IETF Logo Mail Archive

Re: [dhcwg] Eric Rescorla's No Objection on draft-ietf-dhc-rfc3315bis-10: (with COMMENT)

Eric Rescorla <ekr@rtfm.com> Tue, 23 January 2018 02:57 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE3E9127011 for <dhcwg@ietfa.amsl.com>; Mon, 22 Jan 2018 18:57:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 87GrqI8CwfeR for <dhcwg@ietfa.amsl.com>; Mon, 22 Jan 2018 18:57:19 -0800 (PST)
Received: from mail-yb0-x235.google.com (mail-yb0-x235.google.com [IPv6:2607:f8b0:4002:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE831126C0F for <dhcwg@ietf.org>; Mon, 22 Jan 2018 18:57:15 -0800 (PST)
Received: by mail-yb0-x235.google.com with SMTP id 65so4290641ybz.6 for <dhcwg@ietf.org>; Mon, 22 Jan 2018 18:57:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=F8k8ZFoN6c8SO53OMJ8SU6psu/Jvoh/wxvHQr7nRufw=; b=Gt5GYfZg4B9OFWEgcU2lv3waEHOyL2UsWECzW6QwKElOL/IJh1hesJDM6Ap7JoHA6+ 33HDhehiKQ4i9JZmVhth5Xfn01Auuey+KSlQPRoAEX306zjF+9v7q7H9EeAa7Tm9JzKE svjFwpRJB37muU0qMWnq4voRJ4PHlG7uLyHAHCGq/rs2Wxsu/Z+RK+4SVR4I5JqSy58Y jQPHmuttqpF2yagtPpqs2b5p6XuDUVLzCHyvxtnljxFqZ/06CY1DZBT+n3LwJCi97IKL zit7N9j0vxI/+g+HnWBWjCTtiAceYPXKBF5YagqSakvYouxKk5pO2m5b2IbeZydBEVBj dMZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=F8k8ZFoN6c8SO53OMJ8SU6psu/Jvoh/wxvHQr7nRufw=; b=hiCsZdRFJyp2U3llsOYXi/NtHIeF+Ei6KVCtcykGy4CxvXTWmUenn4v+2prT/nxZ2M yT49eJZI5tD5He9M28wW5+HncQAakqplH6UKXC+JpSEY0Q4LYFqLC92MlX2+9mnLgCbL /VT+CE5w1+6XdWpfyWeqfp3jXI7iHzd6ItOV9lG1f/EAJ38Hv+b61AsMfm/Q1XizZpfh v6mhHvccE4CmDrTQwFOdoxfx6rz2v+OyD3TYNGtPKI2fRrjse/2CEwOFBLwIkDwuYjpF 4Edf28CMTULqVYtFT8x5M/rkyodVa2IUYF+tZf+4jwbcHZJDfRQfo2cBhsDPuPqZXABe aSiA==
X-Gm-Message-State: AKwxytclHP3UHj0Ewmi6P0tj0xfFdAJocQn4Q29QOIUal70vfR8n43wa 0G7F3ok7IYSOkiQarPYqg9jHoAMKGCcjUXhKkQHPrw==
X-Google-Smtp-Source: AH8x225ZwobhNyTgtn0sCN6b6vBGx4PhGcXEhLSe4hzWidgP3SEDgOsBE+z5/eSilvKJFtNI2690X1TLNJGNmfPOBxY=
X-Received: by 10.37.80.129 with SMTP id e123mr939465ybb.497.1516676234856; Mon, 22 Jan 2018 18:57:14 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.160.201 with HTTP; Mon, 22 Jan 2018 18:56:34 -0800 (PST)
In-Reply-To: <CCF96896-3AF5-4926-A50D-E4D9B4FE4E10@cisco.com>
References: <151656279222.3388.17356187412394517479.idtracker@ietfa.amsl.com> <85bba58c-e7ef-ce42-50a5-3ba83f2abba0@gmail.com> <CABcZeBNN1GFBZHo2kbvNKwbh1ehHaCcu4yOjz7cuEHcNGkxcxg@mail.gmail.com> <39b6f692-ca0f-fd8c-f6af-3410f0e8387e@gmail.com> <CABcZeBOnYjOtitSpu9KEiDFb5AkV4iHe2da14X5N__qvdFg+sw@mail.gmail.com> <CCF96896-3AF5-4926-A50D-E4D9B4FE4E10@cisco.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 22 Jan 2018 18:56:34 -0800
Message-ID: <CABcZeBM0VcJg8_CVHbfd0qUsFgLa0SQbs+wV9_L2jqeO94L41A@mail.gmail.com>
To: "Bernie Volz (volz)" <volz@cisco.com>
Cc: Tomek Mrugalski <tomasz.mrugalski@gmail.com>, The IESG <iesg@ietf.org>, "draft-ietf-dhc-rfc3315bis@ietf.org" <draft-ietf-dhc-rfc3315bis@ietf.org>, Ralph Droms <rdroms.ietf@gmail.com>, "dhc-chairs@ietf.org" <dhc-chairs@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Content-Type: multipart/alternative; boundary="001a114026f637e529056368b40d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/wIgzvf2UZ6m5A7wBEbGMfEN0HfQ>
Subject: Re: [dhcwg] Eric Rescorla's No Objection on draft-ietf-dhc-rfc3315bis-10: (with COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jan 2018 02:57:22 -0000

On Mon, Jan 22, 2018 at 6:53 PM, Bernie Volz (volz) <volz@cisco.com> wrote:

> Hi:
>
> I don’t see need to change DUID practices that have been used for a long
> number of years (as originally specified in 3315). There are a lot of
> things one could do, but what’s the benefit?
>

The benefit is that you have a pile of different mechanisms which are
redundant. This would simplkify that.

