[Hipsec] a review of ietf-hip-rfc5206-bis-10

Miika Komu <miika.komu@ericsson.com> Sun, 17 April 2016 20:27 UTC

Return-Path: <miika.komu@ericsson.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6C41012D806 for <hipsec@ietfa.amsl.com>; Sun, 17 Apr 2016 13:27:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.221
X-Spam-Level:
X-Spam-Status: No, score=-4.221 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TUiJOkL1pLy6 for <hipsec@ietfa.amsl.com>; Sun, 17 Apr 2016 13:27:19 -0700 (PDT)
Received: from sesbmg23.ericsson.net (sesbmg23.ericsson.net [193.180.251.37]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E8E912D771 for <hipsec@ietf.org>; Sun, 17 Apr 2016 13:27:18 -0700 (PDT)
X-AuditID: c1b4fb25-f79f26d00000327e-c1-5713f1a49bec
Received: from ESESSHC002.ericsson.se (Unknown_Domain [153.88.253.124]) by sesbmg23.ericsson.net (Symantec Mail Security) with SMTP id C7.85.12926.4A1F3175; Sun, 17 Apr 2016 22:27:16 +0200 (CEST)
Received: from [153.88.190.38] (153.88.183.153) by smtp.internal.ericsson.com (153.88.183.26) with Microsoft SMTP Server id 14.3.248.2; Sun, 17 Apr 2016 22:26:40 +0200
To: hip WG <hipsec@ietf.org>
From: Miika Komu <miika.komu@ericsson.com>
Organization: Ericsson AB
Message-ID: <5713F17F.1060405@ericsson.com>
Date: Sun, 17 Apr 2016 23:26:39 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="------------ms020506060408060302040805"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFrrLLMWRmVeSWpSXmKPExsUyM+Jvje6Sj8LhBusb9CymLprM7MDosWTJ T6YAxigum5TUnMyy1CJ9uwSujLMH57EWrO5krPi/aAFjA+PNki5GTg4JAROJ5taJ7BC2mMSF e+vZuhi5OIQEjjJKPDhxhx3CWc0ocXPxdhaQKhEBGYkNm16wgthsAloSq+5cZwaxhQV0JP5P WsYEYvMLSEpsaNgNFucV0JY4snQvI4jNIqAqcezMLjYQW1QgQuLJ3JOMEDWCEidnPmEBWcYs 0M0oMWH9H6DNHECbVSQuHguewMg3C0nZLGRlIAlmATOJeZsfMkPY2hLLFr6Gsq0lZvw6yAZh K0pM6X4IVW8q8froR0YI21hi2bq/bAsYOVYxihanFiflphsZ66UWZSYXF+fn6eWllmxiBAb0 wS2/VXcwXn7jeIhRgINRiYdX4Z1QuBBrYllxZe4hRhWgOY82rL7AKMWSl5+XqiTC+/O1cLgQ b0piZVVqUX58UWlOavEhRmkOFiVx3uzIf2FCAumJJanZqakFqUUwWSYOTqkGxpL+xB3XzOYm fk09oz8/k5tHO+Ok8+k3+kf6clar53Ck3Vntt2S2/VIWRvNLGuHJ1kejl55ZcmRym22XQ9Hm nxuMPRzW75kkN7cwttq5JEAw+Xljz+S/u/76VORNdJmTsXNVuwZ7c0Dl6alJDyfOimks9lzr HXzi1ucnLManvrRHn5dkmXL+lxJLcUaioRZzUXEiABwvRzBwAgAA
Archived-At: <http://mailarchive.ietf.org/arch/msg/hipsec/0bKkmDFWyTnhtK8w2UoAh8JATG0>
Subject: [Hipsec] a review of ietf-hip-rfc5206-bis-10
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Apr 2016 20:27:21 -0000

Hi,

I read through ietf-hip-rfc5206-bis-10, and it is in pretty good shape. 
Below are a few nits.

 > 3.1.  Operating Environment
 >
 > [...]
 >
 > Consider next a mobility event, in which a host moves to another IP
 > address.  Two things must occur in this case.  First, the peer must
 > be notified of the address change using a HIP UPDATE message.
 > Second, each host must change its local bindings at the HIP sublayer
 > (new IP addresses).  It may be that both the SPIs and IP addresses
 > are changed simultaneously in a single UPDATE; the protocol described
 > herein supports this.  However, elements of procedure to recover from

I think simultaneous mobility is covered as already mentioned in the intro?

 > 3.2.3.  Mobility messaging through rendezvous server
 >
 > 3.  A host receiving an UPDATE packet MUST be prepared to process the
 > FROM and RVS_HMAC parameters, and MUST include a VIA_RVS
 > parameter in the UPDATE reply that contains the ACK of the UPDATE
 > SEQ.

(I would add that the return routability test should be invoked to the
end-host's addresses rather than the ones in VIA_RVS)

 > 4.  This scenario requires that hosts using rendezvous servers also
 > take steps to update their current address bindings with their
 > rendezvous server upon a mobility event.
 > [I-D.ietf-hip-rfc5204-bis] does not specify how to update the
 > rendezvous server with a client host's new address.
 > [I-D.ietf-hip-rfc5203-bis] Section 3.2 describes how a host may
 > send a REG_REQUEST in either an I2 packet (if there is no active
 > association) or an UPDATE packet (if such association exists).

(Maybe this should have been actually step 0)

 > The procedures described in [I-D.ietf-hip-rfc5203-bis] for
 > sending a REG_REQUEST and REG_RESPONSE to the rendezvous server
 > apply also to this mobility scenario.

This was a bit vague, how?

 > 3.2.4.  Network Renumbering
 >
 > It is expected that IPv6 networks will be renumbered much more often
 > than most IPv4 networks.  From an end-host point of view, network
 > renumbering is similar to mobility.

...and?

 > 3.3.  Other Considerations
 >
 > 3.3.1.  Address Verification
 >
 > When a HIP host receives a set of locators from another HIP host in a
 > LOCATOR_SET, it does not necessarily know whether the other host is
 > actually reachable at the claimed addresses.  In fact, a malicious
 > peer host may be intentionally giving bogus addresses in order to
 > cause a packet flood towards the target addresses [RFC4225].
 > Therefore, the HIP host must first check that the peer is reachable
 > at the new address.
 >
 > An additional potential benefit of performing address verification is
 > to allow middleboxes in the network along the new path to obtain the
 > peer host's inbound SPI.
 >
 > Address verification is implemented by the challenger sending some
 > piece of unguessable information to the new address, and waiting for
 > some acknowledgment from the Responder that indicates reception of
 > the information at the new address.  This may include the exchange of
 > a nonce, or the generation of a new SPI and observation of data
 > arriving on the new SPI.

I suggest would move the second paragraph after the third one.

 > 3.3.2.  Credit-Based Authorization
 >
 > On this basis, rather than eliminating malicious packet redirection
 > in the first place, Credit-Based Authorization prevents
 > amplifications.  This is accomplished by limiting the data a host can
 > send to an unverified address of a peer by the data recently received
 > from that peer.  Redirection-based flooding attacks thus become less
 > attractive than, for example, pure direct flooding, where the
 > attacker itself sends bogus packets to the victim.

Reference section 5.6?

 > 4.3.  UPDATE Packet with Included LOCATOR_SET
 >
 > A number of combinations of parameters in an UPDATE packet are
 > possible (e.g., see Section 3.2).  In this document, procedures are
 > defined only for the case in which one LOCATOR_SET and one ESP_INFO
 > parameter is used in any HIP packet.  Furthermore, the LOCATOR_SET
 > SHOULD list all of the locators that are active on the HIP
 > association (including those on SAs not covered by the ESP_INFO
 > parameter).

What do you mean by "including those on SAs..."?

 > Any UPDATE packet that includes a LOCATOR_SET parameter
 > SHOULD include both an HMAC and a HIP_SIGNATURE parameter.

Please add a paragraph break here.

 > The UPDATE MAY also include a HOST_ID parameter (which may be useful for
 > middleboxes inspecting the HIP messages for the first time).  If the
 > UPDATE includes the HOST_ID parameter, the receiving host MUST verify
 > that the HOST_ID corresponds to the HOST_ID that was used to
 > establish the HIP association, and the HIP_SIGNATURE must verify with
 > the public key assodiated with this HOST_ID parameter.

assodiated -> associated

Please add a paragraph break here.

 > The relationship between the announced Locators and any ESP_INFO
 > parameters present in the packet is defined in Section 5.2.  This
 > draft does not support any elements of procedure for sending more
 > than one LOCATOR_SET or ESP_INFO parameter in a single UPDATE.

draft -> document

 > 5.4.  Verifying Address Reachability
 >
 > A host typically starts the address-verification procedure by sending
 > a nonce to the new address.  For example, when the host is changing
 > its SPI and sending an ESP_INFO to the peer, the NEW SPI value SHOULD
 > be random and the value MAY be copied into an ECHO_REQUEST sent in
 > the rekeying UPDATE.

(The copying is an implementation strategy)

 > However, if the host is not changing its SPI,
 > it MAY still use the ECHO_REQUEST parameter in an UPDATE message sent
 > to the new address.

For what?

 > 5.5.  Changing the Preferred Locator
 >
 > [...]
 >
 > 3.  If the peer host has not indicated a preference for any address,
 > then the host picks one of the peer's ACTIVE addresses randomly
 > or according to policy.  This case may arise if, for example,

local policy

 > 5.6.  Credit-Based Authorization
 >
 > To prevent redirection-based flooding attacks, the use of a Credit-
 > Based Authorization (CBA) approach is mandatory when a host sends
 > data to an UNVERIFIED locator.  The following algorithm meets the
 > security considerations for prevention of amplification and time-
 > shifting attacks.  Other forms of credit aging, and other values for
 > the CreditAgingFactor and CreditAgingInterval parameters in

mandatory or MUST?

 > 6.  Security Considerations
 >
 > In Section 6.1 and Section 6.2, we assume that all users are using
 > HIP.  In Section 6.3 we consider the security ramifications when we
 > have both HIP and non-HIP users.  Security considerations for Credit-
 > Based Authorization are discussed in [SIMPLE-CBA].

users -> hosts?

 > 6.1.  Impersonation Attacks
 >
 > An attacker wishing to impersonate another host will try to mislead
 > its victim into directly communicating with them, or carry out a man-
 > in-the-middle (MitM) attack between the victim and the victim's
 > desired communication peer.  Without mobility support, both attack
 > types are possible only if the attacker resides on the routing path
 > between its victim and the victim's desired communication peer, or if
 > the attacker tricks its victim into initiating the connection over an
 > incorrect routing path (e.g., by acting as a router or using spoofed
 > DNS entries).

Without HIP and its mobility support, ...

By the way, I didn't get why the lack of mobility support can lead
MiTM attacks?

 > The HIP extensions defined in this specification change the situation
 > in that they introduce an ability to redirect a connection (like
 > IPv6), both before and after establishment.  If no precautionary

like in IPv6 (why is this an issue for IPv6, btw?)

 > measures are taken, an attacker could misuse the redirection feature
 > to impersonate a victim's peer from any arbitrary location.  The
 > authentication and authorization mechanisms of the HIP base exchange
 > [RFC7401] and the signatures in the UPDATE message prevent this
 > attack.  Furthermore, ownership of a HIP association is securely
 > linked to a HIP HI/HIT.  If an attacker somehow uses a bug in the
 > implementation or weakness in some protocol to redirect a HIP

what protocol?

 > MitM attacks are always possible if the attacker is present during
 > the initial HIP base exchange and if the hosts do not authenticate
 > each other's identities.  However, once the opportunistic base

...once such an opportunistic...

 > exchange has taken place, even a MitM cannot steal the HIP connection
 > anymore because it is very difficult for an attacker to create an
 > UPDATE packet (or any HIP packet) that will be accepted as a
 > legitimate update.  UPDATE packets use HMAC and are signed.  Even
 > when an attacker can snoop packets to obtain the SPI and HIT/HI, they
 > still cannot forge an UPDATE packet without knowledge of the secret
 > keys.

Also, replay attacks are impossible because the HMAC keys are and
nonces echo_requests are new.

 > 6.2.1.  Flooding Attacks
 >
 >
 > An effective DoS strategy is distributed denial of service (DDoS).
 > Here, the attacker conventionally distributes some viral software to
 > as many nodes as possible.  Under the control of the attacker, the
 > infected nodes, or "zombies", jointly send packets to the victim.
 > With such an 'army', an attacker can take down even very high
 > bandwidth networks/victims.

zombies -> botnets

 > With the ability to redirect connections, an attacker could realize a
 > DDoS attack without having to distribute viral code.  Here, the
 > attacker initiates a large download from a server, and subsequently
 > redirects this download to its victim.

via HIP mobility UPDATE, right?

 > 6.2.2.  Memory/Computational-Exhaustion DoS Attacks
 >
 > We now consider whether or not the proposed extensions to HIP add any
 > new DoS attacks (consideration of DoS attacks using the base HIP
 > exchange and updates is discussed in [RFC7401]).  A simple attack is
 > to send many UPDATE packets containing many IP addresses that are not
 > flagged as preferred.  The attacker continues to send such packets
 > until the number of IP addresses associated with the attacker's HI
 > crashes the system.  Therefore, there SHOULD be a limit to the number
 > of IP addresses that can be associated with any HI.

where there?

 > A central server that has to deal with a large number of mobile
 > clients may consider increasing the SA lifetimes to try to slow down
 > the rate of rekeying UPDATEs or increasing the cookie difficulty to
 > slow down the rate of attack-oriented connections.

may or MAY?

 > 6.3.  Mixed Deployment Environment
 >
 > We now assume an environment with both HIP and non-HIP aware hosts.
 > Four cases exist.
 >
 > 4.  A HIP host attempts to steal a non-HIP host's session.  A HIP
 > host could spoof the non-HIP host's IP address during the base
 > exchange or set the non-HIP host's IP address as its preferred
 > address via an UPDATE.  Other possibilities exist, but a simple
 > solution is to prevent the use of HIP address check information
 > to influence non-HIP sessions.

er... how?