IETF Logo Mail Archive

Re: [Anima-signaling] GRASP issue 52: Insecure instance text

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 03 August 2016 02:42 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: anima-signaling@ietfa.amsl.com
Delivered-To: anima-signaling@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 292F612D5FD for <anima-signaling@ietfa.amsl.com>; Tue, 2 Aug 2016 19:42:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QmBDfbnyLYYT for <anima-signaling@ietfa.amsl.com>; Tue, 2 Aug 2016 19:42:01 -0700 (PDT)
Received: from mail-pf0-x233.google.com (mail-pf0-x233.google.com [IPv6:2607:f8b0:400e:c00::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B60912D5E8 for <anima-signaling@ietf.org>; Tue, 2 Aug 2016 19:42:01 -0700 (PDT)
Received: by mail-pf0-x233.google.com with SMTP id y134so72200957pfg.0 for <anima-signaling@ietf.org>; Tue, 02 Aug 2016 19:42:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:cc:from:organization:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=HqMRhgJl36J2QF5JpFK5oeSL6qlxjyLrjN8FrTZE/GE=; b=KVBviOl7xLwVx45oHw9Z8uqx8JGGB5Pe5DutQc6lO/VgvSKUyHRyvvcTYmMXISq05Q TKQYPypJNinM1w7DsKjIsxondTL5Nav+R9z0NOEeXDNhJOzBM/VrrbaurtAWGgdXBErz qURTCTbNXt/gcr6CME3e/2tdYfzN5sDeMLBkcgnfwuLwE/hH8MlMFfU8Vy8STh+oj4iy ISGELCR4ZW2z/esTmApdI+YqKLCJEWcVQ8iG786YPGs4mpW/aG+WeNZnaCo2cpoZqp7t 0NW1r1g4gfT7K0bHtrJSOLZe31rl8vO7peAw7cz8hvbKbq7rbG3shofMjr9fRXlTkVco oarw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-transfer-encoding; bh=HqMRhgJl36J2QF5JpFK5oeSL6qlxjyLrjN8FrTZE/GE=; b=C6YyW80k+Ib5zVainol2ltuPwu9JENjRRCPoaZWmeSh9Gd+5/kZJwxu6uat+xxz/yC otcfKmVNvjvycHg7sCOBgqmJbNBLGFZ2BkTTyPSfIBWngSV8gBTM3P712+ZqHy7Mn1gK NdQnIkA55kRR+MSuWOe2G8af4q0VtTUcGDf+LUEr+yL3nRP99eJGnACIUFtWYdmg/73x 7w6BKOdz0ooamPA2Kg8D5XlAcTJLhw4V2qATPpJ54UfmmRBikvJmkfGs4cpJn7Nr/s93 tGaRUo6lZWS4zJsuyhB1DYjbMPID08uhW0CFTEy4J5VDPwPIt0oQbWt15PAFbQptmxPW cyvg==
X-Gm-Message-State: AEkoouv4U2nQsteO2oxPp35RNX2BWoYJzGO/grhAhznCpsmVUwEhX+1UaHqIf6kW9Lzvog==
X-Received: by 10.98.92.65 with SMTP id q62mr112078719pfb.70.1470192121113; Tue, 02 Aug 2016 19:42:01 -0700 (PDT)
Received: from [192.168.178.23] ([118.148.76.250]) by smtp.gmail.com with ESMTPSA id n80sm7824948pfi.19.2016.08.02.19.41.58 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 02 Aug 2016 19:42:00 -0700 (PDT)
To: Toerless Eckert <eckert@cisco.com>
References: <fbc9727c-c4c0-1cd1-b015-382c33a5a90a@gmail.com> <20160801092907.GV21039@cisco.com> <96d3a8f9-eca8-ed02-eff2-a0f586e8bea3@gmail.com> <20160802115436.GB21039@cisco.com> <93718cdd-4906-418b-ce5c-ef7113b51df4@gmail.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <9d8a40ff-f646-c745-c77f-da4682704b21@gmail.com>
Date: Wed, 3 Aug 2016 14:42:02 +1200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <93718cdd-4906-418b-ce5c-ef7113b51df4@gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima-signaling/5fCZjaCMzvum5rm75WnCsf4nLQ8>
Cc: Anima signaling DT <anima-signaling@ietf.org>
Subject: Re: [Anima-signaling] GRASP issue 52: Insecure instance text
X-BeenThere: anima-signaling@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mailing list for the signaling design team of the ANIMA WG <anima-signaling.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima-signaling>, <mailto:anima-signaling-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima-signaling/>
List-Post: <mailto:anima-signaling@ietf.org>
List-Help: <mailto:anima-signaling-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima-signaling>, <mailto:anima-signaling-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Aug 2016 02:42:03 -0000

OK, here is what I got from Max's notes and the discussion with
Toerless. This is a new section proposed for the GRASP spec. (It also
covers Issue 49.) Comments?

   Brian

3.3.2.  Limited Security Instances

   This section describes three cases where additional instances of
   GRASP are appropriate.

   1) As mentioned in Section 3.2, some GRASP operations might be
   performed across an administrative domain boundary by mutual
   agreement.  Such operations MUST be confined to a separate instance
   of GRASP with its own copy of all GRASP data structures.  Messages
   MUST be authenticated and SHOULD be encrypted.  TLS is RECOMMENDED
   for this purpose.

   2) During initialisation, before a node has joined the applicable
   trust infrastructure, [I-D.ietf-anima-bootstrapping-keyinfra], it is
   impossible to secure messages.  Thus, the security bootstrap process
   needs to use insecure GRASP discovery, response and flood messages.
   Such usage MUST be limited to link-local operations and MUST be
   confined to a separate insecure instance of GRASP with its own copy
   of all GRASP data structures.  This instance is nicknamed DULL -
   Discovery Unsolicited Link Local.

   The detailed rules for the DULL instance of GRASP are as follows:

   o  An initiator MUST only send Discovery or Flood Synchronization
      link-local multicast messages with a loop count of 1.  A
      responder MAY send a Discovery Response message. Other GRASP
      message types MUST NOT be sent.

   o  A responder MUST silently discard any message whose loop count is
      not 1.

   o  A responder MUST silently discard any message referring to a GRASP
      Objective that is not directly part of the bootstrap creation
      process.

   o  A responder MUST NOT relay any multicast messages.

   o  A Discovery Response MUST indicate a link-local address.

   o  A Discovery Response MUST NOT include a Divert option.

   o  A node MUST silently discard any message whose source address is
      not link-local.

   3) During ACP formation [I-D.ietf-anima-autonomic-control-plane], a
   separate instance of GRASP is used, with unicast messages secured by
   TLS, and with its own copy of all GRASP data structures.  This
   instance is nicknamed SONN - Secure Only Neighbor Negotiation.

   The detailed rules for the SONN instance of GRASP are as follows:

   o  Any type of GRASP message MAY be sent.

   o  An initiator MUST send any Discovery or Flood Synchronization
      link-local multicast messages with a loop count of 1.

   o  A responder MUST silently discard any Discovery or Flood
      Synchronization message whose loop count is not 1.

   o  A responder MUST silently discard any message referring to a GRASP
      Objective that is not directly part of the ACP creation process.

   o  A responder MUST NOT relay any multicast messages.

   o  A Discovery Response MUST indicate a link-local address.

   o  A Discovery Response MUST NOT include a Divert option.

   o  A node MUST silently discard any message whose source address is
      not link-local.

v2.8.7 | Report a Bug | By Email