Re: [rfc2461bis issue 252] Security considerations issues

Jari Arkko <jari.arkko@kolumbus.fi> Wed, 11 February 2004 09:05 UTC

Message-ID: <4029EECF.9050704@kolumbus.fi>
Date: Wed, 11 Feb 2004 10:58:55 +0200
From: Jari Arkko <jari.arkko@kolumbus.fi>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5) Gecko/20031007
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Soliman Hesham <H.Soliman@flarion.com>
Cc: ipv6@ietf.org
Subject: Re: [rfc2461bis issue 252] Security considerations issues
References: <9E3BA3946476AD4EB94672712B12A85F042127@ftmail.lab.flarion.com>
In-Reply-To: <9E3BA3946476AD4EB94672712B12A85F042127@ftmail.lab.flarion.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit

Soliman Hesham wrote:
> This issue addresses RFC 2461's assumptions about 
> securing ND messages. 

Thanks for taking this up.

> The following is needed:
> 
> - explain context in which IPSec can be used to secure NDP messages.
> This should include a reference to the SEND work.
> 
> - Expand Security Considerations section to discuss more security
> threats defined in draft-ietf-send-psreq-xx.txt.
> 
> - Need more elaborate discussion on manual vs. dynamic keying.

I think the general approach is correct. You may wish to
avoid an extensive discussion of the threats and just list
the main ones, then refer to the details through psreq
(which I believe has been approved by IESG).

Also, I think what you are trying to achieve is (a) make
it still possible to use the old AH-based approach but
explain its limitations better, (b) inform the reader about
the availability of another approach, SEND, and (c) inform the
reader about the various vulnerabilities associated with
running ND without security. This is a good approach. But
there's the additional issue of what you actually are mandating
in this document, and with what keywords. Do you have a suggestion
on what it should be?

> I'm currently doing the following:
> 
> 1. Adding a new section (3.2) before the message formats
> to briefly explain that security is outside the scope of 
> this doc and refer to SEND work. It also explains when IPsec
> can be used. 

Perhaps the latter explanation could go into the security
considerations section.

> 2. Remove the "AH" sections included under the message formats. 
> They're not wrong per se, but they give the impression that
> IPsec is always possible. Any objections to this step?
> 
> 3. Remove the IPsec checks in the sections describing the 
> validation of various ND messages.
> 
> 4. Rewrite most of section 11. 

Ok.

> Here is section 3.2 so far:
> 
> 3.2 Securing Neighbor Discovery messages
> 
> "Neighbor Discovery messages are needed for various functions. Several
> functions are designed to allow hosts to ascertain the ownership of an
> address or the mapping between link layer and IP layer addresses. Having
> Neighbor Discovery functions on the ICMP layer allows for the use of IP
> layer security mechanisms, which are available independently of the
> availability of security on the link layer.
> 
> In order to allow for IP layer security, a mechanism is required to allow
> for dynamic keying between neighbors. The use of the Internet Key Exchange
> [IKE] is not suited for creating dynamic security associations that can be
> used to secure address resolution or neighbor solicitation messages as
> documented in [ICMPIKE]. The security of Neighbor Discovery messages through
> dynamic keying is outside the scope of this document and is addressed in
> [SEND]. 
> 
> In some cases, it may be acceptable to use statically configured security
> associations with either [IPv6-AH] or [IPv6-ESP] to secure Neighbor
> Discovery messages. However, it is important to note that statically
> configured security associations are not scalable (especially when
> considering multicast links) and are therefore limited to small networks
> with known hosts."

How about this for 3.2:

   Vulnerabilities related to Neighbor Discovery are discussed in
   Section 11.1. A general solution for securing Neighbor Discovery
   is outside the scope of this specification and is discussed in
   [SEND]. However, Section 11.2 explains how and under which constraints
   IPsec AH or ESP can be used to secure Neighbor Discovery.

And then in 11.1 and 11.2 you would include text from the above.

> Informative references:
> 
> [ICMPIKE]Arkko, J., "Effects of ICMPv6 on IKE",
>          draft-arkko-icmpv6-ike-effects-02 (work in progress), March
>          2003.
> 
>          Arkko, J., "Manual Configuration of Security Associations for
>          IPv6 Neighbor Discovery", draft-arkko-manual-icmpv6-sas-02
>          (work in progress), March 2003.

And

  [SEND]   Arkko, J., Kempf, J., Sommerfeld, B., Zill, B. and P.
           Nikander, "SEcure Neighbor Discovery (SEND)",
           draft-ietf-send-ndopt-04 (work in progress), February 2004.

> Section 11 is too long to send. I'm interested to know if the 
> above steps are ok with everyone. 

--Jari


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------