[CGA-EXT] [draft-ietf-csi-proxy-send-01] review
Jean-Michel Combes <jeanmichel.combes@gmail.com> Tue, 08 December 2009 18:50 UTC
Return-Path: <jeanmichel.combes@gmail.com>
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 681E528C1C6 for <cga-ext@core3.amsl.com>;
Tue, 8 Dec 2009 10:50:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.409
X-Spam-Level:
X-Spam-Status: No, score=-1.409 tagged_above=-999 required=5 tests=[AWL=-1.110,
BAYES_00=-2.599, MANGLED_NAIL=2.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xdHAhobjLOLa for
<cga-ext@core3.amsl.com>; Tue, 8 Dec 2009 10:50:15 -0800 (PST)
Received: from mail-iw0-f195.google.com (mail-iw0-f195.google.com
[209.85.223.195]) by core3.amsl.com (Postfix) with ESMTP id 6E36A28C17C for
<cga-ext@ietf.org>; Tue, 8 Dec 2009 10:50:15 -0800 (PST)
Received: by iwn33 with SMTP id 33so4154239iwn.29 for <cga-ext@ietf.org>;
Tue, 08 Dec 2009 10:50:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
h=domainkey-signature:mime-version:received:date:message-id:subject
:from:to:content-type; bh=+Z27QCbgexq/sFH/mDEMQwjSjlYEODIMNJAWDzmK69E=;
b=YZ7CqdFzewmMsKPbQr2eiD69Pe9ZaU1dN2znw4beV3dIMrNQA8riPGgBnxurpBjgAe
Sky0o7a/Nz0qVHkFf1f07bOyIO+ehZpkqSck4kioMsFcJQkgG17PO8pouN32cOXckzvS
h3htagh/LGFg2cZ6ig6P4GfmjqkLOkHfJ+wHU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
h=mime-version:date:message-id:subject:from:to:content-type;
b=BfO1XXAQwiCNY8Q4Mh7m8i7uvkY5196r+gICVIRww7uMi1K0clWnTBg5SZJ08Ytq8P
1QZkrrzIXOdt8aKr8EUr6LIUHsjxDYxTYrf7sJlQo1pufEpLLVSJfGSUHuFbnquOnlOb
hCjGaxtQjelB5Wj0hupL9UecVRC4CvuVg3RRc=
MIME-Version: 1.0
Received: by 10.231.81.148 with SMTP id x20mr129552ibk.2.1260298201568;
Tue, 08 Dec 2009 10:50:01 -0800 (PST)
Date: Tue, 8 Dec 2009 19:50:01 +0100
Message-ID: <729b68be0912081050k177ee024vb7cf51f00d75e937@mail.gmail.com>
From: Jean-Michel Combes <jeanmichel.combes@gmail.com>
To: cga-ext@ietf.org
Content-Type: text/plain; charset=ISO-8859-1
Subject: [CGA-EXT] [draft-ietf-csi-proxy-send-01] review
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>,
<mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>,
<mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2009 18:50:18 -0000
Hi,
Here are some comments/questions about this draft (sorry if some have
already been submitted/solved on the ML):
4. Application Scenarios
<JMC>
These 3 scenarios are already documented in "Securing Neighbor
Discovery Proxy Problem Statement" [draft-ietf-csi-sndp-prob-03], so I
think they may be removed from the document or do you assume that your
solution only solves these scenarios (i.e. your solution cannot solve
IKEv2 scenario and Anycast scenario described in
[draft-ietf-csi-sndp-prob-03] but I don't think so :))
<JMC>
Link 1 Link 2
Host A ND Proxy (P) Host B
| | |
| SRC = A | |
| DST = solicited_node(B) | |
| ICMPv6 NS | |
| TARGET = B | |
| SLLAO = B_LL | |
|------------------------->| |
| | SRC = A |
| | DST = solicited_node(B) |
| | ICMPv6 NS |
| | TARGET = B |
| | SLLAO = P_LL |
| |------------------------->|
| | |
| | SRC = B |
| | DST = A |
| | ICMPv6 NA |
| | TARGET = B |
| | TLLAO = B_LL |
| |<-------------------------|
| SRC = B | |
| DST = A | |
| ICMPv6 NA | |
| TARGET = B | |
| TLLAO = B_LL | |
|<-------------------------| |
| | |
Figure 1: Proxy ND operations
<JMC>
s/TLLAO = B_LL/TLLA = P_LL/
<JMC>
4.2. Scenario 2: Mobile IPv6
The Mobile IPv6 protocol [RFC3775] allows a mobile node (MN) to move
from one link to another while maintaining reachability at a stable
address, the so-called MN's home address (HoA.) When a mobile node
attaches to a foreign network, all the packets sent to the MN's HoA
and forwarded on the home link by a correspondent node (CN) or a
router are intercepted by the home agent (HA) on that home link,
encapsulated and tunneled to the mobile node's registered care-of
address (CoA.)
