"ISAKMP" flaws?

William Allen Simpson wsimpson at greendragon.com
Thu Nov 17 18:52:43 EST 2005 

Paul Hoffman wrote:
 > At 2:29 PM -0500 11/15/05, Steven M. Bellovin wrote:
 >> I mostly agree with you, with one caveat: the complexity of a spec can
 >> lead to buggier implementations.
 >
 > Well, then we fully agree with each other. Look at the message formats
 > used in the protocols they have attacked successfully so far.
 >
 > Humorously, security folks seem to have ignored this when designing our
 > protocols.
 >

Later, Peter Gutmann wrote:
> In this particular case if the problem is so trivial and easily avoided, why
> does almost every implementation (according to the security advisory) get it
> wrong?
> 
Quoting draft-simpson-danger-isakmp-01.txt, published (after being
blocked by the IETF for years) as:
   http://www.usenix.org/publications/login/1999-12/features/harmful.html

   A great many of the problematic specifications are due to the ISAKMP
   framework.  This is not surprising, as the early drafts used ASN.1,
   and were fairly clearly ISO inspired.  The observations of another
   ISO implementor (and security analyst) appear applicable:

     The specification was so general, and left so many choices, that it
     was necessary to hold "implementor workshops" to agree on what
     subsets to build and what choices to make.  The specification
     wasn't a specification of a protocol.  Instead,  it was a framework
     in which a protocol could be designed and implemented.  [Folklore-00]

   [Folklore-00]  Perlman, R., "Folklore of Protocol Design",
   draft-iab-perlman-folklore-00.txt, Work In Progress, January 1998.

Quoting "Photuris: Design Criteria", LNCS, Springer-Verlag, 1999:

   The hallmark of successful Internet protocols is that they are
   relatively simple.  This aids in analysis of the protocol design,
   improves implementation interoperability, and reduces operational
   considerations.

Compare with Photuris [RFC-2522], where undergraduate (Keromytis) and
graduate (Spatscheck, Provos) students independently were able to
complete interoperable implementations (in their spare time) in a
month or so....

So, no, some "security folks" didn't ignore this ;-)
-- 
William Allen Simpson
     Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list