IETF Logo Mail Archive

Re: [rfc2461bis issue 252] Security considerations issues

"James Kempf" <kempf@docomolabs-usa.com> Wed, 11 February 2004 16:50 UTC

Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA09037 for <ipv6-archive@odin.ietf.org>; Wed, 11 Feb 2004 11:50:15 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AqxYX-0007AZ-Hu for ipv6-archive@odin.ietf.org; Wed, 11 Feb 2004 11:49:47 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i1BGnjHg027555 for ipv6-archive@odin.ietf.org; Wed, 11 Feb 2004 11:49:45 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AqxYX-0007AM-Bx for ipv6-web-archive@optimus.ietf.org; Wed, 11 Feb 2004 11:49:45 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA09015 for <ipv6-web-archive@ietf.org>; Wed, 11 Feb 2004 11:49:42 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AqxYW-0001L6-00 for ipv6-web-archive@ietf.org; Wed, 11 Feb 2004 11:49:44 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1AqxXc-0001G2-00 for ipv6-web-archive@ietf.org; Wed, 11 Feb 2004 11:48:49 -0500
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1AqxXP-0001Au-00 for ipv6-web-archive@ietf.org; Wed, 11 Feb 2004 11:48:35 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AqxWs-0006s3-3I; Wed, 11 Feb 2004 11:48:02 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AqxWf-0006qb-Ji for ipv6@optimus.ietf.org; Wed, 11 Feb 2004 11:47:49 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA08929 for <ipv6@ietf.org>; Wed, 11 Feb 2004 11:47:47 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1AqxWe-00019d-00 for ipv6@ietf.org; Wed, 11 Feb 2004 11:47:48 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1AqxVk-00013p-00 for ipv6@ietf.org; Wed, 11 Feb 2004 11:46:53 -0500
Received: from key1.docomolabs-usa.com ([216.98.102.225] helo=fridge.docomolabs-usa.com ident=fwuser) by ietf-mx with esmtp (Exim 4.12) id 1AqxUx-0000xt-00 for ipv6@ietf.org; Wed, 11 Feb 2004 11:46:03 -0500
Message-ID: <009801c3f0be$9953e310$936015ac@dclkempt40>
From: James Kempf <kempf@docomolabs-usa.com>
To: Soliman Hesham <H.Soliman@flarion.com>, ipv6@ietf.org
References: <9E3BA3946476AD4EB94672712B12A85F042127@ftmail.lab.flarion.com>
Subject: Re: [rfc2461bis issue 252] Security considerations issues
Date: Wed, 11 Feb 2004 08:46:26 -0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit
Sender: ipv6-admin@ietf.org
Errors-To: ipv6-admin@ietf.org
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Id: IP Version 6 Working Group (ipv6) <ipv6.ietf.org>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.1 required=5.0 tests=AWL autolearn=no version=2.60
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: 7bit

Hi Hesham,

Comments embedded.

> - explain context in which IPSec can be used to secure NDP messages.
> This should include a reference to the SEND work.
>
> - Expand Security Considerations section to discuss more security
> threats defined in draft-ietf-send-psreq-xx.txt.
>
> - Need more elaborate discussion on manual vs. dynamic keying.
>
> I'm currently doing the following:
>
> 1. Adding a new section (3.2) before the message formats
> to briefly explain that security is outside the scope of
> this doc and refer to SEND work. It also explains when IPsec
> can be used.
>

I think it might be wise to discuss whether the document should continue to
recommend IPsec with the Security ADs and get some input from the community
and the security directorate. draft-arkko-manual-icmpv6-sas-01.txt outlines
some scalability problems with IPsec, even if manual keying is used, as you
mention below. There is a potential deployment issue as to what constitutes
a "small" network and at what point the network hits the scalability barrier
when the network provider will have to completely reconfigure their network
and turn SEND on. I'm not sure whether it makes sense to recommend manual
keying for small networks when SEND would work as well and wouldn't require
a flag day reconfigure if the network grew too large. Also, manual keying
doesn't make sense for zeroconf networks, because it isn't zeroconf. The ND
part of SEND could be used for disconnected zeroconf networks, and the
router part could too if the host came preconfigured with a collection of
cert trust anchors.

> 2. Remove the "AH" sections included under the message formats.
> They're not wrong per se, but they give the impression that
> IPsec is always possible. Any objections to this step?
>
> 3. Remove the IPsec checks in the sections describing the
> validation of various ND messages.
>
> 4. Rewrite most of section 11.
>

These look OK.

> Here is section 3.2 so far:
>
> 3.2 Securing Neighbor Discovery messages
>
> "Neighbor Discovery messages are needed for various functions. Several
> functions are designed to allow hosts to ascertain the ownership of an
> address or the mapping between link layer and IP layer addresses. Having
> Neighbor Discovery functions on the ICMP layer allows for the use of IP
> layer security mechanisms, which are available independently of the
> availability of security on the link layer.
>

I would say "requires the use of IP layer", since if the user chooses to use
security in ND, they must use IP layer security.

> In order to allow for IP layer security, a mechanism is required to allow
> for dynamic keying between neighbors. The use of the Internet Key Exchange
> [IKE] is not suited for creating dynamic security associations that can be
> used to secure address resolution or neighbor solicitation messages as
> documented in [ICMPIKE]. The security of Neighbor Discovery messages
through
> dynamic keying is outside the scope of this document and is addressed in
> [SEND].
>
> In some cases, it may be acceptable to use statically configured security
> associations with either [IPv6-AH] or [IPv6-ESP] to secure Neighbor
> Discovery messages. However, it is important to note that statically
> configured security associations are not scalable (especially when
> considering multicast links) and are therefore limited to small networks
> with known hosts."
>

Reads well.

If there is support for completely deprecating IPsec for ND, I'd suggest
adding that instead.

> Informative references:
>
> [ICMPIKE]Arkko, J., "Effects of ICMPv6 on IKE",
>          draft-arkko-icmpv6-ike-effects-02 (work in progress), March
>          2003.
>
>          Arkko, J., "Manual Configuration of Security Associations for
>          IPv6 Neighbor  Discovery", draft-arkko-manual-icmpv6-sas-02
>          (work in progress), March 2003.
>
> Section 11 is too long to send. I'm interested to know if the
> above steps are ok with everyone.
>

I assume you will also put a reference to draft-send-ndopts (to be changed
into the RFC when it passes IESG review) in the normative references
section?

            jak


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email