Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01
"Laganier, Julien" <julienl@qualcomm.com> Tue, 24 November 2009 16:46 UTC
Return-Path: <julienl@qualcomm.com>
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C7C753A67E9 for <cga-ext@core3.amsl.com>; Tue, 24 Nov 2009 08:46:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.168
X-Spam-Level:
X-Spam-Status: No, score=-105.168 tagged_above=-999 required=5 tests=[AWL=1.431, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sDI+d9OlCX4l for <cga-ext@core3.amsl.com>; Tue, 24 Nov 2009 08:46:27 -0800 (PST)
Received: from wolverine01.qualcomm.com (wolverine01.qualcomm.com [199.106.114.254]) by core3.amsl.com (Postfix) with ESMTP id C3D223A67E4 for <cga-ext@ietf.org>; Tue, 24 Nov 2009 08:46:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=qualcomm.com; i=julienl@qualcomm.com; q=dns/txt; s=qcdkim; t=1259081181; x=1290617181; h=from:to:cc:date:subject:thread-topic:thread-index: message-id:references:in-reply-to:accept-language: content-language:x-ms-has-attach:x-ms-tnef-correlator: acceptlanguage:content-type:content-transfer-encoding: mime-version:x-ironport-av; z=From:=20"Laganier,=20Julien"=20<julienl@qualcomm.com> |To:=20Tony=20Cheneau=20<tony.cheneau@it-sudparis.eu>|CC: =20"draft-ietf-csi-proxy-send@tools.ietf.org"=0D=0A=09<dr aft-ietf-csi-proxy-send@tools.ietf.org>,=0D=0A=20=20=20 =20=20=20=20=20"cga-ext@ietf.org"=0D=0A=09<cga-ext@ietf.o rg>|Date:=20Tue,=2024=20Nov=202009=2008:46:16=20-0800 |Subject:=20RE:=20[CGA-EXT]=20Comments=20on=20draft-ietf- csi-proxy-send-01|Thread-Topic:=20[CGA-EXT]=20Comments=20 on=20draft-ietf-csi-proxy-send-01|Thread-Index:=20AcpqkGn gIXndq0IDTS+XfeIxO1WJCACkQPzA|Message-ID:=20<BF345F63074F 8040B58C00A186FCA57F1C65FB2942@NALASEXMB04.na.qualcomm.co m>|References:=20<alpine.LNX.2.00.0911191100150.7833@whit ebox>=0D=0A=09<BF345F63074F8040B58C00A186FCA57F1C66087842 @NALASEXMB04.na.qualcomm.com>=0D=0A=09<alpine.LNX.2.00.09 11201144010.7546@whitebox>=0D=0A=09<BF345F63074F8040B58C0 0A186FCA57F1C65FB277D@NALASEXMB04.na.qualcomm.com>=0D=0A =20<alpine.LNX.2.00.0911211025090.11248@localhost.localdo main>|In-Reply-To:=20<alpine.LNX.2.00.0911211025090.11248 @localhost.localdomain>|Accept-Language:=20en-US |Content-Language:=20en-US|X-MS-Has-Attach: |X-MS-TNEF-Correlator:|acceptlanguage:=20en-US |Content-Type:=20text/plain=3B=20charset=3D"us-ascii" |Content-Transfer-Encoding:=20quoted-printable |MIME-Version:=201.0|X-IronPort-AV:=20E=3DMcAfee=3Bi=3D"5 400,1158,5812"=3B=20a=3D"28335534"; bh=6NX8jE+J4S4GcMu87HWEdgaiQfcxgD3G9y6B9azrVIM=; b=JaU5HqokCQ1JxX80TQ6ObccNq0g/UbcPryiphY5XVdX2RVvxd2lJukSR 5g0Nqc3cZUFqMbSdvf1ODjV3oGFW05nk718yflsnoUqHL9iqAboR4oXd8 wWXmAIbcrx+XZmJPLjxN7Bxdoacn7k5EYMBY4ykWUGuyGqc9Sg/Js6pSz o=;
X-IronPort-AV: E=McAfee;i="5400,1158,5812"; a="28335534"
Received: from pdmz-ns-mip.qualcomm.com (HELO numenor.qualcomm.com) ([199.106.114.10]) by wolverine01.qualcomm.com with ESMTP; 24 Nov 2009 08:46:21 -0800
Received: from totoro.qualcomm.com (totoro.qualcomm.com [129.46.61.158]) by numenor.qualcomm.com (8.14.2/8.14.2/1.0) with ESMTP id nAOGkLMM010422 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 24 Nov 2009 08:46:21 -0800
Received: from nasanexhub06.na.qualcomm.com (nasanexhub06.na.qualcomm.com [129.46.134.254]) by totoro.qualcomm.com (8.14.2/8.14.2/1.0) with ESMTP id nAOGkKnl020495 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Tue, 24 Nov 2009 08:46:20 -0800 (PST)
Received: from nalasexhub02.na.qualcomm.com (10.47.130.89) by nasanexhub06.na.qualcomm.com (129.46.134.254) with Microsoft SMTP Server (TLS) id 8.2.176.0; Tue, 24 Nov 2009 08:46:19 -0800
