IETF Logo Mail Archive

RE: [saag] security consideration of CGA and SSAS - I-D action : draft-rafiee-6man-ssas

Christian Huitema <huitema@microsoft.com> Thu, 21 March 2013 23:56 UTC

Return-Path: <huitema@microsoft.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C81721F8DDB; Thu, 21 Mar 2013 16:56:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.579
X-Spam-Level:
X-Spam-Status: No, score=-2.579 tagged_above=-999 required=5 tests=[AWL=0.020, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D5FxpYol89gz; Thu, 21 Mar 2013 16:56:29 -0700 (PDT)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2lp0211.outbound.protection.outlook.com [207.46.163.211]) by ietfa.amsl.com (Postfix) with ESMTP id 6071F21F8D8D; Thu, 21 Mar 2013 16:56:24 -0700 (PDT)
Received: from BY2FFO11FD028.protection.gbl (10.1.15.203) by BY2FFO11HUB012.protection.gbl (10.1.14.83) with Microsoft SMTP Server (TLS) id 15.0.651.3; Thu, 21 Mar 2013 23:56:21 +0000
Received: from TK5EX14MLTC103.redmond.corp.microsoft.com (131.107.125.37) by BY2FFO11FD028.mail.protection.outlook.com (10.1.15.217) with Microsoft SMTP Server (TLS) id 15.0.641.9 via Frontend Transport; Thu, 21 Mar 2013 23:56:21 +0000
Received: from TK5EX14MBXC273.redmond.corp.microsoft.com ([169.254.1.69]) by TK5EX14MLTC103.redmond.corp.microsoft.com ([157.54.79.174]) with mapi id 14.02.0318.003; Thu, 21 Mar 2013 23:56:20 +0000
From: Christian Huitema <huitema@microsoft.com>
To: Hosnieh Rafiee <ietf@rozanak.com>, 'Jari Arkko' <jari.arkko@piuha.net>
Subject: RE: [saag] security consideration of CGA and SSAS - I-D action : draft-rafiee-6man-ssas
Thread-Topic: [saag] security consideration of CGA and SSAS - I-D action : draft-rafiee-6man-ssas
Thread-Index: Ac4miO9wnDeN9z2TTPqHolB7zORLMAABYOmw
Date: Thu, 21 Mar 2013 23:56:20 +0000
Message-ID: <C91E67751B1EFF41B857DE2FE1F68ABA0BFD9B01@TK5EX14MBXC273.redmond.corp.microsoft.com>
References: <000001ce2688$fa38b070$eeaa1150$@rozanak.com>
In-Reply-To: <000001ce2688$fa38b070$eeaa1150$@rozanak.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.78]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(377454001)(199002)(189002)(13464002)(164054002)(46406002)(79102001)(44976002)(20776003)(56816002)(23726001)(53806001)(31966008)(54356001)(4396001)(47446002)(56776001)(51856001)(55846006)(74662001)(561944001)(69226001)(49866001)(47776003)(74502001)(76482001)(46102001)(77982001)(47736001)(47976001)(59766001)(66066001)(50466001)(54316002)(80022001)(16406001)(63696002)(65816001)(33656001)(50986001); DIR:OUT; SFP:; SCL:1; SRVR:BY2FFO11HUB012; H:TK5EX14MLTC103.redmond.corp.microsoft.com; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 0792DBEAD0
Cc: "ipv6@ietf.org" <ipv6@ietf.org>, 'Erik Nordmark' <nordmark@cisco.com>, 'Ray Hunter' <v6ops@globis.net>, "saag@ietf.org" <saag@ietf.org>, 'Santosh Chokhani' <SChokhani@cygnacom.com>, 'Jeffrey Hutzelman' <jhutz@cmu.edu>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2013 23:56:30 -0000

Hosnieh,

You should probably split your proposal in two parts: the proposal to replace CGA by just checking an extract of the address; and potential improvements to SEND that are independent of whether we use CGA or your direct comparison alternative. 

Your replacement of CGA works by copying some bits of the public key in the IID field, instead of using bits from a hash function. I think this is a really bad idea, since the number of bits that you can copy is limited. Your initial design copied just 48 bits; you could change that to 56 bits or maybe 62 bits in an improved design. Cracking the 48 bit version is trivial. Cracking the 62 bit version will take longer, but with Moore's law there will come a point in the future where this too will be easy to crack. In contrast, CGA implementations can simply in the future increment the SEC value for added robustness.

Your draft is making other contributions, such as added verification steps, or caching o results to prevent DOS attacks. These contributions could be used to improve SEND. It would be better to separate them from the debate about hash functions.

-- Christian




-----Original Message-----
From: Hosnieh Rafiee [mailto:ietf@rozanak.com] 
Sent: Thursday, March 21, 2013 4:08 PM
To: 'Jari Arkko'
Cc: 'Santosh Chokhani'; ipv6@ietf.org; saag@ietf.org; 'Ray Hunter'; Christian Huitema; 'Erik Nordmark'; zhou.sujing@zte.com.cn; 'Jeffrey Hutzelman'
Subject: RE: [saag] security consideration of CGA and SSAS - I-D action : draft-rafiee-6man-ssas

Jari,

> What changes from RFC 3972 to your draft in this high-level analysis?

The difference between my draft and that of RFC 3972 is that I make use of the public key in the IP address directly. Doing it the way I have explained in my draft eliminates the need for the use of those SHAx steps  because I believe the use of those steps does not lend itself to improved security. My reason for this opinion is that RFC 3972 can only prevent DAD attacks and not the other types of attacks. This attack can also be prevented by using CGA if we add this extra verification step (that of the node checking the public key of the sender to his own), otherwise RPKI would be used. This is the same procedure as outlined in my draft. So the security of both depends on the security of the public/ private keys. After a successful verification (which could have resulted from a fast relay attack) the attacker's link-layer address is included in a cache as a legitimate address, and if routing is based on the link-layer address,  then the node has no way of knowing that it was just a replay attack. Otherwise, the use of RPKI, where the node that has this IP address/or link layer is specified, would contain this public key. This is why, in this case, the keys' security is very important.

Thanks,
Hosnieh

-----Original Message-----
From: Jari Arkko [mailto:jari.arkko@piuha.net]
Sent: Thursday, March 21, 2013 10:56 PM
To: Hosnieh Rafiee
Cc: 'Jari Arkko'; 'Santosh Chokhani'; ipv6@ietf.org; saag@ietf.org; 'Ray Hunter'; 'Christian Huitema'; Erik Nordmark; zhou.sujing@zte.com.cn; 'Jeffrey Hutzelman'
Subject: Re: [saag] security consideration of CGA and SSAS - Ii-D action :
draft-rafiee-6man-ssas


Hosnieh,

> What is it that you don't understand. I will be happy to explain it to
you.

Thanks. I read the details, but I'm missing the big picture. I.e., some
effort is required from the owner to create an address. By repeating that
effort (2^59)/2 times, someone else is likely to hit the same key with a key
pair that he or she controls, and an attack can be launched. What changes
from RFC 3972 to your draft in this high-level analysis?

> There has been no resolution to the topic of the thread. 

Ok. Well that clarifies at least the state of the discussion. Thanks.

Jari

v2.23.0 | Report a Bug | By Email