IETF Logo Mail Archive

Re: [babel] babel-dtls: verifying "authentication"

"STARK, BARBARA H" <bs7652@att.com> Thu, 10 January 2019 03:18 UTC

Return-Path: <bs7652@att.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A89A41310E8 for <babel@ietfa.amsl.com>; Wed, 9 Jan 2019 19:18:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.599
X-Spam-Level:
X-Spam-Status: No, score=-0.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, KHOP_DYNAMIC=2, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ccOn1haoWgm for <babel@ietfa.amsl.com>; Wed, 9 Jan 2019 19:18:03 -0800 (PST)
Received: from mx0a-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E16B1310DE for <babel@ietf.org>; Wed, 9 Jan 2019 19:18:03 -0800 (PST)
Received: from pps.filterd (m0049462.ppops.net [127.0.0.1]) by m0049462.ppops.net-00191d01. (8.16.0.22/8.16.0.22) with SMTP id x0A3Ekrd023111; Wed, 9 Jan 2019 22:18:01 -0500
Received: from alpi154.enaf.aldc.att.com (sbcsmtp6.sbc.com [144.160.229.23]) by m0049462.ppops.net-00191d01. with ESMTP id 2pwv27291q-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 09 Jan 2019 22:18:01 -0500
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id x0A3HvZY018201; Wed, 9 Jan 2019 22:17:58 -0500
Received: from zlp30485.vci.att.com (zlp30485.vci.att.com [135.47.91.178]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id x0A3Hpsc018129; Wed, 9 Jan 2019 22:17:52 -0500
Received: from zlp30485.vci.att.com (zlp30485.vci.att.com [127.0.0.1]) by zlp30485.vci.att.com (Service) with ESMTP id E9EB1402EFA8; Thu, 10 Jan 2019 03:17:51 +0000 (GMT)
Received: from GAALPA1MSGHUBAG.ITServices.sbc.com (unknown [130.8.218.156]) by zlp30485.vci.att.com (Service) with ESMTPS id CF53740002DB; Thu, 10 Jan 2019 03:17:51 +0000 (GMT)
Received: from GAALPA1MSGUSRBF.ITServices.sbc.com ([169.254.5.5]) by GAALPA1MSGHUBAG.ITServices.sbc.com ([130.8.218.156]) with mapi id 14.03.0415.000; Wed, 9 Jan 2019 22:17:51 -0500
From: "STARK, BARBARA H" <bs7652@att.com>
To: 'David Schinazi' <dschinazi.ietf@gmail.com>
CC: Babel at IETF <babel@ietf.org>
Thread-Topic: babel-dtls: verifying "authentication"
Thread-Index: AdSoVYQo0/ay4EhYQw+N2cLNVC6kSAAO/2EAAAFCPHA=
Date: Thu, 10 Jan 2019 03:17:50 +0000
Message-ID: <2D09D61DDFA73D4C884805CC7865E6114DF8A9A3@GAALPA1MSGUSRBF.ITServices.sbc.com>
References: <2D09D61DDFA73D4C884805CC7865E6114DF8A154@GAALPA1MSGUSRBF.ITServices.sbc.com> <CAPDSy+6cuAJ1m1-DJAHVNjmsQHP6SOJoFSZx6bF6x8o48xs71Q@mail.gmail.com>
In-Reply-To: <CAPDSy+6cuAJ1m1-DJAHVNjmsQHP6SOJoFSZx6bF6x8o48xs71Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.70.217.171]
Content-Type: multipart/alternative; boundary="_000_2D09D61DDFA73D4C884805CC7865E6114DF8A9A3GAALPA1MSGUSRBF_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-01-10_01:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1901100025
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/1BFvKOeMBC0rhBy0mO2-65t9Zgs>
Subject: Re: [babel] babel-dtls: verifying "authentication"
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Jan 2019 03:18:06 -0000

On Wed, Jan 9, 2019 at 1:42 PM STARK, BARBARA H <bs7652@att.com<mailto:bs7652@att.com>> wrote:
I read the draft and think the last paragraph of 2.1 could do with a little more verbiage as to what "fails to verify the peer's authentication" means, since it's part of a "MUST" normative statement. I also don't think the word "authentication" is used consistently or (in some cases) correctly. I think of "authentication" as a process.

I find "request client authentication" and "verify the peer's authentication" to be odd uses of the word "authentication", and not consistent with my understanding of the word. I would suggest something like "request client certificate" (consistent with the name of the message that is sent) or "request client credentials" for the first phrase. And perhaps "validate the peer's certificate" or "validate the peer's credentials" for the second. Unless you mean something different by "verify" vs. "validate" here.

Our intent was to use the terms authenticate and authentication in the same way as the TLS specifications do, in particular see the TLS 1.3 spec introduction<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc8446-23section-2D1&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=LoGzhC-8sc8SY8Tq4vrfog&m=YC72PjflRXn_GgiF5MetBcDZlLnezCCCcGyKIBnug0g&s=oBF96sjCDL5QI5GpPkbNS_KavWpgv9kfW5Qo1N0ye20&e=>.