<JMC>
s/registered care-of address (CoA.)/registered care-of address (CoA).
<JMC>
It is not possible to apply the current SEND specification to protect
the NA message issued by the HA. To generate an ICMPv6 NA with a
valid CGA option and the corresponding RSA Signature option, the HA
needs knowledge of the private key related to the MN's
Cryptographically Generated Address (CGA.) Any ICMPv6 NA without a
valid CGA and RSA signature option is to be treated as insecure by a
SEND receiver.
<JMC>
s/the MN's Cryptographically Generated Address (CGA.)/the MN's
Cryptographically Generated Address (CGA).
<JMC>
Proxy Mobile IPv6 [I-D.ietf-netlmm-proxymip6] is a network-based
mobility management protocol that provides an IP mobility management
support for MNs without requiring MNs being involved in the mobility
related signaling. The IP mobility management is totally hidden to
the MN in a Proxy Mobile IPv6 domain and is performed by two
functional entities: the Local Mobility Anchor (LMA) and the Mobile
Access Gateway (MAG.)
<JMC>
s/[I-D.ietf-netlmm-proxymip6]/[RFC5213]
s/Mobile Access Gateway (MAG.)/Mobile Access Gateway (MAG).
<JMC>
When the MN connects to a new access link it will send a multicast
ICMPv6 Router Solicitation (RS.) The MAG on the new access link,
upon detecting the MN's attachment, will signal the LMA for updating
the binding state of the MN (Proxy Binding Update - PBU) and once the
signaling is complete (Proxy Binding Ack - PBA - received), it will
reply to the MN with a ICMPv6 Router Advertisement (RA) containing
its home network prefix(es) that were assigned to that mobility
session, making the MN believe it is still on the same link and not
triggering the IPv6 address reconfiguration (figure Figure 3.)
<JMC>
s/ICMPv6 Router Solicitation (RS.)/ICMPv6 Router Solicitation (RS).
<JMC>
o A certificate authorizing an entity to act as an ND proxy is
introduced. This is achieved via specifying explicitly in the
X509v3 certificate the purpose for which the certificate is
issued, as described in a companion document
[I-D.krishnan-cgaext-send-cert-eku]. Briefly, two KeyPurposeID
values are defined: one for authorizing routers, and one for
authorizing proxies. The inclusion of the proxy authorization
value allows the certificate owner to perform proxying of SEND
messages for a set of prefixes indicated in the same certificate.
<JMC>
s/[I-D.krishnan-cgaext-send-cert-eku]/[draft-ietf-csi-send-cert-01]
s/ Briefly, two KeyPurposeID values are defined: one for authorizing
routers, and one for authorizing proxies./ Briefly, one KeyPurposeID
value is defined for authorizing proxies.
I think that avoids to mention the third KeyPurposeID (i.e.
authorization for a node to use an address range)
<JMC>
o A new option called Proxy Signature option (PSO) is defined. This
option contains the key hash value of the Secure Proxy ND's public
key and the digital signature computed over the SEND message. The
key has value is computed over the public key within the Secure
Proxy ND's certificate.
