Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-6lo-ap-nd-15: (with DISCUSS and COMMENT)
Benjamin Kaduk <kaduk@mit.edu> Wed, 05 February 2020 21:20 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: 6lo@ietfa.amsl.com
Delivered-To: 6lo@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 177711200A4; Wed, 5 Feb 2020 13:20:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l84fZZrMbkDR; Wed, 5 Feb 2020 13:20:22 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1EEF12011A; Wed, 5 Feb 2020 13:20:21 -0800 (PST)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 015LKFET010168 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 5 Feb 2020 16:20:17 -0500
Date: Wed, 05 Feb 2020 13:20:15 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-6lo-ap-nd@ietf.org" <draft-ietf-6lo-ap-nd@ietf.org>, "Shwetha Bhandari (shwethab)" <shwethab@cisco.com>, "6lo-chairs@ietf.org" <6lo-chairs@ietf.org>, "6lo@ietf.org" <6lo@ietf.org>
Message-ID: <20200205212015.GC84913@kduck.mit.edu>
References: <158051274858.21121.16988738930495243847.idtracker@ietfa.amsl.com> <MN2PR11MB3565552065F2F21DD481EEC3D8000@MN2PR11MB3565.namprd11.prod.outlook.com> <20200204030143.GB53329@kduck.mit.edu> <MN2PR11MB35658E5BA1A1DF2BBA232F2DD8030@MN2PR11MB3565.namprd11.prod.outlook.com> <MN2PR11MB3565284DDAB5F7D94CB2F039D8030@MN2PR11MB3565.namprd11.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <MN2PR11MB3565284DDAB5F7D94CB2F039D8030@MN2PR11MB3565.namprd11.prod.outlook.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/6lo/sRPAvfGU9BgrxkYBEmFSEjZPPHc>
Subject: Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-6lo-ap-nd-15: (with DISCUSS and COMMENT)
X-BeenThere: 6lo@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lo>, <mailto:6lo-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6lo/>
List-Post: <mailto:6lo@ietf.org>
List-Help: <mailto:6lo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lo>, <mailto:6lo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 Feb 2020 21:20:25 -0000
On Tue, Feb 04, 2020 at 02:22:23PM +0000, Pascal Thubert (pthubert) wrote: > This was truncated when I received the echo, retrying... It appears different here as well; interesting. I will remove a layer of quoting to make it easier for me to write a reply. > Hello Benjamin > > Whao, that was quick. Many thanks again! > > I got a comment on the change to BCP201 and looked it up. Seems there was > a confusion, BCP 201 is RFC 7696 not RFC 7748. So I rolled back the > overload. Did you expect something else? I think I did expect something else; I thought I wrote: % It's probably better to cite RFC 7696 as BCP 201 directly. I guess maybe there was a copy/paste glitch. > I'm publishing 17 for the delta below, we still have the 3 open points. Please > check the diffs at https://tools.ietf.org/rfcdiff?url2=draft-ietf-6lo-ap-nd- > 17.txt > > More below: > > > > Why do we need to allow ambiguity/flexibility as to the point > > representation > > > > within a given Crypto-Type value (as opposed to fixing the > > > > representation > > as a > > > > parameter of the Crypto-Type)? Alternately, what does > > "(un)compressed" > > > > mean, as it's not really clarified directly? Furthermore, Table 2 > > > > lists an "(un)compressed" representation for type 0 (over P-256), > > > > but RFC 7518 > > notes > > > > that the compressed representation is not supported for P-256 > > > > (Section 6.2.1.1). I also am not finding the needed codepoints > > > > registered in the > > JOSE > > > > registries to use ECDSA25519 (crypto-type 2) -- do we need to > > > > register anything there? > > > > > > Let us take this one separately in a thread with the co authors > > I keep this item in the thread, to track that it's progressing separately > > > > > Clarifying questions: > > > - This spec is authoritative for listing the elliptic curves and the > > > hash > > functions that it supports, correct? > > > - The registry is authoritative for the setting of values, which may > > > change if > > this draft is obsoleted, is that your point? > > > > I think we have different interpretations. > > I was assuming (based more on general practices than the specific text > > in this document, to be clear) that the idea is that new Crypto-Types > > could be specified and added to the registry, and implementations > > incorporate them, without needing to revise or update this > > specification: the registered Crypto-Type would contain all the > > information needed to integrate with the mechanisms specified here. > > In that mindset, any list of algorithms in this document becomes out > > of date once the first additional Crypto-Type is registered, and the > > question of what algorithms the specification supports is more open-ended > than just the literal words on the page. > > Makes sense to me > > > > > From there I'm unsure what to do. The goal is to keep the focus on > > > the bill > > of material of what needs to be implemented. > > > If that helps I can add (values to be confirmed by IANA) as follows? > > > > > > " The elliptic curves and the hash functions that can be used with this > > > specification are listed in Table 2 in Section 8.3. The signature > > > scheme that specifies which combination is used is signaled by a > > > Crypto-Type (values to be confirmed by IANA) in a new IPv6 ND Crypto- > > > ID Parameters Option (CIPO, see Section 4.3) that contains the > > > parameters