Re: potential new IETF WG on anonymous IPSec
Ian Grigg wrote: .. I wouldn't think that the encryption need be opportunistic; in the BGP backbone world, as you noted, peers are known a-priori, and should have certs that could be signed by well-known, trusted CAs. Let's see if I can make these assumptions clearer, because I still perceive that CAs have no place in BGP, and you seem to be assuming that they do. I should have said could have certs. BGP could use shared secrets or CAs; it may be the case that anonymous security (as at least I call it) doesn't map well to BGP, in which you usually know who you want to trust. It may still help, though - e.g., in the case of the recent TCP RST attacks, it would have. The rest of your note focuses on the difference between two-party trust and trust using a shared third party. The former degenerates to the latter where I sign your cert, though ;-) I agree that for BGP the two-party case is probably more relevant, though there some BGP peerings are based on trust relationships of sets of parties that can - or already do - have trusted third-party coordination outside BGP. Joe signature.asc Description: OpenPGP digital signature
Re: public-key: the wrong model for email?
At 10:28 PM 9/16/04 +0200, Hadmut Danisch wrote: Because PKC works for this AliceBob communication scheme. If you connect to a web server, then what you want to know, or what authentication means is: Are you really www.somedomain.com? That's the AliceBob model. SSL is good for that. What makes you think verislime or other CAs are authenticating? You can't sue them, they are 0wn3d by a State (and so can issue false certs, just like States issue false meatspace IDs), etc. If I send you an encrypted e-mail, I do want that _you_ Ed Gerck, can read it only. That's still the AliceBob model. PGP and S/MIME are good for that. What makes you think that EG is a physical entity, if you haven't met him and learned to trust him through out of band channels? The sender of an e-mail does not need to pretend beeing a particular person or sender. Any identity of the 8 (10?) billion humans on earth will do it. What makes you think that, given 1e10 humans, there are 1e10 identities? Ie, why do you think there is a one-to-one mapping? PKC is good as long as the communication model is a closed and relatively small user group. A valid signature of an unknown sender has at least the meaning that the sender belongs to that user group. PKC is only as good as the means by which you obtain the public key. A server, a CA, are all worthless. The emperor has no clothes, get used to it.
Re: potential new IETF WG on anonymous IPSec
Ian Grigg wrote: Bill Stewart wrote: Also, the author's document discusses protecting BGP to prevent some of the recent denial-of-service attacks, and asks for confirmation about the assertion in a message on the IPSEC mailing list suggesting E.g., it is not feasible for BGP routers to be configured with the appropriate certificate authorities of hundreds of thousands of peers. Routers typically use BGP to peer with a small number of partners, though some big ISP gateway routers might peer with a few hundred. (A typical enterprise router would have 2-3 peers if it does BGP.) If a router wants to learn full internet routes from its peers, it might learn 1-200,000, but that's not the number of direct connections that it has - it's information it learns using those connections. And the peers don't have to be configured rapidly without external assistance - you typically set up the peering link when you're setting up the connection between an ISP and a customer or a pair of ISPs, and if you want to use a CA mechanism to certify X.509 certs, you can set up that information at the same time. On the backbone, between BGP peers, one would have thought that there are relatively few attackers, as the staff are highly trusted and the wires are hard to access - hence no active attacks going on and only some passive eavesdropping attacks. Also, anyone setting up BGP routing knows the other party, so there is a prior relationship. My understanding of the attacks this past spring is that: a) they were indeed on the backbone BGP peers b) that those peers had avoided setting up preshared keys or getting mutually-authenticatable certificates because of the configuration overhead (small on a per-pair basis, but may be large in aggregate) While inspired by this issue, there may be other solutions (e.g., IMO IPsec) which are more appropriate for BGP peers. The whole point of the CA model is that there is no prior relationship and that the network is a wild wild west sort of place Except that certs need to be signed by authorities that are trusted. - both of these assumptions seem to be reversed in the backbone world, no? So one would think that using opportunistic cryptography would be ideal for the BGP world? iang I wouldn't think that the encryption need be opportunistic; in the BGP backbone world, as you noted, peers are known a-priori, and should have certs that could be signed by well-known, trusted CAs. Joe signature.asc Description: OpenPGP digital signature
Re: potential new IETF WG on anonymous IPSec
