[CGA-EXT] [draft-ietf-csi-proxy-send-01] review

Jean-Michel Combes <jeanmichel.combes@gmail.com> Tue, 08 December 2009 18:50 UTC

Return-Path: <jeanmichel.combes@gmail.com>
X-Original-To: cga-ext@core3.amsl.com
Delivered-To: cga-ext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 681E528C1C6 for <cga-ext@core3.amsl.com>; Tue, 8 Dec 2009 10:50:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.409
X-Spam-Level:
X-Spam-Status: No, score=-1.409 tagged_above=-999 required=5 tests=[AWL=-1.110, BAYES_00=-2.599, MANGLED_NAIL=2.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xdHAhobjLOLa for <cga-ext@core3.amsl.com>; Tue, 8 Dec 2009 10:50:15 -0800 (PST)
Received: from mail-iw0-f195.google.com (mail-iw0-f195.google.com [209.85.223.195]) by core3.amsl.com (Postfix) with ESMTP id 6E36A28C17C for <cga-ext@ietf.org>; Tue, 8 Dec 2009 10:50:15 -0800 (PST)
Received: by iwn33 with SMTP id 33so4154239iwn.29 for <cga-ext@ietf.org>; Tue, 08 Dec 2009 10:50:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=+Z27QCbgexq/sFH/mDEMQwjSjlYEODIMNJAWDzmK69E=; b=YZ7CqdFzewmMsKPbQr2eiD69Pe9ZaU1dN2znw4beV3dIMrNQA8riPGgBnxurpBjgAe Sky0o7a/Nz0qVHkFf1f07bOyIO+ehZpkqSck4kioMsFcJQkgG17PO8pouN32cOXckzvS h3htagh/LGFg2cZ6ig6P4GfmjqkLOkHfJ+wHU=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=BfO1XXAQwiCNY8Q4Mh7m8i7uvkY5196r+gICVIRww7uMi1K0clWnTBg5SZJ08Ytq8P 1QZkrrzIXOdt8aKr8EUr6LIUHsjxDYxTYrf7sJlQo1pufEpLLVSJfGSUHuFbnquOnlOb hCjGaxtQjelB5Wj0hupL9UecVRC4CvuVg3RRc=
MIME-Version: 1.0
Received: by 10.231.81.148 with SMTP id x20mr129552ibk.2.1260298201568; Tue, 08 Dec 2009 10:50:01 -0800 (PST)
Date: Tue, 8 Dec 2009 19:50:01 +0100
Message-ID: <729b68be0912081050k177ee024vb7cf51f00d75e937@mail.gmail.com>
From: Jean-Michel Combes <jeanmichel.combes@gmail.com>
To: cga-ext@ietf.org
Content-Type: text/plain; charset=ISO-8859-1
Subject: [CGA-EXT] [draft-ietf-csi-proxy-send-01] review
X-BeenThere: cga-ext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: CGA and SeND Extensions <cga-ext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/cga-ext>
List-Post: <mailto:cga-ext@ietf.org>
List-Help: <mailto:cga-ext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/cga-ext>, <mailto:cga-ext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2009 18:50:18 -0000

Hi,

Here are some comments/questions about this draft (sorry if some have
already been submitted/solved on the ML):


4.  Application Scenarios

<JMC>
These 3 scenarios are already documented in "Securing Neighbor
Discovery Proxy Problem Statement" [draft-ietf-csi-sndp-prob-03], so I
think they may be removed from the document or do you assume that your
solution only solves these scenarios (i.e. your solution cannot solve
IKEv2 scenario and Anycast scenario described in
[draft-ietf-csi-sndp-prob-03] but I don't think so :))
<JMC>