that are necessary for the proof, a Nonce option > > > ([RFC3971]) and a NDP Signature option (Section 4.4). > > > " > > > > To make a more concrete question: suppose I wanted to use > SHAKE256/256 > > as a hash function paired with ECDSA on curve25519. What would need > > to happen to enable that? The text above implies that, since > > SHAKE256/256 is not listed in the table, it's not allowed for use with > > this specification, and thus that I'd need to Update this > > specification in order to allow its use. > > The registry has "Specification Required" or "IESG Approval". The "IESG > Approval" path is for the case where the IES approves using the new hash > with the draft as is. > So yes, the spirit is that if the IESG determines that your case can happen > without a change in the spec, the registry could be extended and the spec > applied. > In that context, how does the following work: > > " > The elliptic curves and the hash functions listed in Table 2 in > Section 8.3 can be used with this specification; more may be added in > the future to the IANA registry. The signature scheme that specifies > which combination is used (including the curve and the representation > conventions) is signaled by a Crypto-Type in a new IPv6 ND Crypto-ID > Parameters Option (CIPO, see Section 4.3) that contains the > parameters that are necessary for the proof, a Nonce option > ([RFC3971]) and a NDP Signature option (Section 4.4). The NA(EARO) > is modified to enable a challenge and transport a Nonce option. > " > > Note that this incorporate text to cover the discussion between Rene and Jim > that different representation conventions imply different crypto-ids and > cannot reuse the same keypair Understood; this looks good. > > > > > > > > > Section 4.1 > > > > > > > > The Crypto-ID is derived from the public key and a modifier as > > > > follows: > > > > > > > > 1. The hash function indicated by the Crypto-Type is applied to the > > > > CIPO. Note that all the reserved and padding bits MUST be set to > > > > zero. > > > > 2. The leftmost bits of the resulting hash, up to the size of the > > > > ROVR field, are used as the Crypto-ID. > > > > > > > > This construction seems to allow for some malleability, in that an > > attacker who > > > > observes a given Crypto-ID and CIPO could produce a related, > > > > valid, > > Crypto-ID > > > > by reducing the ROVR length and truncating what was received. I > > > > haven't attempted to explore what (if any) potential consequences > > > > there are of > > such > > > > malleability, and would like to know if anyone else has already done so. > > It > > > > looks like the NDPSO construction includes the length of the > > > > Crypto-ID, > > so it > > > > would be hard for an attacker to do much with such a truncated > > > > Crypto- > > ID, but > > > > attacks only get better... > > > > > > The point is that the Crypto-ID remains in the 6LBR is its original > > > form, size > > and value. A shorted Crypto-ID is a different Crypto-ID even if bits match. > > Truncated per se does not help vs. any other change. > > > Also, the attacker would have to be on path of the initial > > > registration. If > > that is so, and it wants to update the ROVR, it can do that a lot more. > > > Now, the crypto-ID dictates the size of the ROVR not the other way > > around, so I fixed: > > > " > > > The leftmost bits of the resulting hash, up to the desired size, are > > > used as > > the Crypto-ID. > > > " > > > Anything else I should consider doing? > > > > The only other thing I would *consider* doing (which is not to say > > that it's clear it should be done) is to include the desired size as > > input to the hash. But I don't have any specific reason to do that or > > attack that would be stymied by doing so. > > > > With RFC 8505 the 6LN decides the parameters of the registration without an > indication from the router. So at the moment I cannot figure how to do that > apart from config. We are missing a mechanism to signal the expected > format of the ROVR and other parameters such as recommended lifetimes > for types of addresses, etc..., in the RA messages. That's also in the long > term plan and I'm considering whether to do that at 6lo or 6MAN. 6MAN > would be better but it is slow/reluctant to adopt RFC 8505 for general > purpose. I was just thinking a field in the CIPO to indicate the length to truncate the hash output at, which would still be chosen by the 6LN. Which I see you already did per below; great :) > > > > The implementation of multiple hash functions in a constrained > > > > devices may consume excessive amounts of program memory. > > > > > > > > But multiple signature algorithm implementations will not? > > > > > > draft-ietf-lwig-curve-representations discussed in the next section > > > enables > > to factorize code, if I understand well. > > > But to your point, what about the following clarification: > > > > > > " > > > The implementation of multiple hash functions in a constrained > > > devices may consume excessive amounts of program memory. This > > > specification enables the use of SHA-256 [RFC6234] for all the > > > supported ECC curves. > > > > Hmm, but Table 2 lists SHA-512 (not SHA-256) for crypto-type 1 (though > > I guess type 2 is SHA-256 on the same curve). > > Yes, I understand that type 2 is less classical but enables the reuse of the SHA > 256 hash. > I defer to