Re: why is SA lifetime kilobyte limit disabled in racoon?

[Steven Bellovin <smb%cs.columbia.edu@localhost>]

On May 23, 2011, at 4:26 05PM, Matthias Drochner wrote:

> 
> smb%cs.columbia.edu@localhost said:
>>> At least it
>>> would be a help to fingerprint the OS or estimate uptime.
>> Depends on how you pick the starting point.
> 
> OK, not for the fingerprint -- the mere fact that there is a simple
> counter tells something about the OS and perhaps the byteorder.
> But there is another argument for a random start value which is
> to protect those who don't read manuals and use the cipher
> with a static key. Hope that they don't reboot that often that
> birthday paradox strikes again:-)

That's why I really dislike counter mode -- it's too easy to make a
serious mistake with it...
> 
>> But you've given another reason why they don't specify it: having
>> one counter per system, rather than one per SA, is perfectly acceptable
>> if you rekey at the right time.
> 
> Actually, the reason that I didn't suggest a per-system counter
> wasn't that I'm concerned about overflow.
> One is that for an API which accomodates everyone (including the
> paranoid), some per-SA state will be needed anyway. I'm more
> concerned about a sustaining API, and like to leave crypto
> things to those who know more.
> And the other is that a global counter would not only leak information
> about the system as such but also about the activity of other ipsec
> connections. I can't imagine that this would be acceptable for eg a
> corporate tunnel endpoint.

Sorry, I misinterpreted your comment -- you had spoken about a new API
for per-SA state, so I assumed you meant instead of the current global
state.

                --Steve Bellovin, https://www.cs.columbia.edu/~smb