IETF Logo Mail Archive

Re: [dhcwg] A new draft of draft-jiang-dhc-secure-dhcpv6 is submitted. Comments are welcome!

"Bernie Volz (volz)" <volz@cisco.com> Sun, 13 July 2008 14:07 UTC

Return-Path: <dhcwg-bounces@ietf.org>
X-Original-To: dhcwg-archive@megatron.ietf.org
Delivered-To: ietfarch-dhcwg-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7BE7228C1D4; Sun, 13 Jul 2008 07:07:40 -0700 (PDT)
X-Original-To: dhcwg@core3.amsl.com
Delivered-To: dhcwg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5618B28C1D4 for <dhcwg@core3.amsl.com>; Sun, 13 Jul 2008 07:07:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.238
X-Spam-Level:
X-Spam-Status: No, score=-6.238 tagged_above=-999 required=5 tests=[AWL=0.361, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B86n9SO4jPFq for <dhcwg@core3.amsl.com>; Sun, 13 Jul 2008 07:07:37 -0700 (PDT)
Received: from rtp-iport-1.cisco.com (rtp-iport-1.cisco.com [64.102.122.148]) by core3.amsl.com (Postfix) with ESMTP id 6D1D428C102 for <dhcwg@ietf.org>; Sun, 13 Jul 2008 07:07:37 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.30,353,1212364800"; d="scan'208";a="14147466"
Received: from rtp-dkim-2.cisco.com ([64.102.121.159]) by rtp-iport-1.cisco.com with ESMTP; 13 Jul 2008 14:07:58 +0000
Received: from rtp-core-1.cisco.com (rtp-core-1.cisco.com [64.102.124.12]) by rtp-dkim-2.cisco.com (8.12.11/8.12.11) with ESMTP id m6DE7wnE025799; Sun, 13 Jul 2008 10:07:58 -0400
Received: from xbh-rtp-211.amer.cisco.com (xbh-rtp-211.cisco.com [64.102.31.102]) by rtp-core-1.cisco.com (8.13.8/8.13.8) with ESMTP id m6DE7wsi007203; Sun, 13 Jul 2008 14:07:58 GMT
Received: from xmb-rtp-20a.amer.cisco.com ([64.102.31.15]) by xbh-rtp-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Sun, 13 Jul 2008 10:07:57 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Date: Sun, 13 Jul 2008 10:08:09 -0400
Message-ID: <8E296595B6471A4689555D5D725EBB21080C9EAC@xmb-rtp-20a.amer.cisco.com>
In-Reply-To: <00b301c8e276$625d9e60$c80c6f0a@china.huawei.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [dhcwg] A new draft of draft-jiang-dhc-secure-dhcpv6 is submitted. Comments are welcome!
Thread-Index: AcjhyiklbzF0c7YrS/ijkgl+dVxjowAq0nDgAJ66m+A=
References: <4874C06F.5090302@cisco.com> <00b301c8e276$625d9e60$c80c6f0a@china.huawei.com>
From: "Bernie Volz (volz)" <volz@cisco.com>
To: Sean Shuo Shen <sshen@huawei.com>, "Mark Stapp (mjs)" <mjs@cisco.com>, Sheng Jiang <shengjiang@huawei.com>
X-OriginalArrivalTime: 13 Jul 2008 14:07:57.0804 (UTC) FILETIME=[DA230AC0:01C8E4F1]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=9836; t=1215958078; x=1216822078; c=relaxed/simple; s=rtpdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=volz@cisco.com; z=From:=20=22Bernie=20Volz=20(volz)=22=20<volz@cisco.com> |Subject:=20RE=3A=20[dhcwg]=20A=20new=20draft=20of=20draft- jiang-dhc-secure-dhcpv6=20is=20submitted.=20Comments=20are=2 0welcome! |Sender:=20 |To:=20=22Sean=20Shuo=20Shen=22=20<sshen@huawei.com>,=20=22 Mark=20Stapp=20(mjs)=22=20<mjs@cisco.com>,=0A=20=20=20=20=20 =20=20=20=22Sheng=20Jiang=22=20<shengjiang@huawei.com>; bh=BpWOXkBX0OejTXv7ned9zOL09uZYi2ojo3zLZYhJkFY=; b=rfp5VpqR3I/UpP2WmtgaL1+t6dvCAla8fL5MWM+plwqCbBQuoYTOckmaE+ m3VyrKQi9u4zC8c86YT9fS1GMP/4jrQXLyxF+YnzAmLx0YSTBGZw0iOKccaM oq5f5NXHTV;
Authentication-Results: rtp-dkim-2; header.From=volz@cisco.com; dkim=pass ( sig from cisco.com/rtpdkim2001 verified; );
Cc: dhcwg@ietf.org
Subject: Re: [dhcwg] A new draft of draft-jiang-dhc-secure-dhcpv6 is submitted. Comments are welcome!
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/dhcwg>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dhcwg-bounces@ietf.org
Errors-To: dhcwg-bounces@ietf.org