Received: from NALASEXMB04.na.qualcomm.com ([10.47.7.118]) by nalasexhub02.na.qualcomm.com ([10.47.130.89]) with mapi; Tue, 24 Nov 2009 08:46:18 -0800
From: "Laganier, Julien" <julienl@qualcomm.com>
To: Tony Cheneau <tony.cheneau@it-sudparis.eu>
Date: Tue, 24 Nov 2009 08:46:16 -0800
Thread-Topic: [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01
Thread-Index: AcpqkGngIXndq0IDTS+XfeIxO1WJCACkQPzA
Message-ID: <BF345F63074F8040B58C00A186FCA57F1C65FB2942@NALASEXMB04.na.qualcomm.com>
References: <alpine.LNX.2.00.0911191100150.7833@whitebox> <BF345F63074F8040B58C00A186FCA57F1C66087842@NALASEXMB04.na.qualcomm.com> <alpine.LNX.2.00.0911201144010.7546@whitebox> <BF345F63074F8040B58C00A186FCA57F1C65FB277D@NALASEXMB04.na.qualcomm.com> <alpine.LNX.2.00.0911211025090.11248@localhost.localdomain>
In-Reply-To: <alpine.LNX.2.00.0911211025090.11248@localhost.localdomain>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "draft-ietf-csi-proxy-send@tools.ietf.org" <draft-ietf-csi-proxy-send@tools.ietf.org>, "cga-ext@ietf.org" <cga-ext@ietf.org>
Subject: Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2009 16:46:28 -0000
Hi Tony, I had overlooked the proxy ND siphoning off traffic exchanged between two on-link link-local addresses. I agree that this is a difference with the compromised router threat and should be acknowledged in the document. How about the following? Thanks to the authorization certificate it is provisioned with, a proxy ND is authorized to issue ND signaling on behalf of nodes on the subnet. Thus, a compromised proxy is able, like a compromised router, to siphon off traffic from the host, or mount a man-in-the-middle attack. However, when two on-link hosts communicate using their respective link-local addresses, the threats involved with a compromised router and a compromised proxy ND differs because the router is not able to siphon off traffic exchanged between the hosts or mount a man-in-the-middle attack, while the proxy ND can. As for SEND which does not protect against attacks involved with the compromise of a router, as described in Sections 9.2.4 of [RFC3971], Secure Proxy ND Support for SEND does not protect against similar attacks involved with the compromise of the proxy ND. However, the additional threat of siphoning off or mounting a man-in-the-middle attack between two link-local addresses is countered by having SEND nodes receiving both unproxied and proxied messages give priority to unproxied ones. Here, the "unproxied" messages are those that contain a valid signature option as specified per the SEND specification [RFC3971], and "proxied" messages are those that contain a valid proxy signature option (PSO) as specified in this document. As to specifying that the proxy ND is always authorized to proxy for addresses in the fe80::/64 prefix vs. inclusion in the certificate of either a list of node's link local addresses that the proxy ND is authorized to proxy, or of the whole fe80::/64 prefix, I have no strong opinion and would like to ask the WG participant what is their preference there? --julien > -----Original Message----- > From: cga-ext-bounces@ietf.org [mailto:cga-ext-bounces@ietf.org] On > Behalf Of Tony Cheneau > Sent: Saturday, November 21, 2009 1:53 AM > To: Laganier, Julien > Cc: draft-ietf-csi-proxy-send@tools.ietf.org; cga-ext@ietf.org > Subject: Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01 > > Hi Julien > > On Fri, 20 Nov 2009, Laganier, Julien wrote: > > > Tony, > > > > If a router is compromised, it can send a RA containing a PIO with > the L bit set to zero, and thus two hosts on the link trying to > communicate will sends their packets to the router and will not