[18978] in cryptography@c2.net mail archive
Re: "ISAKMP" flaws?
daemon@ATHENA.MIT.EDU (William Allen Simpson)
Thu Nov 17 20:07:52 2005
X-Original-To: cryptography@metzdowd.com
X-Original-To: cryptography@metzdowd.com
Date: Thu, 17 Nov 2005 18:52:43 -0500
From: William Allen Simpson <wsimpson@greendragon.com>
To: cryptography@metzdowd.com
In-Reply-To: <E1EclLX-0004gN-00@medusa01.cs.auckland.ac.nz>
Paul Hoffman wrote:
> At 2:29 PM -0500 11/15/05, Steven M. Bellovin wrote:
>> I mostly agree with you, with one caveat: the complexity of a spec can
>> lead to buggier implementations.
>
> Well, then we fully agree with each other. Look at the message formats
> used in the protocols they have attacked successfully so far.
>
> Humorously, security folks seem to have ignored this when designing our
> protocols.
>
Later, Peter Gutmann wrote:
> In this particular case if the problem is so trivial and easily avoided, why
> does almost every implementation (according to the security advisory) get it
> wrong?
>
Quoting draft-simpson-danger-isakmp-01.txt, published (after being
blocked by the IETF for years) as:
http://www.usenix.org/publications/login/1999-12/features/harmful.html
A great many of the problematic specifications are due to the ISAKMP
framework. This is not surprising, as the early drafts used ASN.1,
and were fairly clearly ISO inspired. The observations of another
ISO implementor (and security analyst) appear applicable:
The specification was so general, and left so many choices, that it
was necessary to hold "implementor workshops" to agree on what
subsets to build and what choices to make. The specification
wasn't a specification of a protocol. Instead, it was a framework
in which a protocol could be designed and implemented. [Folklore-00]
[Folklore-00] Perlman, R., "Folklore of Protocol Design",
draft-iab-perlman-folklore-00.txt, Work In Progress, January 1998.
Quoting "Photuris: Design Criteria", LNCS, Springer-Verlag, 1999:
The hallmark of successful Internet protocols is that they are
relatively simple. This aids in analysis of the protocol design,
improves implementation interoperability, and reduces operational
considerations.
Compare with Photuris [RFC-2522], where undergraduate (Keromytis) and
graduate (Spatscheck, Provos) students independently were able to
complete interoperable implementations (in their spare time) in a
month or so....
So, no, some "security folks" didn't ignore this ;-)
--
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