         Link 1                                               Link 2

         Host A                   ND Proxy (P)                Host B
           |                          |                          |
           | SRC = A                  |                          |
           | DST = solicited_node(B)  |                          |
           | ICMPv6 NS                |                          |
           | TARGET = B               |                          |
           | SLLAO = B_LL             |                          |
           |------------------------->|                          |
           |                          | SRC = A                  |
           |                          | DST = solicited_node(B)  |
           |                          | ICMPv6 NS                |
           |                          | TARGET = B               |
           |                          | SLLAO = P_LL             |
           |                          |------------------------->|
           |                          |                          |
           |                          | SRC = B                  |
           |                          | DST = A                  |
           |                          | ICMPv6 NA                |
           |                          | TARGET = B               |
           |                          | TLLAO = B_LL             |
           |                          |<-------------------------|
           | SRC = B                  |                          |
           | DST = A                  |                          |
           | ICMPv6 NA                |                          |
           | TARGET = B               |                          |
           | TLLAO = B_LL             |                          |
           |<-------------------------|                          |
           |                          |                          |


                      Figure 1: Proxy ND operations

<JMC>
s/TLLAO = B_LL/TLLA = P_LL/
<JMC>

4.2.  Scenario 2: Mobile IPv6

  The Mobile IPv6 protocol [RFC3775] allows a mobile node (MN) to move
  from one link to another while maintaining reachability at a stable
  address, the so-called MN's home address (HoA.)  When a mobile node
  attaches to a foreign network, all the packets sent to the MN's HoA
  and forwarded on the home link by a correspondent node (CN) or a
  router are intercepted by the home agent (HA) on that home link,
  encapsulated and tunneled to the mobile node's registered care-of
  address (CoA.)

<JMC>
s/registered care-of address (CoA.)/registered care-of address (CoA).
<JMC>

  It is not possible to apply the current SEND specification to protect
  the NA message issued by the HA.  To generate an ICMPv6 NA with a
  valid CGA option and the corresponding RSA Signature option, the HA
  needs knowledge of the private key related to the MN's
  Cryptographically Generated Address (CGA.)  Any ICMPv6 NA without a
  valid CGA and RSA signature option is to be treated as insecure by a
  SEND receiver.

<JMC>
s/the MN's Cryptographically Generated Address (CGA.)/the MN's
Cryptographically Generated Address (CGA).
<JMC>


  Proxy Mobile IPv6 [I-D.ietf-netlmm-proxymip6] is a network-based
  mobility management protocol that provides an IP mobility management
  support for MNs without requiring MNs being involved in the mobility
  related signaling.  The IP mobility management is totally hidden to
  the MN in a Proxy Mobile IPv6 domain and is performed by two
  functional entities: the Local Mobility Anchor (LMA) and the Mobile
  Access Gateway (MAG.)

<JMC>
s/[I-D.ietf-netlmm-proxymip6]/[RFC5213]
s/Mobile Access Gateway (MAG.)/Mobile Access Gateway (MAG).
<JMC>

  When the MN connects to a new access link it will send a multicast
  ICMPv6 Router Solicitation (RS.)  The MAG on the new access link,
  upon detecting the MN's attachment, will signal the LMA for updating
  the binding state of the MN (Proxy Binding Update - PBU) and once the
  signaling is complete (Proxy Binding Ack - PBA - received), it will
  reply to the MN with a ICMPv6 Router Advertisement (RA) containing
  its home network prefix(es) that were assigned to that mobility
  session, making the MN believe it is still on the same link and not
  triggering the IPv6 address reconfiguration (figure Figure 3.)

<JMC>
s/ICMPv6 Router Solicitation (RS.)/ICMPv6 Router Solicitation (RS).
<JMC>

  o  A certificate authorizing an entity to act as an ND proxy is
     introduced.  This is achieved via specifying explicitly in the
     X509v3 certificate the purpose for which the certificate is
     issued, as described in a companion document
     [I-D.krishnan-cgaext-send-cert-eku].  Briefly, two KeyPurposeID
     values are defined: one for authorizing routers, and one for
     authorizing proxies.  The inclusion of the proxy authorization
     value allows the certificate owner to perform proxying of SEND
     messages for a set of prefixes indicated in the same certificate.

<JMC>
s/[I-D.krishnan-cgaext-send-cert-eku]/[draft-ietf-csi-send-cert-01]

s/ Briefly, two KeyPurposeID values are defined: one for authorizing
routers, and one for authorizing proxies./ Briefly, one KeyPurposeID
value is defined for authorizing proxies.
I think that avoids to mention the third KeyPurposeID (i.e.
authorization for a node to use an address range)
<JMC>

  o  A new option called Proxy Signature option (PSO) is defined.  This
     option contains the key hash value of the Secure Proxy ND's public
     key and the digital signature computed over the SEND message.  The
     key has value is computed over the public key within the Secure
     Proxy ND's certificate.

