IETF Logo Mail Archive

Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01

"Laganier, Julien" <julienl@qualcomm.com> Tue, 24 November 2009 16:46 UTC

Return-Path: <julienl@qualcomm.com>
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C7C753A67E9 for <cga-ext@core3.amsl.com>; Tue, 24 Nov 2009 08:46:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.168
X-Spam-Level:
X-Spam-Status: No, score=-105.168 tagged_above=-999 required=5 tests=[AWL=1.431, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sDI+d9OlCX4l for <cga-ext@core3.amsl.com>; Tue, 24 Nov 2009 08:46:27 -0800 (PST)
Received: from wolverine01.qualcomm.com (wolverine01.qualcomm.com [199.106.114.254]) by core3.amsl.com (Postfix) with ESMTP id C3D223A67E4 for <cga-ext@ietf.org>; Tue, 24 Nov 2009 08:46:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=qualcomm.com; i=julienl@qualcomm.com; q=dns/txt; s=qcdkim; t=1259081181; x=1290617181; h=from:to:cc:date:subject:thread-topic:thread-index: message-id:references:in-reply-to:accept-language: content-language:x-ms-has-attach:x-ms-tnef-correlator: acceptlanguage:content-type:content-transfer-encoding: mime-version:x-ironport-av; z=From:=20"Laganier,=20Julien"=20<julienl@qualcomm.com> |To:=20Tony=20Cheneau=20<tony.cheneau@it-sudparis.eu>|CC: =20"draft-ietf-csi-proxy-send@tools.ietf.org"=0D=0A=09<dr aft-ietf-csi-proxy-send@tools.ietf.org>,=0D=0A=20=20=20 =20=20=20=20=20"cga-ext@ietf.org"=0D=0A=09<cga-ext@ietf.o rg>|Date:=20Tue,=2024=20Nov=202009=2008:46:16=20-0800 |Subject:=20RE:=20[CGA-EXT]=20Comments=20on=20draft-ietf- csi-proxy-send-01|Thread-Topic:=20[CGA-EXT]=20Comments=20 on=20draft-ietf-csi-proxy-send-01|Thread-Index:=20AcpqkGn gIXndq0IDTS+XfeIxO1WJCACkQPzA|Message-ID:=20<BF345F63074F 8040B58C00A186FCA57F1C65FB2942@NALASEXMB04.na.qualcomm.co m>|References:=20<alpine.LNX.2.00.0911191100150.7833@whit ebox>=0D=0A=09<BF345F63074F8040B58C00A186FCA57F1C66087842 @NALASEXMB04.na.qualcomm.com>=0D=0A=09<alpine.LNX.2.00.09 11201144010.7546@whitebox>=0D=0A=09<BF345F63074F8040B58C0 0A186FCA57F1C65FB277D@NALASEXMB04.na.qualcomm.com>=0D=0A =20<alpine.LNX.2.00.0911211025090.11248@localhost.localdo main>|In-Reply-To:=20<alpine.LNX.2.00.0911211025090.11248 @localhost.localdomain>|Accept-Language:=20en-US |Content-Language:=20en-US|X-MS-Has-Attach: |X-MS-TNEF-Correlator:|acceptlanguage:=20en-US |Content-Type:=20text/plain=3B=20charset=3D"us-ascii" |Content-Transfer-Encoding:=20quoted-printable |MIME-Version:=201.0|X-IronPort-AV:=20E=3DMcAfee=3Bi=3D"5 400,1158,5812"=3B=20a=3D"28335534"; bh=6NX8jE+J4S4GcMu87HWEdgaiQfcxgD3G9y6B9azrVIM=; b=JaU5HqokCQ1JxX80TQ6ObccNq0g/UbcPryiphY5XVdX2RVvxd2lJukSR 5g0Nqc3cZUFqMbSdvf1ODjV3oGFW05nk718yflsnoUqHL9iqAboR4oXd8 wWXmAIbcrx+XZmJPLjxN7Bxdoacn7k5EYMBY4ykWUGuyGqc9Sg/Js6pSz o=;
X-IronPort-AV: E=McAfee;i="5400,1158,5812"; a="28335534"
Received: from pdmz-ns-mip.qualcomm.com (HELO numenor.qualcomm.com) ([199.106.114.10]) by wolverine01.qualcomm.com with ESMTP; 24 Nov 2009 08:46:21 -0800
Received: from totoro.qualcomm.com (totoro.qualcomm.com [129.46.61.158]) by numenor.qualcomm.com (8.14.2/8.14.2/1.0) with ESMTP id nAOGkLMM010422 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 24 Nov 2009 08:46:21 -0800
Received: from nasanexhub06.na.qualcomm.com (nasanexhub06.na.qualcomm.com [129.46.134.254]) by totoro.qualcomm.com (8.14.2/8.14.2/1.0) with ESMTP id nAOGkKnl020495 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Tue, 24 Nov 2009 08:46:20 -0800 (PST)
Received: from nalasexhub02.na.qualcomm.com (10.47.130.89) by nasanexhub06.na.qualcomm.com (129.46.134.254) with Microsoft SMTP Server (TLS) id 8.2.176.0; Tue, 24 Nov 2009 08:46:19 -0800
Received: from NALASEXMB04.na.qualcomm.com ([10.47.7.118]) by nalasexhub02.na.qualcomm.com ([10.47.130.89]) with mapi; Tue, 24 Nov 2009 08:46:18 -0800
From: "Laganier, Julien" <julienl@qualcomm.com>
To: Tony Cheneau <tony.cheneau@it-sudparis.eu>
Date: Tue, 24 Nov 2009 08:46:16 -0800
Thread-Topic: [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01
Thread-Index: AcpqkGngIXndq0IDTS+XfeIxO1WJCACkQPzA
Message-ID: <BF345F63074F8040B58C00A186FCA57F1C65FB2942@NALASEXMB04.na.qualcomm.com>
References: <alpine.LNX.2.00.0911191100150.7833@whitebox> <BF345F63074F8040B58C00A186FCA57F1C66087842@NALASEXMB04.na.qualcomm.com> <alpine.LNX.2.00.0911201144010.7546@whitebox> <BF345F63074F8040B58C00A186FCA57F1C65FB277D@NALASEXMB04.na.qualcomm.com> <alpine.LNX.2.00.0911211025090.11248@localhost.localdomain>
In-Reply-To: <alpine.LNX.2.00.0911211025090.11248@localhost.localdomain>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "draft-ietf-csi-proxy-send@tools.ietf.org" <draft-ietf-csi-proxy-send@tools.ietf.org>, "cga-ext@ietf.org" <cga-ext@ietf.org>
Subject: Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2009 16:46:28 -0000