<JMC>
s/The key has value is computed/The key hash value is computed
<JMC>
This is accomplished by signing the message with the public key of
the authorized Secure Proxy ND. The signature of the neighbor
discovery proxy is included in a new option called Proxy Signature
option (PSO.) The signature is performed over all the NDP options
present in the message and the PSO is appended as the last option in
the message.
<JMC>
s/The signature of the neighbor discovery proxy is included in a new
option called Proxy Signature option (PSO.) /The signature of the
neighbor discovery proxy is included in a new option called Proxy
Signature option (PSO).
<JMC>
1. The 128-bit CGA Message Type tag [RFC3972] value for Secure
Proxy ND, 0x09F5 2BE5 3B62 4C76 CB96 4E7F CDC9 2804 (The tag
value has been generated randomly by the editor of this
specification.)
<JMC>
s/The tag value has been generated randomly by the editor of this
specification.)/The tag value has been generated randomly by the
editor of this specification).
<JMC>
This field starts after the Key Hash field. The length of the
Digital Signature field is determined by the length of the RSA
Signature option minus the length of the other fields (including
the variable length Pad field.)
<JMC>
s/(including the variable length Pad field.)/(including the variable
length Pad field).
1. The SEND message is constructed without the PSO as follow:
A. If the Secure Proxy ND is locally generating the SEND message
for a proxied address, the message is constructed as
described in Neighbor Discovery for IP version 6
specification [RFC4861].
B. If the Secure Proxy ND is forwarding a SEND message, first
the authenticity of the intercepted message is verified as
specified in SEND specification [RFC3971] Section 5. If the
SEND message is valid, any CGA or RSA option MUST be removed
from the message. The intercepted message is finally
modified as described in Section 4 of the ND Proxy
specification [RFC4389].
<JMC>
Maybe, to add the case where a Secure Proxy is forwarding a SEND
message, already forwarded by another Secure Proxy ND:
C. If the Secure Proxy ND is forwarding a SEND message already
containing a PSO, first
the authenticity of the intercepted message is verified as specified
in Section 6.2.2 of this draft. If the SEND message is valid, the PSO
MUST be removed from the message. The intercepted message is finally
modified as described in Section 4 of the ND Proxy specification
[RFC4389].
<JMC>
If, on the other hand, a message does not include a PSO, then the
Secure Proxy ND support doens't introduce any further security issues
since this specification does not modify the SEND processing rules if
an ICMPv6 ND message does not contain a PSO. Thus, the same security
considerations than that of SEND applies (cf. Section 9 of the SEND
specification [RFC3971].)
<JMC>
I don't agree with the fact that this mechanism doesn't bring any
further security issues. I would add text about the fact that the
Secure Proxy ND's certificate provided to the Proxy ND router weakens
the security in comparison to a classical SEND deployment (i.e.
without Proxy ND entity): now, in the case where a Secure Proxy ND is
compromised, it is able to launch a DoS attack even against a ND
process between 2 nodes on a same link (e.g. in the figure below, a
attack may be launch against a ND process between node A and node B).
+-----------------+
----------------------| Secure Proxy ND |----- Node C
| | +-----------------+
Node A Node B
So, maybe, it would be useful to add text here to explain the issue
and to add text at the beginning of the Section 6.2.2 maybe as
follows:
When a node receives at the same time a ND message protected by SEND
[RFC3971] and a ND message protected by PSO on the same subject (e.g.
a NA message after a solicited NS) but with different information
(e.g. the NA messages don't contains the same information for a same
solicited NS), the node MUST treat the message secured with SEND and
it MUST silently ignore the one secured with PSO.
<JMC>
Thanks in advance for your reply.
Best regards.
JMC.
- [CGA-EXT] [draft-ietf-csi-proxy-send-01] review Jean-Michel Combes
- Re: [CGA-EXT] [draft-ietf-csi-proxy-send-01] reviā¦ Jean-Michel Combes