<bhs> I looked at the TLS 1.3 spec, and the use of “authentication” there is very consistent with my understanding of authentication as a process. The 2 phrases I noted seem to use “authentication” as if it meant “authentication key” – which it does not. The CertificateRequest message is not used to request client authentication (i.e., request the client perform the authentication process). It is used to request a client authentication key. You cannot verify an authentication. But you can verify an authentication key.

Will only X.509 certificate keys be allowed, or will "DH_anon" key exchange be allowed?

babel-dtls does not specify what source of authentication to use, X509 are one allowed option, but they are not mandated
DH_anon is prohibited by "Nodes MUST use mutual authentication" (and subsequent clarifying text in section 2.1)

<bhs> TLS 1.2 (RFC 5246) says “The following rules apply to the certificates sent by the server:
   -  The certificate type MUST be X.509v3, unless explicitly negotiated otherwise (e.g., [TLSPGP]).”
DTLS (RFC 6347) doesn’t modify this requirement and neither DTLS nor babel-DTLS requires support for certificate format negotiation. Every babel-dtls implementation has to be prepared to act as the DTLS server. Practically speaking doesn’t this mean every babel-dtls implementation that expects to interoperate in an open environment has to either have or be able to generate an X.509 certificate? Anything less and there can be no expectation of interoperability. Clearly, a closed environment can use whatever it wants. But I don’t find closed environments very interesting.

Here are the possible things that are sometimes done as part of certificate validation, that I think this phrase is potentially referring to:
1. Ensure the certificate validDate is not in the past. This check should only be done if the implementation thinks the underlying system has acquired a good current time (i.e., it runs a NTP client and getting the current datetime via NTP has succeeded, or the current datetime has been configured).
2. Check the certificate's chain of trust for a trusted CA. This would mean there is a configured set of trusted CAs.
3. Check if the certificate has been revoked. This is often not done, but might not be a bad idea the first time the certificate is seen.
4. Check if this identical certificate is included in a store of trusted certificates (either it was previously trusted and stored or the store is configured).
5. Check some aspect of "identity". Is there some characteristic of the peer that is expected to be stable wrt a certificate? For example, would the same certificate always originate from the same MAC address or LL IPv6 address?
6. If a TOFU (trust on first use) policy is supported, what exactly should be trusted (and what should not be trusted)? I do like allowing for a TOFU policy (if an implementation chooses to support one). If it is allowed, I would suggest something like the cert is TOFU if the IPv6 LL address hasn't been seen before (new neighbor). After that it always has to use the same cert. When changing certs, send old and new cert together for some time, so new cert is associated with trusted old cert.

Presumably, a device might be configured with a new certificate at some point (like when the old one expires). Will the new certificate be considered the same neighbor if the "identity" matches (see item 5 for question on determining identity)? If you get a request for a new DTLS session and already have a session for that "identity" (IPv6 LL address?) with a different certificate, what do you do?

If there is already a DTLS connection using a provided certificate, what do you do if you get a request for a new DTLS session using the same certificate? Tear down the old one?

With all this said. I think it might be enough if the draft had statements like:
"The key exchange mechanism used MUST require use of X.509 certificates." (if this is the intent)
"Certificate validation MUST be done according to internal policy. Characteristics of certificates that MAY be used for validation include the validDate, the Certificate Authority (CA) chain of trust, inclusion in a revocation list, prior determination of trust, and whether the IPv6 link local address is the same as in prior uses of the certificate. A trust on first use (TOFU) model MAY be supported, with policy defined by the implementation. Any TOFU policy MUST, at a minimum, ensure that a given certificate is only ever used from a single IPv6 link local address (neighbor) and fail an unknown certificate used for an IPv6 link local address already associated with a trusted certificate. "
"When new certificates are issued, they SHOULD be sent together with the old certificate prior to the old certificate's expiration or revocation, so it is possible for the new certificate to inherit any trust associated with the old certificate."

Certificate validation is out of scope for the babel-dtls draft, in the same manner as it is out of scope for the TLS or DTLS RFCs. I don't think any mention of certificates at all belongs in this draft, as some applications may choose to not use certificates. In the case of babel, the babel-dtls draft specifies how to use DTLS; on the other hand the certificates and PKI you use is left to the users of babel-dtls, for example the homenet mapping document could mandate X509 and how to add new certificates to the trust store, and the other points you mentioned would make sense to me in that document.

Or make certificate validation a SHOULD. ☹

Validating identity is a MUST, the fact that that identity maps to a certificate is a MAY.

<bhs> Validating what identity? You haven’t specified any identity to map anything to. You can’t make validation a MUST if you give no clue as to how or what to validate.

Barbara

Thanks,
David

v2.23.0 | Report a Bug | By Email