IETF Logo Mail Archive

Re: [dhcwg] comments on draft-ietf-dhc-sedhcpv6-10.txt

神明達哉 <jinmei@wide.ad.jp> Wed, 24 February 2016 17:56 UTC

Return-Path: <jinmei.tatuya@gmail.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BA231A004A; Wed, 24 Feb 2016 09:56:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.577
X-Spam-Level: *
X-Spam-Status: No, score=1.577 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, FRT_BIGGERMEM1=2.555, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xZZ0bG4gD2o5; Wed, 24 Feb 2016 09:56:21 -0800 (PST)
Received: from mail-io0-x232.google.com (mail-io0-x232.google.com [IPv6:2607:f8b0:4001:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8784A1A6FFB; Wed, 24 Feb 2016 09:56:21 -0800 (PST)
Received: by mail-io0-x232.google.com with SMTP id g203so55165390iof.2; Wed, 24 Feb 2016 09:56:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=x2HRWgOXcf6OfJwQw+wQhS53rBo1N1FaPSvv0UpQta0=; b=zQBQI0opYpjkVPA/DGNeWlXEczGllhrN83udFJ1H3Lnbw21uzZkfcJI20xsX3xqSlE aB6bLlX/WNz2PMyp4UDuC2IKL8r+N+WZqcsNKKRlc3w+bM47KwxH8qqA+b66rn3mGJvS yMuC4Tccs7kwhBmMIrAkrLf+nvXyuyFLlDhEcaLXhGyVrcQKuQknDGuFjq8WgoiETwuD GZYSkvP0gpOczgZyP3mKSUE9Abh72PnIy6oDz4Kx7z7w2rVw2Arjn6FxYIPUl5Wf52ec OT1LOYgJzUNeQrKXMi+lorzLLm8vrDQk883JwvU0xwbBwEQtR2nMmbUlotf+uHSFFWoG ciTA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=x2HRWgOXcf6OfJwQw+wQhS53rBo1N1FaPSvv0UpQta0=; b=meIX5NJbbW4vqIJIMvOcadQLb4Dm+rvuEG+qKtQ8ko8UnzW2aplcdKdfJpbETubCB8 tQe3MqYt8xnOH7MwOEGnG1F/4ti48Px01NA5iJ6DwSVuww0MNG3euJKI4+Ko4IXshSs4 nkX5GCwqz7hMiaNRWLdqhOjwjX//Iqd8O4WFot4uMIOsxlo4P3H84KbwBK/f1AUlAtsn iAZCVfEiBqgtjGfXSIKbFAoo6zeXcHmIXS+6X+kcf+ZbKw0Y6GpoxiUGS6OmEKgH6i/p BMDVBI+ZOgJ1w/woenCVaDhvXHF02oAUjXDS0Me83q9W8WaazUBTuRp+2OCw+bl5fudR tSyw==
X-Gm-Message-State: AG10YOSke4DmEg7mYLbQma9TxNfz+bk7zQAjIIp60ktBsLYbAo+ywFWbubFR+OAaxaZANRe/nTeYjmi0pJjw/g==
MIME-Version: 1.0
X-Received: by 10.107.137.142 with SMTP id t14mr43528803ioi.172.1456336580577; Wed, 24 Feb 2016 09:56:20 -0800 (PST)
Sender: jinmei.tatuya@gmail.com
Received: by 10.107.169.35 with HTTP; Wed, 24 Feb 2016 09:56:20 -0800 (PST)
In-Reply-To: <CAJ3w4NcmG18puJpzPFFvn4U8P7eQwh2WeMvcvH+UJHNPQd_BRw@mail.gmail.com>
References: <CAJE_bqdZTc57BGzVq8-EaOa7kT2ME9_3bXNKFr0WGk_MzLNOBQ@mail.gmail.com> <CAJ3w4NermaJtDzf3V4+WQcpJ5kEdWX6RQ9CyWiFmOmKw8+QZSQ@mail.gmail.com> <CAJE_bqc+1=CT66f88tB_DbavBmvnnYcK3a+LR_OwUWu_O-WnVw@mail.gmail.com> <CAJ3w4Ne8rU-cnvNqeM0x0PFw+mAD-TEmyegOJDgQuCiccFY2hg@mail.gmail.com> <CAJE_bqdBqjSG0UnGuKfjtQMB-Rp81pU7n_+Eq_Fb=yar+673hA@mail.gmail.com> <CAJ3w4NcmG18puJpzPFFvn4U8P7eQwh2WeMvcvH+UJHNPQd_BRw@mail.gmail.com>
Date: Wed, 24 Feb 2016 09:56:20 -0800
X-Google-Sender-Auth: FJvc7ysJmYfDyfaTRM3TfDAG9uI
Message-ID: <CAJE_bqc9JHcUGCGW9VSPrHTBUe4tKowh9OHVbUA1qWwanWyYBg@mail.gmail.com>
From: 神明達哉 <jinmei@wide.ad.jp>
To: Lishan Li <lilishan48@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/dhcwg/mGuVONxsFDLVz6iY7907xrbBhTs>
Cc: "dhcwg@ietf.org" <dhcwg@ietf.org>, draft-ietf-dhc-sedhcpv6@ietf.org
Subject: Re: [dhcwg] comments on draft-ietf-dhc-sedhcpv6-10.txt
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2016 17:56:23 -0000

