IETF Logo Mail Archive

Re: [dhcwg] Additional feedback on secure DHCPv6 draft

"Bernie Volz (volz)" <volz@cisco.com> Mon, 20 July 2015 12:51 UTC

Return-Path: <volz@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77C421A8772 for <dhcwg@ietfa.amsl.com>; Mon, 20 Jul 2015 05:51:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hWp4g2zkCRND for <dhcwg@ietfa.amsl.com>; Mon, 20 Jul 2015 05:51:15 -0700 (PDT)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1CF81A8872 for <dhcwg@ietf.org>; Mon, 20 Jul 2015 05:49:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7839; q=dns/txt; s=iport; t=1437396575; x=1438606175; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=SRpGdN/2lrFM1g4HRC41bBq0nqn6VNABldsitmwOlS4=; b=KXBVXjnAHR+BAZjl92S2Izpk4Qn5b/2VNPlNblWDLUu92AXYTSj5dTmz ackK8wOw1IIQwBOeOZA873mSPBOGEzEeaRqD67kY4EBKl+XTJFW8/JEX7 NQ35Q0Ri5ullX7DfFFbu0GHxUAKONxaDJEOVwhv3jPJC+/Qgkm2t8NJfM 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AeAwAh7axV/5hdJa1cgxNUabtqCYFrCoV3AoEnOBQBAQEBAQEBgQqEIwEBAQMBAQEBNzQLBQsCAQgRAwECAR4QIQYLHQgCBA4FG4d+AwoIDcBaDQuFIwEBAQEBAQEBAQEBAQEBAQEBAQEBARMEi0yCTYFgDhgzBwaDEYEUBZRSAYo4gWiRX4coJoIMARyBU28BgQMHHYEjAQEB
X-IronPort-AV: E=Sophos;i="5.15,507,1432598400"; d="scan'208";a="170352593"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by alln-iport-6.cisco.com with ESMTP; 20 Jul 2015 12:49:34 +0000
Received: from xhc-rcd-x15.cisco.com (xhc-rcd-x15.cisco.com [173.37.183.89]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id t6KCnXVP010534 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 20 Jul 2015 12:49:33 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.177]) by xhc-rcd-x15.cisco.com ([173.37.183.89]) with mapi id 14.03.0195.001; Mon, 20 Jul 2015 07:49:33 -0500
From: "Bernie Volz (volz)" <volz@cisco.com>
To: Brian Haberman <brian@innovationslab.net>
Thread-Topic: [dhcwg] Additional feedback on secure DHCPv6 draft
Thread-Index: AQHQwucpb9ZpWOs4rEmKzf0KB1JV3J3kTz5s
Date: Mon, 20 Jul 2015 12:49:32 +0000
Message-ID: <F915DA92-D523-4902-9936-39E2702E0B28@cisco.com>
References: <BAY405-EAS240EB1977547713522D4DC1DF980@phx.gbl>, <55ACE8AA.300@innovationslab.net>
In-Reply-To: <55ACE8AA.300@innovationslab.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/CaQ2a_zRjqAIjp-9Ku0bd5SXrFY>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>
Subject: Re: [dhcwg] Additional feedback on secure DHCPv6 draft
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jul 2015 12:51:17 -0000

Just an FYI - for DHCPv6, there are no relay agent issues as the client's message is encapsulated as an option in the relay message and hence the client's message (and server's reply to client) are not modified in any way. So I believe the last pargraph of the comments can be ignored (not applicable).

(For sedhcpv4, this is an issue but also well understood - giaddr and option 82 are the issue there.)

- Bernie (from iPad)

