IETF Logo Mail Archive

RE: FW: New Version Notification for draft-rafiee-6man-cga-attack-00.txt

Christian Huitema <huitema@microsoft.com> Wed, 27 November 2013 02:21 UTC

Return-Path: <huitema@microsoft.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 772881AE0BB for <ipv6@ietfa.amsl.com>; Tue, 26 Nov 2013 18:21:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EkjmmErMehCG for <ipv6@ietfa.amsl.com>; Tue, 26 Nov 2013 18:21:15 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0238.outbound.protection.outlook.com [207.46.163.238]) by ietfa.amsl.com (Postfix) with ESMTP id 138761AE051 for <ipv6@ietf.org>; Tue, 26 Nov 2013 18:21:14 -0800 (PST)
Received: from BY2PR03CA030.namprd03.prod.outlook.com (10.242.234.151) by BY2PR03MB059.namprd03.prod.outlook.com (10.255.241.151) with Microsoft SMTP Server (TLS) id 15.0.837.10; Wed, 27 Nov 2013 02:21:13 +0000
Received: from BL2FFO11FD041.protection.gbl (2a01:111:f400:7c09::125) by BY2PR03CA030.outlook.office365.com (2a01:111:e400:2c2c::23) with Microsoft SMTP Server (TLS) id 15.0.825.14 via Frontend Transport; Wed, 27 Nov 2013 02:21:13 +0000
Received: from mail.microsoft.com (131.107.125.37) by BL2FFO11FD041.mail.protection.outlook.com (10.173.161.137) with Microsoft SMTP Server (TLS) id 15.0.825.6 via Frontend Transport; Wed, 27 Nov 2013 02:21:12 +0000
Received: from TK5EX14MBXC272.redmond.corp.microsoft.com ([169.254.2.174]) by TK5EX14HUBC103.redmond.corp.microsoft.com ([157.54.86.9]) with mapi id 14.03.0158.002; Wed, 27 Nov 2013 02:20:13 +0000
From: Christian Huitema <huitema@microsoft.com>
To: Hosnieh Rafiee <ietf@rozanak.com>, 'Ray Hunter' <v6ops@globis.net>
Subject: RE: FW: New Version Notification for draft-rafiee-6man-cga-attack-00.txt
Thread-Topic: FW: New Version Notification for draft-rafiee-6man-cga-attack-00.txt
Thread-Index: AQFcy6ZEAgkCvPF12cG9eyx+VjbUApsaydgAgAEmRICAAA4MgIAAk56g
Date: Wed, 27 Nov 2013 02:20:13 +0000
Message-ID: <C91E67751B1EFF41B857DE2FE1F68ABA2FBC2ACC@tk5ex14mbxc272.redmond.corp.microsoft.com>
References: <20131125140405.14510.36261.idtracker@ietfa.amsl.com> <007701ceea31$05106260$0f312720$@rozanak.com> <5294CAC7.3060509@globis.net> <002801ceeaca$c082e420$4188ac60$@rozanak.com>
In-Reply-To: <002801ceeaca$c082e420$4188ac60$@rozanak.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.35]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(199002)(189002)(51704005)(83072001)(74366001)(46102001)(54356001)(33656001)(53806001)(51856001)(63696002)(47776003)(20776003)(66066001)(47446002)(74662001)(65816001)(76482001)(74502001)(79102001)(31966008)(76786001)(87936001)(80022001)(69226001)(76796001)(56816003)(77096001)(81816001)(74876001)(74706001)(50466002)(80976001)(81686001)(23746002)(47736001)(49866001)(56776001)(54316002)(81342001)(85306002)(77982001)(4396001)(2656002)(87266001)(55846006)(83322001)(59766001)(6806004)(44976005)(81542001)(50986001)(47976001); DIR:OUT; SFP:; SCL:1; SRVR:BY2PR03MB059; H:mail.microsoft.com; CLIP:131.107.125.37; FPR:; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Forefront-PRVS: 004395A01C
X-OriginatorOrg: microsoft.com
Cc: 'marcelo bagnulo braun' <marcelo@it.uc3m.es>, 'Derek Atkins' <DAtkins@mocana.com>, "ipv6@ietf.org" <ipv6@ietf.org>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Nov 2013 02:21:17 -0000

>> I agree the CGA information will match in the case mentioned, and thus it is
>> possible to make CGA verification succeed for two different hashes for two
>> different values of sec (one with lower sec value being easier to generate
>> than the other).
>> 
>> But didn't we know that already?
>
> NO, as far as I know, up to now everybody thought that it is not possible to attack CGA with lower sec value while CGA node uses 
> higher sec value. We knew that it is faster to break CGA sec value 0. 

The CGA mechanism protects an IPv6 address. All the identifier bits are part of the IPv6 address. If an attacker uses a different SEC value, it is not attacking the protected IPv6 address, but a different one. 

> We also thought that it would take 2^59 but this is not true too based on Birthday paradox attack. 

This is a serious misunderstanding of the birthday paradox. The paradox states that if a number can take N values, it takes about sqrt(N) random trials for having 50% chance to find the same number twice. But the number found is a random number.

The birthday paradox does not apply in the scenario where you try to find a specific value. If a number can take N values, it takes about N/2 trials before having 50% chance to find the target number. 

>> Since the 3 bits of the sec level are copied from the IID, won't any mismatch in
>> the sec value used to create the hash be picked up by a simple comparison of
>> the received IID with the machines local IID in the case of DAD?
> 
> The CGA node retrieve sec value from the source IP address of the attacker and not from his own packet and do not get it from his own.
> The following sentence is after step 4 that already the victim node retrieved the source IP address from the attacker's packet.

So what? The attacker ends up using an IPv6 address that has many bits in common as the target address, but it different. There is no masquerading. The attack that you are describing just does not work.


Hosnieh, your draft also mentions a duplicate address attack. That attack is already described in RFC 3971 (SEND), with a proposed mitigation:

   9.2.3.  Duplicate Address Detection DoS Attack

   This attack is described in Section 4.1.3 of [22].  SEND counters
   this attack by requiring that the Neighbor Advertisements sent as
   responses to DAD include an RSA Signature option and proof of
   authorization to use the interface identifier in the address being
   tested.  If these prerequisites are not met, the node performing DAD
   discards the responses.

Do you have a novel way to break these mitigations?

-- Christian Huitema

v2.23.0 | Report a Bug | By Email