Joe Touch wrote: Ian Grigg wrote: On the backbone, between BGP peers, one would have thought that there are relatively few attackers, as the staff are highly trusted and the wires are hard to access - hence no active attacks going on and only some passive eavesdropping attacks. Also, anyone setting up BGP routing knows the other party, so there is a prior relationship. My understanding of the attacks this past spring is that: a) they were indeed on the backbone BGP peers b) that those peers had avoided setting up preshared keys or getting mutually-authenticatable certificates because of the configuration overhead (small on a per-pair basis, but may be large in aggregate) While inspired by this issue, there may be other solutions (e.g., IMO IPsec) which are more appropriate for BGP peers. Thanks for the clarification. Re-reading (all) of the above, I noticed that these are DOS attacks. (That changes things - crypto protocols don't really a priori stop or defeat DOS attacks. They can help, or they may not, it all depends.) It's then important to examine the threat here. Who is the attacker and what motives and tools does he have available? It would be annoying to do all the work, only to discover that he has other tools that are just as easy... (This is called what's-your-threat-model, sometimes abbreviated to WYTM?) The whole point of the CA model is that there is no prior relationship and that the network is a wild wild west sort of place Except that certs need to be signed by authorities that are trusted. Right, in that the CA model seeks to add trust to the wild wild west by the provision of these signed / trusted certs. Whether it achieves that depends on the details. It is not wise to just assume it succeeds because someone said so. - both of these assumptions seem to be reversed in the backbone world, no? So one would think that using opportunistic cryptography would be ideal for the BGP world? iang I wouldn't think that the encryption need be opportunistic; in the BGP backbone world, as you noted, peers are known a-priori, and should have certs that could be signed by well-known, trusted CAs. Let's see if I can make these assumptions clearer, because I still perceive that CAs have no place in BGP, and you seem to be assuming that they do. In the world of PKIs, there are some big assumptions. Here's two of them: Alice and Bob don't know each other, and don't necessarily trust each other. There exists a central stable party that *both* Alice and Bob know better than each other and can be trusted to pass the trust on. Known as a trusted third party, TTP, or a certificate authority, CA, in particular. This situation exists in large companies for example - the company knows Alice and Bob better than they may know each other. (In theory.) Now, whether it exists in any real world depends on which world pertains. In the world of browsing, it is .. assumed to exist, but that can be challenged. In the world of email, it pretty clearly doesn't exist - almost all (desired) email is done between known parties, and the two parties generally have much better ways of establishing and bootstrapping a crypto relationship than asking for some centralised party to do it. (Hence, the relative success of PGP over S/MIME.) Ditto for the world of secure systems administration (SSH). When we come to BGP, it seems that BGP routing parties have a very high level of trust between them. And this trust is likely to exceed by orders of magnitude any trust that a third party could generate. Hence, adding certs signed by this TTP (well known CA or not) is unlikely to add anything, and will thus likely add costs for no benefit. If anyone tried to impose a TTP for this purpose, I'd suspect the BGP admins would ignore it. Another way of thinking about it is to ask who would the two BGP operators trust more than each other? In such a world, a CA-signed certificate is an encumberance only, and seems to be matched by comments in the AnonSec draft that they are unlikely to be deployed. iang PS: on the general issue of doing what you call anonSec, I'd say, fantastic, definately overdue, could save IPSec from an embarrassingly slow adoption! I do concur with all the other posts about how anon is the wrong word, but I'd say that getting the right term is not so important as doing the work! On the point of what the right word is, that depends on the technique chosen. I haven't got that far in the draft as yet.
Re: potential new IETF WG on anonymous IPSec
On Thu, 16 Sep 2004, Major Variola (ret) wrote: At 02:17 PM 9/16/04 -0700, Joe Touch wrote: Except that certs need to be signed by authorities that are trusted. Name one. You don't have to sign the certs. Use self-signed ones, then publish a GPG signature of your certificate in a known place; make bloody sure your GPG key is firmly embedded in the web-of-trust. This can be done with certs signed by an untrusted (read: any other than the one you operate yourself) CA as well. For HTTPS, there can be a negotiated standard location and format of the certificate signature file, stored in eg. /gpgsigned.xml location; the certificate is transported during the SSL handshake, so you can validate it within a single HTTPS request for the file. Similar thing applies for the client certificates and the servers; but then the server has to request the certificate signature from somewhere else (the location may be specified as an URL in the comment field of the client certificate). This should be easy to implement with PHP scripts, if Apache is configured to make the certificate visible as an environmental variable.
