IETF Logo Mail Archive

Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 - Respond by May 18

神明達哉 <jinmei@wide.ad.jp> Thu, 15 May 2014 17:36 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA9BD1A02CB for <dhcwg@ietfa.amsl.com>; Thu, 15 May 2014 10:36:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.978
X-Spam-Level:
X-Spam-Status: No, score=-0.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L3m3vb3H09ey for <dhcwg@ietfa.amsl.com>; Thu, 15 May 2014 10:36:56 -0700 (PDT)
Received: from mail-we0-x22d.google.com (mail-we0-x22d.google.com [IPv6:2a00:1450:400c:c03::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F05A51A02B9 for <dhcwg@ietf.org>; Thu, 15 May 2014 10:36:55 -0700 (PDT)
Received: by mail-we0-f173.google.com with SMTP id u57so1434560wes.32 for <dhcwg@ietf.org>; Thu, 15 May 2014 10:36:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=AQF0vXj3lR6QIrBe91JWFzWG+TkrpjbWqmNzjebrydc=; b=wJbRGNgV1+eLfntJX3cb8nUl1oZO6aQzC0mAos8sNKxxMVKhTFXSenmpRwj4F8G73q VWzSO+20666Vb+JXsHVNU5LeCTBCBloc/hF9HY+JYWgVHjvNENFps/az7Z4T30ijdWqM iR6bjAWaoEZC+i3kCCiMwA248D7zAlwHvD4fXvhclIQIJ1S/s2OnGEvUgocQj86bxxgj U57nuAMyN/TYBJO0xkzvPYGnUORhmj+vxksQ6DjI9VLUxJUdVJfOCCa+3kQbgPBAigK1 wPmM3neI00pUyMT5ySVGx8T7MXqh6PvwE5AmKyN0XWWjOk2kE2KzGXtBA89W+APVFvQk 759w==
MIME-Version: 1.0
X-Received: by 10.180.13.239 with SMTP id k15mr6291536wic.4.1400175407676; Thu, 15 May 2014 10:36:47 -0700 (PDT)
Sender: jinmei.tatuya@gmail.com
Received: by 10.194.222.9 with HTTP; Thu, 15 May 2014 10:36:47 -0700 (PDT)
In-Reply-To: <5D36713D8A4E7348A7E10DF7437A4B923AE47C5A@nkgeml512-mbx.china.huawei.com>
References: <535FEDAD.5010103@gmail.com> <CAJE_bqen37j5UCsKZj6syVyvk2Xed4V_xGp-t4xY8shjmS+H5g@mail.gmail.com> <5D36713D8A4E7348A7E10DF7437A4B923AE43272@nkgeml512-mbx.china.huawei.com> <CAJE_bqe75D7oRJq=XmjPR9Dfvu3-AcL8kF9Pkm3JEOVsyxhr5A@mail.gmail.com> <5D36713D8A4E7348A7E10DF7437A4B923AE442FD@nkgeml512-mbx.china.huawei.com> <CAJE_bqc+Z8awb5773OLs8QtXuCRxYCWFRAKuQ9YP8anFwEQqsQ@mail.gmail.com> <5D53E8BB-F692-4752-A1B2-9BB09747C58B@nominum.com> <CAJE_bqeNNW1=dSnj4f=t7Fx9waG81cDeHdcikqk0ECUoLvgVzQ@mail.gmail.com> <86DAC0E6-BC1A-4247-9AD1-C13DA01F170D@nominum.com> <5D36713D8A4E7348A7E10DF7437A4B923AE47C5A@nkgeml512-mbx.china.huawei.com>
Date: Thu, 15 May 2014 10:36:47 -0700
X-Google-Sender-Auth: v4vsA8gu6hM1pdS6SZ9PilVw13I
Message-ID: <CAJE_bqeSH+qELChVq=_bjRQ_8eWzsRV379wWKPNQjHTqAuMbFg@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Sheng Jiang <jiangsheng@huawei.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/dhcwg/Qnuf68r5oV2NDxmdK76iKPOZZsE
Cc: dhcwg <dhcwg@ietf.org>, Ted Lemon <ted.lemon@nominum.com>
Subject: Re: [dhcwg] WGLC for draft-ietf-dhc-sedhcpv6-02 - Respond by May 18
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 May 2014 17:36:58 -0000

At Tue, 13 May 2014 08:58:07 +0000,
Sheng Jiang <jiangsheng@huawei.com> wrote:

> >> My main concern is the combination of authenticating clients with the
> >> leap of faith model.  This model isn't suitable for the "grant
> >> different access" usage, since anyone can pretend to be an
> >> authenticated client with that model.
> >
> Ted Lemon>You are right--I don't think there is a use case for leap-of-faith with clients.
>
> The purpose of authenticating clients with the leap of faith model
> is to protect the follow-up client-to-server messages, such as
> Confirm, Renew, Rebind, Decline, Release, Information-request
> messages, hence, more protection for clients.
>
> When there is no security protection, an attacker can try to tamper
> the messages or generate bogus messages at the all the stages of the
> communication between a DHCP client and a server. For example, an
> attacker may send a bogus Release message, masquerading as a client,
> to the server. The network then deny the access from that IP
> address. It would actually affect the client.