Sean:

Regarding point 1 and 2, the AUTH option was designed to carry
authentication data. What that data is and how it is used depends on the
*protocol* field. The existing protocols are just the CURRENTLY defined
possibilities. New protocols can define new mechanisms. As 21.2 of RFC
3315 states:

   The Authentication option provides a framework for multiple
   authentication protocols.  Two such protocols are defined here.
   Other protocols defined in the future will be specified in separate
   documents.

---

>However, in that
>way, it is much more complicated for verifier to tell what contents are
>covered by this signature or not (especially when more options are
added
>during transmission).

As I keep trying to tell you this does NOT happen in DHCPv6. Messages
are ENCAPSULATED; options are not "added" along the way (such as is done
in DHCPv4 with the relay-agent option). Once a message is formed (yes,
the entity forming the message adds options), that's it - nothing else
(no other entity) adds anything to the message. And, having the complete
message be part of the "signature" is the proper way to go.

For DHCPv6, the intent was that the way one handles options that have
positional requirements is to ENCAPSULATE them within other options.
That's why we have IA options (IA_NA, IA_TA, and IA_PD) which
encapsulate the addresses (prefixes) and why those IAADDR/IAPREFIX
options can encapsulate other options. The ordering of options at a
particular level is immaterial and should NEVER need to be in any
specific order.

- Bernie

-----Original Message-----
From: dhcwg-bounces@ietf.org [mailto:dhcwg-bounces@ietf.org] On Behalf
Of Sean Shuo Shen
Sent: Thursday, July 10, 2008 6:19 AM
To: Mark Stapp (mjs); 'Sheng Jiang'
Cc: dhcwg@ietf.org
Subject: Re: [dhcwg] A new draft of draft-jiang-dhc-secure-dhcpv6 is
submitted. Comments are welcome!

Hi Mark,
Thanks for the detailed comments. Please see answers in lines.

>it's certainly worthwhile to explore use of asymmetric keys to secure 
>dhcpv6, so it's helpful to see this work. but there are a number of 
>issues with the details in this draft:

Before going through each problem, it will be helpful to clarify a
point:
the mechanism we proposed is not just an alternate auth which uses
asymmetric keys (instead of symmetric keys), it also prevent IP spoofing
because CGA (rfc3972) provides bound between public key and IP address.

>1. it's not clear why the existing extensible authentication option 
>couldn't be used. I believe I could map everything proposed for the new

>"Signature Option" into the existing option, so I have to ask: why not 
>do that? I suspect that you can make a case that it would be awkward to

>try to fit the CGA parameters data into the body of the authentication 
>option, and so make the case for the new CGA params option. but I'd
like 
>to see that tradeoff discussed.

There was a similar discussion with Bernie Volz yesterday and the day
before
yesterday. For unknown reasons, mails from Sheng did not show up on the
mail
list. However, we paste some discussion context the following: 

Overall, we are aiming to provide additional security on top of current
DHCPv6 by using CGA. A CGA address is designed cryptographically bound
with
the client (or server) public key, this public/private key pair can be
used
to provide IP address verification and data integrity WITHOUT any
separate
key management mechanisms. (I don't think any current DHC options can do
IP
address verification.)

When CGA is used as a secure and identity-bound IPv6 address, no extra
authentication key mechanism is needed. Also public key management is
very
easy and does not need to transmit key related material in plaintext
like
DHCP AUTH does. In summary, the newly proposed Signature Option can
achieve
the same security purposes with a simpler and safer foundations - key
management.

Additionally, CGA can be used not particularly for DHCPv6, but also used
for
other scenarios when a save and identity-bound IPv6 address (like SEND)
is
desired.

>2. an important benefit of using the existing option and specification 
>that supports it is that the text in rfc3315 is much more detailed and 
>rigorous than the text in this draft. the 3315 text is clear and
correct 
>about the actual computations based on the structure of dhcpv6
messages. 
>I don't think there'd be much benefit in extending this draft so that
it 
>duplicates that existing specification text. I'd much rather see a
focus 
>on the specifics of the steps required to produce and verify the 
>key-pair-based hash and signatures.

