IETF Logo Mail Archive

Re: [dhcwg] Eric Rescorla's No Objection on draft-ietf-dhc-rfc3315bis-10: (with COMMENT)

Eric Rescorla <ekr@rtfm.com> Tue, 23 January 2018 02:11 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40E7012D887 for <dhcwg@ietfa.amsl.com>; Mon, 22 Jan 2018 18:11:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xGt1v_d67BRg for <dhcwg@ietfa.amsl.com>; Mon, 22 Jan 2018 18:11:21 -0800 (PST)
Received: from mail-yb0-x230.google.com (mail-yb0-x230.google.com [IPv6:2607:f8b0:4002:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD07C127011 for <dhcwg@ietf.org>; Mon, 22 Jan 2018 18:11:21 -0800 (PST)
Received: by mail-yb0-x230.google.com with SMTP id u35so4224836ybi.1 for <dhcwg@ietf.org>; Mon, 22 Jan 2018 18:11:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=paYUGW9pbUDIu/T5aD1qoCa4D0tOT6hrJZZqa30Fqp8=; b=0bgjgPziW407KWxYSoOPMQi2FPPvlLiudoT+d3m5tzz4BYm3A8GlNx+pyhyZJo6yJd IkRXeIiHluMX5jBnqQ8myp+v9QW70Dn5EimOeCvqmu4C0zSTAHIdewPQVO91QVdviQXm ikK7Pd/Uqg2MUhgoFwVUcUeMCSF/LpfYV9IbLBq+lZEfgTdZJUYL+fiEIn+zx3ILfYK1 TzcU9dpafdakPt5yp1fdrzGDKfK5TlRCwJcvY5Y/w9mghlVgJQrpJfNrpWkk9HXsMHXd gO7NiV8nxPkK/+d0AJibfyx5IpQ40+0TcVYm6FzMRg8/8hmNiJtipqo/qAHySR5HosYf pN/A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=paYUGW9pbUDIu/T5aD1qoCa4D0tOT6hrJZZqa30Fqp8=; b=jL+nF4K2XL2Fug7CW1nssMW3Wv/IK7KxnQtKa4AgmADqE+uxIdfSlT5BfZye5pxmU1 HKXmUj5jH9xmPpoZox9P8FYxWAgzHquFByCyFyiw16GrS8thV1BwH4OXnjqDm7yFalKD 4y/7+RodhfYmpmnl03D2mjD+tKM6nNaCPbQAA8NduAk93m9NNgBaVDKMgBz/q0K7Ut5h vz+o8YCvB/91RkIo4Bbb77wIwAlY/WCFMQ9fpqoAMGHbGupXnSoRqndOPaSHPv0jmSjJ ygCcsBszAGvS9ouWZbB5XCDRqAxYAUKOhb82FswLcqn5fGmB4cAmBiCt7DFbuP0UA5un 1gJQ==
X-Gm-Message-State: AKwxytc/sSjmC1zHCB6uMK2Wr2qQ9u0YANSauYligLXZ6ixxcbF0k7GM wmQb3jROUuv4K519+dkGH/QPa6ElursGhMZdAbIO+Q==
X-Google-Smtp-Source: AH8x2250xWdP4bLqwnAfG9oPMW9CTQ0qZYwJxlUMwraahdUHJyb1HO6kUJ2UeyVfbjJ5w60xOHdGlH2C4CMxCycNgyQ=
X-Received: by 10.13.226.194 with SMTP id l185mr872422ywe.47.1516673480815; Mon, 22 Jan 2018 18:11:20 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.160.201 with HTTP; Mon, 22 Jan 2018 18:10:40 -0800 (PST)
In-Reply-To: <39b6f692-ca0f-fd8c-f6af-3410f0e8387e@gmail.com>
References: <151656279222.3388.17356187412394517479.idtracker@ietfa.amsl.com> <85bba58c-e7ef-ce42-50a5-3ba83f2abba0@gmail.com> <CABcZeBNN1GFBZHo2kbvNKwbh1ehHaCcu4yOjz7cuEHcNGkxcxg@mail.gmail.com> <39b6f692-ca0f-fd8c-f6af-3410f0e8387e@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 22 Jan 2018 18:10:40 -0800
Message-ID: <CABcZeBOnYjOtitSpu9KEiDFb5AkV4iHe2da14X5N__qvdFg+sw@mail.gmail.com>
To: Tomek Mrugalski <tomasz.mrugalski@gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-dhc-rfc3315bis@ietf.org, Ralph Droms <rdroms.ietf@gmail.com>, dhc-chairs@ietf.org, dhcwg@ietf.org
Content-Type: multipart/alternative; boundary="001a114fc3d6108f4705636810ff"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/xE3fcvCKR3CFwjwMpncVtFiiotY>
Subject: Re: [dhcwg] Eric Rescorla's No Objection on draft-ietf-dhc-rfc3315bis-10: (with COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jan 2018 02:11:24 -0000

