Re: [Hipsec] Benjamin Kaduk's No Objection on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)

Miika Komu <miika.komu@ericsson.com> Sun, 22 March 2020 16:57 UTC

Return-Path: <miika.komu@ericsson.com>
X-Original-To: hipsec@ietfa.amsl.com
Delivered-To: hipsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F199C3A086A; Sun, 22 Mar 2020 09:57:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.091
X-Spam-Level:
X-Spam-Status: No, score=-2.091 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, T_SPF_HELO_TEMPERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OWZcn-IjasfC; Sun, 22 Mar 2020 09:57:30 -0700 (PDT)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2060b.outbound.protection.outlook.com [IPv6:2a01:111:f400:7e1a::60b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C616C3A086C; Sun, 22 Mar 2020 09:57:29 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; =?utf-8?q?b=3DRLsER3MMJzgRI7xETR962To0qEkiBwjHjzpyEHEkks9X+ahDEZRCrlNpSYLw0?= =?utf-8?q?Xr+jjM8+1wWWE+yEtFsAQGZSAwpVMs10PhvimBLfJ9kWIywC+DdP00qSB86Af6s2o?= =?utf-8?q?y10EoODq7kJLZpQkMA2msT2Q7oSwbTOIBBIcaBMFNoq+wij6z0abCTbC+khVR2cJg?= =?utf-8?q?FJ7ITL9bNoSO4C66nZGhEFs8U08ZidFTP6ev4Nu/stUEpijTmqMKJ2JJ0tZPA2/8j?= =?utf-8?q?K7whGv8iwpQSrkMVKVZZSyCVho2Tk2NB5IlR8i0jehh8nwoS8mMsVXNZVr7HZHQfC?= =?utf-8?q?z0qsiw/OxoEcT6ffajdlQ=3D=3D?=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; =?utf-8?q?h=3DFrom=3ADate=3ASubject=3AMessage-ID=3ACont?= =?utf-8?q?ent-Type=3AMIME-Version=3AX-MS-Exchange-SenderADCheck=3B?= =?utf-8?q?bh=3D6lZQTXUdCEiIyEYqAi/WD3NoEpXNmxKnHOkSkqp94bU=3D=3B_b=3DaCS4Wv?= =?utf-8?q?3DOJQUygYxZGiRkXdedZTQyup0/yU9F+lLw//0wFbcDMgeK/phgd2SLxGiLN+qAni?= =?utf-8?q?rgNAgvQjxT7LP6slxJLyqOTy7ySEGzf/bkXJt4k3+wRrLA0+2dtShTkQWdJz7ItlE?= =?utf-8?q?BXH1SeLP8AdZguWKkbd0Jq2cFsXEWnmwuGToX3vI40weItFnVVUJCqFMMKc2iCEi/?= =?utf-8?q?W/ILXSCZ5Vyv5CSrseW/MrfF+lLpryeT5XgB8LQlK+JFFS5fX/68ahmpzan1PQsoD?= =?utf-8?q?Rk4ZuK9WaC/tjurguKZbEr5HisUkpn51FNFe8aj6VIMgWFxvYFnXl3uaPyYR7EuSt?= =?utf-8?q?jjTzMt+2D0w=3D=3D?=
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; =?utf-8?q?h=3DFrom=3ADate=3ASubject=3AMessage-ID=3AContent-Typ?= =?utf-8?q?e=3AMIME-Version=3AX-MS-Exchange-SenderADCheck=3B?= =?utf-8?q?bh=3D6lZQTXUdCEiIyEYqAi/WD3NoEpXNmxKnHOkSkqp94bU=3D=3B_b=3DLZ+xjE?= =?utf-8?q?dPbHIIb8D4PeTzlMOsNsy8wn7F/++ah1uYBmIh7M1C4ZeZhYyhH3CK6Latw8JGWTl?= =?utf-8?q?EofTyVEgCTspG3o8cE+3rrADsqn5C9MIRNzj4WKZNjfTTNoSDP/5MdAnEuqC1n4t3?= =?utf-8?q?tsqfUMS3dW1d28qqOqcCPCd5PcfCFm5nbOs=3D?=