<JMC>
s/The key has value is computed/The key hash value is computed
<JMC>


  This is accomplished by signing the message with the public key of
  the authorized Secure Proxy ND.  The signature of the neighbor
  discovery proxy is included in a new option called Proxy Signature
  option (PSO.)  The signature is performed over all the NDP options
  present in the message and the PSO is appended as the last option in
  the message.

<JMC>
s/The signature of the neighbor discovery proxy is included in a new
option called Proxy Signature option (PSO.) /The signature of the
neighbor discovery proxy is included in a new option called Proxy
Signature option (PSO).
<JMC>

     1.  The 128-bit CGA Message Type tag [RFC3972] value for Secure
         Proxy ND, 0x09F5 2BE5 3B62 4C76 CB96 4E7F CDC9 2804 (The tag
         value has been generated randomly by the editor of this
         specification.)

<JMC>
s/The tag value has been generated randomly by the editor of this
specification.)/The tag value has been generated randomly by the
editor of this specification).
<JMC>

     This field starts after the Key Hash field.  The length of the
     Digital Signature field is determined by the length of the RSA
     Signature option minus the length of the other fields (including
     the variable length Pad field.)

<JMC>
s/(including the variable length Pad field.)/(including the variable
length Pad field).

  1.  The SEND message is constructed without the PSO as follow:

      A.  If the Secure Proxy ND is locally generating the SEND message
          for a proxied address, the message is constructed as
          described in Neighbor Discovery for IP version 6
          specification [RFC4861].

      B.  If the Secure Proxy ND is forwarding a SEND message, first
          the authenticity of the intercepted message is verified as
          specified in SEND specification [RFC3971] Section 5.  If the
          SEND message is valid, any CGA or RSA option MUST be removed
          from the message.  The intercepted message is finally
          modified as described in Section 4 of the ND Proxy
          specification [RFC4389].

<JMC>
Maybe, to add the case where a Secure Proxy is forwarding a SEND
message, already forwarded by another Secure Proxy ND:

C.  If the Secure Proxy ND is forwarding a SEND message already
containing a PSO, first
the authenticity of the intercepted message is verified as specified
in Section 6.2.2 of this draft.  If the SEND message is valid, the PSO
MUST be removed from the message.  The intercepted message is finally
modified as described in Section 4 of the ND Proxy specification
[RFC4389].
<JMC>

  If, on the other hand, a message does not include a PSO, then the
  Secure Proxy ND support doens't introduce any further security issues
  since this specification does not modify the SEND processing rules if
  an ICMPv6 ND message does not contain a PSO.  Thus, the same security
  considerations than that of SEND applies (cf. Section 9 of the SEND
  specification [RFC3971].)

<JMC>
I don't agree with the fact that this mechanism doesn't bring any
further security issues. I would add text about the fact that the
Secure Proxy ND's certificate provided to the Proxy ND router weakens
the security in comparison to a classical SEND deployment (i.e.
without Proxy ND entity): now, in the case where a Secure Proxy ND is
compromised, it is able to launch a DoS attack even against a ND
process between 2 nodes on a same link (e.g. in the figure below, a
attack may be launch against a ND process between node A and node B).

                     +-----------------+
----------------------| Secure Proxy ND |----- Node C
   |         |       +-----------------+
 Node A    Node B

So, maybe, it would be useful to add text here to explain the issue
and to add text at the beginning of the Section 6.2.2 maybe as
follows:
When a node receives at the same time a ND message protected by SEND
[RFC3971] and a ND message protected by PSO on the same subject (e.g.
a NA message after a solicited NS) but with different information
(e.g. the NA messages don't contains the same information for a same
solicited NS), the node MUST treat the message secured with SEND and
it MUST silently ignore the one secured with PSO.
<JMC>

Thanks in advance for your reply.

Best regards.

JMC.