[anonsec] Finishing off the Problem and Applicability Statement draft
Black_David at emc.com (Black_David@emc.com) Wed, 25 July 2007 20:52 UTC
From: "Black_David at emc.com"
Date: Wed, 25 Jul 2007 16:52:29 -0400
Subject: [anonsec] Finishing off the Problem and Applicability Statement draft
Message-ID: <F222151D3323874393F83102D614E0550A4D23BD@CORPUSMX20A.corp.emc.com>
As discussed in this afternoon's btns meeting, Sam's AD review of draft-ietf-btns-prob-and-applic-05.txt turned up a couple of areas that need serious attention: 1) Leap of Faith discussion (Section 5.7) 2) NAT Traversal, mobility and multihoming issues (Sections 6.1 and 6.2) The purpose of this message is to explain what the authors propose to do about these areas, so that the WG chairs can determine the rough consensus of the WG on what should be done. Taking the areas in reverse order, the current sections 6.1 and 6.2 of the draft essentially say that NAT, mobility and multihoming issues are out of scope. Whether they are out of scope is a longer discussion, but the approach agreed to in this afternoon's btns meeting is to remove Sections 6.1 and 6.2 from the problem and applicability statement draft, and deal with whether the issues are in scope and what to do about them if they are in the context of the WG's other drafts. The Leap of Faith concerns are somewhat more involved. Sam's original review comments were: >> I wonder if the working group has adequately reviewed section >> 5.7. In particular do we actually have a strong consensus that >> caching of BTNS credentials is inappropriate? We certainly >> have a lot of issues to work through before we can recommend >> this caching. But if there is no caching how is that leap of >> faith at all? The first problem is that the "Yes" and "No" in the last line of the Section 5.7 table don't capture what's really going on; it's not that BTNS credentials can't be cached, but rather that there is no security advantage to doing so. Here's the proposed change to correct that. OLD: -------------------------------+---------+---------+ Cache unauthenticated | Yes | No | credential for future refs | | | -------------------------------+---------+---------+ SSH requires proper warnings and options in the applications to reject unauthenticated credentials, while BTNS will accept those automatically if they match the corresponding policy entries. Once SSH accepts a credential for the first time, it should be cached, and can be reused automatically without further warnings. NEW: -------------------------------+---------+---------+ Cache unauthenticated |Required | Allowed | credential for future refs | | | -------------------------------+---------+---------+ SSH requires proper warnings and options in the applications to reject unauthenticated credentials, while BTNS will accept those automatically if they match the corresponding policy entries. Once SSH accepts a credential for the first time, it should be cached, and can be reused automatically without further warnings. BTNS credentials can be cached for future use, but there is no security advantage to doing so, as a new unauthenticated credential that is allowed by the policy entries will be automatically accepted, and BTNS-IPsec does not require IPsec to reuse credentials in a manner similar to SSH. When IPsec does reuse unauthenticated credentials, there may be implementation advantages to caching them in BTNS-IPsec. The next problem is that the last paragraph in the section speculates about extending BTNS to duplicate SSH's functionality. It needs to be clearer that it is speculating about this, and acknowledge Sam's point that if one wants SSH-like functionality, one runs into issues. OLD: On the other hand, there are two key issues with BTNS-IPsec: whether to cache credentials and if so, how to treat cached credentials. The main reason to cache a credential is to treat it differently the next time it appears. For SAB without Channel Binding, the credentials should not be cached because they remain unauthenticated, and BTNS- IPsec does not require IPsec to reuse credentials in a manner similar to SSH. For CBB, credential caching and verification are usually done at the higher layer protocols or applications, as well be discussed in the next section. Caching credentials at the BTNS-IPsec is not as important because the channel binding will bind whatever credentials are presented (new or cached) to the higher layer protocol identity. NEW: SSH-style credential caching for reuse with SAB could be addressed by future extension(s) to BTNS-IPsec; such extension(s) would need to provide warnings about and a mechanism for user acceptance of unauthenticated credentials in order to establish a level of assurance of authentication comparable to SSH's "Leap of Faith", and would also need to deal with issues caused by the absence of identities in BTNS-IPsec. At best a cached BTNS-IPsec credential reauthenticates the network-layer source of traffic when the credential is reused - in contrast, SSH credential reuse reauthenticates an identity. Network layer re-authentication is further complicated by the ability of NATs to cause multiple independent network layer sources of traffic to appear to be one source (potentially requiring acceptance and caching of multiple BTNS-IPsec credentials), the ability of multihoming to cause one network layer source of traffic to appear to be multiple sources (potentially triggering unexpected warnings and requiring a user to re-accept the same BTNS-IPsec credential), and interactions with both mobility and address ownership changes (potentially requiring controlled BTNS-IPsec credential reassignment and invalidation). These issues are left to be addressed by possible future work on addition of "Leap of Faith" functionality to BTNS-IPsec. In contrast, for CBB, credential caching and verification are usually done at the higher layer protocols or applications, as will be discussed in the next section. Caching credentials for CBB at the BTNS-IPsec level is not as important because the channel binding will bind whatever credentials are presented (new or cached) to the higher layer protocol identity. Sam has reviewed these proposed changes and pronounced them acceptable. The authors propose to produce a -06 version of the draft with these changes (plus some other minor edits) that Sam would then take forward for IESG approval. Thanks, --David (for the draft authors) ---------------------------------------------------- David L. Black, Senior Technologist EMC Corporation, 176 South St., Hopkinton, MA 01748 +1 (508) 293-7953 FAX: +1 (508) 293-7786 black_david at emc.com Mobile: +1 (978) 394-7754 ----------------------------------------------------
- [anonsec] Finishing off the Problem and Applicabiā¦ Black_David@emc.com
- [anonsec] nat traversal scoping Michael Richardson
- [anonsec] multihoming and btns Michael Richardson
- [anonsec] multihoming and BTNS Michael Richardson
- [anonsec] mobility and btns Michael Richardson