The same answer for point 1. We provide new security mechanisms
DIFFERENT
from the current. 
According to the verifications, there are rigorous descriptions in
rfc3971
and rfc3972. Surely we can make a clear reference or give short
descriptions
for sender/receiver activities.

>2a. doing (2) would help get you out of thinking that you depend on the

>ordering of options - the text in 3315 is correct about that. I second 
>Bernie's point that there's no need to require special ordering.

The order design is to simplify the verification processing at the
receiver
side. It is certainly doable if the signature option is somewhere in the
middle and still protect message contents after itself. However, in that
way, it is much more complicated for verifier to tell what contents are
covered by this signature or not (especially when more options are added
during transmission).

>3. there are an unusual number of instances of direct quotation from 
>RFCs. IMO, it's generally better to refer to RFCs because small quotes 
>can be misleading without the context of an entire protocol. it's one 
>thing to use quotations if you're trying to establish a clarification
of 
>the meaning of a specific passage, but I don't think that's what's 
>happening here.

The reason we do these direct quotations is because DHCPv6 has more
security
issues than our mechanism can solve. What we are quoting is what DHCPv6
[RFC3315] states as security issues and we can solve it.

>4. it would be more useful to describe a general-purpose way to use 
>asymmetric key pairs. the only things specific about the CGA
application 
>as described here is the details of the use of the CGA parameters 
>structure and the dependency on seeing the client's original IP source 
>address. but isn't that really just a specialized case, that only 
>extends the general case in a couple of ways?

As we state at the beginning, our proposal is not only substitute
symmetric
key with asymmetric key, but also verification of IP address and simpler
also safer key management.

>5. do you intend this only to be used when DHCPv6 is used to convey 
>configuration options? are there any differences required to support 
>address configuration, or prefix delegation?

Any scenarios that the sender can use certain source address rather than
unspecific addresses can be protected.

>6. what happens in relayed environments - where the client's original
IP 
>source address is no longer visible to the DHCP server? is this just 
>meant to be hop-by-hop integrity protection?

Reply agents will add its own CGA option and Signature option out of
encapsulated client/server DHCP message.

>7. I don't see anything here about authorization. anyone who can 
>generate a key pair can use this, right? so ... it's just message 
>integrity protection? do you propose to configure clients with server
or 
>relay public keys? something like SEND, would it be interesting to 
>authorize relays and servers via certs? or validate clients' keys with 
>certs?

I think you are talking about authentication of the message sender. This
is
exactly what the signature does. A malicious node can certainly generate
a
key pair, sign the message with private key and send the public key with
the
message. But the receiver can find out that this public key is not
trustworthy according to local public key list or certs. Certificate is
a
safe way to use asymmetric cryptosystem and it's not the only way.


Thank you!

Sheng & Sean




Sheng Jiang wrote:
> A new draft of draft-jiang-dhc-secure-dhcpv6 is submitted. Comments
are 
> welcome!
>  
> Filename:    draft-jiang-dhc-secure-dhcpv6
> Version:    00
> Staging URL:    
>
http://www3.ietf.org/proceedings/staging/draft-jiang-dhc-secure-dhcpv6-0
0.tx
t
> Title:     Secure DHCPv6 Using CGAs
> Creation_date:    2008-07-04
> WG ID:     Indvidual Submission
> Number_of_pages: 14
> Abstract:
> The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) enables DHCP

> servers to pass configuration parameters. It offers configuration 
> flexibility. If not secured, DHCPv6 is vulnerable to various attacks  
> particularly fake attack. This document analyzes the security issues
of 
> DHCPv6 and specifies security mechanisms, mainly using CGAs.
>  
> Best regards,
> 
> Sheng JIANG, Ph.D.
> 
> IP Research Department, Networking Research Department, Network
Product 
> Line, Huawei Technologies Co. Ltd.
> 
>  
> 
> 
>
------------------------------------------------------------------------
> 
> _______________________________________________
> dhcwg mailing list
> dhcwg@ietf.org
> https://www.ietf.org/mailman/listinfo/dhcwg
_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www.ietf.org/mailman/listinfo/dhcwg


_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www.ietf.org/mailman/listinfo/dhcwg
_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www.ietf.org/mailman/listinfo/dhcwg

v2.23.0 | Report a Bug | By Email