Re: [Anima-bootstrap] brsky concern2: Timelyness of log entries

Toerless Eckert <tte@cs.fau.de> Wed, 02 November 2016 01:15 UTC

Date: Wed, 02 Nov 2016 02:15:05 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: "Max Pritikin (pritikin)" <pritikin@cisco.com>
Message-ID: <20161102011505.GA4057@faui40p.informatik.uni-erlangen.de>
References: <20161101202856.GA2418@faui40p.informatik.uni-erlangen.de> <E8529790-2F91-4C19-BC1B-687A4B4F423A@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <E8529790-2F91-4C19-BC1B-687A4B4F423A@cisco.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima-bootstrap/l7xWs6f-1IPO6ktWHfDKy37ywVc>
Cc: Toerless Eckert <tte+ietf@cs.fau.de>, "anima-bootstrap@ietf.org" <anima-bootstrap@ietf.org>
Subject: Re: [Anima-bootstrap] brsky concern2: Timelyness of log entries

Thanks, Max...inline
On Tue, Nov 01, 2016 at 10:15:50PM +0000, Max Pritikin (pritikin) wrote:
> I think this conversation could quickly get derailed by the flow details from above (I disagree with some of your assumptions).

What assumptions do you disagree with ?

> Perhaps it would help to start with a statement of the security concern you're raising. I think it is: 

> Can an attacker inject entries into the audit log that would cause problems for the Registrar heuristic/analytics based decisions?

Right. Sub-sections of section 7 about specific attack problems. This could
be one such sub-section.

> The following are attempts to minimize possible attacks against the audit log:
> 
> 1) Nonced entries require the attacker to have had access to the device during that boot of the device to use the audit token.

Right. But access could have been long ago and log entry created much later.
And those would trigger rejection of the device according to 3.3.4 log
verification. I call this a false positive. And spying on the audit-log.

> If the Registrar is comfortable with the chain of control they can ignore these entries. 

Just to reconfirm: You are saying that registrars could ignore the audit log
and you call that "attempts to minimize possible attacks against the audit log"?

> Previous versions have indicated that Registrar authentication by the MASA is required for these as well but I'm not seeing that currently 

Should be optional. But should have some discussion of what benefits authentication
would have. Eliminate "some" DoS attacks against MASA? What else..

> 2) Nonceless entries are always problematic. From -04: "If a nonce is not provided then the MASA service MUST authenticate the Registrar as a valid customer.  This prevents denial of service attacks" and "the Registrar MUST be authenticated by the MASA service although no requirement is implied that the MASA associates this authentication with ownership.". I've contended that doing so is why we'd have a voucher format indicating ownership. 

I thought the netconf solution also supports an anonymous ownership voucher ?
Is that true ? Is that possible with BRSKY ?

> Section 5.1 includes an EDNOTE to discuss this case. As of yet folks haven???t responded but I???ll take it that you???re voting for this additional round trip.

See above on the delayed attack vector. Do you think that is strong enough
to worry about it?

Cheers
    Toerless
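The registrar-side heuristic the two of them are arguing about, written out as an added example (this is not code from the BRSKI draft, from the MASA, or from either participant). The entry fields (`date`, `domainID`, `nonce`), the "chain of control" cutoff and the three-way verdict are assumptions made for illustration, not the draft's wire format or a mandated policy. It shows the false positive Toerless describes: a nonced voucher for another domain that the MASA logs after the new owner's claimed start of control is indistinguishable, from the log alone, from a live compromise, so a strict registrar sends it to review, while a registrar that trusts its chain of control only ignores entries dated before the cutoff.

```python
"""Registrar-side screening of a MASA audit log (added example, not from the draft).

Assumed entry shape (illustrative, not BRSKI's actual format): a dict with
'date' (ISO-8601 string), 'domainID' (opaque string naming the registrar's
domain that obtained the voucher) and 'nonce' (string, or None for a
nonceless voucher).
"""
from datetime import datetime, timezone


def parse_date(value):
    """Parse an ISO-8601 timestamp into an aware UTC datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def screen_audit_log(entries, own_domain_id, control_since,
                     trust_chain_of_control=True):
    """Classify audit-log entries from the registrar's point of view.

    Returns (verdict, findings).  verdict is one of:
      'accept' - every entry is our own or predates our chain of control
      'review' - a foreign nonced voucher was issued while we claim control;
                 either a compromise or the late-logging false positive
      'reject' - a foreign nonceless voucher exists (usable on any future boot)
    findings is a list of (classification, entry) pairs behind the verdict.
    """
    since = parse_date(control_since)
    findings = []
    for entry in entries:
        issued = parse_date(entry["date"])
        if entry["domainID"] == own_domain_id:
            findings.append(("own", entry))          # our earlier enrollment
            continue
        if entry.get("nonce") is None:
            # Nonceless: not tied to a boot of the device, so it cannot be
            # explained away by old physical access.
            findings.append(("reject", entry))
            continue
        if issued < since and trust_chain_of_control:
            # Predates the period we vouch for; operator chooses to ignore.
            findings.append(("ignored", entry))
        else:
            # Nonced, foreign, and dated inside our window.  The MASA date is
            # when the voucher was issued, not when the nonce was obtained,
            # so a replay of an old nonced request lands here too.
            findings.append(("suspicious", entry))
    kinds = {kind for kind, _ in findings}
    if "reject" in kinds:
        return "reject", findings
    if "suspicious" in kinds:
        return "review", findings
    return "accept", findings


# Constructed sample log; not a real MASA response.
SAMPLE_LOG = [
    {"date": "2016-09-01T10:00:00Z", "domainID": "reseller-A", "nonce": "n1"},
    {"date": "2016-10-30T09:30:00Z", "domainID": "reseller-A", "nonce": "n2"},
    {"date": "2016-10-31T12:00:00Z", "domainID": "acme-net", "nonce": "n3"},
]

NONCELESS_ENTRY = {"date": "2016-10-01T00:00:00Z", "domainID": "reseller-B",
                   "nonce": None}


if __name__ == "__main__":
    # Registrar for 'acme-net' claims control of the device since 15 Oct 2016.
    for cutoff in ("2016-10-15T00:00:00Z", "2016-11-01T00:00:00Z"):
        verdict, findings = screen_audit_log(SAMPLE_LOG, "acme-net", cutoff)
        print(cutoff, verdict, [k for k, _ in findings])
    print(screen_audit_log(SAMPLE_LOG + [NONCELESS_ENTRY], "acme-net",
                           "2016-11-01T00:00:00Z")[0])
```

With the cutoff at 15 October the second reseller entry is flagged and the device goes to review, whether that entry reflects a real second enrollment or a reseller replaying a request captured in September; with the cutoff moved past 30 October the same log is accepted. The nonceless entry is rejected regardless of date, which is why Max's point that nonceless vouchers need the MASA to authenticate the registrar matters more than the nonced case.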