Re: [dhcwg] Secure DHCPv6 Deployment Consideration - proposed text

[神明達哉 <jinmei@wide.ad.jp>]

At Tue, 25 Aug 2015 02:56:40 +0000,
Sheng Jiang <jiangsheng@huawei.com> wrote:

> During the latest AD review and security review, we have received
> many constructive comments. Although some general security issues
> are out of scope, we have integrated most of comments. One of the
> major concern is regarding to the deployment/applicability,
> particularly the PKI availability. Therefore, we have proposed the
> below text for a new section, deployment consideration. Your review
> and comments are appreciated.

> Deployment Consideration
>
> This document defines two authentication models: authentication
> based on public key certificates and PKI; and authentication based
> on leap of faith to public keys. It is worth noticing that in real
> deployment, the two models may be mixed together on the serve to be
> able to serve both stable clients and roaming clients, which may be
> treated with different service policies.

I thought we chose to use TOFU (Trust-on-first-use) instead of "leap
of faith".  Is it intentional this text now uses the latter?

> 1. Authentication based on certificate and PKI
>
> This model would mainly be used in the scenarios such as enterprise
> networks where tight security policies are applied and the clients
> are stable terminal devices. It would provide tighter security
> protection because both server and client can be authenticated based
> on a common trusted CA. As with this precondition, this model would
> require more complicated pre-configuration, particularly on the
> client side.

Once we say "require more complicated pre-configuration", we'll lose
the most boasted advantage of this proposal: ease of deployment.  So
text like this will also need to answer "then, why do we bother
to introduce a new mechanism?"  I thought this question is one of the
common feedback (or pushback) from post-WGLC reviews, and will have to
be addressed in some way.

In my understanding, the honest answer is that "we think public-key
based mechanism is just more modern, that's it".  We could also note a
relatively minor security advantage in cases like silently stolen
client keys on the server.  There might also be cases where we can
show this approach actually improves deployability, but from the
lessons I learned from previous discussions I suspect such discussions
will be speculative at best, and will be unlikely to satisfy the
reviewers.

> The server can always be considered to have connectivity to
> authorized CA and verify the clients’ certificate. Because the
> client may have to validate the authentication in the condition of
> without connectivity wider than link-local，the verification on the
> client devices may have to be performed locally. One or multiple
> certificates, which form a certification path [RFC5280], need to be
> deployed in the client in order to verify the certificate sent from
> the server and so perform the authentication. Besides the
> certificate used to prove the identity, the server may also need to
> provide additional certificates to help the client generate a
> certificate chain from the certificates deployed in the client to
> the certificate.

I'm not sure if this paragraph directly and clearly addresses the
concern regarding how the client validates the certificate or public
key.  I suspect we'll need to discuss something more specific, like
how a client could pre-cache a complete certification path with
discussions on its own risks.

> 2.  Authentication based on leap of faith
>
> This model would mainly be the scenarios that the security policies
> are loss and the clients may roam, such as public coffee
> shops. Therefore, the PKI could not be deployed in advance. This
> model requires minimum pre-configuration - server and client has a
> public/private key pair. A signed certificate could be an equivalent
> to a public key in this model.

Several reviewers have already pointed out that TOFU (or leap of
faith) is not suitable for coffee shop cases (and I agree with them).
My personal answer to them is that a more appropriate case would be
initial setup in a closed home network.  We might also say TOFU can be
used for hijack prevention.

> The Leap of faith model by itself could not prevent a client to
> trust a malicious server or a server to trust a malicious client at
> the beginning of the first session. But the leap of faith mechanism
> guarantees the subsequent messages are sent by the same previous
> sender, and therefore narrows the time window that an attacker can
> perform attacks. Also, the message integrity is provided.

what does "also, the message integrity is provided" mean in this
context?

> The server may constrain the resource and access rights to clients who is based on leap of faith model to avoid potential malicious attacks
>
> Additional mechanisms to justify the trust relationship, such as
> requiring human intervention at the point of the leap of faith on
> the client or the server may run some algorithm to detect malicious
> behaviors from clients.

"some algorithm to detect malicious behaviors from clients":
specifically what does this mean?

If I remember correctly, there was also a concern about privacy leak
by exchanging clients' public keys or certificates.  Do we have
another section to address this point?

Finally, a couple of editorial nits:

> the two models may be mixed together on the serve to...
s/on the serve/on the server/?

> The Leap of faith model by itself could not prevent a client to
> trust a malicious server or a server to trust a malicious client...

s/to trust/from trusting/ (2 occurrences).

--
JINMEI, Tatuya