[secnet] / NOTES

#* Design of new, multi-subnet secnet protocol

Like the first version, we're tunnelling IP packets inside UDP
packets. To defeat various restrictions which may be imposed on us by
network providers (like the prohibition of incoming TCP connections)
we're sticking with UDP for everything this time, including key setup.

Other new features include being able to deal with subnets hidden
behind changing 'real' IP addresses, and the ability to choose
algorithms and keys per pair of communicating sites.

** Configuration and structure

The network is made up from a number of 'sites'. These are collections
of machines with private IP addresses. The new secnet code runs on
machines which have interfaces on the private site network and some
way of accessing the 'real' internet.

Each end of a tunnel is identified by a name. Often it will be
convenient for every gateway machine to use the same name for each
tunnel endpoint, but this is not vital. Individual tunnels are
identified by their two endpoint names.


The configuration is held in memory as a data structure as follows:

The root is a Dictionary. Dictionaries hold (key,value) pairs. Keys
are atoms. Values are lists, dictionaries or closures. Lists can hold
the following types: string, number.

Closures cannot be constructed directly; they are added to the
'default' dictionary before the configuration file is read. Invocation
of a closure can return any type of value.


Configuration file format: the file describes a dictionary.

key value;

value is item[,item...]

item can be "string", number, path (looks up in dictionary),
{dictionary}, value(value), value{dictionary}.  If item is a list it
is copied into the list - we can't have lists of lists.

A path is [/]key[\[index\]][/key[\[index\]]...], defining a lookup
from the current dictionary (or parents) or the root. If a key refers
to a list of more than one item then an index number (base 0) in
square brackets can be used to specify the list item number.

Items of the form value1(value2) invoke executable value1 with an
argument of value2. The return value can be a string or dictionary,
but not a list. (Invocation happens after the entire configuration
file has been read.)

Items of the form value{dict} invoke executable value with an argument
of a single-element list, containing dict. It's just syntactic sugar
for value({dict}).


When a key is used (rather than defined) it is looked up in the
current dictionary, and if it isn't found it is looked up in the
(lexical) parent, until the root is reached. 


What sorts of crypto-related things do we need to define?

sources of randomness
block algorithms
block cipher modes?
hash functions
padding functions
public key signature algorithms
public key crypto key stores
key setup algorithms


** Protocols

*** Protocol environment:

Each gateway machine serves a particular, well-known set of private IP
addresses (i.e. the agreement over which addresses it serves is
outside the scope of this discussion). Each gateway machine has an IP
address on the interconnecting network (usually the Internet), which
may be dynamically allocated and may change at any point.

Each gateway knows the RSA public keys of the other gateways with
which it wishes to communicate. The mechanism by which this happens is
outside the scope of this discussion. There exists a means by which
each gateway can look up the probable IP address of any other.

*** Protocol goals:

The ultimate goal of the protocol is for the originating gateway
machine to be able to forward packets from its section of the private
network to the appropriate gateway machine for the destination
machine, in such a way that it can be sure that the packets are being
sent to the correct destination machine, the destination machine can
be sure that the source of the packets is the originating gateway
machine, and the contents of the packets cannot be understood other
than by the two communicating gateways.

XXX not sure about the address-change stuff; leave it out of the first
version of the protocol. From experience, IP addresses seem to be
quite stable so the feature doesn't gain us much.

**** Protocol sub-goal 1: establish a shared key

Definitions:

A is the originating gateway machine
B is the destination gateway machine
PK_A is the public RSA key of A
PK_B is the public RSA key of B
PK_A^-1 is the private RSA key of A
PK_B^-1 is the private RSA key of B
x is the fresh private DH key of A
y is the fresh private DH key of B
k is g^xy mod m
g and m are generator and modulus for Diffie-Hellman
nA is a nonce generated by A
nB is a nonce generated by B
iA is an index generated by A, to be used in packets sent from B to A
iB is an index generated by B, to be used in packets sent from A to B
i? is appropriate index for receiver

Note that 'i' may be re-used from one session to the next, whereas 'n'
is always fresh.

Messages:

1) A->B: *,iA,msg1,A,B,nA

2) B->A: iA,iB,msg2,B,A,nB,nA

(The order of B and A reverses in alternate messages so that the same
code can be used to construct them...)

3) A->B: {iB,iA,msg3,A,B,nA,nB,g^x mod m}_PK_A^-1

If message 1 was a replay then A will not generate message 3, because
it doesn't recognise nA.

If message 2 was from an attacker then B will not generate message 4,
because it doesn't recognise nB.