Re: Geopolitical Darwin Awards
Ken Brown wrote... Prostitution industry? Well, Industry from what I understand is probably too strong a term. These seem to be individual females. And no, they ain't wearin' high heels and hot pants, so what we're talking about is very, very discrete, and sometimes for goods and services as opposed to pure $$$. But it's there, and people in general seem to know it's there. -TD _ On the road to retirement? Check out MSN Life Events for advice on how to get there! http://lifeevents.msn.com/category.aspx?cid=Retirement
Re: potential new IETF WG on anonymous IPSec
Bill Stewart wrote: At 02:17 PM 9/16/2004, Joe Touch wrote: Ian Grigg wrote: On the backbone, between BGP peers, one would have thought that there are relatively few attackers, as the staff are highly trusted and the wires are hard to access - hence no active attacks going on and only some passive eavesdropping attacks. Also, anyone setting up BGP routing knows the other party, so there is a prior relationship. My understanding of the attacks this past spring is that: a) they were indeed on the backbone BGP peers b) that those peers had avoided setting up preshared keys or getting mutually-authenticatable certificates because of the configuration overhead (small on a per-pair basis, but may be large in aggregate) The interesting attacks were a sequence-number guessing attack using forged TCP RST packets, which tell the TCP session to tear down, therefore dropping the BGP connection (typically between two ISPs). The attackers didn't need to be trusted backbone routers - they could be randoms anywhere on the Internet. BGP authentication doesn't actually help this problem, because the attack simply kills the connection at a TCP layer rather than lying to the BGP application. FWIW, the other system we were referring to - TCP-MD5 - works at the TCP layer. It rejects packets within TCP, before any further TCP processing, that don't match the MD5 hash. It isn't BGP authentication. This is why I refer to it as TCP-MD5 rather than BGP-MD5, even though the latter is more common. Joe signature.asc Description: OpenPGP digital signature
Re: potential new IETF WG on anonymous IPSec
At 02:17 PM 9/16/04 -0700, Joe Touch wrote: Except that certs need to be signed by authorities that are trusted. Name one.
Re: potential new IETF WG on anonymous IPSec
On 2004-09-16T20:11:56-0700, Major Variola (ret) wrote: At 02:17 PM 9/16/04 -0700, Joe Touch wrote: Except that certs need to be signed by authorities that are trusted. Name one. Oh, come on. Nothing can be absolutely trusted. How much security is enough? Aren't the DOD CAs trusted enough for your tastes? Of course, 'tis problematic for civilians to get certs from there.
Re: potential new IETF WG on anonymous IPSec
At 02:17 PM 9/16/2004, Joe Touch wrote: Ian Grigg wrote: On the backbone, between BGP peers, one would have thought that there are relatively few attackers, as the staff are highly trusted and the wires are hard to access - hence no active attacks going on and only some passive eavesdropping attacks. Also, anyone setting up BGP routing knows the other party, so there is a prior relationship. My understanding of the attacks this past spring is that: a) they were indeed on the backbone BGP peers b) that those peers had avoided setting up preshared keys or getting mutually-authenticatable certificates because of the configuration overhead (small on a per-pair basis, but may be large in aggregate) The interesting attacks were a sequence-number guessing attack using forged TCP RST packets, which tell the TCP session to tear down, therefore dropping the BGP connection (typically between two ISPs). The attackers didn't need to be trusted backbone routers - they could be randoms anywhere on the Internet. BGP authentication doesn't actually help this problem, because the attack simply kills the connection at a TCP layer rather than lying to the BGP application. A simple way to avoid most of this problem is to filter packets at the edges so that customer connections can't send IP (or ICMP, while you're at it) packets to the core addresses on the routers that do the BGP signalling. (It's not a complete solution, because both ends of the connection need to so that, or need to do spoof-proofing so nobody can forge packets from those addresses, or both.) Customers can still send packets to the ISP edge routers supporting their own connections, but killing your own internet connection is much less entertaining than killing somebody else's, and if the customer is managing their own router, their users probably have an easier time killing that end of the connection than convincing the ISP's end to drop the connection. (One downside to this approach is that customers can't simply ping routers to get information about paths, latencies, capacities, etc., but that's not necessarily a bad thing. Also, you can set things up so they can traceroute to the far end of a connection and still get traceroute responses from the intermediate routers.) While inspired by this issue, there may be other solutions (e.g., IMO IPsec) which are more appropriate for BGP peers. ... I wouldn't think that the encryption need be opportunistic; in the BGP backbone world, as you noted, peers are known a-priori, and should have certs that could be signed by well-known, trusted CAs. I agree with Joe. You can fix most of the problems using ACLs, but IPSEC does have some appeal to it. You don't even need CAs - pre-shared secrets are perfectly adequate, but if you want to use a CA-based IPSEC implementation for convenience, you can agree on what CA to use when you're agreeing on other parameters. Bill Stewart [EMAIL PROTECTED]