Received: from AM0PR07MB3876.eurprd07.prod.outlook.com (52.134.81.144) by AM0PR07MB4019.eurprd07.prod.outlook.com (52.134.83.15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2835.12; Sun, 22 Mar 2020 16:57:27 +0000
Received: from AM0PR07MB3876.eurprd07.prod.outlook.com ([fe80::c93a:7b44:e182:cef6]) by AM0PR07MB3876.eurprd07.prod.outlook.com ([fe80::c93a:7b44:e182:cef6%6]) with mapi id 15.20.2856.003; Sun, 22 Mar 2020 16:57:27 +0000
From: Miika Komu <miika.komu@ericsson.com>
To: "kaduk@mit.edu" <kaduk@mit.edu>
CC: "draft-ietf-hip-native-nat-traversal@ietf.org" <draft-ietf-hip-native-nat-traversal@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "hip-chairs@ietf.org" <hip-chairs@ietf.org>, Gonzalo Camarillo <gonzalo.camarillo@ericsson.com>, "hipsec@ietf.org" <hipsec@ietf.org>
Thread-Topic: Benjamin Kaduk's No Objection on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)
Thread-Index: AQHT56bIW3pBexwvIU6mnAuiqBSniKglMLKAgAsbmgCAKLpTAA==
Date: Sun, 22 Mar 2020 16:57:27 +0000
Message-ID: <8f6fb915f35c890ae12b25ad3744bdea393ffe14.camel@ericsson.com>
References: <152587816145.3957.17385929656409014655.idtracker@ietfa.amsl.com> <83fe234a038ca40ab181523bbbe3e4eb253c9e06.camel@ericsson.com> <20200225190010.GB56312@kduck.mit.edu>
In-Reply-To: <20200225190010.GB56312@kduck.mit.edu>
Accept-Language: fi-FI, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Evolution 3.28.5-0ubuntu0.18.04.1
authentication-results: spf=none (sender IP is ) smtp.mailfrom=miika.komu@ericsson.com;
x-originating-ip: [88.148.205.35]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 35cca59a-82ca-4661-fea2-08d7ce821a00
x-ms-traffictypediagnostic: AM0PR07MB4019:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: =?utf-8?q?=3CAM0PR07MB4019945961696DB83D8ABCCEFCF?= =?utf-8?q?30=40AM0PR07MB4019=2Eeurprd07=2Eprod=2Eoutlook=2Ecom=3E?=
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0350D7A55D
