Re: [CGA-EXT] CGA-EXT Digest, Vol 47, Issue 2

"Roque Gagliano (rogaglia)" <rogaglia@cisco.com> Mon, 07 January 2013 09:40 UTC

Return-Path: <rogaglia@cisco.com>
X-Original-To: cga-ext@ietfa.amsl.com
Delivered-To: cga-ext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C67DF21F88B9 for <cga-ext@ietfa.amsl.com>; Mon, 7 Jan 2013 01:40:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C0FPPRFSJxd4 for <cga-ext@ietfa.amsl.com>; Mon, 7 Jan 2013 01:40:55 -0800 (PST)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) by ietfa.amsl.com (Postfix) with ESMTP id 2C21121F869C for <cga-ext@ietf.org>; Mon, 7 Jan 2013 01:40:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8713; q=dns/txt; s=iport; t=1357551655; x=1358761255; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=xNDak5k6JYRL5m+D8pe2qDPVoAoMXMG/B8H2k9edheo=; b=Q1HGxr7S50sqEviC81oRt2KxJrbPVu5wXL9lp3DRaZft5RLRv8c1RgVo ym2PdUNYO7L0heVBBB+bJSZm7j/kJeIU0MEET1QqQcWMAw3ByIKUXIJbS KIplD0PFYbZG4/zpnuVGQpHca/lEwVdcHxTqNqaCiMu7ef/s73qn1OMic E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgEFAPGW6lCtJXHA/2dsb2JhbABFvVIWc4IeAQEBAwEBAQEaHRQgCwUHBAIBCA4DAwEBAQsCAREJBycKARQJCAIEDgUIARICBIdwBgy2TIxdg1dhA5JYhE+PLYJ0gWgHAhce
X-IronPort-AV: E=Sophos;i="4.84,423,1355097600"; d="scan'208";a="159549167"
Received: from rcdn-core2-5.cisco.com ([173.37.113.192]) by rcdn-iport-6.cisco.com with ESMTP; 07 Jan 2013 09:40:54 +0000
Received: from xhc-rcd-x02.cisco.com (xhc-rcd-x02.cisco.com [173.37.183.76]) by rcdn-core2-5.cisco.com (8.14.5/8.14.5) with ESMTP id r079esFw025092 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 7 Jan 2013 09:40:54 GMT
Received: from xmb-rcd-x02.cisco.com ([169.254.4.144]) by xhc-rcd-x02.cisco.com ([173.37.183.76]) with mapi id 14.02.0318.004; Mon, 7 Jan 2013 03:40:54 -0600
From: "Roque Gagliano (rogaglia)" <rogaglia@cisco.com>
To: Hosnieh Rafiee <ietf@rozanak.com>
Thread-Topic: [CGA-EXT] CGA-EXT Digest, Vol 47, Issue 2
Thread-Index: AQHN7LsVoJaiGOKzT0iV+Q/2cgoQDw==
Date: Mon, 7 Jan 2013 09:40:53 +0000
Message-ID: <EF4348D391D0334996EE9681630C83F0220218BC@xmb-rcd-x02.cisco.com>
References: <mailman.6716.1357502970.3374.cga-ext@ietf.org> <000701cdec4e$0a6cd040$1f4670c0$@rozanak.com>
In-Reply-To: <000701cdec4e$0a6cd040$1f4670c0$@rozanak.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.147.19.46]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <8AD42A01694FA64EB07D51AB7F1B90B9@cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "<cga-ext@ietf.org>" <cga-ext@ietf.org>
Subject: Re: [CGA-EXT] CGA-EXT Digest, Vol 47, Issue 2
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jan 2013 09:40:56 -0000

Hosnieh,

I have some comments:
- Why this is an important problem to be addressed is not clear in the text other than saying "CGA are computing intensive", which is arguable depending on network sizes and equipment 
- You need to add text to the document on where the improvement resides. You mentioned something on the answer to Ahmad but that is still not convincing.
- You mention that the strength of your algorithm requires that the key pair needs to be changed every 2 days. In the case you are using SEND, this means generating new certificates for every node every 2 days. This seams like a non-starter IMHO.
- Please include the reference to your studies instead of saying "Our experimental results show a definite improvement ".