4) B->A: {iA,iB,msg4,B,A,nB,nA,g^y mod m}_PK_B^-1

At this point, A and B share a key, k. B must keep retransmitting
message 4 until it receives a packet encrypted using key k.

5) A: iB,iA,msg5,(ping/msg5)_k

6) B: iA,iB,msg6,(pong/msg6)_k

(Note that these are encrypted using the same transform that's used
for normal traffic, so they include sequence number, MAC, etc.)

The ping and pong messages can be used by either end of the tunnel at
any time, but using msg0 as the unencrypted message type indicator.

**** Protocol sub-goal 2: end the use of a shared key

7) i?,i?,msg0,(end-session/msg7,A,B)_k

This message can be sent by either party. Once sent, k can be
forgotten. Once received and checked, k can be forgotten. No need to
retransmit or confirm reception. It is suggested that this message be
sent when a key times out, or the tunnel is forcibly terminated for
some reason.

8) i?,i?,NAK/msg8

If the link-layer can't work out what to do with a packet (session has
gone away, etc.) it can transmit a NAK back to the sender.  The sender
can then try to verify whether the session is alive by sending ping
packets, and forget the key if it isn't. Potential denial-of-service
if the attacker can stop the ping/pong packets getting through (the
key will be forgotten and another key setup must take place), but if
they can delete packets then we've lost anyway...

The attacker can of course forge NAKs since they aren't protected. But
if they can only forge packets then they won't be able to stop the
ping/pong working. Trust in NAKs can be rate-limited...

Alternative idea: if you receive a packet you can't decode, because
there's no key established, then initiate key setup...