x-forefront-antispam-report: SFV:NSPM; =?utf-8?q?SFS=3A=2810009020=29=284636?= =?utf-8?b?MDA5KSgzOTg2MDQwMDAwMikoMzQ2MDAyKSgxMzYwMDMpKDM5NjAwMykoMzc2?= =?utf-8?b?MDAyKSgzNjYwMDQpKDE5OTAwNCkoNDc4NjAwMDAxKSg2OTE2MDA5KSg5MTk1?= =?utf-8?q?6017=29=2876116006=29=286486002=29=2844832011=29=2871200400001=29?= =?utf-8?b?KDQzMjYwMDgpKDI2MTYwMDUpKDg5MzYwMDIpKDMxNjAwMikoOTY2MDA1KSg1NjYw?= =?utf-8?b?MzAwMDAyKSgxODYwMDMpKDg2MzYyMDAxKSgzNjc1NjAwMykoNjUwNjAwNyko?= =?utf-8?q?66446008=29=2866556008=29=2864756008=29=2826005=29=282906002=29?= =?utf-8?q?=288676002=29=286512007=29=2866476007=29=2866946007=29=2866574012?= =?utf-8?b?KSg1NDkwNjAwMykoODExNTYwMTQpKDgxMTY2MDA2KSg5OTEwNjAwMik7?= DIR:OUT; SFP:1101; SCL:1; SRVR:AM0PR07MB4019; H:AM0PR07MB3876.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: =?utf-8?q?SSZsGmTDhyLOXpgidg1E8TcUIjx+gVw?= =?utf-8?q?na+iJAZr6wxdjsK8ZmDrrdGx4HHk2hyQb502PC3nhmvPVpv6hwjNY92XPujLMhul0?= =?utf-8?q?j5n+6o5EmCPKyHHgDQSEi7D/fud9O8C05VX92Sh1/gGonll2YjdbC5pDDoGVVQxm6?= =?utf-8?q?smNMi2AijiGTo3DsYRHQoSdGLuvZKJ86JD7K7EOT2zqB9iMOTdqc53khPhYbSKNj/?= =?utf-8?q?LnCU2xE8FZrtux7lIXBiJRDExlGxND0dhvuz7le3we+05iwpPz7Oal6Ikr+S2x99x?= =?utf-8?q?msW8xzX2JJC/eRnSSDnb7AaBzf9Vw9ed11P2UGRo/Y3ngIsS0KZL/iKQoyf6VO8av?= =?utf-8?q?nhPfnSMgtkIyfff3HyUkmznjE7WL32y0o+ioWNh5mNACTM9cqDdeieD9xpMDpyDnF?= =?utf-8?q?FHHTmrTbN0cXPiYcYG/pggFWpjHoC3Ts0+QQEz/YweGp70ZfHT/H/lEoFC8BmV2DK?= =?utf-8?q?PjlfA/CwAiuiJD+swHV3Ab++96QCkkSnOmYRGyGeg5IeYfT3hNXSQBhy8fPyyCpM8?= =?utf-8?q?AceB7t5cBbUtCLvqTbJXZHN4q?=
x-ms-exchange-antispam-messagedata: =?utf-8?q?Qy3IzNy3/ZOUzUPg1yM3VSOcmvVvgO?= =?utf-8?q?PHKqibIg1x/UOWpkV798XpLiIoZNzKAL+TfH0W5jFkGdEkV2fOQTU+djM03lRRPh6?= =?utf-8?q?WfPw7vhvZKpp3liAR0ausmS49SrHgjqltC6zWASAdlBMUpG5aOBYqZA=3D=3D?=
Content-Type: text/plain; charset="utf-8"
Content-ID: <65E6F1592AF96D4AABD8ABE0ADA70A73@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 35cca59a-82ca-4661-fea2-08d7ce821a00
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Mar 2020 16:57:27.2208 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: =?utf-8?q?IX4PcncDhfSWSRRaT2RXG?= =?utf-8?q?oyDUFWYX5arzqfHVxCKWtdJT5y91nP+3mUE0fX528H9o0ZJngMM7BV+BZ2/lR8G3A?= =?utf-8?q?=3D=3D?=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR07MB4019
Archived-At: <https://mailarchive.ietf.org/arch/msg/hipsec/38L3_sKwOPIJs-otFUbelyzEwAo>
Subject: Re: [Hipsec] Benjamin Kaduk's No Objection on draft-ietf-hip-native-nat-traversal-28: (with COMMENT)
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/hipsec/>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Mar 2020 16:57:35 -0000

