[dhcwg] Remaining Issue for Secure DHCPv6 WGLC

Lishan Li <lilishan48@gmail.com> Fri, 21 April 2017 08:45 UTC

Return-Path: <lilishan48@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C1241294F4 for <dhcwg@ietfa.amsl.com>; Fri, 21 Apr 2017 01:45:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.449
X-Spam-Level:
X-Spam-Status: No, score=-2.449 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JO12KfISdhev for <dhcwg@ietfa.amsl.com>; Fri, 21 Apr 2017 01:45:11 -0700 (PDT)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3D7512948E for <dhcwg@ietf.org>; Fri, 21 Apr 2017 01:45:11 -0700 (PDT)
Received: by mail-qk0-x232.google.com with SMTP id d80so1911769qke.3 for <dhcwg@ietf.org>; Fri, 21 Apr 2017 01:45:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=JgkuBfaEVnRyJAglDZMAj3LInJpZMg08QcdJvgCL56Q=; b=aUa65ThgXJoUjrXjsW4W7tqRKvko66KhrOo8AXJdGPDbehzx6IzrMeCHORFCf8sbm+ KlWOewJDod9fAE4+SojcKUoQ7EcDYLOXJyR0fUK5aJ81E3HzZjYvKl7EHKYSGgeY+Rjj ZrxqwEqKX4NwyasACFVFZ8FDYnPolXOp/eYsQV45njP/sRqhWh1nV6SIKOdjce+Lxknp qlYLmUewE6kcIJYxFOHEP+oE74ou6aB6YQV/1t5UUzx1o5EEO5Ib1YfyTb1wehEMNBFL YJO+7ApRvtzURuX5x2q9xrSGI5ffrSWrmOunJKNvTOV68HoYqerC4nruhjz48HmOYuxD NTkw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=JgkuBfaEVnRyJAglDZMAj3LInJpZMg08QcdJvgCL56Q=; b=n61aG7Jj1Z1e47cdKJxtyBJkenygTT+9hASe3n3csauvn14MTmyZ+6wqOMWgeHN9mN W1pcPLzQ6S+cFbnkTeT03DvMuxZYgGqy4r0tqudtuZmz0pNs0uBQDXhO39eQz+LwicuP HmHQYYOVe4cupaAIJOnQaVFLJDUsS85nzN2Dac+8Av3DLb251mq215/K1gGVaK7i5Qe8 3/1sXD3b1uqRQWvJp9jhabiGtvtSAdpfpRuW2zp4HB4EczFtgi87DscyBEXpdXw4qczD zjc7ve4EyTn4WG8qNC19VliTF3lG7GO/eHzWMr2vIWMhZmyaM2gsheJGrl5ZjR4XGwSq hadQ==
X-Gm-Message-State: AN3rC/65Fm2i/shQ3l2D0lLAfyiwHM+qOh9dS67Cr2w2XzWTbUX/T0F5 O/9576ksx5qUA1UiTJDvBPDrOcztCg==
X-Received: by 10.55.155.7 with SMTP id d7mr12650217qke.320.1492764310699; Fri, 21 Apr 2017 01:45:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.237.58.71 with HTTP; Fri, 21 Apr 2017 01:45:10 -0700 (PDT)
From: Lishan Li <lilishan48@gmail.com>
Date: Fri, 21 Apr 2017 16:45:10 +0800
Message-ID: <CAJ3w4Nd1j4SBYh3KebFYjRaCS3k1ux28mHPk7yvtTCkEjm7QUA@mail.gmail.com>
To: dhcwg <dhcwg@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c06016a790898054da94632"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/Da6bcXv2gQ7W9AEdNR5TzpAI644>
Subject: [dhcwg] Remaining Issue for Secure DHCPv6 WGLC
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Apr 2017 08:45:13 -0000

Dear All,

Thanks a lot for all the valuable comments on secure DHCPv6 WGLC. As the
DHC chairs, Bernie and Tomek gave us many support and valuable comments.
It is my honor to work with them. Thanks to the DHC chairs.

For the proposed comments, there are still some remaining issues for
discussion
in the following.

1. Bernie: What about verifying the certificate's time? A client might not
have current
time and so may not be able to determine if certificate has expired?

[LS]: According to Ted's comments, Clients that don't have the current time
don't get
very good security. I think that we can add it into the security
consideration part.

2. Jinmei: related to the previous point, I think it's better to prohibit
the
transaction ID of 0 for Encryption-query messages (the client must
re-generate
the ID when its implementation generates 0).  Otherwise it's possible for
the
client to see a 0 transaction ID in Encryption-response messages for
normal cases other than Reconfigure.

[LS]: Tomek has the same comment on the Reconfigure message. As Jinmei
suggested: If the encrypted DHCPv6 message is Reconfigure message, then
the transaction-id of the Encrypted-Response message is regenerated.

3. Tomek: This draft defines a set of recommendations for secure
environment.
It is not expected to be used by all DHCP implementations is every
deployment,
just those who are interested in improved security. In certain way it is
very similar
to anonymity profile. Anonymity profile defined set or rules that are not
expected
to be used by all DHCP implementations in every deployment, just those who
are
interested in improved privacy. So maybe it should be called Security
Profile for
DHCPv6? I think this approach does not change anything from technical
perspective,
but simply frames the solution better. Described that way it may also be
easier to
accept to people who may afraid we want to force everyone to encrypt
everything
everywhere. It's just a suggestion to consider, I don't insist on it if
authors or the WG
disagree.

[LS]: Kathleen Moriarty also proposes this problem. She suggested us to
have opportunistic security as mandatory to implement. Otherwise, the
reader
will think that it's not pointing to a practical implementable RFC.
Maybe another way is Tomek's suggestion, changing the name of the draft.
In this way, there will be less issues.

4. Tomek: I mentioned that I was concerned with the possibility of clients
and servers
getting “junk” is a security concern as someone could generate bad packets
with
encrypted data and send them to clients and servers in the hope to crash
the either
when they try to decrypt and then process junk. Tomek suggested we might
want to
think about whether to add some magic value to the first few bytes of a
message
before encrypting it and then the decrypter can check those first few bytes
to see if
they are value and discard the message if not. Perhaps the encoding from
RFC5652
would accomplish this if we are using more than just the encryptedContent?
Anyway,
something to think about.

[LS]: According to Sten Carlsen's comments, there is no other method than
careful
programming and careful testing with deliberate intent to find weak spots.
I think that it is a general problem for encryption, not the specific
problem for
secure DHCPv6.

5. Tomek: "After the decryption, it handles the message as per 3315". I'm
not a
security expert by any stretch of that word, so excuse my naive question.
Anyway,
can you always detect that the decryption was a success or failure? Some
decryption
techniques will produce output, even when the key is incorrect, but the
output will be
an almost random garbage. Can the mechanism defined in RFC5652 always
reliably
conclude the decoding operation was success/failure? If not, I'm afraid
that asking
clients and server to decode random garbage will break some implementations.

[LS]: I also think that it is a general security problem. Looking forward
to the guidance
from some security experts.

6. Bernie: Regarding the reference of RFC5652, check in with Stephen to
get more clarity on what pieces are applicable?

[LS]: Looking forward to the guidance from some security experts.

Looking forward to all the comments and guidance. Thanks in advance.

Best Regards,
Lishan