Re: Geopolitical Darwin Awards
Tyler Durden wrote: Who, the Iranians? Which ones are fanatics? I'll grant there are some fanatics left in Iran, but Iran seems increasingly dominated by fairly sleezy clergy/judges. Like any government, theirs is deteriorating into a mere racket. And if you ask me, fanaticism never lasts very long anywhere, only for about a generation during turbulent times. Iran in particular is a special case...seems to me their cultural momentum will always outweigh any temporary fanaticism. A country that has a small but thriving prostitution industry can't be all that fanatical. Prostitution industry? Iran has rebooted its swimming-pool maintenance industry. Its just this place, you know. Apparently the best thing about is the lack of American tourists - just like Cuba ;-)
Re: Geopolitical Darwin Awards
Ken Brown wrote... Apparently the best thing about is the lack of American tourists - just like Cuba ;-) What! I'm deeply offended by that remark...I demand you with Aw fuckit. It's true. In fact, when I'm in a restaurant outside the US, I have witnessed that the food quality is inversely proportional to the number of Americans in the place. (Oh don't get me wrong...places catering to Americans will have great heaping PILES of food, but it'll be bland and tasteless, and the beer will suck.) -TD A Big, Fat Dynamo! -Homer Simpson From: ken [EMAIL PROTECTED] Reply-To: [EMAIL PROTECTED] To: Tyler Durden [EMAIL PROTECTED] CC: [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: Geopolitical Darwin Awards Date: Fri, 17 Sep 2004 13:45:18 +0100 Tyler Durden wrote: Who, the Iranians? Which ones are fanatics? I'll grant there are some fanatics left in Iran, but Iran seems increasingly dominated by fairly sleezy clergy/judges. Like any government, theirs is deteriorating into a mere racket. And if you ask me, fanaticism never lasts very long anywhere, only for about a generation during turbulent times. Iran in particular is a special case...seems to me their cultural momentum will always outweigh any temporary fanaticism. A country that has a small but thriving prostitution industry can't be all that fanatical. Prostitution industry? Iran has rebooted its swimming-pool maintenance industry. Its just this place, you know. Apparently the best thing about is the lack of American tourists - just like Cuba ;-) _ FREE pop-up blocking with the new MSN Toolbar get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
Re: Geopolitical Darwin Awards
On Fri, 17 Sep 2004, Tyler Durden wrung hi hands and exclaimed: Hey Hey Hey! I'm not the original quoter there...watch it! -TD To which [EMAIL PROTECTED] took not and made a closer examination of his previous posting, thus: From: J.A. Terranson [EMAIL PROTECTED] To: Tyler Durden [EMAIL PROTECTED] CC: [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: Geopolitical Darwin Awards Date: Thu, 16 Sep 2004 15:48:01 -0500 (CDT) On Thu, 16 Sep 2004, Tyler Durden wrote: They are fanatics. They expect to get a six pack of virgins. And they will say Hey, it was not us, it was these terrorists who happen to have somehow stolen some nukes from persons unknown. We are completely opposed to terrorism, and are fully cooperating with foreign investigations. This sounds like dubya, not the ayatollahs. Aha! Screamed measl. Durden is *right*, and I have defamed him even worse than he usually defames himself! After receiving this near revelation, measl hung his head in shame, and promised to be more careful with his electron snippers in the future :-) -- Yours, J.A. Terranson [EMAIL PROTECTED] 0xBD4A95BF ...justice is a duty towards those whom you love and those whom you do not. And people's rights will not be harmed if the opponent speaks out about them. Osama Bin Laden - - - There aught to be limits to freedom!George Bush - - - Which one scares you more?
Re: Geopolitical Darwin Awards
Hey Hey Hey! I'm not the original quoter there...watch it! -TD From: J.A. Terranson [EMAIL PROTECTED] To: Tyler Durden [EMAIL PROTECTED] CC: [EMAIL PROTECTED], [EMAIL PROTECTED] Subject: Re: Geopolitical Darwin Awards Date: Thu, 16 Sep 2004 15:48:01 -0500 (CDT) On Thu, 16 Sep 2004, Tyler Durden wrote: They are fanatics. They expect to get a six pack of virgins. And they will say Hey, it was not us, it was these terrorists who happen to have somehow stolen some nukes from persons unknown. We are completely opposed to terrorism, and are fully cooperating with foreign investigations. This sounds like dubya, not the ayatollahs. -- Yours, J.A. Terranson [EMAIL PROTECTED] 0xBD4A95BF ...justice is a duty towards those whom you love and those whom you do not. And people's rights will not be harmed if the opponent speaks out about them. Osama Bin Laden - - - There aught to be limits to freedom!George Bush - - - Which one scares you more? _ Express yourself instantly with MSN Messenger! Download today - it's FREE! http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/