Hi Benjamin,

ti, 2020-02-25 kello 11:00 -0800, Benjamin Kaduk kirjoitti:

> > > [...]
> > > Some section-by-section comments follow.
> > > 
> > > Section 2
> > > 
> > >    Responder:
> > >       The Responder is the host that receives the I1 packet from
> > > the
> > >       Initiator.
> > > 
> > > Does this still hold if the message is misdelivered or an
> > > attacker
> > > is in the network?
> > 
> > If misdelivered, the HITs don't match and the receiver host drops
> > the
> > packet as documented in the base exchange specification in RFC7401
> 
> A well-behaved receiver host drops the packet; what if the host is
> under
> the control of an attacker?

let's say the recipient of I1 message is an attacker that does not have
the necessary private key (to generate the same destination HIT as in
the I1 message) but responds with an R1. The initiator receives the R1
and starts processing it:

a) Assuming the attacker just generated a random private + public key,
the source HIT of R1 does not match with destination HIT of I1, and the
Initiator just drops the message. It is worth noting that the Initiator
can also check the public key when it has been configured to it or
obtained from DNS (RFC8005).

b) Assuming the attacker has replayed an R1, this protected by R1
generation counter as documented in 
https://tools.ietf.org/html/rfc7401#section-4.1.4

This not really related to draft-ietf-hip-native-nat-traversal-28 but
the underlying protocol (RFC7401); do you still think something should
be mentioned?

> > > [...]
> > > Section 4.5
> > > 
> > >    In step 2, the Control Relay Server receives the I1
> > > packet.  If
> > > the
> > >    destination HIT belongs to a registered Responder, the Control
> > > Relay
> > >    Server processes the packet.
> > > 
> > > Do HIP participants register specifically as Responder/Initiator,
> > > or
> > > is this just that the entity that is Responder in this exchange,
> > > has
> > > registered at the Control Relay Server?
> > 
> > I think this is common confusion stemming from RFC8003 and  RFC8004
> > :)
> > 
> > Initiator just means the participant sending the I1 of the base
> > exchange, and responder is the participant receiving the I1 and
> > responding with an R1. And there are two base exchanges involved:
> > one
> > during registration and the other one where the actual NAT
> > traversal
> > procedures take place. Perhaps this clarifies the situation:
> > 
> > Base exchange 1: the registration (=base exchange with some extra
> > parameters) you have the following roles:
> > * Control Relay Client = Initiator1
> > * Control Relay Server = Responder1
> > 
> > Base exchange 2: during a base exchange via a HIP relay, the roles
> > are
> > as follows:
> > * Initiator2 = (for example a web browser connecting to a HIT of
> > Responder2)
> > * Control Relay Server = same as above (i.e. HIP message forwarder)
> > * Responder2 = (for example a web server)
> > 
> > (Note that the numbers 1-1 and 2-2 are coupled with each other)
> > 
> > After the second base echange, Initiator2 and Responder2 initiate
> > the
> > NAT traversal procedures with each other.
> > 
> > We have chosen to name the end-hosts just as "Initiator" and
> > "Responder" in this section because the registration is documented
> > in a
> > separate section. The terminology is aligned with RFC7401 but I can
> > understand your confusion :)
> 
> I don't think I'm actually confused, but I'm saying that if we talk
> about a
> "registered Responder", a reasonable reader might infer that there is
> some
> entity that has registered to be a Responder, which is not exactly
> what's
> going on -- there's an entity that has registered, and registration
> is
> needed in order to be a responder when behind a NAT, and it happens
> to be the
> responder this time.  But it is free to be an initiator for other
> exchanges
> without additional registration.

I hope this change resolves the ambiguity:

If the destination HIT belongs to a successfully registered Control
Relay Client (i.e., the host marked "Responder" in Figure 4), the
Control Relay Server processes the packet.

> > > [...]
> > > Section 6.1
> > > 
> > > The RFC 5770 text talks about TURN servers, but that's no longer
> > > applicable in this document (instead, Data Relay Sfrom an Control
> > > Data Server server.ervers are used to
> > > relay data in a similar usage).
> > 
> > fixed:
> > 
> > With such a legacy NAT, the only option left would be to use a
> > relayed
> > transport address from an *Control Relay Server* server.
> 
> The "fixed" version says "Control Relay" but I thought it was going
> to be
> "Data Relay"; you didn't explicitly tell me I was wrong about it, so
> please
> confirm one way or the other...
> 
> Thanks for the updates!

sorry, my bad, of course it should be Data Relay. Double fixed version
will be:

With such a legacy NAT, the only option left would be to use a relayed
transport address from an Data Relay Server.