**** Protocol sub-goal 3: send a packet

9) i?,i?,msg0,(send-packet/msg9,packet)_k
Commit	Line	Data
2fe58dfd SE	1	#* Design of new, multi-subnet secnet protocol
	2
	3	Like the first version, we're tunnelling IP packets inside UDP
	4	packets. To defeat various restrictions which may be imposed on us by
	5	network providers (like the prohibition of incoming TCP connections)
	6	we're sticking with UDP for everything this time, including key setup.
	7
	8	Other new features include being able to deal with subnets hidden
	9	behind changing 'real' IP addresses, and the ability to choose
	10	algorithms and keys per pair of communicating sites.
	11
	12	** Configuration and structure
	13
	14	The network is made up from a number of 'sites'. These are collections
	15	of machines with private IP addresses. The new secnet code runs on
	16	machines which have interfaces on the private site network and some
	17	way of accessing the 'real' internet.
	18
	19	Each end of a tunnel is identified by a name. Often it will be
	20	convenient for every gateway machine to use the same name for each
	21	tunnel endpoint, but this is not vital. Individual tunnels are
	22	identified by their two endpoint names.
	23
	24
	25	The configuration is held in memory as a data structure as follows:
	26
	27	The root is a Dictionary. Dictionaries hold (key,value) pairs. Keys
	28	are atoms. Values are lists, dictionaries or closures. Lists can hold
	29	the following types: string, number.
	30
	31	Closures cannot be constructed directly; they are added to the
	32	'default' dictionary before the configuration file is read. Invocation
	33	of a closure can return any type of value.
	34
	35
	36	Configuration file format: the file describes a dictionary.
	37
	38	key value;
	39
	40	value is item[,item...]
	41
	42	item can be "string", number, path (looks up in dictionary),
	43	{dictionary}, value(value), value{dictionary}. If item is a list it
	44	is copied into the list - we can't have lists of lists.
	45
	46	A path is [/]key[\[index\]][/key[\[index\]]...], defining a lookup
	47	from the current dictionary (or parents) or the root. If a key refers
	48	to a list of more than one item then an index number (base 0) in
	49	square brackets can be used to specify the list item number.
	50
	51	Items of the form value1(value2) invoke executable value1 with an
	52	argument of value2. The return value can be a string or dictionary,
	53	but not a list. (Invocation happens after the entire configuration
	54	file has been read.)
	55
	56	Items of the form value{dict} invoke executable value with an argument
	57	of a single-element list, containing dict. It's just syntactic sugar
	58	for value({dict}).
	59
	60
	61	When a key is used (rather than defined) it is looked up in the
	62	current dictionary, and if it isn't found it is looked up in the
	63	(lexical) parent, until the root is reached.
	64
65
66
67
68	What sorts of crypto-related things do we need to define?
69
70	sources of randomness
71	block algorithms
72	block cipher modes?
73	hash functions
74	padding functions
75	public key signature algorithms
76	public key crypto key stores
77	key setup algorithms
78
79
80	** Protocols
81
82	*** Protocol environment:
83
84	Each gateway machine serves a particular, well-known set of private IP
85	addresses (i.e. the agreement over which addresses it serves is
86	outside the scope of this discussion). Each gateway machine has an IP
87	address on the interconnecting network (usually the Internet), which
88	may be dynamically allocated and may change at any point.
89
90	Each gateway knows the RSA public keys of the other gateways with
91	which it wishes to communicate. The mechanism by which this happens is
92	outside the scope of this discussion. There exists a means by which
93	each gateway can look up the probable IP address of any other.
94
95	*** Protocol goals:
96
97	The ultimate goal of the protocol is for the originating gateway
98	machine to be able to forward packets from its section of the private
99	network to the appropriate gateway machine for the destination
100	machine, in such a way that it can be sure that the packets are being
101	sent to the correct destination machine, the destination machine can
102	be sure that the source of the packets is the originating gateway
103	machine, and the contents of the packets cannot be understood other
104	than by the two communicating gateways.
105
106	XXX not sure about the address-change stuff; leave it out of the first
107	version of the protocol. From experience, IP addresses seem to be
108	quite stable so the feature doesn't gain us much.
109
110	**** Protocol sub-goal 1: establish a shared key
111
112	Definitions:
113
114	A is the originating gateway machine
115	B is the destination gateway machine
116	PK_A is the public RSA key of A
117	PK_B is the public RSA key of B
118	PK_A^-1 is the private RSA key of A
119	PK_B^-1 is the private RSA key of B
120	x is the fresh private DH key of A
121	y is the fresh private DH key of B
122	k is g^xy mod m
123	g and m are generator and modulus for Diffie-Hellman
124	nA is a nonce generated by A
125	nB is a nonce generated by B
126	iA is an index generated by A, to be used in packets sent from B to A
127	iB is an index generated by B, to be used in packets sent from A to B
128	i? is appropriate index for receiver
129
130	Note that 'i' may be re-used from one session to the next, whereas 'n'
131	is always fresh.
132
133	Messages:
134
135	1) A->B: *,iA,msg1,A,B,nA
136
137	2) B->A: iA,iB,msg2,B,A,nB,nA
138
139	(The order of B and A reverses in alternate messages so that the same
140	code can be used to construct them...)
141
142	3) A->B: {iB,iA,msg3,A,B,nA,nB,g^x mod m}_PK_A^-1
143
144	If message 1 was a replay then A will not generate message 3, because
145	it doesn't recognise nA.
146
147	If message 2 was from an attacker then B will not generate message 4,
148	because it doesn't recognise nB.
149
150	4) B->A: {iA,iB,msg4,B,A,nB,nA,g^y mod m}_PK_B^-1
151
152	At this point, A and B share a key, k. B must keep retransmitting
153	message 4 until it receives a packet encrypted using key k.
154
155	5) A: iB,iA,msg5,(ping/msg5)_k
156
157	6) B: iA,iB,msg6,(pong/msg6)_k
158
159	(Note that these are encrypted using the same transform that's used
160	for normal traffic, so they include sequence number, MAC, etc.)
161
162	The ping and pong messages can be used by either end of the tunnel at
163	any time, but using msg0 as the unencrypted message type indicator.
164
165	**** Protocol sub-goal 2: end the use of a shared key
166
167	7) i?,i?,msg0,(end-session/msg7,A,B)_k
168
169	This message can be sent by either party. Once sent, k can be
170	forgotten. Once received and checked, k can be forgotten. No need to
171	retransmit or confirm reception. It is suggested that this message be
172	sent when a key times out, or the tunnel is forcibly terminated for
173	some reason.
174
175	8) i?,i?,NAK/msg8
176
177	If the link-layer can't work out what to do with a packet (session has
178	gone away, etc.) it can transmit a NAK back to the sender. The sender
179	can then try to verify whether the session is alive by sending ping
180	packets, and forget the key if it isn't. Potential denial-of-service
181	if the attacker can stop the ping/pong packets getting through (the
182	key will be forgotten and another key setup must take place), but if
183	they can delete packets then we've lost anyway...
184
185	The attacker can of course forge NAKs since they aren't protected. But
186	if they can only forge packets then they won't be able to stop the
187	ping/pong working. Trust in NAKs can be rate-limited...
188
189	Alternative idea: if you receive a packet you can't decode, because
190	there's no key established, then initiate key setup...
191
192	**** Protocol sub-goal 3: send a packet
193
194	9) i?,i?,msg0,(send-packet/msg9,packet)_k