I've posted what I hope is a final draft of the tcpcrypt spec, at the
usual place:

        https://datatracker.ietf.org/doc/draft-ietf-tcpinc-tcpcrypt/

The main open issue was the length of the resumption nonce, and the
concern that recommending 4 bytes was not a good length, so we have
increased it to 8 for cases where 0 is not safe.  Here is the particular
paragraph to focus on:

   The resumption nonce MUST have a minimum length of zero bytes and
   maximum length of eight bytes.  The value MUST be chosen randomly or
   using a mechanism that guarantees uniqueness even in the face of
   virtual machine cloning or other re-execution of the same session.
   An attacker who can force either side of a connection to reuse a
   session secret with the same nonce will completely break the security
   of tcpcrypt.  Reuse of session secrets is possible in the event of
   virtual machine cloning or reuse of system-level hibernation state.
   Implementations SHOULD provide an API through which to set the
   resumption nonce length, and MUST default to eight bytes if they
   cannot prohibit the reuse of session secrets.

David

_______________________________________________
Tcpinc mailing list
Tcpinc@ietf.org
https://www.ietf.org/mailman/listinfo/tcpinc
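The paragraph quoted above makes two operational points: a zero-length nonce is only safe when the implementation can guarantee a session secret is never reused, and a nonce that is merely unique in one run (a counter, say) does not help once a VM image or hibernation state is restored twice. The following Python is an added illustration of that, not code from the draft or from David's message. The key derivation (HMAC-SHA256 over a label and the nonce), the function names, and the constructed SESSION_SECRET are assumptions made for the example; they are not tcpcrypt's actual constructions.

```python
import hashlib
import hmac
import os

MAX_NONCE_LEN = 8  # draft maximum, and the required default when secret reuse cannot be ruled out

# Constructed sample session secret for the simulation below (not a real tcpcrypt value).
SESSION_SECRET = bytes.fromhex("5d41402abc4b2a76b9719d911017c592" * 2)


class ResumptionNonceError(ValueError):
    """Raised when a requested nonce length is outside the draft's 0..8 byte range."""


def make_resumption_nonce(length: int = MAX_NONCE_LEN) -> bytes:
    """Return a fresh random resumption nonce of `length` bytes.

    Length 0 is permitted by the draft but is only safe when the implementation
    can prohibit reuse of the session secret (no VM cloning, no restored
    hibernation state). Callers that cannot guarantee that should keep the
    8-byte default.
    """
    if not 0 <= length <= MAX_NONCE_LEN:
        raise ResumptionNonceError(
            f"resumption nonce length must be 0..{MAX_NONCE_LEN} bytes, got {length}")
    return os.urandom(length)


def counter_nonce(counter: int, length: int = MAX_NONCE_LEN) -> bytes:
    """Encode a per-session counter as a big-endian nonce of `length` bytes.

    A counter is unique within one execution of the session, but two clones
    restored from the same checkpoint resume from the same counter value, which
    is exactly the reuse the draft warns about.
    """
    if not 0 <= length <= MAX_NONCE_LEN:
        raise ResumptionNonceError(
            f"resumption nonce length must be 0..{MAX_NONCE_LEN} bytes, got {length}")
    return counter.to_bytes(length, "big")  # raises OverflowError if the counter no longer fits


def derive_resumption_keys(session_secret: bytes, nonce: bytes) -> bytes:
    """Hypothetical resumption key derivation used for this illustration only.

    HMAC-SHA256 keyed by the session secret over a label plus the nonce. The
    point it models is the one that matters here: the same (secret, nonce) pair
    always yields the same keys, so the nonce is the only thing separating two
    resumptions of the same secret.
    """
    return hmac.new(session_secret, b"tcpcrypt-resume-example" + nonce, hashlib.sha256).digest()


def resume_from_clones(session_secret: bytes, nonce_len: int,
                       strategy: str = "random", clones: int = 2,
                       checkpoint_counter: int = 0) -> int:
    """Simulate `clones` VM images restored from one checkpoint, each resuming once.

    Every clone holds the same session secret and, for the counter strategy, the
    same counter state. Returns the number of distinct resumption keys derived;
    anything below `clones` means at least two clones reused a (secret, nonce)
    pair, the condition the draft says completely breaks tcpcrypt's security.
    """
    keys = set()
    for _ in range(clones):
        if strategy == "counter":
            nonce = counter_nonce(checkpoint_counter, nonce_len)
        elif strategy == "random":
            nonce = make_resumption_nonce(nonce_len)
        else:
            raise ValueError(f"unknown nonce strategy: {strategy!r}")
        keys.add(derive_resumption_keys(session_secret, nonce))
    return len(keys)


if __name__ == "__main__":
    # Zero-length nonce: both clones derive identical keys regardless of strategy.
    print("0-byte nonce, distinct keys:", resume_from_clones(SESSION_SECRET, 0))
    # Counter nonce: unique within a run, but clones restart from the same counter.
    print("8-byte counter nonce, distinct keys:",
          resume_from_clones(SESSION_SECRET, 8, strategy="counter"))
    # 8 random bytes: each clone draws its own nonce, so the keys differ.
    print("8-byte random nonce, distinct keys:", resume_from_clones(SESSION_SECRET, 8))
```

Run as a script, the first two simulations report a single distinct key (secret reuse with the same nonce), while the random 8-byte nonce reports one key per clone. The 8-byte random case can in principle collide with probability about 2^-64 per pair, which is the margin the increase from 4 to 8 bytes buys; a 4-byte nonce would put a birthday collision within reach after a few tens of thousands of resumptions.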