between the same
> > endpoints for the same DSCP, which would allow such traffic to use
> > different tunnels but if it requires traffic for different
> > reservations to use different tunnels, I was not able to find
> > a statement of that requirement.
> >
> > OTOH, the vpn-signaled-preemption draft is quite clear that
different
> > precedence levels for the same DSCP result in different IPsec
tunnels.
> > Section 2.3.3 says:
> >
> >    Due to
> >    the mechanics of preemption, however, this would not expand the
> >    existing "routine" reservations in the interface and inner
domains,
> >    as doing this causes loss of information - how much of the
> >    reservation is now "routine" and how much is "priority"?  Rather,
> >    this new reservation will open up a separate set of tunnels or
> >    security associations for traffic of its application class at its
> >    precedence between that aggregator and deaggregator.
>
Permalink | Reply | 0 comments |
headers
Fred Baker | 30 Sep 2006 01:30
Picon
Favicon

Re: tsvwg, preemption and rsvp: exposing characteristics of confidentialtraffic


On Sep 29, 2006, at 4:22 PM, Black_David <at> emc.com wrote:

> Also, please consider how the approach in this draft ought to be
> applied to a PHB that consists of multiple DSCPs (e.g., an AF
> class, cf. RFC 2597).  I believe AF is not a good fit to the
> sort of traffic that motivated this draft, so explaining that
> may suffice.

well, ...

This draft is for real time traffic, which is to say "traffic that  
calls for reservations". So yes, AF is not for real time traffic. I  
need to have a discussion with Verizon.

But certain random customers do indeed have a need for preferential  
AF traffic in VPN-like networks similar to these. I suspect it  
behaves a lot like AF as it goes through a tunnel (well documented  
already) - with the exception that DSCP modifications that happened  
in the black network will not be propagated into the red networks, so  
any actual useful information is lost.

Sigh. Mumble. Sigh.
Permalink | Reply | 0 comments |

Gmane