IETF Logo Mail Archive

[dhcwg] Additional feedback on secure DHCPv6 draft

Brian Haberman <brian@innovationslab.net> Mon, 20 July 2015 12:25 UTC

Return-Path: <brian@innovationslab.net>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A31C41A6FFC for <dhcwg@ietfa.amsl.com>; Mon, 20 Jul 2015 05:25:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BOu5xw-bh2QL for <dhcwg@ietfa.amsl.com>; Mon, 20 Jul 2015 05:25:17 -0700 (PDT)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBC4E1A024E for <dhcwg@ietf.org>; Mon, 20 Jul 2015 05:25:17 -0700 (PDT)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id AFAFB88135 for <dhcwg@ietf.org>; Mon, 20 Jul 2015 05:25:17 -0700 (PDT)
Received: from dhcp-a3dc.meeting.ietf.org (dhcp-a3dc.meeting.ietf.org [31.133.163.220]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id 586AE136945C for <dhcwg@ietf.org>; Mon, 20 Jul 2015 05:25:16 -0700 (PDT)
References: <BAY405-EAS240EB1977547713522D4DC1DF980@phx.gbl>
To: "dhcwg@ietf.org" <dhcwg@ietf.org>
From: Brian Haberman <brian@innovationslab.net>
X-Forwarded-Message-Id: <BAY405-EAS240EB1977547713522D4DC1DF980@phx.gbl>
Message-ID: <55ACE8AA.300@innovationslab.net>
Date: Mon, 20 Jul 2015 08:25:14 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.0.1
MIME-Version: 1.0
In-Reply-To: <BAY405-EAS240EB1977547713522D4DC1DF980@phx.gbl>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="q7WjJmt6H061i31EVtvnxHjQeVXJmI8T7"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/9SvQf7nVkykSkidJygVJcHumYAA>
Subject: [dhcwg] Additional feedback on secure DHCPv6 draft
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 12:25:19 -0000

All,
     Charlie Kaufman has provided a review of the secure DHCPv6 draft.

Brian


-------- Forwarded Message --------
Subject: RE: [secdir] DHCP IPv6 help needed
Date: Thu, 16 Jul 2015 19:28:54 -0700
From: Charlie Kaufman <charliekaufman@outlook.com>
To: 'Brian Haberman' <brian@innovationslab.net>, 'Kathleen Moriarty'
<kathleen.moriarty.ietf@gmail.com>
CC: 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>

I've reviewed draft-ietf-dhc-sedhopv6-08, and I have some thoughts on
possible improvements - some are details; others are more
philosophical. I don't have a detailed understanding of DHCPv6, so
some issues may be based on my misunderstanding it. I'll try to
mention my assumptions where I'm less confident in them.

I wasn't sure where to send this, so I'll send it to you and hope you
will forward it appropriately.

A big question that probably should be answered in the introduction or
under security considerations is "what security vulnerabilities are we
trying to mitigate?". To the extent that the primary goal of DHCP is
to hand out network parameters (and in particular, temporary IP
addresses), a badly behaved DHCP server on a link can issue an IP
address that will not work, thus denying service to the requesting
client. If it issues an IP address already in use, it might also deny
service to some other node on the network. A bad client can acquire
large numbers of IP addresses and (at least with IPv4) exhaust the
address pool. It was my understanding that with IPv6 nodes just had to
acquire the network address and could use their own unique ID so that
allocations from a limited pool of addresses was unnecessary.

Given all that, what are the threats?

The other use of DHCP was as an extension to the old BootP protocol,
where an uninitialized node could "boot from the network" and download
its operating system and other extremely security sensitive
information. That process started by getting some parameters via DHCP.
In that case, it would make a lot of sense to make the
protocol more secure, but it would also be harder because when dealing
with an uninitialized machine there is are not going to be trusted
root certificates or any other means of authenticating the messages.

In some cases dealing with the secure initialization of a node, it
would be good if there were a way for the messages to be encrypted as
well as signed. I know of at least one system that uses DHCP to
download a random number of purposes of helping to seed the booting
client's random number generator. It would be better if that exchange
could be encrypted.

A smaller but still global issue: the spec is written as though DHCPv6
were symmetric between the two communicating nodes. My understanding
is that it is a request/response protocol where the client always
initiates exchanges and the server always responds. This implies some
differences in how algorithms are negotiated. It is appropriate that
if a server gets a request with an algorithm it does not support, that
it send an error code with the expectation that the client will try
again. But if the client gets a request with an algorithm it does not
support, it cannot request that the server use a different one. This
will make it difficult for the server to migrate to new algorithms. A
better way would be to introduce a new optional field in requests
listing the supported algorithms. The only real alternative is for the
server to assume that the client supports that algorithms that the
client used in the request and to favor those.

My remaining comments are to the details of the formatting, though
some are pretty important:

The encoding allows only a single certificate. There are very few
cases where this will be useful. In all of the public PKIs deployed
out there, endpoints have certificate chains of at least 2 or 3
certificates and not infrequently 4 or more. The protocol should
probably allow what IKEv2 calls a "certificate bundle".

That, however, will exacerbate what might already be a fatal problem
of very long messages that need to be fragmented. It is very difficult
for a server to protect itself from state exhaustion denial of service
attacks while accepting fragmented datagrams. It might be better to do
something like sending hashes of certificates instead of the
certificates themselves and then providing a mechanism for retrieving
the certificates based on the hashes in a series of messages. But
there are no simple elegant solutions here. I don't have a concrete
recommendation of than to discuss alternatives with implementers.

In the syntax of a signature, it would probably be better to have a
single algorithm identifier that specifies both the hash and the
public key signature algorithm rather than separate identifiers for
the two. That's because some public key signature algorithms -
including RSASSA-PKCS1-v1_5 include a specifier of the hash algorithm
within the encoded signed data. If you include the signature algorithm
redundantly, they you need to say what happens when they
differ. Another alternative would be to take the signature encoding
from X.509 certificates the way you did with public key
specifications.

It is dangerous to use timestamps to avoid replay attacks when
synchronized time is not otherwise needed because it implicitly
requires caching all packets that arrived during the clock-skew
window, and that might be a very large number. You might be better off
using something like TCP-cookies or IKEv2-cookies where if the server
is being overwhelmed it replies with an unsigned reply containing a
nonce and asks the client to resubmit the request with that nonce. If
cleverly designed, the server can compute that nonce as a hash of a
secret and information from the packet header so that it need not keep
state while waiting for the second message.

At the end of section 6.2, there is a mention of minimum and maximum
key lengths. While I think this is a good idea, there does not appear
to be anywhere that this information is encoded in the exchanged
data. The only place I can think of it being useful would be in the
"supported algorithms list" field that I proposed adding. Otherwise,
the sender picks a number and the recipient can take it or leave it.

Finally, when discussing Relay Agents, there are fields that Relay
agents need to be able to add and remove. Unless these are encoded in
some separate part of the message, the sender will have to anticipate
any fields that it knows the relay agent will remove and not include
those under the signature and the recipient will need to know what
fields the relay agent added and exclude those from the signature
calculation. This all seems very fragile. It might be good to do
something explicit about it.

	  --Charlie

v2.23.0 | Report a Bug | By Email