[dhcwg] Additional feedback on secure DHCPv6 draft
Brian Haberman <brian@innovationslab.net> Mon, 20 July 2015 12:25 UTC
Return-Path: <brian@innovationslab.net>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A31C41A6FFC for <dhcwg@ietfa.amsl.com>; Mon, 20 Jul 2015 05:25:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BOu5xw-bh2QL for <dhcwg@ietfa.amsl.com>; Mon, 20 Jul 2015 05:25:17 -0700 (PDT)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CBC4E1A024E for <dhcwg@ietf.org>; Mon, 20 Jul 2015 05:25:17 -0700 (PDT)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id AFAFB88135 for <dhcwg@ietf.org>; Mon, 20 Jul 2015 05:25:17 -0700 (PDT)
Received: from dhcp-a3dc.meeting.ietf.org (dhcp-a3dc.meeting.ietf.org [31.133.163.220]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id 586AE136945C for <dhcwg@ietf.org>; Mon, 20 Jul 2015 05:25:16 -0700 (PDT)
References: <BAY405-EAS240EB1977547713522D4DC1DF980@phx.gbl>
To: "dhcwg@ietf.org" <dhcwg@ietf.org>
From: Brian Haberman <brian@innovationslab.net>
X-Forwarded-Message-Id: <BAY405-EAS240EB1977547713522D4DC1DF980@phx.gbl>
Message-ID: <55ACE8AA.300@innovationslab.net>
Date: Mon, 20 Jul 2015 08:25:14 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.0.1
MIME-Version: 1.0
In-Reply-To: <BAY405-EAS240EB1977547713522D4DC1DF980@phx.gbl>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="q7WjJmt6H061i31EVtvnxHjQeVXJmI8T7"
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/9SvQf7nVkykSkidJygVJcHumYAA>
Subject: [dhcwg] Additional feedback on secure DHCPv6 draft
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 12:25:19 -0000
All, Charlie Kaufman has provided a review of the secure DHCPv6 draft. Brian -------- Forwarded Message -------- Subject: RE: [secdir] DHCP IPv6 help needed Date: Thu, 16 Jul 2015 19:28:54 -0700 From: Charlie Kaufman <charliekaufman@outlook.com> To: 'Brian Haberman' <brian@innovationslab.net>, 'Kathleen Moriarty' <kathleen.moriarty.ietf@gmail.com> CC: 'Stephen Farrell' <stephen.farrell@cs.tcd.ie> I've reviewed draft-ietf-dhc-sedhopv6-08, and I have some thoughts on possible improvements - some are details; others are more philosophical. I don't have a detailed understanding of DHCPv6, so some issues may be based on my misunderstanding it. I'll try to mention my assumptions where I'm less confident in them. I wasn't sure where to send this, so I'll send it to you and hope you will forward it appropriately. A big question that probably should be answered in the introduction or under security considerations is "what security vulnerabilities are we trying to mitigate?". To the extent that the primary goal of DHCP is to hand out network parameters (and in particular, temporary IP addresses), a badly behaved DHCP server on a link can issue an IP address that will not work, thus denying service to the requesting client. If it issues an IP address already in use, it might also deny service to some other node on the network. A bad client can acquire large numbers of IP addresses and (at least with IPv4) exhaust the address pool. It was my understanding that with IPv6 nodes just had to acquire the network address and could use their own unique ID so that allocations from a limited pool of addresses was unnecessary. Given all that, what are the threats? The other use of DHCP was as an extension to the old BootP protocol, where an uninitialized node could "boot from the network" and download its operating system and other extremely security sensitive information. That process started by getting some parameters via DHCP. In that case, it would make a lot of sense to make the protocol more secure, but it would also be harder because when dealing with an uninitialized machine there is are not going to be trusted root certificates or any other means of authenticating the messages. In some cases dealing with the secure initialization of a node, it would be good if there were a way for the messages to be encrypted as well as signed. I know of at least one system that uses DHCP to download a random number of purposes of helping to seed the booting client's random number generator. It would be better if that exchange could be encrypted. A smaller but still global issue: the spec is written as though DHCPv6 were symmetric between the two communicating nodes. My understanding is that it is a request/response protocol where the client always initiates exchanges and the server always responds. This implies some differences in how algorithms are negotiated. It is appropriate that if a server gets a request with an algorithm it does not support, that it send an error code with the expectation that the client will try again. But if the client gets a request with an algorithm it does not support, it cannot request that the server use a different one. This will make it difficult for the server to migrate to new algorithms. A better way would be to introduce a new optional field in requests listing the supported algorithms. The only real alternative is for the server to assume that the client supports that algorithms that the client used in the request and to favor those. My remaining comments are to the details of the formatting, though some are pretty important: The encoding allows only a single certificate. There are very few cases where this will be useful. In all of the public PKIs deployed out there, endpoints have certificate chains of at least 2 or 3 certificates and not infrequently 4 or more. The protocol should probably allow what IKEv2 calls a "certificate bundle". That, however, will exacerbate what might already be a fatal problem of very long messages that need to be fragmented. It is very difficult for a server to protect itself from state exhaustion denial of service attacks while accepting fragmented datagrams. It might be better to do something like sending hashes of certificates instead of the certificates themselves and then providing a mechanism for retrieving the certificates based on the hashes in a series of messages. But there are no simple elegant solutions here. I don't have a concrete recommendation of than to discuss alternatives with implementers. In the syntax of a signature, it would probably be better to have a single algorithm identifier that specifies both the hash and the public key signature algorithm rather than separate identifiers for the two. That's because some public key signature algorithms - including RSASSA-PKCS1-v1_5 include a specifier of the hash algorithm within the encoded signed data. If you include the signature algorithm redundantly, they you need to say what happens when they differ. Another alternative would be to take the signature encoding from X.509 certificates the way you did with public key specifications. It is dangerous to use timestamps to avoid replay attacks when synchronized time is not otherwise needed because it implicitly requires caching all packets that arrived during the clock-skew window, and that might be a very large number. You might be better off using something like TCP-cookies or IKEv2-cookies where if the server is being overwhelmed it replies with an unsigned reply containing a nonce and asks the client to resubmit the request with that nonce. If cleverly designed, the server can compute that nonce as a hash of a secret and information from the packet header so that it need not keep state while waiting for the second message. At the end of section 6.2, there is a mention of minimum and maximum key lengths. While I think this is a good idea, there does not appear to be anywhere that this information is encoded in the exchanged data. The only place I can think of it being useful would be in the "supported algorithms list" field that I proposed adding. Otherwise, the sender picks a number and the recipient can take it or leave it. Finally, when discussing Relay Agents, there are fields that Relay agents need to be able to add and remove. Unless these are encoded in some separate part of the message, the sender will have to anticipate any fields that it knows the relay agent will remove and not include those under the signature and the recipient will need to know what fields the relay agent added and exclude those from the signature calculation. This all seems very fragile. It might be good to do something explicit about it. --Charlie
- [dhcwg] Additional feedback on secure DHCPv6 draft Brian Haberman
- Re: [dhcwg] Additional feedback on secure DHCPv6 … Bernie Volz (volz)
- Re: [dhcwg] Additional feedback on secure DHCPv6 … Francis Dupont
- Re: [dhcwg] Additional feedback on secure DHCPv6 … Sheng Jiang
- Re: [dhcwg] Additional feedback on secure DHCPv6 … 神明達哉
- Re: [dhcwg] Additional feedback on secure DHCPv6 … Francis Dupont