> On Jul 20, 2015, at 8:25 AM, Brian Haberman <brian@innovationslab.net> wrote:
> 
> All,
>     Charlie Kaufman has provided a review of the secure DHCPv6 draft.
> 
> Brian
> 
> 
> -------- Forwarded Message --------
> Subject: RE: [secdir] DHCP IPv6 help needed
> Date: Thu, 16 Jul 2015 19:28:54 -0700
> From: Charlie Kaufman <charliekaufman@outlook.com>
> To: 'Brian Haberman' <brian@innovationslab.net>, 'Kathleen Moriarty'
> <kathleen.moriarty.ietf@gmail.com>
> CC: 'Stephen Farrell' <stephen.farrell@cs.tcd.ie>
> 
> I've reviewed draft-ietf-dhc-sedhopv6-08, and I have some thoughts on
> possible improvements - some are details; others are more
> philosophical. I don't have a detailed understanding of DHCPv6, so
> some issues may be based on my misunderstanding it. I'll try to
> mention my assumptions where I'm less confident in them.
> 
> I wasn't sure where to send this, so I'll send it to you and hope you
> will forward it appropriately.
> 
> A big question that probably should be answered in the introduction or
> under security considerations is "what security vulnerabilities are we
> trying to mitigate?". To the extent that the primary goal of DHCP is
> to hand out network parameters (and in particular, temporary IP
> addresses), a badly behaved DHCP server on a link can issue an IP
> address that will not work, thus denying service to the requesting
> client. If it issues an IP address already in use, it might also deny
> service to some other node on the network. A bad client can acquire
> large numbers of IP addresses and (at least with IPv4) exhaust the
> address pool. It was my understanding that with IPv6 nodes just had to
> acquire the network address and could use their own unique ID so that
> allocations from a limited pool of addresses was unnecessary.
> 
> Given all that, what are the threats?
> 
> The other use of DHCP was as an extension to the old BootP protocol,
> where an uninitialized node could "boot from the network" and download
> its operating system and other extremely security sensitive
> information. That process started by getting some parameters via DHCP.
> In that case, it would make a lot of sense to make the
> protocol more secure, but it would also be harder because when dealing
> with an uninitialized machine there is are not going to be trusted
> root certificates or any other means of authenticating the messages.
> 
> In some cases dealing with the secure initialization of a node, it
> would be good if there were a way for the messages to be encrypted as
> well as signed. I know of at least one system that uses DHCP to
> download a random number of purposes of helping to seed the booting
> client's random number generator. It would be better if that exchange
> could be encrypted.
> 
> A smaller but still global issue: the spec is written as though DHCPv6
> were symmetric between the two communicating nodes. My understanding
> is that it is a request/response protocol where the client always
> initiates exchanges and the server always responds. This implies some
> differences in how algorithms are negotiated. It is appropriate that
> if a server gets a request with an algorithm it does not support, that
> it send an error code with the expectation that the client will try
> again. But if the client gets a request with an algorithm it does not
> support, it cannot request that the server use a different one. This
> will make it difficult for the server to migrate to new algorithms. A
> better way would be to introduce a new optional field in requests
> listing the supported algorithms. The only real alternative is for the
> server to assume that the client supports that algorithms that the
> client used in the request and to favor those.
> 
> My remaining comments are to the details of the formatting, though
> some are pretty important:
> 
> The encoding allows only a single certificate. There are very few
> cases where this will be useful. In all of the public PKIs deployed
> out there, endpoints have certificate chains of at least 2 or 3
> certificates and not infrequently 4 or more. The protocol should
> probably allow what IKEv2 calls a "certificate bundle".
> 
> That, however, will exacerbate what might already be a fatal problem
> of very long messages that need to be fragmented. It is very difficult
> for a server to protect itself from state exhaustion denial of service
> attacks while accepting fragmented datagrams. It might be better to do
> something like sending hashes of certificates instead of the
> certificates themselves and then providing a mechanism for retrieving
> the certificates based on the hashes in a series of messages. But
> there are no simple elegant solutions here. I don't have a concrete
> recommendation of than to discuss alternatives with implementers.
> 
> In the syntax of a signature, it would probably be better to have a
> single algorithm identifier that specifies both the hash and the
> public key signature algorithm rather than separate identifiers for
> the two. That's because some public key signature algorithms -
> including RSASSA-PKCS1-v1_5 include a specifier of the hash algorithm
> within the encoded signed data. If you include the signature algorithm
> redundantly, they you need to say what happens when they
> differ. Another alternative would be to take the signature encoding
> from X.509 certificates the way you did with public key
> specifications.
> 
> It is dangerous to use timestamps to avoid replay attacks when
> synchronized time is not otherwise needed because it implicitly
> requires caching all packets that arrived during the clock-skew
> window, and that might be a very large number. You might be better off
> using something like TCP-cookies or IKEv2-cookies where if the server
> is being overwhelmed it replies with an unsigned reply containing a
> nonce and asks the client to resubmit the request with that nonce. If
> cleverly designed, the server can compute that nonce as a hash of a
> secret and information from the packet header so that it need not keep
> state while waiting for the second message.
> 
> At the end of section 6.2, there is a mention of minimum and maximum
> key lengths. While I think this is a good idea, there does not appear
> to be anywhere that this information is encoded in the exchanged
> data. The only place I can think of it being useful would be in the
> "supported algorithms list" field that I proposed adding. Otherwise,
> the sender picks a number and the recipient can take it or leave it.
> 
> Finally, when discussing Relay Agents, there are fields that Relay
> agents need to be able to add and remove. Unless these are encoded in
> some separate part of the message, the sender will have to anticipate
> any fields that it knows the relay agent will remove and not include
> those under the signature and the recipient will need to know what
> fields the relay agent added and exclude those from the signature
> calculation. This all seems very fragile. It might be good to do
> something explicit about it.
> 
>      --Charlie
> 
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email