IETF Logo Mail Archive

Re: [Gen-art] Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt

Paul Kyzivat <pkyzivat@alum.mit.edu> Tue, 07 July 2015 18:11 UTC

Return-Path: <pkyzivat@alum.mit.edu>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A598B1A00ED for <gen-art@ietfa.amsl.com>; Tue, 7 Jul 2015 11:11:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.235
X-Spam-Level:
X-Spam-Status: No, score=-1.235 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_SOFTFAIL=0.665] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z2PnDnz3Ock7 for <gen-art@ietfa.amsl.com>; Tue, 7 Jul 2015 11:11:03 -0700 (PDT)
Received: from resqmta-ch2-09v.sys.comcast.net (resqmta-ch2-09v.sys.comcast.net [IPv6:2001:558:fe21:29:69:252:207:41]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F8541A013B for <gen-art@ietf.org>; Tue, 7 Jul 2015 11:11:03 -0700 (PDT)
Received: from resomta-ch2-11v.sys.comcast.net ([69.252.207.107]) by resqmta-ch2-09v.sys.comcast.net with comcast id pWAi1q0082Ka2Q501WB22a; Tue, 07 Jul 2015 18:11:02 +0000
Received: from Paul-Kyzivats-MacBook-Pro.local ([50.138.229.151]) by resomta-ch2-11v.sys.comcast.net with comcast id pWB01q00k3Ge9ey01WB1cc; Tue, 07 Jul 2015 18:11:02 +0000
Message-ID: <559C1633.10700@alum.mit.edu>
Date: Tue, 07 Jul 2015 14:10:59 -0400
From: Paul Kyzivat <pkyzivat@alum.mit.edu>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Sam Hartman <hartmans@painless-security.com>
References: <20150703040329.26422.22765.idtracker@ietfa.amsl.com> <913383AAA69FF945B8F946018B75898A478836EC@xmb-rcd-x10.cisco.com> <5599A773.40701@alum.mit.edu> <913383AAA69FF945B8F946018B75898A478868AF@xmb-rcd-x10.cisco.com> <559BE75E.9010904@alum.mit.edu> <tslh9pgng78.fsf@mit.edu>
In-Reply-To: <tslh9pgng78.fsf@mit.edu>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=comcast.net; s=q20140121; t=1436292662; bh=IgisRopnWBxO8Igm2cuwWNyQOiYNjiGVjhDvNsOD/b8=; h=Received:Received:Message-ID:Date:From:MIME-Version:To:Subject: Content-Type; b=VzFzx4yut32Kp7lEjaehcb8OJb9/7/d6iqZKD49w1fXcN/PJtShjWxuX+zahaYqe0 Ijh/QcZijcEWDEAbLJhnoDlrxvKdaCD0AYjo9cV9GC4C6KiDArhI+Uur7y/Juh9iTZ TQ6WQTmQBpfS2LhXcigxKQMwZkHZlBPFTpU/AJ0HLZYnOSYTa1jLZO5DNRXc00iC8k GZJRb9oui3RYoEgzto89uhKyLJ8pOUSeqKctydMbHrX50eBuj2MtHdDvY9aN9nrpC5 5aFWKAQ9EJh0+Fr9ljyziLFOdhsKnVE2iOhgNm0y0MpiaDAKSwV4U9cn+Z20r1AU5z /z8TZYG2EOiZg==
Archived-At: <http://mailarchive.ietf.org/arch/msg/gen-art/BwUggN6DUUesNWy_on7MPRHDT0A>
Cc: General Area Review Team <gen-art@ietf.org>, "Tirumaleswar Reddy (tireddy)" <tireddy@cisco.com>, "draft-ietf-pcp-authentication.all@tools.ietf.org" <draft-ietf-pcp-authentication.all@tools.ietf.org>
Subject: Re: [Gen-art] Gen-ART Telechat review of draft-ietf-pcp-authentication-13.txt
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jul 2015 18:11:08 -0000

Hi Sam,

On 7/7/15 11:24 AM, Sam Hartman wrote:
>>>>>> "Paul" == Paul Kyzivat <pkyzivat@alum.mit.edu> writes:
>
>      Paul> Do you agree with this conclusion? If not, please explain why
>      Paul> you think my logic is wrong.
>
> I partially agree with your conclusion.
> I agree that we need a mechanism to resynchronize state, and I agree
> that unsolicited announces aren't really good enough.
>
> I think it's highly undesirable to permit some requests over a
> five-tuple to be authenticated and some to not be authenticated.