On Mon, Jan 22, 2018 at 5:07 PM, Tomek Mrugalski <tomasz.mrugalski@gmail.com
> wrote:

> On 01/23/18 01:25, Eric Rescorla wrote:
> > On Mon, Jan 22, 2018 at 4:14 PM, Tomek Mrugalski
> > <tomasz.mrugalski@gmail.com <mailto:tomasz.mrugalski@gmail.com>> wrote:
> >
> >     On 01/21/18 20:26, Eric Rescorla wrote:
> >     > Eric Rescorla has entered the following ballot position for
> >     > draft-ietf-dhc-rfc3315bis-10: No Objection
> >     Hi Eric,
> >
> >     Thank you for your review and your favourable ballot. See my answers
> >     below.
> >
> >     > ------------------------------------------------------------
> ----------
> >     > COMMENT:
> >     > ------------------------------------------------------------
> ----------
> >     >
> >     > Document: draft-ietf-dhc-rfc3315bis-10.txt
> >     >
>
> >     Anyway, this part of the spec hasn't changed in bis. It would be
> >     extremely difficult to make any changes as there are millions of
> devices
> >     that already use those DUID types.
> > Well, we could encourage people to move to a UUID type for sending, no?
> In many environments there is no standard way of getting the UUID. As an
> implementor of DHCPv6 client I have no idea how to check whether the
> hardware provides access to its UUID. Also, sysadmins like usage of LLT
> and LL, because it has MAC address in it. This is something they know
> and can read from the box or from the device itself. It's reasonable to
> ask a user "what's your mac address?" but it's much more tricky to ask
> "what's your uuid?" and expect to get a coherent answer.
>
> There may be privacy concerns, too. Once your phone discloses its UUID,
> it's much easier to track it and changing MAC address wouldn't help you
> at all. Devices using anonymity profile (RFC7844) must use LL type.
>
> I'm not saying that UUID is a bad type of DUID, just pointing out that
> it has its own issues. But does it matter that much? DUID is just a blob
> that must be unique and the server uses it to identify a client. If the
> DUID is of certain type, additional information about the client can be
> printed and that's about it.
>

I think you're misunderstanding me. What I am proposing is that you take the
DUID input values, hash them, and use them as input to a name-based
UUID: https://tools.ietf.org/rfcmarkup?doc=4122#section-4.3


>     > The description of how to actually do replay detection seems pretty
> >     > thin. Do you think more detail would be helpful here.
> >     It would. How about this text added to the end of Section 20.3:
> >
> >     "The client that receives a message with RDM field set to 0x00 MUST
> >     compare its replay detection field with the previous value sent by
> >     the same server. If this is the first time a client sees
> Authentication
> >     option sent by the server, it MUST record the replay detection value,
> >     but otherwise skip the replay detection check.
> >
> >     The servers that support reconfigure mechanism MUST ensure the replay
> >     detection value is retained after restarts. Failing to do that will
> >     cause the clients to refuse reconfigure messages sent by the server,
> >     effectively rendering the reconfigure mechanism useless."
> > This seems like it scales badly as you need to keep an infinite replay
> > list.
> Not at all, unless your client interacted with infinite number of
> servers and intends to visit them again. The server stores a single 64
> bit integer. Every time a packet is sent, that value is incremented. The
> client stores one value for every server it wants to continue
> communicating with. For great majority of cases this would be one
> server. For mobile clients that visited multiple locations and have the
> capability to retain the information to possibly resume operation in
> previous locations that would be a handful of servers at most.
>

It seems like you're assuming that the client can only have one outstanding
transaction with the server. Is that correct?

-Ekr



> What happens if you falsely declare something a replay?
> If you falsely declare something a replay (why would you do that?), the
> reconfigure packet is dropped by the client. The server will retransmit
> its reconfigure message with a higher value which hopefully be accepted
> by the client. If you somehow sabotage the client or trick it to believe
> that a very high value of replay detection was sent previously, it will
> continue to reject reconfigure messages. So you effectively disabled the
> reconfigure mechanism on that client, but it continues to operate and
> can still renew its configure, just after t1 timer, not immediately.
>
> Note that the replay detection is intended to be used with RKAP. So in
> principle you could perform an attack by sending a packet with high
> replay detection to confuse the client, but to do that you'd have to
> also put the correct HMAC-MD5 digest. Otherwise the client will discard
> your packet. If you have that ability, then you can do worse things than
> confuse client's notion of a replay value.
>
> There is a text about possibility of exploiting the reconfigure key
> mechanism to attack a client. Do you think we should extend it to also
> mention the replay attack?
>
> Tomek
>

v2.23.0 | Report a Bug | By Email