[anonsec] Re: potential new IETF WG on anonymous IPSec (fwd from hal at finney.org) (fwd from touch at ISI.EDU)

Eugen Leitl eugen at leitl.org
Fri Sep 10 12:20:28 EDT 2004

From: Joe Touch <touch at ISI.EDU>
Subject: Re: [anonsec] Re: potential new IETF WG on anonymous IPSec (fwd fr
To: "Discussions of anonymous Internet security." <anonsec at postel.org>
Date: Fri, 10 Sep 2004 09:03:50 -0700
Reply-To: "Discussions of anonymous Internet security." <anonsec at postel.org>

Clarifications below...

Eugen Leitl wrote:

>----- Forwarded message from "\"Hal Finney\"" <hal at finney.org> -----
>From: hal at finney.org ("Hal Finney")
>Date: Thu,  9 Sep 2004 12:57:29 -0700 (PDT)
>To: cryptography at metzdowd.com, cypherpunks at al-qaeda.net,
>	rah at shipwright.com
>Subject: Re: potential new IETF WG on anonymous IPSec
>>The IETF has been discussing setting up a working group
>>for anonymous IPSec.  They will have a BOF at the next IETF
>>in DC in November.  They're also setting up a mailing list you
>>might be interested in if you haven't heard about it already.
>>	http://www.postel.org/anonsec
>To clarify, this is not really "anonymous" in the usual sense. 

It does not authenticate the endpoint's identification, other than "same 
place I had been talking to."

There's no difference between having no "name" and having a name you 
cannot trust. I.e., I could travel under the name "anonymous" or "", or 
under the name "A. Smith". If you don't know whether I am actually A. 
Smith, the latter is identical to the former.

>Rather it
>is a proposal to an extension to IPsec to allow for unauthenticated

Correction: it is a proposal to extend Internet security - including 
IPsec, but also including TCP-MD5 (sometimes called "BGP MD5") and other 
security mechanisms at various layers. It is not focused only on IPsec.

>Presently IPsec relies on either pre-shared secrets or a
>trusted third party CA to authenticate the connection.  The new proposal
>would let connections go forward using a straight Diffie-Hellman type
>exchange without authentication.

This is one option, but not the only one.

>It also proposes less authentication
>of IP message packets, covering smaller subsets, as an option.

There are two aspects:
	- smaller portion of the packet is hashed
	- none of the packet is hashed, but a cookie is used

>The point has nothing to do with anonymity;

The last one, agreed. But the primary assumption is that we can avoid a 
lot of infrastructure and impediment to deployment by treating an 
ongoing conversation as a reason to trust an endpoint, rather than a 
third-party identification. Although anonymous access is not the primary 
goal, it is a feature of the solution.

>rather it is an attempt
>to secure against weaknesses in TCP which have begun to be exploited.

Please review the draft; there are a number of reasons this is being 
considered, not the least of which is to reduce the cumbersome 
requirement of key infrastructure as well as to avoid performance penalties.

>Sequence number guessing attacks are more successful today because of
>increasing bandwidth, and there have been several instances where they
>have caused disruption on the net.  While workarounds are in place, a
>better solution is desirable.

Please be more specific; how would it be better?

>This new effort is Joe Touch's proposal to weaken IPsec so that it uses
>less resources and is easier to deploy.  He calls the weaker version
>AnonSec.  But it is not anonymous, all the parties know the addresses
>of their counterparts.

Address != identity. Agreed, if what you want to do is hide traffic, 
this does not provide traffic confidentiality. But it does not tell you 
whether the packets come from 128.9.x.x (ISI, e.g.) or from someone 
spoofing 128.9.x.x; all you know is that whoever is using that address 
is capable of having an ongoing conversation (TCP connection, e.g.) with 

I.e., there are two ways to be anonymous, as noted earlier:
	1) don't give out your name (A. Smith, e.g.)
	2) give out a name, but it doesn't necessarily mean anything
	(e.g., Mickey Mouse)

Even if you use "real" names in (2), there's no difference with (1), 
since you don't know whether the real Mickey Mouse is using it.

>Rather, it allows for a degree of security on
>connections between communicators who don't share any secrets or CAs.
>I don't think "anonymous" is the right word for this, and I hope the
>IETF comes up with a better one as they go forward.
>Hal Finney
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
>----- End forwarded message -----



Eugen* Leitl <a href="http://leitl.org">leitl</a>
ICBM: 48.07078, 11.61144            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
http://moleculardevices.org         http://nanomachines.net
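
Added example, not part of the original messages or of the AnonSec draft: a toy Python model of the property argued over in this thread, an unauthenticated Diffie-Hellman exchange followed by a tag over a subset of each segment. The 127-bit group, the field names, the 12-byte tag and the documentation addresses are assumptions chosen for illustration; it shows that the key proves "same place I had been talking to" and nothing about who that place is.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption): far too small for real use, chosen to keep the example short.
P = 2**127 - 1  # a Mersenne prime
G = 3

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def tag(key, seg):
    # Only a subset of the segment is covered (hypothetical field choice).
    covered = "|".join(str(seg[f]) for f in ("src", "dst", "seq", "flags"))
    return hmac.new(key, covered.encode(), hashlib.sha256).digest()[:12]

def accept(key, seg):
    return hmac.compare_digest(tag(key, seg), seg.get("tag", b""))

def demo():
    # 1. Unauthenticated exchange: neither side proves a name to the other.
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    k_a, k_b = session_key(a_priv, b_pub), session_key(b_priv, a_pub)

    # 2. The peer that did the exchange keeps talking: its segments verify.
    seg = {"src": "192.0.2.1", "dst": "192.0.2.2", "seq": 1000, "flags": "ACK"}
    seg["tag"] = tag(k_a, seg)
    same_peer_ok = accept(k_b, seg)

    # 3. A sender using A's address without the key cannot produce a valid
    #    tag, even with a correct sequence number.
    rst = {"src": "192.0.2.1", "dst": "192.0.2.2", "seq": 1001, "flags": "RST"}
    rst["tag"] = secrets.token_bytes(12)
    spoofed_ok = accept(k_b, rst)

    # 4. Address != identity: if some other party M answered the exchange
    #    under A's address, B's checks pass just the same.
    m_priv, m_pub = dh_keypair()
    k_bm = session_key(b_priv, m_pub)
    other = {"src": "192.0.2.1", "dst": "192.0.2.2", "seq": 1, "flags": "ACK"}
    other["tag"] = tag(session_key(m_priv, b_pub), other)
    unknown_peer_ok = accept(k_bm, other)
    return same_peer_ok, spoofed_ok, unknown_peer_ok
```

`demo()` returns whether each of the three segments was accepted: the continuing peer's, the keyless sender's, and the one from a peer whose identity was never established.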