BTW, there other proposals for privacy extensions today that you should mention: https://tools.ietf.org/html/draft-ietf-6man-stable-privacy-addresses-02

Roque.

On Jan 6, 2013, at 9:40 PM, Hosnieh Rafiee <ietf@rozanak.com>; wrote:

> Dear Ahmad,
> 
> Thank you so much for your comments. 
> 
>> SEND already offers what you are looking for. It has the Timestamp and the
> Signature options which are attached to the DNP messages.
> 
> As I explained in my last email to Jeremy, It just updates SEND and does not
> replace it. It updates SEND because of the signature contents. I also
> explained in the draft that we used the same timestamp as is used in SEND.
> 
>> I agree with the claim that CGA is compute intensive, but one can use Sec=0
> or 1. In this case the computation of the CGA (SEND) would be equivalent to
> the complexity of your approach.  
> I compared it with both sec value 0 and sec value 1. I did not consider sec
> value higher because it is not really feasible in practice that someone wait
> for 2 or 3 hours to days to generate an address. CGA for 1 it is 600 times
> more. For zero it is about 10 to 20 times more. 
> 
> The computation of this algorithm is faster than that for CGA and also the
> verification process is much faster. In the verification process you do not
> need to do all the CGA generation processing in reverse in order to verify
> it. With CGA you also have to include the verification time for the
> signature even though we say we use a sec value of 0 this is not considered
> in the verification process. For CGA you also need to include an extra 17
> bytes of options (modifier and collision count) in the packet, but with SSAS
> the packet size would be less. 
> 
> Thank you,
> Hosnieh
> 
> -----Original Message-----
> From: cga-ext-bounces@ietf.org [mailto:cga-ext-bounces@ietf.org] On Behalf
> Of cga-ext-request@ietf.org
> Sent: Sunday, January 06, 2013 9:10 PM
> To: cga-ext@ietf.org
> Subject: CGA-EXT Digest, Vol 47, Issue 2
> 
> If you have received this digest without all the individual message
> attachments you will need to update your digest options in your list
> subscription.  To do so, go to 
> 
> https://www.ietf.org/mailman/listinfo/cga-ext
> 
> Click the 'Unsubscribe or edit options' button, log in, and set "Get MIME or
> Plain Text Digests?" to MIME.  You can set this option globally for all the
> list digests you receive at this point.
> 
> 
> 
> Send CGA-EXT mailing list submissions to
> 	cga-ext@ietf.org
> 
> To subscribe or unsubscribe via the World Wide Web, visit
> 	https://www.ietf.org/mailman/listinfo/cga-ext
> or, via email, send a message with subject or body 'help' to
> 	cga-ext-request@ietf.org
> 
> You can reach the person managing the list at
> 	cga-ext-owner@ietf.org
> 
> When replying, please edit your Subject line so it is more specific than
> "Re: Contents of CGA-EXT digest..."
> 
> 
> Today's Topics:
> 
>   1. Re:  Call for comments on draft-rafiee-6man-ssas-00.txt
>      (Al-Sadeh, Ahmad)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Sun, 6 Jan 2013 21:09:53 +0100
> From: "Al-Sadeh, Ahmad" <Ahmad.AlSadeh@hpi.uni-potsdam.de>;
> To: Hosnieh Rafiee <ietf@rozanak.com>;, "cga-ext@ietf.org";
> 	<cga-ext@ietf.org>;
> Cc: "ipv6@ietf.org"; <ipv6@ietf.org>;
> Subject: Re: [CGA-EXT] Call for comments on
> 	draft-rafiee-6man-ssas-00.txt
> Message-ID: <BB4E1F8A-2971-4648-82E4-3A34DBE777A5@mimectl>
> Content-Type: text/plain; charset="Windows-1252"
> 
> Hosnieh,
> I have read your draft. And I have the following comments.
> SEND already offers what you are looking for. It has the Timestamp and the
> Signature options which are attached to the DNP messages. So, the new
