IETF Logo Mail Archive

RE: 6MAN Adoption call on draft-rafiee-6man-ssas-07

"Hosnieh Rafiee" <ietf@rozanak.com> Tue, 03 December 2013 21:22 UTC

Return-Path: <ietf@rozanak.com>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 066951A8032 for <ipv6@ietfa.amsl.com>; Tue, 3 Dec 2013 13:22:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.301
X-Spam-Level:
X-Spam-Status: No, score=-1.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_61=0.6, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FBq84MV-bcMp for <ipv6@ietfa.amsl.com>; Tue, 3 Dec 2013 13:22:05 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195]) by ietfa.amsl.com (Postfix) with ESMTP id B33861ADED6 for <ipv6@ietf.org>; Tue, 3 Dec 2013 13:22:02 -0800 (PST)
Received: from kopoli (g225037169.adsl.alicedsl.de [92.225.37.169]) by mrelay.perfora.net (node=mrus4) with ESMTP (Nemesis) id 0MZl3O-1W1dAm3mZi-00Lu14; Tue, 03 Dec 2013 16:21:44 -0500
From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Tina TSOU' <Tina.Tsou.Zouting@huawei.com>
References: <919625362.501424.1385988393789.open-xchange@email.1and1.com> <BBDF302A-D08C-433F-8248-44B16CD6D341@huawei.com>
In-Reply-To: <BBDF302A-D08C-433F-8248-44B16CD6D341@huawei.com>
Subject: RE: 6MAN Adoption call on draft-rafiee-6man-ssas-07
Date: Tue, 03 Dec 2013 22:21:31 +0100
Message-ID: <008501cef06d$aa543570$fefca050$@rozanak.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQMF8ANb2wQAhlgl6tUVE1rLm5e8dAHtAevwl8WJqjA=
Content-Language: en-us
X-Provags-ID: V02:K0:eQoVeNtcSsaDY/ABaz+eLZtlOiR7I6T17COgUz6Haxk pXkXFOMlz9h3RwI54QOqiqkxhfu6IyLPi8KZo0MQ+x7oQCffR2 mv1y6/7wK4UJg1qrQSLxmLH+klh6XLzSzsHKUHbF8Dnf0EQmIK E2IyjxEf0fmKlrad7l08OhxZm7xdABZRtKAzLMgWgeVx1PCNDe XMleHt+pHlTwkbgkWWAeTisogVDoboLK/lAp+pjVwGaSfkETun 4unBD7ESbkEZTwcOvgyQpY5d20/StcUGbXiulTvZXLFqsbACiG dprp0+Z/g7yhMc3J+Vy6BKNcggLc5FMvtn2ueLKiM4CqH83xDM domWYLeHEhwSHXUwe4Y4=
Cc: 6man-chairs@tools.ietf.org, ipv6@ietf.org, 'Erik Nordmark' <nordmark@sonic.net>, 'Michael Richardson' <mcr+ietf@sandelman.ca>, 'Tim Chown' <tjc@ecs.soton.ac.uk>, huitema@microsoft.com
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Dec 2013 21:22:08 -0000

Hi Tina,

Thank you very much for your support. You’re right that version 7 was
confusing and had a lot of unrelated sections. I actually removed them in
the new version in the following link http://rozanak.com/ssas.txt. I am
going to upload this version on IETF server on Thursday. My waiting is due
to the fact that I am improving attack draft and also almost finished
writing a draft for local security deployment that can complement SSAS. Then
I want also to add this as one of useful references to SSAS while avoid
versioning. During this time, I also would like to apply any comments I
would receive. As I explained before, I am open to improve this document
based on any reasonable comments I receive in the mailinglist and willing to
apply them.

By the way, about IP spoofing if one wants to use it for DNS attack
prevention then one needs to include the SSAS parameters in the packet which
is the public key. In this case, it can prevent/complicate the IP spoofing
but only using this mechanism as an IP generation would not help since the
parameters are only valid in local link and they are not sent to other nodes
over the internet or in other networks.

Thanks,
smile,
Hosnieh
-------------------------------------


Dear all,
I support the adoption of this document as a 6man wg item, since this is
an interesting technology to have in our toolbox. However, I should note
that it will need substantive work before it can be published as an RFC.
Below you will find some comments that will help improve this document.

Meta:

Throughout this document you talk about "IP spoofing". This document
does not really prevent IP spoofing, but rather mitigates ND-message
falsification. For example, this document does not mitigate DNS
reflectin attacks or the like.


Section 1:

The IEEE

  Standards Association [1] (section 2.5.1 RFC-4291) [RFC4291] offered

  a standard for the generation of IPv6 Interface IDs (IID) called the

  Extended Unique Identifier (EUI-64).

IEEE does not standardize IPv6 things.


Section 3:

  The drawback to using IIDs that do not change over time is one of

  privacy. The node will generate the same IID whenever it joins a new

  network thus making it easy for an attacker to track that node when

  it moves to different networks.

Actually, tracking is a product of constant addresses across networks.
Time variance is not required to prevent network tracking. Please see:
<http://tools.ietf.org/id/draft-ietf-6man-ipv6-address-generation-privacy-00
.txt>


Section 3:

  of attack in the IP layer. Our experimental results [2] show that

  SSAS is more secure and faster than CGA when using a sec value of 0

  (Brute force attacks against 64 bits (when using first SSAS

  algorithm) while in CGA this value is 59 bits) and much faster than

  CGA when using a sec value of 1.

Why do you meantion Sec of 0 and then Sec of 1?



  Also the attacker has a few seconds

  to attack 64 bits in SSAS. This is because the neighboring nodes keep

  the public key of this node in their cache after the first successful

  verification.

Doesn't this happen for CGA, too?



3.1.1.3. Denial of Service (DoS) attacks



  An attacker might send many NDP messages, using invalid signatures,

  to a victim?s node which then forces the node to busy itself with the

  verification process. To mitigate this attack, a node SHOULD set a

  limit on the number of messages (x) that should be verified within a

  certain period of time. Implementations MUST provide a conservative

  default and SHOULD provide a means for detecting when this limit is

  reached.



Section 3.1.2:


The current problem with the addressing mechanism

  in a mobile node is that no privacy is observed when a node moves to

  another network while usually keeping its Home Address.

You should clarify what you mean by "mobile networks" -- here you imply
mobile-IP, but people usually refer to "mobile networks" for other
(non-mobile-ip) things.


Section 4:

The second

  algorithm addresses the problem with the security level and tries to

  use the security of the whole public key during the first time

  verification.

It is unclear what you mean with this paragraph.

Thank you,
Tina

v2.23.0 | Report a Bug | By Email