RE: CGA Security improvement

"Hosnieh Rafiee" <ietf@rozanak.com> Sun, 23 August 2015 10:55 UTC

From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Roland Bless' <roland.bless@kit.edu>, 6man@ietf.org
Subject: RE: CGA Security improvement
Date: Sun, 23 Aug 2015 12:55:29 +0200
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/nbMCbGQ-Ck0RArX97Ox6vZWA8Eg>

Roland,

Thanks for your review.

> On 31.07.2015 at 09:33, Hosnieh Rafiee wrote:
> > I would like to update draft-rafiee-rfc3972-bis-00 draft with the following
> > content. What do you think about it? Any comments or questions?
> 
> 1) I still don't understand your "attack scenario"
> 
>   - https://tools.ietf.org/html/draft-rafiee-6man-cga-attack-01 is
>     not clear enough. What is the course of the attack precisely?

The latest version of the CGA attack draft is 03:
https://tools.ietf.org/html/draft-rafiee-6man-cga-attack-03
Check sections 6.1 and 6.2.

>   - Two addresses A0 and A1 that only differ in the
>     sec value (e.g., sec=0 and sec=1) are considered being
>     different, i.e., A0 != A1. So your attacker that uses
>     A0 instead of A1 has got a different address with a
>     different public/private key pair.
>

They are absolutely different, but the way the document considers them is the
same. In other words, how the document verifies the other node. Therefore the
attacker has a chance to spoof the IP of the other node. Again, please read the
latest version.

>   - CGA prevents _hijacking_ of IPv6 addresses only.

It cannot prevent this if the implementation does not consider the
modification that was suggested in the CGA_improvement document,
or the latest version that I am going to upload; I will send the information to
the list before uploading it.

> 2) given the presumably small real world deployment of CGAs,
>    I think there are currently more important problems this
>    WG needs to solve first...

Not sure about that. Maybe not for the SeND protocol. But in other working groups
they think differently about this. They are going to use it as an
authentication method for DHCP... or in SAVI it is still considered.

Best,
Hosnieh
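
As an added illustration (not part of the original message, nor code from either draft), the following Python follows the RFC 3972 address layout and receiver-side hash checks to show where the sec value sits in a CGA and that the verifier reads it from the address being checked, so addresses that differ only in sec are distinct addresses. The prefix, the placeholder key bytes, the zero starting modifier and the helper names are assumptions made for the example; signature checks and duplicate address detection are omitted.

```python
import hashlib
import ipaddress

IID_MASK = 0x1CFFFFFFFFFFFFFF  # Hash1 compare ignores sec bits 0-2 and u/g bits 6-7
PREFIX = ipaddress.IPv6Address("2001:db8::").packed[:8]  # constructed /64 prefix
PUBKEY = b"constructed-placeholder-not-a-real-DER-key"   # stands in for the public key field

def hash1(modifier, prefix, coll, pubkey):
    """Leftmost 64 bits of SHA-1 over the CGA Parameters structure."""
    digest = hashlib.sha1(modifier + prefix + bytes([coll]) + pubkey).digest()
    return int.from_bytes(digest[:8], "big")

def hash2(modifier, pubkey):
    """Leftmost 112 bits of SHA-1 with prefix and collision count zeroed."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]

def generate(prefix, pubkey, sec):
    """Search modifiers until Hash2 starts with 16*sec zero bits, then build the address.
    Starts at modifier 0 (an assumption, not random) so the run is reproducible."""
    m = 0
    while hash2(m.to_bytes(16, "big"), pubkey)[:2 * sec] != bytes(2 * sec):
        m += 1
    modifier = m.to_bytes(16, "big")
    iid = (hash1(modifier, prefix, 0, pubkey) & IID_MASK) | (sec << 61)
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big")), modifier

def with_sec(addr, sec):
    """Return addr with only the three sec bits of the interface identifier replaced."""
    cleared = int(addr) & ~(0b111 << 61)
    return ipaddress.IPv6Address(cleared | (sec << 61))

def verify(addr, modifier, prefix, coll, pubkey):
    """Receiver-side hash checks; sec is read from the address being verified."""
    iid = int.from_bytes(addr.packed[8:], "big")
    if coll not in (0, 1, 2) or addr.packed[:8] != prefix:
        return False
    if (hash1(modifier, prefix, coll, pubkey) & IID_MASK) != (iid & IID_MASK):
        return False
    sec = iid >> 61
    return hash2(modifier, pubkey)[:2 * sec] == bytes(2 * sec)

if __name__ == "__main__":
    a1, mod = generate(PREFIX, PUBKEY, sec=1)
    cases = (("A1 sec=1", a1), ("A0 sec=0", with_sec(a1, 0)), ("sec=3 claim", with_sec(a1, 3)))
    for label, addr in cases:
        print(label, addr, verify(addr, mod, PREFIX, 0, PUBKEY))
```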