Re: [dhcwg] Secure DHCPv6 Deployment Consideration - proposed text

[神明達哉 <jinmei@wide.ad.jp>]

At Wed, 26 Aug 2015 08:59:27 +0000,
Sheng Jiang <jiangsheng@huawei.com> wrote:

> >> 1. Authentication based on certificate and PKI
> >>
> >> This model would mainly be used in the scenarios such as enterprise
> >> networks where tight security policies are applied and the clients
> >> are stable terminal devices. It would provide tighter security
> >> protection because both server and client can be authenticated based
> >> on a common trusted CA. As with this precondition, this model would
> >> require more complicated pre-configuration, particularly on the
> >> client side.
> >
> >Once we say "require more complicated pre-configuration", we'll lose
> >the most boasted advantage of this proposal: ease of deployment.  So
> >text like this will also need to answer "then, why do we bother
> >to introduce a new mechanism?"  I thought this question is one of the
> >common feedback (or pushback) from post-WGLC reviews, and will have to
> >be addressed in some way.
[...]
> PKI-based deployment is easier than symmetric key mechanism,
> particularly when there are multiple servers. PKI is more modern and
> common. It may be combined with other protocol deployment, not only
> DHCPv6. I will try to enhance the text, but such discussion actually
> belong to section 3, "Security Overview of DHCPv6".

If we can convincingly explain a PKI-based deployment is easier
without showing specific details and without saying something
speculative, that would be great.  I'm personally pessimistic about
that possibility, but if you think you can do it, please go ahead.

> >I'm not sure if this paragraph directly and clearly addresses the
> >concern regarding how the client validates the certificate or public
> >key.  I suspect we'll need to discuss something more specific, like
> >how a client could pre-cache a complete certification path with
> >discussions on its own risks.
>
> The establish, deployment and its risks of certification path is another generic issues, which a) is out of scope, it is secure dhcpv6 specific, b) it is addressed in the referred RFC.

(Do you mean it is NOT secure dhcpv6 specific?)

I, for one, wouldn't be opposed to not explaining this point in more
detail, but my understanding of the feedback was that reviewers didn't
buy the argument for dismissing this as "out of scope"; I also thought
they considered there is some DHCP specific points in that this is a
kind of chicken-and-egg problem.  Personally I suspect we cannot
pretend it's not our problem.  But again, this is a matter of how
the reviewers will react to this approach.  If you're confident you
can convince them with this argument, I just with you good luck:-)

> >> 2.  Authentication based on leap of faith
> >>
> >> This model would mainly be the scenarios that the security policies
> >> are loss and the clients may roam, such as public coffee
> >> shops. Therefore, the PKI could not be deployed in advance. This
> >> model requires minimum pre-configuration - server and client has a
> >> public/private key pair. A signed certificate could be an equivalent
> >> to a public key in this model.
> >
> >Several reviewers have already pointed out that TOFU (or leap of
> >faith) is not suitable for coffee shop cases (and I agree with them).
> >My personal answer to them is that a more appropriate case would be
> >initial setup in a closed home network.  We might also say TOFU can be
> >used for hijack prevention.
>
> Let's see what the reviewers may response. I can certainly modify the example. But I am not sure what else is the best model for coffee shop.

We can't oversell this thing.  If there's a scenario where no model
with the secure DHCPv6 looks viable, we just can't say it can be used
for the scenario, at least with the boasted advantage of easier
deployment.  (Note that I'm not necessarily pushing the other
examples; I'm only saying we have to be honest).

> >> The Leap of faith model by itself could not prevent a client to
> >> trust a malicious server or a server to trust a malicious client at
> >> the beginning of the first session. But the leap of faith mechanism
> >> guarantees the subsequent messages are sent by the same previous
> >> sender, and therefore narrows the time window that an attacker can
> >> perform attacks. Also, the message integrity is provided.
> >
> >what does "also, the message integrity is provided" mean in this
> >context?
>
> It means the receiver can validate the message does not modified in the middle.

After the first session, right? (On the first use MITM attack is
possible).  And then it seems to me to say the obvious; the only
difference between TOFU and non-TOFU is in its first session, and once
the trust relationship is established all features of the non-TOFU
case including integrity are provided.  So, personally, I'd just
remove this sentence since it's rather confusing in this context.

> >> The server may constrain the resource and access rights to clients who is
> >based on leap of faith model to avoid potential malicious attacks
> >>
> >> Additional mechanisms to justify the trust relationship, such as
> >> requiring human intervention at the point of the leap of faith on
> >> the client or the server may run some algorithm to detect malicious
> >> behaviors from clients.
> >
> >"some algorithm to detect malicious behaviors from clients":
> >specifically what does this mean?

This point still seems to be open.

--
JINMEI, Tatuya