Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01

"Laganier, Julien" <> Tue, 24 November 2009 16:46 UTC

From: "Laganier, Julien" <>
To: Tony Cheneau <>
Date: Tue, 24 Nov 2009 08:46:16 -0800
References: <alpine.LNX.2.00.0911191100150.7833@whitebox> <> <alpine.LNX.2.00.0911201144010.7546@whitebox> <> <alpine.LNX.2.00.0911211025090.11248@localhost.localdomain>
In-Reply-To: <alpine.LNX.2.00.0911211025090.11248@localhost.localdomain>
Cc: "" <>, "" <>
Subject: Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01

Hi Tony,

I had overlooked the proxy ND siphoning off traffic exchanged between two on-link link-local addresses. I agree that this is a difference with the compromised router threat and should be acknowledged in the document. How about the following?

   Thanks to the authorization certificate it is provisioned with, a proxy ND
   is authorized to issue ND signaling on behalf of nodes on the subnet. 

   Thus, a compromised proxy is able, like a compromised router, to siphon off
   traffic from the host, or mount a man-in-the-middle attack. However, when
   two on-link hosts communicate using their respective link-local addresses,
   the threats involved with a compromised router and a compromised proxy ND
   differ because the router is not able to siphon off traffic exchanged
   between the hosts or mount a man-in-the-middle attack, while the proxy ND

   As with SEND, which does not protect against attacks involved with the compromise
   of a router, as described in Section 9.2.4 of [RFC3971], Secure Proxy ND Support
   for SEND does not protect against similar attacks involved with the
   compromise of the proxy ND. However, the additional threat of siphoning off or
   mounting a man-in-the-middle attack between two link-local addresses is countered
   by having SEND nodes receiving both unproxied and proxied messages give priority to
   unproxied ones. Here, the "unproxied" messages are those that contain a valid signature
   option as specified per the SEND specification [RFC3971], and "proxied"
   messages are those that contain a valid proxy signature option (PSO) as
   specified in this document.

As to specifying that the proxy ND is always authorized to proxy for addresses in the fe80::/64 prefix vs. inclusion in the certificate of either a list of the nodes' link-local addresses that the proxy ND is authorized to proxy, or of the whole fe80::/64 prefix, I have no strong opinion and would like to ask the WG participants what their preference is there.


> -----Original Message-----
> From: [] On
> Behalf Of Tony Cheneau
> Sent: Saturday, November 21, 2009 1:53 AM
> To: Laganier, Julien
> Cc:;
> Subject: Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01
> Hi Julien
> On Fri, 20 Nov 2009, Laganier, Julien wrote:
> > Tony,
> >
> > If a router is compromised, it can send a RA containing a PIO with
> the L bit set to zero, and thus two hosts on the link trying to
> communicate will send their packets to the router and will not attempt
> to resolve each other's address. Doing so, it can mount a MiTM attack
> or siphon off packets sent by a host. This is acknowledged in section
> 4.2.1. of RFC 3756.
> Indeed, I forgot this L flag. You're right.
> > Regarding the fe80::/64 prefix, it does not need to be advertized by
> the router or proxy. It should be assumed that a ND proxy is always
> authorized to proxy signaling for the fe80::/64 prefix. That does not
> need to be signaled in the certificate, it has to be written down in
> the draft however :)
> This is a good way to go (the other way around seems to add the fe80::/64
> prefix to the Secure Proxy ND's certificate). However, can you add a security
> consideration specific to this new "rule"? I see a security issue here.
> From RFC 4861, section 4.6.2 (the Prefix Information Option):
> "A router SHOULD NOT send a prefix option for the link-local prefix and a host
> SHOULD ignore such a prefix option."
> Meaning that the attack in 4.2.1 of RFC 3756 "SHOULD NOT" work on two nodes
> communicating directly using their link-local addresses (as the PIOs sent by
> the router will more likely be ignored).
> Here, the Secure Proxy ND seems to be able to siphon off the communication of
> the same two nodes using their link-local addresses (as it is always authorized
> to proxy signaling for the fe80::/64 prefix).
> Maybe I am (again) missing something here.
> Regards,
> Tony
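The two rules discussed in this thread, that a proxy ND is implicitly authorized for fe80::/64 and that a SEND node receiving both unproxied (RSA Signature option) and proxied (PSO) messages gives priority to the unproxied ones, are easy to get subtly wrong in a receiver. The following is an added illustration written for this archive page; it is not code from the draft, from RFC 3971, or from either correspondent. It models a neighbor cache in Python and makes two assumptions that the thread does not pin down: "priority" is interpreted as "a proxied NA never overwrites an entry learned from a directly signed NA, while a directly signed NA may overwrite a proxied one", and proxy authorization for non-link-local targets is modeled as a list of prefixes carried in the proxy's certificate. The NAs, link-layer addresses and prefixes are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Per the rule discussed in the thread, a proxy ND is always authorized for
# the link-local prefix without it being listed in its certificate.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")


@dataclass
class NeighborAdvertisement:
    """A verified NA as seen by the receiver (constructed model, not a wire format)."""
    target: str                 # address being advertised
    lladdr: str                 # link-layer address claimed for the target
    signed: bool                # RSA Signature option present and valid -> "unproxied" (RFC 3971)
    proxied: bool               # Proxy Signature Option present and valid -> "proxied" (this draft)
    proxy_prefixes: tuple = ()  # assumption: prefixes the proxy's certificate authorizes


@dataclass
class CacheEntry:
    lladdr: str
    source: str  # "unproxied" or "proxied"


def proxy_authorized(target: str, cert_prefixes) -> bool:
    """Is a proxy allowed to issue ND signaling for this target address?"""
    addr = ipaddress.IPv6Address(target)
    if addr in LINK_LOCAL:
        return True  # implicit authorization for fe80::/64, no certificate entry needed
    return any(addr in ipaddress.IPv6Network(p) for p in cert_prefixes)


class NeighborCache:
    """Neighbor cache applying the 'unproxied beats proxied' priority rule."""

    def __init__(self):
        self.entries: dict[str, CacheEntry] = {}

    def process(self, na: NeighborAdvertisement) -> str:
        # Classify the message; anything that is neither validly signed nor
        # validly proxied for an authorized target is dropped outright.
        if na.signed:
            kind = "unproxied"
        elif na.proxied and proxy_authorized(na.target, na.proxy_prefixes):
            kind = "proxied"
        else:
            return "dropped"

        current = self.entries.get(na.target)
        # Priority rule (assumed interpretation): an entry learned from a
        # directly signed NA is not overridden by a proxied NA for the same
        # target. This is what blunts a proxy siphoning off link-local traffic
        # between two on-link SEND hosts that can sign for themselves.
        if current is not None and current.source == "unproxied" and kind == "proxied":
            return "ignored"

        self.entries[na.target] = CacheEntry(na.lladdr, kind)
        return "accepted"


def run_demo() -> list:
    """Replay a constructed sequence of NAs and return the per-message outcomes."""
    cache = NeighborCache()
    host_a_signed = NeighborAdvertisement("fe80::1", "00:11:22:33:44:01", signed=True, proxied=False)
    proxy_for_a = NeighborAdvertisement("fe80::1", "00:11:22:33:44:ff", signed=False, proxied=True)
    proxy_for_b = NeighborAdvertisement("2001:db8::5", "00:11:22:33:44:ff", signed=False,
                                        proxied=True, proxy_prefixes=("2001:db8::/64",))
    proxy_out_of_scope = NeighborAdvertisement("2001:db8:1::5", "00:11:22:33:44:ff", signed=False,
                                               proxied=True, proxy_prefixes=("2001:db8::/64",))
    host_b_signed = NeighborAdvertisement("2001:db8::5", "00:11:22:33:44:02", signed=True, proxied=False)

    outcomes = [cache.process(na) for na in
                (host_a_signed, proxy_for_a, proxy_for_b, proxy_out_of_scope, host_b_signed)]
    return outcomes + [cache.entries["fe80::1"].lladdr, cache.entries["2001:db8::5"].lladdr]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Walking through `run_demo()`: the directly signed NA for fe80::1 is accepted, the later proxied NA for the same link-local target is ignored (so the host's own link-layer address stays in the cache), the proxied NA for 2001:db8::5 is accepted because that prefix is in the certificate, the proxied NA for 2001:db8:1::5 is dropped because nothing authorizes the proxy for it, and the host's own signed NA for 2001:db8::5 then replaces the proxied entry. Note what the model does not capture: entry lifetimes, the case where the host has left the link and only the proxy answers, and whichever precise precedence wording the WG settles on.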