> benefits of your approach are not clear to me.
> I agree with the claim that CGA is compute intensive, but one can use Sec=0
> or 1. In this case the computation of the CGA (SEND) would be equivalent to
> the complexity of your approach.  Therefore the enhancements that are
> proposed to protect the user privacy by setting a lifetime for the generated
> address (e.g. 2 days) or generating the key pairs by CGA code can be
> directly applied to the CGA and SEND implementation without significant
> change to proposed standard.
> In Section 5, ?? it provides proof of address ownership at a speed that is
> about 600 times faster than that of the CGA algorithm.?
> For which Sec value this comparison was done?
> Regards,
> Ahmad AlSadeh
> 
> ________________________________
> From: cga-ext-bounces@ietf.org [cga-ext-bounces@ietf.org] On Behalf Of
> Hosnieh Rafiee [ietf@rozanak.com]
> Sent: 04 January 2013 21:13
> To: cga-ext@ietf.org
> Subject: [CGA-EXT] Call for comments on draft-rafiee-6man-ssas-00.txt
> 
> 
> Dear All,
> 
> This draft addresses the following problem:
> Unfortunately the existing drafts do not consider the integration of
> security and privacy  for the generation of the Interface ID (IID). This
> draft tries to offer a solution to this problem while at the same time
> considering the generation and verification times and complexity of the
> existing algorithms. Please take a look. Comments are greatly appreciated.
> Thank you,
> Hosnieh
> 
> 
> 
> Filename:        draft-rafiee-6man-ssas
> Revision:        00
> Title:           A Simple Secure Addressing Generation Scheme for IPv6
> AutoConfiguration (SSAS)
> Creation date:   2013-01-02
> WG ID:           Individual Submission
> Number of pages: 13
> URL:
> http://www.ietf.org/internet-drafts/draft-rafiee-6man-ssas-00.txt
> Status:          http://datatracker.ietf.org/doc/draft-rafiee-6man-ssas
> Htmlized:        http://tools.ietf.org/html/draft-rafiee-6man-ssas-00
> 
> 
> Abstract:
>   The default method for IPv6 address generation uses two unique
>   manufacturer IDs that are assigned by the IEEE Standards Association
>   [1] (section 2.5.1 RFC-4291) [RFC4291]. This means that a node will
>   always have the same Interface ID (IID) whenever it connects to a new
>   network. Because the node's IP address does not change, the node is
>   vulnerable to privacy related attacks. To address this issue, there
>   are currently two mechanisms in use to randomize the IID,
>   Cryptographically Generated Addresses (CGA) [RFC3972] and Privacy
>   Extension [RFC4941]. The problem with the former approach is the
>   computational cost involved for the IID generation. The problem with
>   the latter approach is that it lacks security. This document offers a
>   new algorithm for use in the generation of the IID while, at the same
>   time, securing the node against some types of attack, such as IP
>   spoofing. These attacks are prevented with the addition of a
>   signature to the Neighbor Discovery messages (NDP).
> 
> 
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> ipv6@ietf.org
> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
> 
> _______________________________________________
> CGA-EXT mailing list
> CGA-EXT@ietf.org
> https://www.ietf.org/mailman/listinfo/cga-ext
> 
> 
> ------------------------------
> 
> _______________________________________________
> CGA-EXT mailing list
> CGA-EXT@ietf.org
> https://www.ietf.org/mailman/listinfo/cga-ext
> 
> 
> End of CGA-EXT Digest, Vol 47, Issue 2
> **************************************
> 
> _______________________________________________
> CGA-EXT mailing list
> CGA-EXT@ietf.org
> https://www.ietf.org/mailman/listinfo/cga-ext