Hi Tony,

I had overlooked the proxy ND siphoning off traffic exchanged between two on-link link-local addresses. I agree that this is a difference with the compromised router threat and should be acknowledged in the document. How about the following?

   Thanks to the authorization certificate it is provisioned with, a proxy ND
   is authorized to issue ND signaling on behalf of nodes on the subnet. 

   Thus, a compromised proxy is able, like a compromised router, to siphon off
   traffic from the host, or mount a man-in-the-middle attack. However, when
   two on-link hosts communicate using their respective link-local addresses,
   the threats involved with a compromised router and a compromised proxy ND 
   differs because the router is not able to siphon off traffic exchanged
   between the hosts or mount a man-in-the-middle attack, while the proxy ND
   can.

   As for SEND which does not protect against attacks involved with the compromise
   of a router, as described in Sections 9.2.4 of [RFC3971], Secure Proxy ND Support
   for SEND does not protect against similar attacks involved with the 
   compromise of the proxy ND. However, the additional threat of siphoning off or
   mounting a man-in-the-middle attack between two link-local addresses is countered  
   by having SEND nodes receiving both unproxied and proxied messages give priority to 
   unproxied ones.  Here, the "unproxied" messages are those that contain a valid signature 
   option as specified per the SEND specification [RFC3971], and "proxied"
   messages are those that contain a valid proxy signature option (PSO) as
   specified in this document.

As to specifying that the proxy ND is always authorized to proxy for addresses in the fe80::/64 prefix vs. inclusion in the certificate of either a list of node's link local addresses that the proxy ND is authorized to proxy, or of the whole fe80::/64 prefix, I have no strong opinion and would like to ask the WG participant what is their preference there?

--julien

> -----Original Message-----
> From: cga-ext-bounces@ietf.org [mailto:cga-ext-bounces@ietf.org] On
> Behalf Of Tony Cheneau
> Sent: Saturday, November 21, 2009 1:53 AM
> To: Laganier, Julien
> Cc: draft-ietf-csi-proxy-send@tools.ietf.org; cga-ext@ietf.org
> Subject: Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01
> 
> Hi Julien
> 
> On Fri, 20 Nov 2009, Laganier, Julien wrote:
> 
> > Tony,
> >
> > If a router is compromised, it can send a RA containing a PIO with
> the L bit set to zero, and thus two hosts on the link trying to
> communicate will sends their packets to the router and will not attempt
> to resolve each others' address. Doing so, it can mount a MiTM attack
> of siphon off packets sent by a host. This is acknowledged in section
> 4.2.1. of RFC 3756.
> Indeed, I forgot this L flag. You're right.
> 
> 
> > Regarding the fe80::/64 prefix, it does not need to be advertized by
> the router or proxy. It should be assumed that a ND proxy is always
> authorized to proxy signaling for the fe80::/64 prefix. That does not
> need to be signaled in the certificate, it has to be written down in
> the draft however :)
> This is a good way to go (other way around seems to add the fe80::/64
> prefix to
> the Secure Proxy ND's certificate). However, can you add a security
> consideration specific to this new "rule" ? I see a security issue here.
> 
> From RFC 4861, section 4.6.2 (the Prefix Information Option):
> "A router SHOULD NOT send a prefix option for the link-local prefix and
> a host
> SHOULD ignore such a prefix option."
> 
> Meaning that the attack in 4.2.1 of RFC 3756 "SHOULD NOT" work on two
> nodes
> communicating directly using their link-local addresses (as the PIOs
> sent by
> the router will more likely be ignored).
> Here, the Secure Proxy ND seems to be able to siphon off the
> communication of
> the same two nodes using their link-local addresses (as it is always
> authorized
> to proxy signaling for the fe80::/64 prefix).
> 
> Maybe I am (again) missing something here.
> 
> 
> Regards,
>  	Tony
> _______________________________________________
> CGA-EXT mailing list
> CGA-EXT@ietf.org
> https://www.ietf.org/mailman/listinfo/cga-ext

v2.23.0 | Report a Bug | By Email