Re: [CGA-EXT] Key Purpose Id specification and draft-ietf-csi-proxy-send

Alberto García <alberto@it.uc3m.es> Fri, 17 September 2010 12:55 UTC

Return-Path: <alberto@it.uc3m.es>
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1D94E3A68B6 for <cga-ext@core3.amsl.com>; Fri, 17 Sep 2010 05:55:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.62
X-Spam-Level:
X-Spam-Status: No, score=-5.62 tagged_above=-999 required=5 tests=[AWL=0.679, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SjY6lI7qLlM0 for <cga-ext@core3.amsl.com>; Fri, 17 Sep 2010 05:55:47 -0700 (PDT)
Received: from smtp01.uc3m.es (smtp01.uc3m.es [163.117.176.131]) by core3.amsl.com (Postfix) with ESMTP id 2D5833A688C for <cga-ext@ietf.org>; Fri, 17 Sep 2010 05:55:46 -0700 (PDT)
X-uc3m-safe: yes
Received: from bombo (bombo.it.uc3m.es [163.117.139.125]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by smtp01.uc3m.es (Postfix) with ESMTP id 0C715BF0BC3; Fri, 17 Sep 2010 14:56:08 +0200 (CEST)
From: Alberto García <alberto@it.uc3m.es>
To: 'Roque Gagliano' <rogaglia@cisco.com>
References: <8BDAF9A478934FD5BC28B376D394FFB0@bombo> <3EDE6671-8809-47F3-A706-63E0A745BFD2@cisco.com>
Date: Fri, 17 Sep 2010 14:56:05 +0200
Message-ID: <E6451C31103E46809F5A4D1E4F956549@bombo>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-15"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 11
In-Reply-To: <3EDE6671-8809-47F3-A706-63E0A745BFD2@cisco.com>
Thread-Index: ActVf8JY3AAj9T6ZRzqak2GIu20G1gA5EMWg
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.5994
X-TM-AS-Product-Ver: IMSS-7.0.0.3116-6.0.0.1038-17646.005
Cc: cga-ext@ietf.org
Subject: Re: [CGA-EXT] Key Purpose Id specification and draft-ietf-csi-proxy-send
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Sep 2010 12:55:49 -0000

Hi Roque,

|  -----Mensaje original-----
|  De: Roque Gagliano [mailto:rogaglia@cisco.com]
|  Enviado el: jueves, 16 de septiembre de 2010 11:16
|  Para: Alberto García
|  CC: cga-ext@ietf.org
|  Asunto: Re: [CGA-EXT] Key Purpose Id specification and
draft-ietf-csi-proxy-send
|

[...]

|  > c) could be to have 2 Key Purpose Ids for proxy operation instead of
one
|  (therefore replacing id-kp-sendProxy), in which case the following text
could be
|  included in draft-ietf-csi-send-cert, section 7:
|  
|  I take option c).
|  
|  When I first thought about this, I remembered the old times of modem
access
|  and Proxy-ARP in routers. I see now a use-case for
"id-kp-sendProxiedOwner"
|  even without considering MIP6.
|  
|  I agree that we should go this path, it will make a better set of
documents.
|  However, I believe that if we go this path, we need also to make sure
that there
|  is a synchronization between this document and the proxy document to
reflect
|  the correct sender/receiver behavior.

Fine. Then, the main changes in draft-ietf-csi-proxy-send would be:

CHANGE #1
--------------
"5.2.1.  Processing rules for senders

   A Secure ND Proxy MUST NOT use a key to sign NDP message types which
   do not correspond to the authorization granted to the considered key.
   NA, NS and RS messages MUST be signed with a key corresponding to a
   Secure Proxy ND certificate with a KeyPurposeID value
   [I-D.ietf-csi-send-cert] of id-kp-sendProxiedOwner, and the source
   addresses of the messages MUST belong to the prefix associated to the
   certificate.  RA and Redirect messages MUST be signed with a key
   corresponding to a Secure Proxy ND certificate with a KeyPurposeID
   value of id-kp-sendProxiedRouter.  The prefix included in the RA
   message for on-link determination and/or stateless address
   autoconfiguration, and the Target Address of the Redirect message,
   MUST be equal or be included into the prefix associated to that
   certificate.
[...]"

CHANGE #2
--------------
Rule #2 in "5.2.2.  Processing rules for receivers"
"2.  The Key Hash field MUST indicate the use of a known public key.
       A valid certification path (see [RFC3971] Section 6.3) between
       the receiver's trust anchor and the sender's public key MUST be
       known.  The Secure Proxy ND's X509v3 certificate MUST contain an
       extended key usage extension including the appropriate
       KeyPurposeId value and prefix for the message to validate:

       *  For RA messages, a KeyPurposeId value of id-kp-
          sendProxiedRouter MUST exist for the certificate, and the
          prefix included in the RA message for on-link determination
          and/or stateless address autoconfiguration MUST be equal or be
          included into the prefix associated to that certificate.

