Re: [CGA-EXT] Question about RS/RA protection w/ SEND
arno@natisbad.org (Arnaud Ebalard) Tue, 18 August 2009 07:20 UTC
Return-Path: <arno@natisbad.org>
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B50F33A6B5D for <cga-ext@core3.amsl.com>; Tue, 18 Aug 2009 00:20:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.569
X-Spam-Level:
X-Spam-Status: No, score=-3.569 tagged_above=-999 required=5 tests=[AWL=0.030, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fWYnuEbT8KkJ for <cga-ext@core3.amsl.com>; Tue, 18 Aug 2009 00:20:36 -0700 (PDT)
Received: from copper.chdir.org (copper.chdir.org [88.191.97.87]) by core3.amsl.com (Postfix) with ESMTP id 2CE383A6A90 for <cga-ext@ietf.org>; Tue, 18 Aug 2009 00:20:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=natisbad.org; s=mail; h=From:To:Cc:Subject:References:Date: In-Reply-To:Message-ID:MIME-Version:Content-Type; bh=g++1PnR+bKa KYGehrt1tQEYJhVn78tmqlFrQim9db64=; b=f97m0c7GljIz6pA4Ihl5B8RbSpB giXSV3d323LlQhHV1YX/rarjr2Utz1WyDpkzQci7Isv/ccTCaHWiAlOOeEQWNSCm /xssTJoaWru3iSnk9vGYI/ws4JSC1gY6YgYZ+3YpNHD46sdaHgBr4O3PzDBCGbj6 mgB8k32Gp5101IdQ=
Received: from [2001:7a8:78df:2:20d:93ff:fe55:8f79] (helo=small.ssi.corp) by copper.chdir.org with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.69) (envelope-from <arno@natisbad.org>) id 1MdIyS-0001nL-Vr; Tue, 18 Aug 2009 09:19:17 +0200
From: arno@natisbad.org
To: Greg Daley <hoskuld@hotmail.com>
References: <8763cv95i7.fsf@small.ssi.corp> <87d471ed0c.fsf@small.ssi.corp> <BAY114-W38A61C369061241BAFA05EADFF0@phx.gbl>
X-PGP-Key-URL: http://natisbad.org/arno@natisbad.org.asc
X-Fingerprint: 47EB 85FE B99A AB85 FD09 46F3 0255 957C 047A 5026
X-Hashcash: 1:20:090818:hoskuld@hotmail.com::CswX1+9P3gAeVIyd:000000000000000000000000000000000000000000A9mF
X-Hashcash: 1:20:090818:cga-ext@ietf.org::6S6vu7UlLEz5gqKS:0BTGa
Date: Tue, 18 Aug 2009 09:19:56 +0200
In-Reply-To: <BAY114-W38A61C369061241BAFA05EADFF0@phx.gbl> (Greg Daley's message of "Tue, 18 Aug 2009 15:48:06 +1000")
Message-ID: <873a7pk2qr.fsf@small.ssi.corp>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/23.0.92 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: cga-ext@ietf.org
Subject: Re: [CGA-EXT] Question about RS/RA protection w/ SEND
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2009 07:20:37 -0000
Hi Greg, Greg Daley <hoskuld@hotmail.com> writes: >> So, in order for my MN to get a secured RA w/ a Nonce option from a >> SEND-enabled router on the link, it needs to send a RS with the Nonce >> option using the unspecified address as source for its message. >> >> Sending such a message is authorized (as per section 5.1.1) and the >> message will be considered secured (as per section 5.1.2. I should say >> it will not be considered unsecured) by the receiver. As per section 8, >> this will trigger the emission of a secured advertisement, which will >> include the nonce option found in the RS (as per section 5.3.3). > > I believe the behaviour of the responding device was constrained > during the security review for SEND. > > The issue here was the potential to generate known clear-text (the > nonce) onto the network without performing any significant work. A > unicast RA is not rate-limited the same way as the multicast RA, and > the RAs are visible to all packet recipients. This could cause a SEND > advertiser to generate multiple responses which reveal information > about its private key (or hash to particular values, like the recent > MD5 certificate attack). > > The problem with your certificate only MN is that it cannot reliably > receive a quick RA in order to detect change and configure a new > source address. That is because it will rely upon the Multicast > delivery of packets which is strictly time separated by > MinDelayBetweenRAs. > > While RFC3775 Identifies a smaller value for this (0.03-0.07s) this > relies upon all networks using the values from RFC3775. This is not > the default, and certainly not optimal for some wireless networks. > > In a constrained network environment though, your mechanism could > work. My main target was the Home Network (for securing the Home Link Detection mechanism of the MN) in which the reduced values for the MinDelayBetweenRAs apply. But I think you are right on the following point: relying only on multicast RA will not work well on crowdy networks or in common environments (i.e. w/o beting able to force more frequent response from routers). > I guess the issue is mostly one of motivation and the correct > engineering solution. Why have the constraint of requiring nonces, and > only certificates (not CGA) for the MN? Well, it took me only 3 days or so to have a basic implementation of the mechanism (no timestamp check though) in UMIP (Linux MIPv6 daemon) and required only to support RS (addition of nonce and timestamp) and RA (nonce and sig option parsing and validation). Implementing (and deploying) the CGA part can be done later but is IMHO a lot more work. > Isn't there a way of reengineering the 3971 operations to support > Certificate based devices holding Nonces? (For example, even if it is > not possible to authenticate the origin of the certificate, the > operations required to sign the message could be checked by the > recipient router: it's not like we have a large deployed base ;) Sorry, I fail to understand the idea. Can you give an example? > An old and dated draft which looked at using nonces for response > matching is at: > > http://ietfreport.isoc.org/all-ids/draft-daley-dna-nonce-resp-01.txt > > The principle here was not to rely upon existing SEND function so much > as to include a new option for the purpose of liveness proof. The > draft didn't go anywhere, but perhaps it could stoke some ideas. Thanks for the pointer. Cheers, a+
- [CGA-EXT] Question about RS/RA protection w/ SEND Arnaud Ebalard
- Re: [CGA-EXT] Question about RS/RA protection w/ … Arnaud Ebalard
- Re: [CGA-EXT] Question about RS/RA protection w/ … Greg Daley
- Re: [CGA-EXT] Question about RS/RA protection w/ … Arnaud Ebalard