Rene on this. I was just commenting about "enables the use of SHA-256" since it also allows other hashes. But the words as written are true, so I have no real objection. > > > Per your comment we recommend 128 bits minimum. Keeping it at 64 > > > bits > > was not the intention. > > > Not sure why you meant by sibling; the text would become > > > > > > " > > > As opposed to the RSA Signature Option (RSAO) defined in section 5.2. > > > of SEND [RFC3971], the NDPSO does not have a key hash field. > > > Instead, the leftmost 128 bits of the ROVR field in the EARO are used > > > to retrieve the CIPO that contains the key material used for signature > > > verification, left-padded if needed. > > > > > > " > > > > I think "sibling" was intended to be the case when the EARO and the > > CIPO appear in the same NS as "sibling options" within the NS. > > (Though as you note the CIPO could have been previously received in a > > different message.) This text is probably okay, though I guess the > > reader has to know that there's an EARO associated with the NDPSO. > > > > You right, does not hurt to be more specific. In section 4.4: > > " > An ND message that carries an NDPSO MUST have one and only one EARO. > The EARO MUST contain a Crypto-ID in the ROVR field, and the Crypto- > ID MUST be associated with the keypair used for the Digital Signature > in the NDPSO. > > " Thanks! > > > > > > > > > The 6LR on receiving the NDPSO and CIPO options first regenerates > the > > > > Crypto-ID based on the CIPO option to make sure that the leftmost > > > > bits up to the size of the ROVR match. If and only if the > > > > check is > > > > > > > > In the vein of my previous questions about where the Crypto-ID > > > > appears > > and > > > > truncation/malleability, this text seems to leave some room for > > confusion > > > > about how many bits of output are being compared, and compared to > > what. > > > > > > I'm unsure what you mean here. Based on my response above, can you > > please reopen is needed, with some clarification? > > > > I was trying to get at how the NDPSO includes the Crypto-ID length in > > the signed data, but the 6LR has to determine what length to use from > > the length of the ROVR in the NS. This is in general not terribly > > interesting since an on-path attacker could change "anything" that > > would be input to the signature validation, but seemed a little more > > interesting to me because of the way that an attacker could truncate > > the Crypto-ID, and the truncation would not be directly detectable in > > the EARO/ROVR but would only be detected during signature validation. > > That is, the 6LR would replicate the Crypto-ID calculation from the > > CIPO, and the Crypto-ID would *appear* to match up, but the signature > > in the NDPSO would fail to validate. I have in general a preference > > to make the reason for failure apparent closer to the error, if > > possible, but in this specific case the system as a whole seems to > > work okay even though the error is detected "one step later" than it > > could be. (Adding the target output length into the hash input for > > Crypto-ID calculation as I mentioned above as an option would make > > this error detected at the first possible point, when validating the > > Crypto-ID > > calculation.) > > This could be achieved by placing the length of the ROVR in the CIPO. Making > this change. > We already had the ROVR size in the signature. Note that in the signature the > format of that size is not given. Would need 2 bytes if expressed in bytes. > I'd reword to use the option length of the EARO, which is expressed in units > of 8 bytes and is stored in one octet. > Works? > > This leads to sparse changes, but mostly: > > > > > " > > > The signature generated by the 6LN to provide proof-of-ownership of > the private-key is carried in the NDP Signature Option (NDPSO). It > is generated by the 6LN in a fashion that depends on the Crypto-Type > (see Table 2 in Section 8.3) chosen by the 6LN as follows: > > * Concatenate the following in the order listed: > > 1. The 128-bit Message Type tag [RFC3972] (in network byte order). > For this specification the tag is 0x8701 55c8 0cca dd32 6ab7 e415 > f148 84d0. (The tag value has been generated by the editor of > this specification on random.org). > > <snip> > > 6. 1-byte Option Length of the EARO containing the Crypto-ID. I think just having this length in the CIPO suffices; we would not necessarily need to also include it in the signature input separtaely. (But it does no harm to do so.) > 7. 1-byte Crypto-Type value sent in the CIPO. > > <snap> > > The 6LR on receiving the NDPSO and CIPO options first checks that the > EARO Length in the CIPO matches the length of the EARO. If so it > regenerates the Crypto-ID based on the CIPO to make sure that the > leftmost bits up to the size of the ROVR match. > > If and only if the check is successful, it tries to verify the > signature in the NDPSO option using the following: > > * Concatenate the following in the order listed: > > 1. 128-bit type tag (in network byte order) > > <snoop> > > 6. 1-byte EARO Length received in the CIPO. > 7. 