attempt > to resolve each others' address. Doing so, it can mount a MiTM attack > of siphon off packets sent by a host. This is acknowledged in section > 4.2.1. of RFC 3756. > Indeed, I forgot this L flag. You're right. > > > > Regarding the fe80::/64 prefix, it does not need to be advertized by > the router or proxy. It should be assumed that a ND proxy is always > authorized to proxy signaling for the fe80::/64 prefix. That does not > need to be signaled in the certificate, it has to be written down in > the draft however :) > This is a good way to go (other way around seems to add the fe80::/64 > prefix to > the Secure Proxy ND's certificate). However, can you add a security > consideration specific to this new "rule" ? I see a security issue here. > > From RFC 4861, section 4.6.2 (the Prefix Information Option): > "A router SHOULD NOT send a prefix option for the link-local prefix and > a host > SHOULD ignore such a prefix option." > > Meaning that the attack in 4.2.1 of RFC 3756 "SHOULD NOT" work on two > nodes > communicating directly using their link-local addresses (as the PIOs > sent by > the router will more likely be ignored). > Here, the Secure Proxy ND seems to be able to siphon off the > communication of > the same two nodes using their link-local addresses (as it is always > authorized > to proxy signaling for the fe80::/64 prefix). > > Maybe I am (again) missing something here. > > > Regards, > Tony > _______________________________________________ > CGA-EXT mailing list > CGA-EXT@ietf.org > https://www.ietf.org/mailman/listinfo/cga-ext
- [CGA-EXT] Comments on draft-ietf-csi-proxy-send-01 Tony Cheneau
- Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-se… Laganier, Julien
- Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-se… Tony Cheneau
- Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-se… Jean-Michel Combes
- Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-se… Laganier, Julien
- Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-se… Laganier, Julien
- Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-se… Tony Cheneau
- Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-se… Laganier, Julien
- Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-se… Tony Cheneau
- Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-se… Laganier, Julien
- Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-se… Tony Cheneau
- Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-se… Laganier, Julien
- [CGA-EXT] Review draft-ietf-csi-proxy-send-01 Roque Gagliano
- Re: [CGA-EXT] Review draft-ietf-csi-proxy-send-01 Laganier, Julien
- Re: [CGA-EXT] Review draft-ietf-csi-proxy-send-01 Roque Gagliano
- Re: [CGA-EXT] Review draft-ietf-csi-proxy-send-01 Laganier, Julien
- Re: [CGA-EXT] Review draft-ietf-csi-proxy-send-01 Roque Gagliano
- Re: [CGA-EXT] Review draft-ietf-csi-proxy-send-01 Roque Gagliano
- [CGA-EXT] Review of draft-ietf-csi-proxy-send Jari Arkko
- Re: [CGA-EXT] Review draft-ietf-csi-proxy-send-01 Tony Cheneau
- Re: [CGA-EXT] Review of draft-ietf-csi-proxy-send Tony Cheneau
- Re: [CGA-EXT] Review of draft-ietf-csi-proxy-send Jari Arkko
- Re: [CGA-EXT] Review of draft-ietf-csi-proxy-send Alberto García
- Re: [CGA-EXT] Review of draft-ietf-csi-proxy-send Alberto García
- Re: [CGA-EXT] Comments on draft-ietf-csi-proxy-se… Alberto García
- Re: [CGA-EXT] Review of draft-ietf-csi-proxy-send Laganier, Julien
- Re: [CGA-EXT] Review of draft-ietf-csi-proxy-send Tony Cheneau
- Re: [CGA-EXT] Review of draft-ietf-csi-proxy-send Alberto García
- Re: [CGA-EXT] Review of draft-ietf-csi-proxy-send Jari Arkko
- Re: [CGA-EXT] Review of draft-ietf-csi-proxy-send Alberto García