Re: [dhcwg] questions about DHCPv6 authentication

Thanks for the response.

>>>>> On Thu, 17 Jun 2004 12:53:18 +0200, 
>>>>> Christian Strauf <strauf@uni-muenster.de> said:

>> I don't really understand this part...does this assume a separate
>> Solicit-Advertise (or Reply if rapid-commit option is used?)
>> exchanges to negotiate the key?  If so, what if the server and/or
>> the client only implement the "stateless" subset described in
>> RFC3736?  Note that RFC3736 says:

(snip)

>> I read this to mean that Authenticated DHCP can be used for
>> implementations only support RFC3736.  But how can such
>> implementations select the key without the "previous message
>> exchange"?
> the key distribution is done out-of-band, as stated in section 21.4.3.
> Therefore, no inital exchange for key distribution is necessary.

I know that.  Perhaps I was not clear enough, but I meant the
following process by "negotiation the key":

(we assume both the client and the server have a shared secret.  It's
okay)

- the client sends a solicit message with an authentication option.
- the server chooses one particular key identified by <DHCP realm,
  client DUID, key id>
- the server sends an advertise message with an authentication option
  authenticated with the selected key
- the client extracts the realm and key ID specified by the server
  from the advertise message.  At this point, the client can identify
  a particular key to be used for authentication in this session.

In fact, RFC3315 says:

   If the server has selected a key for the client in a previous message
   exchange (see section 21.4.5.1),
             ^^^^^^^^^^^^^^^^^^^^
and section 21.4.5.1 talks about a solicit-advertise exchange.

> The way I
> understand this section is that clients must keep using the same key they've
> been using for any previous message exchange that included an authentication
> option. Stateless DHCPv6 clients are free to use authentication options with
> pre-shared keys the same way that RFC3315 clients do.

Are you assuming the following procedure?

- the client sends an information-request with an authentication
  option.
- the server chooses one particular key identified by <DHCP realm,
  client DUID, key id>
- the server sends a reply message with an authentication option
  authenticated with the selected key
- the client extracts the realm and key ID specified by the server
  from the reply message.  At this point, the client can identify
  a particular key to be used for authenticating the reply message.

and,

- if the client and the server ever make further exchanges of
  information-request and reply, they should use the same key used in
  the first exchange.  (By the phrase of "use that same key for
  validating subsequent messages with the client.")

If so, that *may* make sense.  However, I think it's very hard to
imply the above just from the description in RFC3315.  And in that
sense, I'd first like to know if this is the real intention of the RFC
authors.

>> 2. RFC3315 says in Section 21.4.2 (Message Validation) that
>> 
>> If the MAC
>> computed by the receiver does not match the MAC contained in the
>> authentication option, the receiver MUST discard the DHCP message.
>> 
>> It seems to me this part of the specification some other parts of
>> Section 21.4:
>> 
>> 2-1) in Section 21.4.4.2, the RFC allows the client to respond to
>> an Advertise even if it fails on authentication:
>> 
>> Client behavior, if no Advertise messages include authentication
>> information or pass the validation test, is controlled by local
>> policy on the client.  According to client policy, the client MAY
>> choose to respond to an Advertise message that has not been
>> authenticated.
>> 
>> Doesn't this contradict with Section 21.4.2?
> Yes, partly. I think the part that is contradictory is "[...] or pass the
> validation test [...]". This section clearly -- as you correctly identified in
> my eyes -- contradicts the quoted part of 21.4.2 above. I agree that a failed
> validation test is very critical and should not be open to local policy (i.e.
> no responses to these advertise messages should be made by the client in any
> case).

> The other part ("[...] no Advertise messages include authentication information
> [...]") may indeed be a matter of local policy.

Okay, I tend to agree.

>> 2-2) this can be a more serious issue.  The RFC says in Section
>> 21.4.4.4 that:
>> 
>> If the Reply
>> fails to pass the validation test, the client MUST restart the DHCP
>> configuration process by sending a Solicit message.
>> 
>> Doesn't this contradict with Section 21.4.2?  Moreover, it
>> seems to me that restarting the configuration process in this
>> case can open up a possibility of DoS attack.  What is the
>> background of this specification?
> I think that it doesn't contradict section 21.4.2 but as a matter of fact is a
> logical consequence if validation tests fail. However, I agree 100% that this
> is a potentially dangerous behaviour because it can be used for DoS attacks on
> servers and clients. I think that this deserves to be addressed in the Security
> Considerations section because appropriate timeouts or similar should be in
> place to prevent this kind of attack by malicious hosts that send malformed
> replies that will fail validation tests.

Hmm, I'm not sure how appropriate timeouts can protect the attack, but
at least I'm happy that I can share my concern on the threat with you.

I'd still like to hear from others, particularly from the RFC authors,
but so far it seems to me that the authentication mechanism will need
some clarification.  Does it make sense to write a separate draft like
"clarifications on the DHCPv6 authentication mechanism"?

					JINMEI, Tatuya
					Communication Platform Lab.
					Corporate R&D Center, Toshiba Corp.
					jinmei@isl.rdc.toshiba.co.jp

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg