Re: [Gen-art] Gen-ART LC Review of draft-ietf-dhc-forcerenew-nonce-03

Ben Campbell <ben@nostrum.com> Mon, 13 February 2012 20:37 UTC

Return-Path: <ben@nostrum.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0878A21E802A; Mon, 13 Feb 2012 12:37:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.512
X-Spam-Level:
X-Spam-Status: No, score=-102.512 tagged_above=-999 required=5 tests=[AWL=0.088, BAYES_00=-2.599, SPF_PASS=-0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qTR9jmPo2784; Mon, 13 Feb 2012 12:37:15 -0800 (PST)
Received: from nostrum.com (nostrum-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:267::2]) by ietfa.amsl.com (Postfix) with ESMTP id 049A221E8029; Mon, 13 Feb 2012 12:37:14 -0800 (PST)
Received: from dn3-53.estacado.net (vicuna-alt.estacado.net [75.53.54.121]) (authenticated bits=0) by nostrum.com (8.14.3/8.14.3) with ESMTP id q1DKbCd5031086 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Mon, 13 Feb 2012 14:37:13 -0600 (CST) (envelope-from ben@nostrum.com)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: text/plain; charset=iso-8859-1
From: Ben Campbell <ben@nostrum.com>
In-Reply-To: <282BBE8A501E1F4DA9C775F964BB21FE3EC1467FB2@GRFMBX704BA020.griffon.local>
Date: Mon, 13 Feb 2012 14:37:26 -0600
Content-Transfer-Encoding: quoted-printable
Message-Id: <7A76A706-9B9C-4911-A4E6-AEC187385557@nostrum.com>
References: <A57C4722-5E13-451E-ACB4-CAA8064FA68B@nostrum.com> <282BBE8A501E1F4DA9C775F964BB21FE3EC1467FB2@GRFMBX704BA020.griffon.local>
To: Maglione Roberta <roberta.maglione@telecomitalia.it>
X-Mailer: Apple Mail (2.1257)
Received-SPF: pass (nostrum.com: 75.53.54.121 is authenticated by a trusted mechanism)
Cc: "'Henderickx, Wim \(Wim\)'" <wim.henderickx@alcatel-lucent.com>, "gen-art@ietf.org Review Team" <gen-art@ietf.org>, Ullio Mario <mario.ullio@telecomitalia.it>, "draft-ietf-dhc-forcerenew-nonce.all@tools.ietf.org" <draft-ietf-dhc-forcerenew-nonce.all@tools.ietf.org>, The IETF <ietf@ietf.org>
Subject: Re: [Gen-art] Gen-ART LC Review of draft-ietf-dhc-forcerenew-nonce-03
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Feb 2012 20:37:16 -0000

Hi, thanks for the response. See additional comments inline. (I removed sections for which no further comment seems necessary)

On Feb 10, 2012, at 7:52 AM, Maglione Roberta wrote:

[...]

> 
> -- I admit to not being a DHCP expert, but If I understand this draft correctly, it proposes to send what is effectively a secret-key in a DHCPACK request, then use that key to authenticate a force renew message. It seems like any eavesdropper could sniff that key, and use it to spoof force renew requests. The introduction mentions that there may be some environments where the use of RFC3118 authentication could be relaxed, and offers an example of such an environment. But nowhere does this draft appear to be limited in scope to such environments.
> 
> [RM] The intention is to use this method only for environments with native security mechanisms, such as the Broadband Access network. You are right it is not clearly said in the document I can add the following sentence at the end of the introduction in order to clarify this point:
> 
> "This   mechanism is intended to be use in networks that already have native security mechanisms that provide sufficient protection against
> spoofing of DHCP traffic."

That helps, although I would suggest an additional sentence mentioning the specific risk in using it in environments without sufficient protection. I note, however, that Ted objected to this in a separate email--I will reply there as well.

> 
> 
> I think some additional text in (perhaps in the security considerations) is needed to explain either why the vulnerability to eavesdroppers is either okay in general, or limits the mechanism's use to environment where it is okay. It also seems like that, in the best case, this mechanism proves only that a Forcerenew request comes from the same DHCP server as in the original transaction, but otherwise does not prove anything about the identity of that server. If so, it would be worth mentioning it.
> 
> [RM] That's correct this mechanism only proves only that a Forcerenew request comes from the same DHCP server: let me say this is a trade off between the total security provided by RFC 3118 and no security at all. In addition this method relays on the same mechanism already used for DHCPv6 Reconfigure message

Understood, and your suggested text from the previous comment mitigates this a bit. It would help to include text describing exactly what security properties you expect from the mechanism. (e.g. Proving (with limitations) that Forcerenew requests come from the same server as the original transaction response, etc.)

> 
> -- The mechanism appears to be limited to HMAC-MD5, and there does not appear to be any way of selecting other algorithms. Is HMAC-MD5 really sufficient as the only choice? Is there some expectation that stronger mechanisms or algorithm extensibility would be too expensive? (Perhaps the extensibility method would be to specify another mechanism that's identical except for a different HMAC algorithm. But if that's the intent it should be mentioned.)
> [RM] This is because this mechanism relays on the authentication protocol defined in section 21.5 of RFC 3315 for DHCPv6 Reconfigure and there HMAC-MD5 is used.

RFC 3315 was published in 2003. I'm not sure the general impression of HMACMD5 is the same now as it was in 2003. For example, http://www.ietf.org/mail-archive/web/cfrg/current/msg01197.html . I'm willing to accept that HMACMD5 is perfectly okay for this application, but it would be good to document more motivation than the fact it was used in 3315. If 3315 was being written today, would they use it? Is matching 3315 an important goal? I'm more interested in whether HMACMD5 is adequate for this particular use case based on today's knowledge about possible vulnerabilities or operational issues.

[I mentioned in my original review that I think this draft should get a SecDir review. They could certainly access whether hmacmd5 is an issue better than I can.]

> 
> *** Minor issues:
> 

[...]

> 
> -- section 3.1.3, 2nd paragraph: "The server SHOULD NOT include this option unless the client has indicated its capability in a DHCP Discovery message."
> 
> Why not; what harm would it do? And on the other hand, if you want to discourage it, why not go all the way to "MUST NOT"?
> 
> [RM] For backward compatibility: if the client did not indicate its capability for this feature it means it is a legacy client and it does not support it, so the server should not send the nonce to this client

The text is not talking about sending the nonce--it's talking about sending the FORCERENEW_NONCE_CAPABLE option. Unless I read it wrong, it is saying the server SHOULD not advertise support unless the client has already indicated support.

> 
> -- section 3.1.3, 5th paragraph: "...  computes an HMAC-MD5 of the Forcerenew message using the Forcerenew nonce ."
> 
> Using it how? Is it the secret key for the HMAC calculation? (If so, why aren't we calling it a "key" in the first place?)
> [RM] based on the procedure specified in section 21.5 of RFC 3315

It would help to say that in the text.

[...]

> 
> 
> -- section 3.1.4, 4th paragraph: ".
> the client computes an HMAC-MD5 over the DHCP Forcerenew message, using the Forcerenew Nonce ."
> 
> Using it how?
> [RM] based on the procedure specified in section 21.5 of RFC 3315
> 

It would help to say that in the text.

> -- section 6:
> 
> You mention this mechanism is vulnerable to MiTM attacks. Why is this okay? Are there some environments where it is good enough and others where it is not? (Also, do they really need to be MitM attackers? Seems like any eavesdropper could learn the nonce.)
> 

You did not address this in your response. I think the "why is this okay" part is probably covered by other discussion, but the "do they really need to be MitM" question remains.


[...]