RE: AERO/OMNI dropping support for SEND/CGA

Vasilenko Eduard <vasilenko.eduard@huawei.com> Tue, 01 December 2020 11:27 UTC

From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
CC: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>, "ipv6@ietf.org" <ipv6@ietf.org>
Subject: RE: AERO/OMNI dropping support for SEND/CGA
Thread-Topic: AERO/OMNI dropping support for SEND/CGA
Thread-Index: AdbHZPpW7fZRe+sEQcisGsnlYu6uigAWT2pQAAOYk4AAAe3XcA==
Date: Tue, 01 Dec 2020 11:27:02 +0000
Message-ID: <42c98e52bcf2488d97dd7d21e973f453@huawei.com>
References: <efdbcaedd3264c00bd435abdb0ea5c3a@huawei.com> <9753C964-07FE-42A6-9C6A-1F7D0BA3B5DF@cisco.com>
In-Reply-To: <9753C964-07FE-42A6-9C6A-1F7D0BA3B5DF@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipv6/i8xvz79TaF-42KmMTDfCP8qz8Xc>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ipv6/>

Hi Pascal,
Yes, a centralized model (no SLAAC) greatly improves security.
But FCFS (first come, first served) is still the big security hole.
A server could be in reload (software or hardware refresh), and an intruder could claim its IP address. Then everybody would show credentials to the intruder (fortunately hashed, but that would not help too much: about 50% can be reverted to plain text).

A digital certificate does resolve this situation too. It has additional value.
Ed/
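The reload race Eduard describes (the owner goes down, its registrar entry ages out, another node claims the address) and Pascal's point that under RFC 8928 a node proves address ownership to the router, as a toy Python model added here by the editor; it is not code from anyone in this thread. The registrar classes, node names, the address 2001:db8::53 and the per-node shared secrets are all constructed, and the ownership proof is a shared-secret HMAC over a registrar nonce (the Teredo-style HMAC Fred's message refers to), not RFC 8928's public-key Crypto-ID signature, which would bind the address to a key fingerprint instead of a provisioned secret.

```python
"""Toy address registrar: first-come-first-served versus key-bound registration.

Constructed for illustration only: node names, secrets and addresses are made
up and nothing here is an RFC wire format.
"""
import hashlib
import hmac
import secrets


class FcfsRegistrar:
    """FCFS: an address belongs to whoever holds the current entry. Once the
    entry ages out, the next claimant gets it, whoever that is."""

    def __init__(self):
        self.table = {}  # address -> node name

    def claim(self, addr, node):
        holder = self.table.get(addr)
        if holder is not None and holder != node:
            return False  # address currently in use by someone else
        self.table[addr] = node
        return True

    def expire(self, addr):
        """Entry lifetime ran out (e.g. the owner is rebooting)."""
        self.table.pop(addr, None)

    def owner(self, addr):
        return self.table.get(addr)


class KeyBoundRegistrar:
    """The address is bound to a key identifier at first claim and the binding
    outlives the entry's liveness. A later claim must prove possession of the
    same key (HMAC over a fresh registrar nonce), so a node that merely shows
    up while the owner is down cannot take the address over.

    Assumption (constructed): per-node shared secrets are provisioned out of
    band; a public-key scheme such as RFC 8928 would bind to a Crypto-ID."""

    def __init__(self, shared_secrets):
        self.secrets = dict(shared_secrets)  # key_id -> secret bytes
        self.bindings = {}                   # address -> key_id, kept across expiry
        self.live = {}                       # address -> key_id currently reachable
        self.nonces = {}                     # address -> outstanding challenge

    def challenge(self, addr):
        nonce = secrets.token_bytes(16)
        self.nonces[addr] = nonce
        return nonce

    @staticmethod
    def prove(secret, nonce, addr, key_id):
        """Proof a node computes for a claim; binds nonce, address and key id."""
        msg = nonce + addr.encode() + key_id.encode()
        return hmac.new(secret, msg, hashlib.sha256).digest()

    def claim(self, addr, key_id, proof):
        nonce = self.nonces.pop(addr, None)  # each nonce is single-use
        secret = self.secrets.get(key_id)
        if nonce is None or secret is None:
            return False
        expected = self.prove(secret, nonce, addr, key_id)
        if not hmac.compare_digest(expected, proof):
            return False  # claimant does not hold the key it names
        bound = self.bindings.get(addr)
        if bound is not None and bound != key_id:
            return False  # address is bound to a different key
        self.bindings[addr] = key_id
        self.live[addr] = key_id
        return True

    def expire(self, addr):
        self.live.pop(addr, None)  # liveness lost, binding retained

    def owner(self, addr):
        return self.live.get(addr)


def reload_scenario():
    """A server registers, reboots (its entry expires), an intruder claims the
    same address, then the server comes back. Returns (FCFS holder after the
    intruder's claim, intruder accepted by key-bound registrar, server
    re-accepted by key-bound registrar, key-bound holder at the end)."""
    addr = "2001:db8::53"  # constructed example address
    fcfs = FcfsRegistrar()
    fcfs.claim(addr, "server")
    fcfs.expire(addr)
    fcfs.claim(addr, "intruder")
    fcfs_holder = fcfs.owner(addr)

    server_key, intruder_key = secrets.token_bytes(32), secrets.token_bytes(32)
    reg = KeyBoundRegistrar({"server-key": server_key, "intruder-key": intruder_key})
    n = reg.challenge(addr)
    reg.claim(addr, "server-key", reg.prove(server_key, n, addr, "server-key"))
    reg.expire(addr)
    n = reg.challenge(addr)
    intruder_ok = reg.claim(addr, "intruder-key",
                            reg.prove(intruder_key, n, addr, "intruder-key"))
    n = reg.challenge(addr)
    server_back = reg.claim(addr, "server-key",
                            reg.prove(server_key, n, addr, "server-key"))
    return fcfs_holder, intruder_ok, server_back, reg.owner(addr)
```

Running `reload_scenario()` shows the two models diverge exactly at the reload: FCFS hands the address to the intruder, while the key-bound registrar rejects the claim because the address stays bound to the server's key even though the server is temporarily unreachable. The binding is only as strong as the key distribution behind it, which is the key-management problem the rest of the thread is about.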
> -----Original Message-----
> From: Pascal Thubert (pthubert) [mailto:pthubert@cisco.com]
> Sent: 1 December 2020 13:28
> To: Vasilenko Eduard <vasilenko.eduard@huawei.com>
> Cc: Templin (US), Fred L <Fred.L.Templin@boeing.com>; ipv6@ietf.org
> Subject: Re: AERO/OMNI dropping support for SEND/CGA
> 
> Hello Eduard
> 
> I believe your question about a replacement for secure ND deserves its own
> thread to ensure better visibility.
> 
> Note: RFC 8928 was designed for a network where all nodes have a virtual P2P
> link with the router and the prefix shows as not-onlink; this way nodes only need
> to prove the ownership to the router and that makes things a lot simpler.
> 
> Keep safe,
> 
> Pascal
> 
> > On 1 Dec. 2020 at 10:07, Vasilenko Eduard <vasilenko.eduard@huawei.com> wrote:
> >
> > Hi Fred,
> > SeND needs a refresh. CGA looks ridiculous now in principle. You should not use it.
> >
> > I am not sure: does it make sense to develop something else instead (based on elliptic curves)?
> > As Fernando has pointed out many times: many things in ND could be resolved only by a digital signature (he calls it the "untrusted model").
> > But as we see: the market has rejected PKI. A digital signature is not useful without proper key management.
> > IMHO: it is better to keep the digital signature as a separate standard.
> > Therefore, if you have cycles for a separate OMNI addendum, then it is better to have it for completeness. If not, not much to lose now.
> > But make sure that Open Key Cryptography and PKI (!) would be possible to add later.
> > What if something were innovated in PKI and it became popular?
> > Reminder: PKI is needed not just for ND. Enterprises are under big pressure to protect all applications with TLS.
> > Your vertical would probably lead on PKI adoption.
> >
> > As an alternative: you could talk with IT and security people in your vertical: if they believe in massive deployment of PKIs, then you have to have a digital signature for ND.
> > It would still not guarantee that it would be used, because hosts would need support for it at the ND level, but it is already a good situation to try.
> > Hence again, better to keep it in a separate specification.
> >
> > Eduard
> >> -----Original Message-----
> >> From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Templin (US), Fred L
> >> Sent: 1 December 2020 1:12
> >> To: ipv6@ietf.org
> >> Subject: AERO/OMNI dropping support for SEND/CGA
> >>
> >> Folks, this is a big decision point for the AERO/OMNI drafts but I am
> >> preparing to drop support for SEND/CGA (RFC3971; RFC3972). This means
> >> that IPv6 ND message authentication on OMNI interfaces will use a
> >> simple HMAC the same as is done for Teredo (RFC4380; RFC6081). If
> >> anyone knows why that might cause problems, it would be best to speak up now.
> >>
> >> Fred
> >>
> >> --------------------------------------------------------------------
> >> IETF IPv6 working group mailing list
> >> ipv6@ietf.org
> >> Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
> >> --------------------------------------------------------------------