Re: [Anima-bootstrap] anima-bootstrap: Bootstrap proxy discovery options

"Toerless Eckert (eckert)" <eckert@cisco.com> Wed, 09 December 2015 19:23 UTC


Alice never knows until later.

a) Let's assume we're talking about announcements by Bob/Eve to connect to their ACP.

   Minimally, Alice has no idea whom it wants to connect to. So it simply starts
   let's say DTLS to Bob and Eve. Alice will then figure out whether Bob and/or
   Eve have domain certs for the same domain Alice is in. If not, Alice (or Bob/Eve)
   will drop the DTLS connection.

   We could try to optimize by announcing Bob/Eve's domain certs into the
   discovery messages. This would save some unnecessary connection attempts by
   Alice. No strong opinions.

b) Let's assume we're talking about announcements by Bob/Eve to be enrollment proxies.

   So now Alice is not in a domain and will set up ESP "randomly" to Bob and/or Eve.

   If we do not have a MASA, then Alice is really at the mercy of
   the guy who plugs Alice's cable into some network connection.
   "Do not plug into an untrusty socket".

   Aka: Alice tries EST to Bob. Bob proxies to Bob's domain registrar which
   checks Alice's serial number and decides that Alice does not belong to Bob's domain.

   Alice continues on to build EST to Eve, and may get accepted into the domain there.

   Aka: Both Bob and Eve belong to friendly domains only accepting devices
   they know they own.

   If we do have a MASA, Alice can feel more secure. So it connects to Eve,
   and Eve's domain registrar wants to have Alice - even though Alice doesn't belong
   to Eve's domain, but Eve is evil in this case. Alice will only accept enrollment
   when Eve is producing to Alice a ticket from the MASA stating that Alice belongs
   to Alice's domain. And Alice trusts this ticket because it ultimately came from
   a MASA that must belong to Alice's manufacturer. And ensures that the manufacturer
   is at least logging that Eve's domain/registrar is claiming to own Alice.

   I can't see how Bob/Eve announcing their certs here would help Alice at all
   before establishing the EST connection.

Cheers
    Toerless


   Mr. Carpenter wanted to have the insecure enrollment option without MASA
   (and eg: Cisco's autonomic solution also does this, so inse)like alsoeg: cisco customers in our c(and Cisco customers) wanted to have the
   
   These announcements could contain Bob/Eve's domain certificates.

   Alice can now quickly validate that it wants to connect Bob
If this is not for bootstrap but announcements to connect ACP,
then
So, if this was an announceme
Irr
So, if this is
Alice would not know. Alice would (randomly) build 
On Thu, Dec 10, 2015 at 07:59:33AM +1300, Brian E Carpenter wrote:
> On 10/12/2015 02:12, Toerless Eckert (eckert) wrote:
> ...
> > I am happy about any new valuable crypto we can put into the discovery, i just
> > want to make sure we can be precise about the attack vector it helps to protect
> > against.
> 
> I very much agree with that. I wasn't actually saying we must add a public
> key for the first exchange, just that we *could*. Actually the attack that really
> puzzles me is this one:
> 
> Alice: Hello everybody, I want to join.
> 
> Bob: Hi Alice, I'll be your proxy today.
> Eve: Hi Alice, I'll be your proxy today.
> 
> How does Alice know to listen to Bob and ignore Eve?
> At that point she has no keys or certificates for Bob.
> 
>    Brian

-- 
---
Toerless Eckert, eckert@cisco.com
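The two enrollment cases in (b) above, as an added Python sketch that is not from the thread or from any BRSKI/ANIMA implementation: Bob's friendly registrar rejects a serial it does not own, Eve's registrar claims Alice anyway and is refused by the MASA (which logs the claim), and Alice accepts only a MASA-signed ticket bound to her serial and to the domain that offered enrollment. The serial, the domain names, the rightful "alice.example" registrar and the HMAC stand-in for the MASA signature are all assumptions made here.

```python
import hmac, hashlib, json

# Constructed sample values (not from the thread). A real MASA signs vouchers
# with the manufacturer's private key and the pledge verifies with the matching
# public key baked in at manufacture; HMAC with a shared key stands in for that.
ALICE = "SN-ALICE-0001"
MASA_KEY = b"manufacturer-masa-signing-key-placeholder"

class MASA:
    """Manufacturer service: knows which domain owns each serial, logs every claim."""
    def __init__(self, ownership):
        self.ownership, self.audit_log = ownership, []
    def request_voucher(self, serial, domain):
        self.audit_log.append((serial, domain))        # logged even when refused
        if self.ownership.get(serial) != domain:
            return None                                # will not vouch for a non-owner
        body = json.dumps({"serial": serial, "domain": domain}, sort_keys=True)
        return {"body": body, "sig": hmac.new(MASA_KEY, body.encode(), hashlib.sha256).hexdigest()}

class Registrar:
    def __init__(self, domain, owned, masa, honest=True):
        self.domain, self.owned, self.masa, self.honest = domain, set(owned), masa, honest
    def enroll(self, serial):
        if self.honest and serial not in self.owned:
            return None                                # Bob: "not one of mine"
        return self.masa.request_voucher(serial, self.domain)   # Eve asks anyway

def pledge_accepts(serial, domain, voucher):
    """Alice accepts only a MASA-signed ticket binding her serial to this registrar's domain."""
    if voucher is None:
        return False
    expect = hmac.new(MASA_KEY, voucher["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, voucher["sig"]):
        return False                                   # forged or tampered ticket
    claims = json.loads(voucher["body"])
    return claims["serial"] == serial and claims["domain"] == domain

def run_scenario():
    masa = MASA({ALICE: "alice.example"})             # Alice belongs to neither Bob nor Eve
    bob = Registrar("bob.example", ["SN-BOB-0007"], masa)
    eve = Registrar("eve.example", [], masa, honest=False)
    owner = Registrar("alice.example", [ALICE], masa)  # assumed rightful domain registrar
    results = {r.domain: pledge_accepts(ALICE, r.domain, r.enroll(ALICE)) for r in (bob, eve, owner)}
    # Eve forges a ticket with her own key: the signature check fails
    body = json.dumps({"serial": ALICE, "domain": "eve.example"}, sort_keys=True)
    forged = {"body": body, "sig": hmac.new(b"eves-key", body.encode(), hashlib.sha256).hexdigest()}
    results["eve.example(forged)"] = pledge_accepts(ALICE, "eve.example", forged)
    return results, masa.audit_log

if __name__ == "__main__":
    print(run_scenario())
```

The audit log shows the point made at the end of (b): Eve's claim on Alice is recorded at the manufacturer even though it is refused, while Bob never asks because he already knows Alice is not his.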