Simple Key Management for IP BOF (SKIP) Reported by Hemma Prafullchandra/Sun Microsystems The SKIP BOF met once at the 33rd IETF on Wednesday, 19 July. The meeting was chaired by Martin Patterson. Agenda o Introduction o SKIP in AH/ESP o ETHZ SKIP implementation o ELVIS+ SKIP implementation o End-System SKIP implementation o General discussion SKIP in AH/ESP -- Tom Markson How is the Kp algorithm related to the IPSEC security transforms algorithm? Kp algorithm is specified using eight bits, so one can assign a number for every transform defined by IPSEC. What if it requires more than eight bits? Would Sun/author be willing to change the specification to allow it to inter-work with ESP? Yes, as our goal is to allow SKIP to inter-work with ESP. What is the lifetime of Kij? The lifetime of Kij is dependent on the lifetime of the Diffie-Hellman keys of the communicating parties. The lifetime of Kijn is implementation dependent, meaning whenever n is changed, Kijn will change. n is never zero. Comment: For interoperability, how n changes also needs to be defined and not only how the initial value is established. Why not use ephemeral half keys instead of Kijn? (This question could not be answered to Hilarie Orman's satisfaction. Ashar will have to address this one.) Hilarie commented that there are other more elegant solutions. The SKIP header appears in every ESP packet. Are there any plans to integrate SKIP further into ESP? There was no clear consensus. What is the overhead per packet considering there is a SKIP header in every packet? Martin referred to performance numbers on SKIP; mentioned path MTU discovery. The point was made that crypto performance is often CPU bound. (Cheryl Madson reported that, per Steve Deering, path MTU discovery and multicast is not intended to work for IPv4.) A request was made for some performance figures on unencrypted data with SKIP headers to evaluate the SKIP header overhead per packet issue. Some figures were also requested on cpu/network throughput. Jeff Schiller suggested using compressed headers even though state would have to be maintained. What are we doing about certificate distribution? There is quite a bit of work in progress in this area, but no specifications as this time. We have a limited protocol implemented to do bilateral certificate exchange, we are also working on both chained and cross-certification models of the X.509/PEM world and the PGP web-of-trust. We would like to work within IPSEC on this. How many bits of the Diffie-Hellman keys are used to derive the shared secret? Now that we are also discussing the key distribution problem, why was SKIP not presented at the IPSEC Working Group session during the key management session? SKIP assumes that the communicating parties have already established certified Diffie-Hellman public keys for the corresponding party/parties. Now, we are working on solving the problem of certificate distribution; we have nothing to present yet. ETHZ SKIP Implementation -- Germano Caronni o Based on first draft plus modifications o IPSP protocol 79 o Unicast only o Transport and encapsulated mode o Des, idea and "rc4" o Keyed MD5 o Manual keying o Solaris 2.4, NeXTSTEP, NetBSD o Not interoperable with the other implementations FTP over IP with DES+MD5 (ss10 -> ss20) => approximately 300kB/sec). This work will be released in the public domain around the 15th of August. Why SKIP and not photuris? In February of 1995, when my work was started, the photuris specification was not concrete. SKIP is much more simple, basically context free. SKIP works with gateways, and has concept for small multicast groups. Still missing: o Multicast o Key management (key distribution for bilateral key exchange on its way) o No ASN.1, X.509 -- next Differences from the specification: o Defined padding of Kp if required o For transport mode, used reserved byte after next-p-field to transmit number of pad bytes o Authentication over next-p-field, reserved bytes, sequence number, data Which level of OS was this implemented to? For Solaris, to binary (no source available). For NeXTSTEP, as a binary patch. For NetBSD, catch interrupts. ELVIS+ -- Nickolai Tzarev Two realizations: o Solaris 2.4 - Unicast - Simple command line interface - Simple graphical interface - MD5 - Final release in October Futures: support for multicast and key distribution o DOS/Windows - NDISv2 compliance driver - NDIS v3 next - Final release in November Futures: windows for workgroups and windows95 Cryptography in Russia is banned, how is this going to effect your work? Encryption/decryption is banned but if used for privacy of personal information then is it okay. Also, the president has signed the decree, the parliament has not. ES-SKIP -- Tom Markson Loadable kernel module? Yes, but tried to limit the dependencies on the kernel. Does it always have to run below the IP layer? Yes. The draft is not sufficient to implement SKIP, the FAQs are also required. Are you planning to integrate the changes into the draft? Yes, a revision of the draft will be made What are the node-ids? Martin gave an explanation. There are other groups of algorithms that can be used, is SKIP flexible enough to support other algorithms, e.g., elliptic curves? Martin said yes, though Diffie-Hellman is the implicit default. How are the values that the Diffie-Hellman modulus used negotiated? If you have a 512 bit modulus and a 1024 bit modulus, will they interoperate? SKIP does not negotiate this. It is done out-of-band. 512-bit DH keys will not interoperate with 1024-bit DH keys. For interoperability, a set of 512-bit and 1024-bit DH parameters should be published as part of the draft. Generate a set of these parameters that impeachable in the IETF forum. Internet standards need to be specified in a manner that independent implementations can interoperate. Photuris negotiates almost everything, so that if independent implementations existed they are very likely to interoperate. Skip should be able to negotiate which Kij and Kp algorithms are supported by the remote party. Should the FAQs be folded or incorporated into the SKIP draft? Jeff did not think this is necessary. They can be specified as separate drafts, but all the information needs to be provided, and there needs to consensus on the drafts. What is the relation with IPSEC? Jeff decided to take a straw-poll and asked how many people would be happy with SKIP moving into the standards track as an Proposed Standard? 80/consensus to move SKIP into the standards track. Ashar needs to discuss with Jeff S., Paul L. and Ran A. how to proceed; clearly some changes will be required to the Internet-Draft.