OPEN ISSUE: Standards Track

Steven M. Bellovin smb at research.att.com
Thu May 22 16:21:20 CEST 2003


In message <3ECCF46D.E09436DE at iprg.nokia.com>, "Charles E. Perkins" writes:
>
>
>As an example, I think it was a terrible mistake to delay
>Mobile IPv6 for so long pending the completion of the world's
>most sophisticated and super robust security solution (slight
>exaggeration, but ...).  I guess I don't have to describe the
>effect this can have in a world moving at what used to be
>called "Internet speed".
>

It wasn't a matter of a "sophisticated and super robust security solution";
it was a matter of one that would *ever* work outside a company.

> To put it as briefly as
>possible, the ADs demanded a key distribution mechanism
>_in addition_ to the basic authentication scheme.  This is
>in marked contrast to the situation with AH and ESP.  But
>_nobody_ claims that AH and ESP were insecure because they
>were standardized without key distribution.

You can't do AH or ESP without keys; the difference is that we had a 
story about where those keys could come from even before we had a key 
distribution mechanism.  The story was simple:  pre-arranged keys.
That only works for MobileIP if you can pre-arrange keys with every 
possible spot you'd ever roam to, which is quite at variance with the 
plans I'd heard for MobileIP.  The only path forward we heard was, in 
effect, the One True PKI; that's something that will not, can not, and 
should not exist ("should not" because it would be horribly destructive 
towards any form of Internet privacy).

>Bottom line: at this point in time, I am convinced
>that trying to use IPsec was my own worst mistake in the initial
>designs of Mobile IPv6

I won't argue that point; however, any form of cryptographic 
authentication would run into the same key distribution problem.
Very little of the issue had to do with the syntax or semantics of 
IPsec.  You were running afoul of a basic architectural issue.

Let me expand a bit more on why IPsec can work (on a small scale) 
without key distribution, and on why the models are fundamentally 
different.  If I want to talk "securely" to someone, I have to have 
some out-of-band way of knowing who they are.  Put in concrete terms, 
if Alice wants to talk to Bob, she needs to know that it's Bob she 
wants to reach and not, say, Carol.  If you don't know out-of-band the 
difference between Bob and Carol, there's no difference in whom you're 
talking to...  If you do know it's Bob, you have to have some way to 
verify that the party to whom you're talking really is Bob.  That can 
be via pre-arranged keys or by a key distribution mechanism *rooted in 
a common trust anchor*.  In other words, it's not the key distribution 
mechanism that's at issue, it's the out-of-band trust mechanism, and 
that's relatively easy for most uses of IPsec. 

With MobileIP, the mobile node and the home agent are trying to 
persuade random parts of the Internet infrastructure of assorted 
ownership and trust relationships.  But where's the trust anchor?


		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)
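
An added illustration of the argument above, not part of the original message: a verifier that only has pre-arranged keys can tell a genuine claim from a forged one when it already shares a key with the claimant, but has nothing to check against when the claimant is a stranger. The message format, the names `Peer`, `Verdict`, `tag` and `run_demo`, the addresses and the keys are all constructed for this sketch, and HMAC-SHA256 stands in for "any form of cryptographic authentication".

```python
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"                # MAC verified under a pre-arranged key
    BAD_MAC = "bad-mac"              # key known, MAC wrong: provably not the key holder
    NO_TRUST_PATH = "no-trust-path"  # no key for this claimant: nothing to verify against


def tag(key: bytes, home: str, care_of: str, seq: int) -> bytes:
    """HMAC-SHA256 over a constructed 'home address is now at care-of address' claim."""
    return hmac.new(key, f"{home}|{care_of}|{seq}".encode(), hashlib.sha256).digest()


class Peer:
    """A verifier whose only source of keys is out-of-band pre-arrangement."""

    def __init__(self, prearranged: dict[str, bytes]):
        self.keys = dict(prearranged)  # home address -> shared key

    def check(self, home: str, care_of: str, seq: int, mac: bytes) -> Verdict:
        key = self.keys.get(home)
        if key is None:
            return Verdict.NO_TRUST_PATH
        ok = hmac.compare_digest(tag(key, home, care_of, seq), mac)
        return Verdict.ACCEPT if ok else Verdict.BAD_MAC


def run_demo() -> dict[str, Verdict]:
    home = "2001:db8:1::10"                      # constructed addresses (documentation prefix)
    node_key = b"constructed-shared-key-0001"    # pre-arranged between node and home agent
    attacker_key = b"attacker-chosen-key"        # attacker never learns node_key
    home_agent = Peer({home: node_key})
    correspondent = Peer({})                     # a network the node was never introduced to

    genuine = ("2001:db8:2::99", 7, tag(node_key, home, "2001:db8:2::99", 7))
    forged = ("2001:db8:bad::1", 7, tag(attacker_key, home, "2001:db8:bad::1", 7))
    return {
        "home_agent_genuine": home_agent.check(home, *genuine),
        "home_agent_forged": home_agent.check(home, *forged),
        "correspondent_genuine": correspondent.check(home, *genuine),
        "correspondent_forged": correspondent.check(home, *forged),
    }


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case}: {verdict.value}")
```

The two `correspondent_*` results are identical: without a pre-arranged key or a common trust anchor, the genuine and forged claims are indistinguishable to that verifier.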