I had no a priori understanding of what the thinking was on this. I was 
going only be what I could learn by reading the document, and wasn't 
able to discern the intent from the document.

So I at least make a plea that the document be clarified so that future 
readers will understand the intended use model.

> You seem to be thinking of authentication as something that tends to
> benefit the server.
> In some deployments that's certainly true.
> However, the client may gain significant benefit from:
>
> * Gaining integrity protection over its communications
>
> * Preventing third-parties from disrupting state it establishes.

Sure. That is certainly an argument for *allowing* all PCP requests to 
be sent over the PA session once one has been established.

> So, for these reasons, I think it's very important that once a session
> is established, only authenticated requests be accepted over that
> five-tuple.

I looked at the Advanced Threat Model of RFC6887. And I see some cases 
(e.g. "Any implementation that wants to be more permissive in 
authorizing explicit mappings than it is in authorizing implicit 
mappings") where a mixed model might make sense. In particular that 
query/manipulation of implicit mappings (or mappings that would be 
allowed implicitly) might not require authentication, while some or all 
explicit mappings that wouldn't be allowed implicitly require 
authentication.

In that case, authentication might never happen until the client 
requires one of the explicit mappings. It may be that user intervention 
is required for authentication to succeed, so it is undesirable to force 
it before it is needed.

Of course this is still compatible with requiring all PCP messages 
(except re-authentication) to go over the PA session once one has been 
established.

> In addition, I think it's desirable that once a session is established,
> a client be expected to re-authenticate if session state is lost, *not*
> to send requests and let the server force re-authentication.

IIUC, when a client is first started it may not know if authentication 
will be required. Rather it may learn that only by being forced by the 
server to authenticate. If it then reboots, losing its PA SA state, it 
will be back in the same position it was initially. Else you will be 
forcing it to maintain persistent state across reboots.

Surely if it *knows* it can preemptively authenticate. But if it doesn't 
know then things should still work.

> However, I do agree with you that we need a mechanism for the server to
> indicate that it has lost state.
> That's only a hint to the client.  Since that indication will not be
> integrity-protected, it may be sent by an attacker.
> A client MAY disregard it, for example if the client suspects a DOS
> attack.  Generally, though a client SHOULD try and re-authenticate,
> discarding the session state only when re-authentication is successful.

Re-authentication requires the client and server to both have the prior 
session state. So that path won't work in cases where one has forgotten 
the state.

> To get this right, it sounds like we need to:
>
> * Describe how the server indicates session state lost

Also what the client does if *it* has lost state (while noting that it 
may not *know* it has lost state as a result of rebooting)

> * Describe what clients do if the client is starting re-authentication
>    but gets a response under the old session.  Presumably this is an
>    indication that an attacker is trying to force re-authentication.

I think we have a terminology issue here. The term "re-authentication" 
has at least two meanings:

1) as currently defined in the document. Doing a new EAP authentication 
under the protection of the prior one, preserving the session id.

2) doing a new EAP authentication when there is no prior PA session, or 
when client or server has no info about it.

I think you must here be using meaning (2).

It would be possible to restructure things so that there is no 
distinction - that the two are handled identically. But I guess there is 
some benefit to using (1) when possible.

> * Describe sufficient server behavior for what our client behavior is to
>    work out well.  That is, if we say that when a client gains evidence
>    the server actually does still have the session, we abandon the
>    re-authentication, we need to make sure servers are still maintaining
>    session state.

Yes.

It is actually hard to describe exactly what is needed in this context. 
Everything needs to hang together consistently and that depends on the 
details.

	Thanks,
	Paul

v2.23.0 | Report a Bug | By Email