1-byte Crypto-Type value received in the CIPO. > > " > > > > > > > Perhaps it goes without saying (as part of DAD), but the 6LBR has to > > consult its database of ROVR/IP address to determine what response to > > give in the DAC. Part of my question above was about what state the > > 6LBR needs and what verification the 6LBR does as part of the process > > -- am I correct that it's just checking whether (1) the requested > > address is already registered and (if so) (2) that the ROVR in the > > EARO matches the one registered with the requested address? > > Yes, per RFC 8505, inherited from RFC 6775. I'd say that DAD expressed as > you did is the core function of RFC 6775. > This draft does not really change the 6LBR, just adds the capability to > stimulate a revalidation by the 6LR. It sounds like it does go without saying :) Thanks for confirming. > > > > > > > All together we get: > > > " > > > Replay Attacks Using Nonces (NonceLR and NonceLN) generated by > both > > > the 6LR and 6LN ensure a contributory behavior that provides an > > > efficient protection against replay attacks of the challenge/ > > > response flow. A nonce should never repeat for a same key. The > > > protection depends on the quality of the Nonce computation, e.g., > > > of a random number generator when used to compute the Nonce. > > > " > > > > I'd consider "A nonce should never repeat for a single key, but nonces > > do not need to be unpredictable for secure operation". > > > Which leads to: > " > > Replay Attacks A nonce should never repeat for a single key, but > nonces do not need to be unpredictable for secure operation. > Using nonces (NonceLR and NonceLN) generated by both the 6LR and > 6LN ensure a contributory behavior that provides an efficient > protection against replay attacks of the challenge/response flow. > The quality of the protection by a random nonce depends on the > random number generator and its parameters (e.g., sense of time). > " > > > > > > > > Twisted the text to > > > " > > > With this specification the 6LN can freely form its IPv6 address(es) > > > in any fashion, thereby enabling either 6LoWPAN compression for IPv6 > > > addresses that are derived from Layer-2 addresses, or temporary > > > addresses, e.g., formed pseudo-randomly and released in relatively > > > short cycles for privacy reasons [RFC8064][RFC8065], that cannot be > > > compressed. > > > > > > " > > > > This text is good. I would suggest changing the Section-1 text, > > though, as the current "requires a device [...] to enable a better > > compression" reads as if the requirement is always present, and that > > the reason for the requirement is to get the compression; instead, the > > situation is (IIUC) that in order to get that compression, the node is > > required to choose its address based on the L2 address. > > > Which gives > > " > With the 6lo adaptation layer in [RFC4944] and [RFC6282], a 6LN can > obtain a better compression for an IPv6 address with an Interface ID > (IID) that is derived from a Layer-2 address. As a side note, this > is incompatible with Secure Neighbor Discovery (SeND) [RFC3971] and > Cryptographically Generated Addresses (CGAs) [RFC3972], since they > derive the IID from cryptographic keys, whereas this specification > separates the IID and the key material. > " > > > > > > > > Text in the main spec has > > > " > > > The assumption is that the 6LR and the 6LBR maintain a security > > association, so there is no need to propagate the proof of ownership > > to the 6LBR. > > > " > > > But I'm not aware of people using anything beyond Layer-2 security. > > > The > > EDAR/EDAC are unicast ICMPv6 messages; what would be your > > recommendation to protect them at L3? > > > > At L3? I don't know of much other than IPsec (or some tunneling solution). > > But by "details" I meant more about whether confidentiality protection > > is required or "merely" integrity protection and source-authentication. > > In this case the merely is enough. The EDAR has the ROVR and the registered > address. Those will appear later in ND flows anyway. > In the main text, : > > " > The assumption is that the 6LR and the 6LBR maintain a security > association to authenticate and protect the integrity of the EDAR and > EDAC messages, so there is no need to propagate the proof of > ownership to the 6LBR. The 6LBR implicitly trusts that the 6LR > performs the verification when the 6LBR requires it, and if there is > no further exchange from the 6LR to remove the state, that the > verification succeeded. > " Thanks! -Ben
- [6lo] Benjamin Kaduk's Discuss on draft-ietf-6lo-… Benjamin Kaduk via Datatracker
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Pascal Thubert (pthubert)
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Rene Struik
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Pascal Thubert (pthubert)
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Pascal Thubert (pthubert)
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Pascal Thubert (pthubert)
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Pascal Thubert (pthubert)
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Pascal Thubert (pthubert)
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Pascal Thubert (pthubert)
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Pascal Thubert (pthubert)
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Pascal Thubert (pthubert)
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Pascal Thubert (pthubert)
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Pascal Thubert (pthubert)
- Re: [6lo] Benjamin Kaduk's Discuss on draft-ietf-… Benjamin Kaduk