RE: [v6ops] [EXTERNAL] Re: Improving ND security

[Vasilenko Eduard <vasilenko.eduard@huawei.com>]

Hi Pascal,
I believe that you are a little misleading audience on SeND.

Yes, they did something terrible: they have invented their own crypto algorithm for Interface ID generation.
It is something like HMAC: based on “proof of work”. It is a some sort of signature, but weak and expensive (a lot of computations). Yet could be simple -  complexity regulated by special 3 bits.
Good security rule has been broken: never ever develop your own crypto algorithm! One should have very good reasons to do it. Even more, never develop crypto protocol. Remember how many vulnerabilities have been found in SSL or TLS on the protocol level.
When I was reading about this requirement that bits should be 0 – it reminded me block chain☺ Is Satoshi Nakamoto was behind this 0 version of block chain?

HMAC-like is the big computation burden for any processor. It is really “killing application” for IoT. Literally “killing”.

I was not capable to understand why it has been done for SeND. Why it was not acceptable to generate Interface ID in typical way?
Why in principle we need “Cryptographically Generated Addresses”?!?

I was really laughing when I have read this justification in SeND: “second signature algorithm is only necessary as a recovery mechanism, in case a flaw is found in RSA”

But what if a flaw would be found in 2nd mechanism – may be 3rd mechanism would be needed? Why 2nd mechanism (CGA) is so miserable from cryptographic point of view (low protection, high computation)?

After this jumping around proprietary HMAC (in IID),

Normal Private key of RSA is used over whole packet – it is real protection. Look to very small section 6 of RFC 3972 (CGA).
Pascal, protection is strong, but real assurance is given from RSA, not from this simplified HMAC that everybody would probably keep on minimal level of complexity (as you said).

IMHO: CGA part of SeND should be just discarded as redundant. It is exactly what Pascal did in his draft that he is promoting here.

I agree that SeND have seen dinosaurs. Zero chances that it would be accepted by the market.

Eduard
From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Pascal Thubert (pthubert)
Sent: 5 августа 2020 г. 8:35
To: Fernando Gont <fernando@gont.com.ar>
Cc: 6man <ipv6@ietf.org>; v6ops list <v6ops@ietf.org>
Subject: Re: [v6ops] [EXTERNAL] Re: Improving ND security

I agree that a valuable ND security should not only protect address ownership but also provide SAVi, which send does not.

SeND has to protect distributed stateless address claim so they decided to embed the proof of ownership in the address. This limits the size of the security proof to 64 bits which is far from sufficient. So CGA added those 3 bits that optionally make the computational cost more cumbersome. Nobody uses that so the protection is low. Very powerful devices could potentially do that but smaller devices will be left with little protection and hardship to form new addresses.

In a stateful architecture the proof of ownership can be separated from the address and made bigger. It is stored in the infrastructure together with the address on the first come. A same proof can be used for multiple addresses (and obfuscated with rehashing) so it does not affect privacy addressing.

https://datatracker.ietf.org/doc/draft-ietf-6lo-ap-nd/ Is sitting in the rfc editor queue and soon on the shelf. It does all the above. SAVI. Proof of ownership. But it only works for addresses that are registered through rfc 8505, which makes ND proactive/stateful.
All the best,

Pascal


Le 5 août 2020 à 01:41, Fernando Gont <fernando@gont.com.ar<mailto:fernando@gont.com.ar>> a écrit :
Hi, Fred,

On 3/8/20 16:55, Templin (US), Fred L wrote:
[....]


That is fine; we can accommodate CGAs in OMNI, cumbersome as they are.
I have this on my TODO list for after the adoption call.

Why "cumbersome"?
I realize the addresses are cryptographically-generated, which implies a security property
which is good. But, they would not be the primary link-local addresses that neighbor
nodes will know each other by - the CGAs will be found in the IPv6 ND message source
and destination addresses, while the primary addresses will be carried in an additional
IPv6 encapsulation header and would be the addresses that the NCEs are indexed by.

Not sure what you mean...




So, all the CGAs really are is placeholders in the IPv6 header to run security checks over.
They need not even be checked for uniqueness on the link, because it is the primary
addresses and not the CGAs which need to be maintained as unique.

The point of CGAs is that in order for you to ND-answer for PREFIX:IID, you need to have the key identified by "IID". So, assuming /64s, you'd need to be lucky to, given a CGA (PREFIX:IID), generate a key-pair where the public key is identified by "IID".




But then, RFC4380 offers a “poor-man’s” alternative to SEND/CGA. It
places a message authentication code in the encapsulation headers of IPv6 ND messages so
that the messages can pass a rudimentary authentication check.

You mean the Teredo spec? If so, I don't think it includes any sort of
poor-man's SEND-CGA.

It provides for message authentication,

But what's special about SEND/CGAs is that they tie the address to a key...
OK, that sounds good. So, we like that property but AFAICT that is about all the
CGA is good for in my application.

The thing is that, while in theory you could *theoretically* extend the use of CGAs as a spoofing mitigation, in the context of SEND CGAs are just employed for mitigating ND attacks... and that's kind a lot of effort for mitigating something that we have learned to live_with/mitigate in IPv4 in simpler ways.

i.e., I find SEND smart... but, in the bigger picture, not very compelling to deploy.


[...]

The usage we have for OMNI is that of an Internet-based Client sending an
authenticated, encapsulated, unicast RS message to an Internet-based Server
which then must authenticate the message.

Depends on what you mean by "authenticated". CGAs prove that the node that sends the packet is the owner of the address. Not more than that.

That's different than authenticating the client.

Similarly, you could authenticate the client, but that wouldn't mean that a client is the owner of a given address.





So someone with
security experience please help me out here – is RFC4380 authentication an acceptably
secure  replacement for SEND/CGA that might be easier to work with and less
cumbersome?

Nope. Tee point of CGAs is that they allow you to prove address
ownership. There's nothing in RFC4380 that provides the same or similar
functionality.

Why do we have to prove address ownership

Well, that's one of the goals of SEND/CGAs. :-)


and use a whacky address format like CGA?

The *address format* is not really whacky. At the end of the day, it's a
random number, with the specific property that it's part of the hash of
a public key.

looking at a CGA, you probably wouldn't be able to tell CGA from RFC7217.
[...]

I think if you look inside the IPv6 ND message and find a CG option you can
infer that the address in the IPv6 header is a CGA.

Yep... but CGA != CGA option.

Thanks,
--
Fernando Gont
e-mail: fernando@gont.com.ar<mailto:fernando@gont.com.ar> || fgont@si6networks.com<mailto:fgont@si6networks.com>
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1