I see what you're trying to say, and it makes some sense, but I'd like
to see more precise discussion, rather than just listing random
message types and obscuring details with a word like "such as".  For
example, I don't see (at least not immediately) what kind of
protection can be provided for Information-request in this context.
It's stateless by definition, so a forged Information-request from an
attacker doesn't break anything on other clients.

Also, I don't see the need for leap-of-faith in the case of forged
Release.  The server doesn't have to "leap" when it first sees a
client's public key since it's not for authenticating the client for
that particular request but for authenticating a possible subsequent
Release to confirm that is certainly from the client the server
originally responded to.  Also, for this purpose, the server only has
to remember the client's public key during that DHCPv6 session; it can
immediately forget the public key after that, so it doesn't have to
worry about "resource exhaustion attacks" at all.

I can see one possibility of client authentication + leap-of-faith
from the discussion so far, though: it may help prevent an attacker
from pretending to be a disconnected past client by sending a forged
Solicit (maybe with a forged public key).  If it was granted, there
might be confusion when the legitimate client comes back and tries to
establish another DHCPv6 session (I'm not sure if this inevitably
causes a security threat or could be just some confusion).  If the
server stores the original public key of the legitimate client, it can
reject the forged Solicit.  (Interesting, Solicit is not listed in the
message types you listed above).

> It has been realized that the leap of faith cannot prevent an
> attacker from impersonating legal clients to perform resource
> exhausting attacks against the DHCP server. In order to deal with
> this type of attack, certificate based mechanism needs to be
> provided. We also note that the leap of faith will consume
> additional memory resources of servers to remember the hash values
> of the public keys used by the clients. However, when using SHA-1
> the length of the hash of a public key is no longer than an IPv6
> address. So, we don’t think this will seriously affect the
> performance of the DHCP server.

Any trick to "mitigate" such a threat may be useful, but my main point
was at a more higher level: whether we should worry about this issue
in the first place: for clients this shouldn't be much concern in
practice; for sever, if we don't see the need for client authentication +
leap-of-faith, we don't have to worry about it (note that avoiding
forged Release doesn't require leap-of-faith as I noted above).  So,
only with an example like avoiding a forged Solicit explained above do
we need to worry about it.  But, right now, such a precise discussion
is totally missing in the draft and only some vague fear of a threat
is documented, which made me think whether this is really an issue or
not.  Discussions like specific "mitigation" such as the use of
fingerprint does not address this fundamental point.  I hope I'm clear
about my concern this time...

Now, with this latest understanding, I'd revise my previous specific
suggestion I described in
http://www.ietf.org/mail-archive/web/dhcwg/current/msg15524.html:

- provide a short "applicability considerations" section.  It includes
  some specific common use cases of server authentication and
  client authentication with key management:
  1. authenticating a server, mainly for clients to authenticate the
     information the server provides
  2. authenticating a client, so the server can selectively serve a
     specific client (or deny specific clients)
  3. authenticating a client, so the server can prevent an attacker
     from breaking an existing DHCPv6 session of a legitimate client.
  4. authenticating a client, so the server can prevent an attacker
     from establishing a new DHCPv6 session pretending to be a past
     legitimate client.

  For 1, both CA/preshared or leap-of-faith can be used.  The latter
  is weak in pure security point of view, but probably better than
  no protection by narrowing the attack scope.

  For 2, leap-of-faith cannot be used, since anyone can pretend to be
  a new legitimate client.

  For 3, leap-of-faith is not necessary, since the server uses the
  public key only to confirm that a subsequent message is sent from
  that client (rather than "trusting" the client in the initial
  solicit).

  For 4, both CA/preshared or leap-of-faith can be used, just like
  case 1.

And, for the security consideration on the "resource exhaustion
attacks", we'd note it matters only for cases like 4 in the
applicability categorization.  (With that clarification, we might or
might now want to mention possible mitigation, like the use of
footprint instead of full key information).

If this document is organized like this, I'll feel much more
comfortable.

--
JINMEI, Tatuya

v2.23.0 | Report a Bug | By Email