       *  For Redirect messages, a KeyPurposeId value of id-kp-
          sendProxiedRouter MUST exist for the certificate, and the
          prefix included in the Target Address of the Redirect message
          MUST belong to the prefix associated to that certificate.

       *  For NA, NS and RS messages, a KeyPurposeId value of id-kp-
          sendProxiedOwner MUST exist for the certificate, and the
          source addresses of the messages MUST belong to the prefix
          associated to the certificate.

       If any of these tests fails, the verification fails."

CHANGE #3
--------------
Modification of the application scenarios to detail how the certificates are
configured. For example, for PMIPv6:

"  To provide SEND protection, each MAG is configured to act as a proxy
   by means of a certificate associated to the PMIPv6 domain,
   authorizing each MAG to proxy securely NA and RS messages by means of
   a KeyPurposeId value of id-kp-sendProxiedOwner.  In addition, the
   certificate must also authorize the MAG to advertise prefixes, by
   associating to the same certificate a KeyPurposeId value of id-kp-
   sendProxiedRouter.  Note that the inclusion of multiple KeyPurposeId
   values is supported by [I-D.ietf-csi-send-cert]."

CHANGE #4
--------------
And finally, in the following paragraph would be included in the security
considerations section:

"  A compromised Secure ND Proxy provisioned with an authorization
   certificate with a KeyPurposeId value of id-kp-sendProxiedRouter is
   able, like a compromised router to siphon off traffic from the host,
   or mount a man-in-the-middle attack, for hosts communicating to off-
   link hosts.  However, a Secure ND Proxy with an authorization
   certificate with a KeyPurposeId value of id-kp-sendProxiedOwner can
   also siphon off traffic or mount a man-in-the-middle attack for
   communication between on-link hosts, even if the hosts use SEND.
   Note that different application scenarios may require one type of
   authorization, the other, or both.  To minimize security risks,
   authorization capabilities SHOULD NOT exceed the ones strictly
   required by the application scenario to be deployed."


Do you think the new text is reasonable?

|  
|  Finally, I would like to clarify the validation behavior when listen
several EKUs in
|  a certificate. At this time, the document states that the existence of a
particular
|  EKU is a sufficient condition. This means that if a certificate has a
id-kp-
|  sendProxiedRouter and a id-kp-sendRouter EKU and I am validating a RA
with or
|  without the proxy option, it will validate in either cases using the same
key. I
|  believe this should be the correct behavior as it should be the operator
to decide
|  how it want to configure its network.

I agree that a certificate could hold both id-kp-sendProxiedRouter and
id-kp-sendRouter EKUs and validate RA or Redirect/RA proxying with the same
key. 

I think the text provided above allows this behavior. 

Thanks and regards,
Alberto

|  
|  
|  
|  Regards,
|  
|  Roque
|  
|  
|  >
|  > "The inclusion of the proxied routing authorization value (id-kp-
|  sendProxiedRouter)
|  > indicates that the certificate has been issued for allowing the proxy
|  > to perform proxying of RA and Redirect messages for the prefix(es)
|  > that are mentioned in the X.509 extensions for IP addresses. When a
|  > node's only certificate includes a prefix and only the
|  > id-kp-sendProxiedRouter authorization KeyPurposeId value, the node
cannot
|  > perform proxying of NS, NA and RS messages.
|  >
|  > The inclusion of the proxied owner authorization value (id-kp-
|  sendProxiedOwner)
|  > Indicates that the certificate has been issued for allowing the proxy
to
|  > perform proxying of NS, NA and RS messages for any address in the
prefix of
|  > such certificate. When a node's only certificate includes a prefix and
only
|  > the id-kp-sendProxiedOwner authorization KeyPurposeId value, the node
|  > cannot advertise that prefix in an RA."
|  >
|  > The benefit of option c) is that proxy security is tailored to the
proxy
|  requirements, in the sense that different application scenarios may
require one
|  type of authorization, the other, or both. For example, MIPv6 would use a
|  certificate with just id-kp-sendProxiedOwner, while PMIPv6 and RFC4389
would
|  use a certificate with both id-kp-sendProxiedRouter and sendProxiedOwner.
|  Compromising a MIPv6 HA would not allow an attacker to issue RA and
Redirects.
|  My personal opinion is that, to minimize security risks, authorization
capabilities
|  should not exceed the ones strictly required by the application scenario
to be
|  deployed, and two Key Purpose Ids for proxy operation provide appropriate
|  granularity for this.
|  >
|  > (sorry if I fail to expose fairly the benefits of all options - feel
free to comment,
|  of course)
|  >
|  > For me, b) would acceptable, but I think c) should be better.
|  > What do you think?
|  >
|  > Regards,
|  > Alberto
|  >
|  > _______________________________________________
|  > CGA-EXT mailing list
|  > CGA-EXT@ietf.org
|  > https://www.ietf.org/mailman/listinfo/cga-ext