[Cryptography] IPsec DH parameters, other flaws

Dan McDonald danmcd at kebe.com
Sun Jul 12 00:13:23 EDT 2020


Oh I'm so glad you further completed the big picture.  ESPECIALLY for the parts where I was still a grad student and hadn't yet joined the fray.

> On Jul 11, 2020, at 9:57 AM, William Allen Simpson <william.allen.simpson at gmail.com> wrote:
> 
> Having given folks a few days to respond....
> 
> 
> On 7/7/20 1:11 AM, Dan McDonald wrote:
>> Your story is missing a bit of credit-where-due, Bill.
> Sorry, just didn't push a whole hog history in one post.

Thank you.

>>> On Jul 6, 2020, at 9:13 AM, William Allen Simpson <william.allen.simpson at gmail.com> wrote:
>>> Instead, all the IPsec design took place in the PIPE/SIP/SIPP WG.  None of the
>>> other IPng efforts required security.  (Needed it, but wouldn't require it.)
>> You're missing a part of, GASP, the US Government who actually had a practical mindset, and a mandate from TWO different sponsors (neither of whom were up the road on 295):  NRL. 
> 
> Yes, a great deal of credit should go to Naval Research Labs' (NRL) running code.
> (Also more famously later work on Onion Routing.)

That was spinning up as I was leaving... smart folks who worked on that.

> IIRC, Ran Atkinson joined PIPE/SIP/SIPP circa mid-1993, and wrote an architecture
> document that he graciously permitted me to reformat and republish (extracts) for IPv4.

Yes, mid-1993 I was finishing my last classes in grad school.  Ran hired me thanks to a post on misc.jobs.resumes.

> But the header formats and details were finalized long before Ran arrived, and mostly
> were originally based upon experimental code written for Karn's KA9Q NOS.  There's a
> reason that ESP is port 50, and AH is port 51.
> 
> And let us not forget swIPe: https://en.wikipedia.org/wiki/SwIPe_(protocol)
> Came out of those lunch discussions I'd mentioned that Karn hosted.  First posted as an
> internet draft, but the IETF wouldn't allow RFC publication.  Published by Usenix.

One or more of JI or Perry told me about this.

> Also, let us not forget Usenix.  A lot of security would never have happened without a
> fearless board at Usenix, willing to defy US government prior restraint efforts.

A big fan. The NRL IPv6-in-BSD paper was presented at the January, 1996 USENIX (while I was travelling from DC to CA to start Sun).

>> I should point out here that while we were trying to get our work out, there were some license-purists who thought that, GASP, BSD licensing wasn't free enough.  This caused stinks that might've attracted the WRONG sort of scrutiny, and we were scared shitless about the up-the-road folks putting the hammer down.
> Yeah, there was more than enough FUD flung around.  Metzger was in the NetBSD
> community.  Karn had his own code base that was used in rather a lot of (late
> '80s early '90s) products.  I contributed code in both places.
> 
> Most significant IPsec development was in *BSD.  Gnu/Linux GPL came years later,
> thanks to promotion and funding by John Gilmore.

I've met those various *SWAN folks over time.

>>> Perry Metzger called me, and over 1994 Christmas week, we ported IPsec from
>>> IPv6 to IPv4.  We called these the "Troublemakers" drafts.
>> Oooh I do remember that.  I remember some crypto-centered cynics thought it couldn't be built, and then we had our wonder-intern port our IPv6 stuff to IPv4 quickly during the summer of 1995.  :)
> In addition, Photuris draft -00 was published December 1994.  By summer of 1995,
> both session key management and IP packet security were implemented, and
> commercially deployed not very long afterward.
> 
> Also, I'd like to call out other significant efforts:
> 
> Angelos Keromytis (a Greek undergrad) developed a completely independent
> implementation circa October 1995.  He is now a full professor.
> 
> Niels Provos (a physics grad student in Hamburg) did an implementation that was
> interoperable with both Keromytis and KA9Q.  We coopted him into changing majors
> and universities, and drove him across the border into Canada to work on OpenSSH,
> so it could be _imported_ into the US.  After years doing good security things at
> Google, IIRC he's CSO at Stripe.

And a blacksmith too, IIRC.

> I've always been pleased to know that our original IPsec design was easy enough to
> understand that (brilliant, talented) undergrads, interns, and non-computer
> engineers could write interoperable implementations over a summer. ;)

I was annoyed nobody ever ported Photuris or other KM experiments to PF_KEY.  It would've worked nicely, I think.

> Contrast with IKE/ISAKMP.  Took paid teams, and at least a half dozen bakeoffs and
> workshops over a period of several years before interoperable implementations.

As mentioned earlier, Solaris had to OEM IKEv1's core (from a very good implementation) to make perceived time-to-market.  It's why IKEv1 in illumos (the successor of OpenSolaris) distros is in the closed-binary wad.

<SNIP!>

> As you've mentioned, Sun was pushing SKIP.  I'm fairly sure that in addition
> to being rather resource intensive, it was patented?

No idea about patents, but their developers had pulled the wool over way-too-many eyes inside Sun.  I could've attacked the problem differently in hindsight, but even had I done it differently, I'd have been up against a LOT of internal pressure.

> We've seen this in other areas as well.  In subsequent years, Randy Bush has
> often referred to the Internet *Vendor* Task Force.

Eeesh.

>> My $0.02, because I refuse to be erased,
>> Dan
> 
> I've not forgotten you!  Is a copy of the NRL code base posted anywhere?

RIPE has copies:

	https://ftp.ripe.net/ipv6/nrl/

I probably have 'em squirreled away somewhere here too.

Thank you!
Dan