And, if you’d really like the WG to develop a new format, that doesn’t seem
> something to do in a bis document?
>

I'm not suggesting a new format. You already support UUIDs. I'm suggesting
that you recommend that people use UUIDs and generate them using the same
inputs they already use for generating the other DUIDs.


Regarding Replay Protection, as this is for Reconfigure (server to client),
> there should only be a need for a single Reconfigure per client. Even if
> multiple are sent by server for a single client, that only causes some to
> fail replay checks if out of order delivery or processing and means maybe
> some are dropped, which isn’t an issue (especially as now Reconfigure no
> longer communicates what may need reconfiguration).
>

All right

-Ekr


>
> - Bernie (from iPad)
>
> On Jan 22, 2018, at 9:11 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>
>
> On Mon, Jan 22, 2018 at 5:07 PM, Tomek Mrugalski <
> tomasz.mrugalski@gmail.com> wrote:
>
>> On 01/23/18 01:25, Eric Rescorla wrote:
>> > On Mon, Jan 22, 2018 at 4:14 PM, Tomek Mrugalski
>> > <tomasz.mrugalski@gmail.com <mailto:tomasz.mrugalski@gmail.com>> wrote:
>> >
>> >     On 01/21/18 20:26, Eric Rescorla wrote:
>> >     > Eric Rescorla has entered the following ballot position for
>> >     > draft-ietf-dhc-rfc3315bis-10: No Objection
>> >     Hi Eric,
>> >
>> >     Thank you for your review and your favourable ballot. See my answers
>> >     below.
>> >
>> >     > ------------------------------------------------------------
>> ----------
>> >     > COMMENT:
>> >     > ------------------------------------------------------------
>> ----------
>> >     >
>> >     > Document: draft-ietf-dhc-rfc3315bis-10.txt
>> >     >
>>
>> >     Anyway, this part of the spec hasn't changed in bis. It would be
>> >     extremely difficult to make any changes as there are millions of
>> devices
>> >     that already use those DUID types.
>> > Well, we could encourage people to move to a UUID type for sending, no?
>> In many environments there is no standard way of getting the UUID. As an
>> implementor of DHCPv6 client I have no idea how to check whether the
>> hardware provides access to its UUID. Also, sysadmins like usage of LLT
>> and LL, because it has MAC address in it. This is something they know
>> and can read from the box or from the device itself. It's reasonable to
>> ask a user "what's your mac address?" but it's much more tricky to ask
>> "what's your uuid?" and expect to get a coherent answer.
>>
>> There may be privacy concerns, too. Once your phone discloses its UUID,
>> it's much easier to track it and changing MAC address wouldn't help you
>> at all. Devices using anonymity profile (RFC7844) must use LL type.
>>
>> I'm not saying that UUID is a bad type of DUID, just pointing out that
>> it has its own issues. But does it matter that much? DUID is just a blob
>> that must be unique and the server uses it to identify a client. If the
>> DUID is of certain type, additional information about the client can be
>> printed and that's about it.
>>
>
> I think you're misunderstanding me. What I am proposing is that you take
> the
> DUID input values, hash them, and use them as input to a name-based
> UUID: https://tools.ietf.org/rfcmarkup?doc=4122#section-4.3
>
>
> >     > The description of how to actually do replay detection seems pretty
>> >     > thin. Do you think more detail would be helpful here.
>> >     It would. How about this text added to the end of Section 20.3:
>> >
>> >     "The client that receives a message with RDM field set to 0x00 MUST
>> >     compare its replay detection field with the previous value sent by
>> >     the same server. If this is the first time a client sees
>> Authentication
>> >     option sent by the server, it MUST record the replay detection
>> value,
>> >     but otherwise skip the replay detection check.
>> >
>> >     The servers that support reconfigure mechanism MUST ensure the
>> replay
>> >     detection value is retained after restarts. Failing to do that will
>> >     cause the clients to refuse reconfigure messages sent by the server,
>> >     effectively rendering the reconfigure mechanism useless."
>> > This seems like it scales badly as you need to keep an infinite replay
>> > list.
>> Not at all, unless your client interacted with infinite number of
>> servers and intends to visit them again. The server stores a single 64
>> bit integer. Every time a packet is sent, that value is incremented. The
>> client stores one value for every server it wants to continue
>> communicating with. For great majority of cases this would be one
>> server. For mobile clients that visited multiple locations and have the
>> capability to retain the information to possibly resume operation in
>> previous locations that would be a handful of servers at most.
>>
>
> It seems like you're assuming that the client can only have one outstanding
> transaction with the server. Is that correct?
>
> -Ekr
>
>
>
> > What happens if you falsely declare something a replay?
>> If you falsely declare something a replay (why would you do that?), the
>> reconfigure packet is dropped by the client. The server will retransmit
>> its reconfigure message with a higher value which hopefully be accepted
>> by the client. If you somehow sabotage the client or trick it to believe
>> that a very high value of replay detection was sent previously, it will
>> continue to reject reconfigure messages. So you effectively disabled the
>> reconfigure mechanism on that client, but it continues to operate and
>> can still renew its configure, just after t1 timer, not immediately.
>>
>> Note that the replay detection is intended to be used with RKAP. So in
>> principle you could perform an attack by sending a packet with high
>> replay detection to confuse the client, but to do that you'd have to
>> also put the correct HMAC-MD5 digest. Otherwise the client will discard
>> your packet. If you have that ability, then you can do worse things than
>> confuse client's notion of a replay value.
>>
>> There is a text about possibility of exploiting the reconfigure key
>> mechanism to attack a client. Do you think we should extend it to also
>> mention the replay attack?
>>
>> Tomek
>>
>
>

v2.23.0 | Report a Bug | By Email