(I've removed draft-ietf-dhc-sedhcpv6@ietf.org)

At Tue, 23 Feb 2016 10:45:40 +0800,
Lishan Li <lilishan48@gmail.com> wrote:

> > I'm still not sure if my point was made clear...so let me be more
> > specific: in the following message exchanges:
> >
> > 1. Information-request from client to server(s)
> > 2. Reply to the Information-request from server(s) to client
> > 3. Encryption-Query from client to server
> > 4. Encryption-Response from server to client
> >
> > did you mean the Reply message of exchange #2?
> >
> > If so, do you at least agree that it makes almost no sense to include
> > the explicit separate signature in messages 3 and 4?
> >
> > [LS]: Yes, I mean the Reply message of exchange #2. The reply message
> contains the signature option and timestamp option for message integrity
> check. In the #3 and #4 messages, the DHCPv6 messages are encrypted, so the
> signature and timestamp option are not contained.
> What do you think of it?

Okay.  So focusing on the Reply message (#2): my point was:

- in effect, its only content is the certificate (or public key).
- the recipient is already expected to validate this only content
  directly (by comparing it with locally pre-configured info, by using
  a PKI, etc), so we do not necessarily need to provide additional
  integrity protection for it by signing the message.
- on the other hand, if we eliminate the signing and the signature
  option from this, we'll completely eliminate this option from the
  protocol.  This will help make the protocol simpler and reduce
  development costs.

If you still disagree, perhaps it helps if you can show a specific
attack vector because of the lack of the signature.

> > Right, but this argument also holds even if we have TOFU...
> >
> > > So, I think that
> > > the certificate option is enough for authentication.
> > > Looking forward to your further guidance.
> >
> > ...so these don't explain why we should now remove the public key
> > option.  One obvious, though possibly relatively minor, drawback of
> > only having a certificate is that it will make the message size even
> > bigger when we actually only need the public key.
> >
> > I'm not necessarily opposed to removing the public key option if we
> > cover all such discussions and reach consensus, but I don't think I've
> > seen it yet.
> >
> > [LS]: In consideration of the support of TOFU and the add of all such
> discussions and consensus, the better way for us is to add the public key
> option as the before secure DHCPv6 version.
> Am I correct?

No, I just didn't see why the public key option was removed (the
explanation regarding TOFU didn't make sense to me).  As I already
said, I'm not necessarily opposed to removing it if there's a
convincing reason that can outweigh its cons.

> > > > >- Section 6

> > Introducing a new error code is related but a minor point.  My
> > question was about what the client should do if it sees that code (or
> > whatever signal that indicates this kind of failure).
> >
> [LS]: As you said before, the DecryptionFail failure is equivalent to
> SignatureFail. So if the client sees that code, the client MAY resend the
> message following normal retransmission routines defined in [RFC3315].
> Am I correct?

Not sure if you are correct:-), but, yes, that answers my question.
Whether this behavior makes most sense is a different question, on
which I don't yet have a particular idea.  Maybe I should first see a
revised draft in full text.

> > p.s. there's another bigger open issue I separated from the rest of
> > the discussions:
> > https://mailarchive.ietf.org/arch/msg/dhcwg/-tZBpeMs-EiVyMm0MLBpj3dFYNI

Reminder: this is still open.

> > [LS]: Another open isssue is that:
> If the server receives the Information-request message but it does not
> support this work, what should the server do?
> In my opinion, if the server don't support this work, it has two choices:
> 1. drop the received Information-request message;
> In this way, the client will not receive any message which illustrate the
> server don't support secure DHCPv6. If there is no authenticated DHCPv6
> server, the client may resend the Information-request message;
> 2. send the Reply message with the corresponding error status code to the
> client;
> This way will introduce the downgrade attack, a third party may send the
> Reply message with the corresponding error status code. And then the DHCPv6
> configuration process may be unsecured.
> I prefer the first one solution. Which one would you prefer? Looking
> forward to your guidance.

I'd simply expect the usual behavior: the server will return a Reply
(obviously) without the requested information (which, in this case,
the certificate or public key option).  I don't think we can eliminate
the possibility of downgrade attack by an on-path attacker, however we
specify the behavior in this case.

--
jinmei

v2.23.0 | Report a Bug | By Email