IETF Logo Mail Archive

Re: [ipwave] draft-ietf-ipwave-ipv6-over-80211ocb-00 Security of WSMP and WSA is FYI only

William Whyte <wwhyte@securityinnovation.com> Sat, 11 February 2017 11:01 UTC

Return-Path: <wwhyte@securityinnovation.com>
X-Original-To: its@ietfa.amsl.com
Delivered-To: its@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3730129410 for <its@ietfa.amsl.com>; Sat, 11 Feb 2017 03:01:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=securityinnovation.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RVjjBRdJAQZB for <its@ietfa.amsl.com>; Sat, 11 Feb 2017 03:01:18 -0800 (PST)
Received: from mail-io0-x229.google.com (mail-io0-x229.google.com [IPv6:2607:f8b0:4001:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31A13127601 for <its@ietf.org>; Sat, 11 Feb 2017 03:01:18 -0800 (PST)
Received: by mail-io0-x229.google.com with SMTP id j13so67176897iod.3 for <its@ietf.org>; Sat, 11 Feb 2017 03:01:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=securityinnovation.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=mXnbcMFuC5Y5kvfLM41wuxA6uteQgf+mQV7ynmonhwY=; b=UR2CLGEMbEF/TpPbZ0uNo4fEq0khFu27gWuJnPlV9pNFL5iFb0sGwR37kOEk9q/wMQ Ybea/OPNGWJoAsb5D7C6ffDjsdsNgY14LTdi5FMZ7iBq88EcBFE9osaNvAH8dKYW9N4/ AxvRckkvYKMGd6rVjmmHdzJZ7KKVI1AxV87kU=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=mXnbcMFuC5Y5kvfLM41wuxA6uteQgf+mQV7ynmonhwY=; b=E26477md79RJ30iID3XEQm1emfeqSO50w6USMM92j3bNeI02KO4GW/QjhtPhHL0SXu JxkwlmUjnoyuTEN4l07o3lTG/mm3cGO77B4/DK+uUs9q8raavqISIJXC9wk2ZRA2nopi 2RjMFNjwUEfVBn3wzFIHSc6haXIx/x4YAAIIrek1M6DvRD2rlVEtg/Cv8bEmjoqyYq9t Mfz/SlT2jqDGCJNMw4v4UE7ArE8qMgDynwW9xJVeDTwIL6VpDDc/NuG92T5VqhHwJfRx MyGr106v9+6/gXz3JFLlzULITRnGjWBe8iuKYrVEFR2xS2gpRO+5v3NjGVpFkRIPtS30 HKvg==
X-Gm-Message-State: AMke39kS2gAP6ud7ytncJ+kviEX1GB6y3XAKRycvBPziRsyFVFRKAk3RLAF3euNYOEJrCNXnhuuNN4kmFg9lHHLQ
X-Received: by 10.107.160.140 with SMTP id j134mr14336106ioe.180.1486810877284; Sat, 11 Feb 2017 03:01:17 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.176.209 with HTTP; Sat, 11 Feb 2017 03:01:15 -0800 (PST)
In-Reply-To: <EFF8E744B9DA464EB36A5DB4CCF455E2@SRA6>
References: <148052970170.9607.12043916621198119260.idtracker@ietfa.amsl.com> <d5a73f15-9658-dc0d-3706-13dc11dd484f@cea.fr> <CACz1E9qAtpgt=ZMTZGpu7dXJBbTaP5bveOHc8WCfqvFfX7Y76g@mail.gmail.com> <EFF8E744B9DA464EB36A5DB4CCF455E2@SRA6>
From: William Whyte <wwhyte@securityinnovation.com>
Date: Sat, 11 Feb 2017 03:01:15 -0800
Message-ID: <CACz1E9qp=0RYEK42tXZM_tmtEzWa6b+TP06T4pwUemty4D1=hw@mail.gmail.com>
To: Dick Roy <dickroy@alum.mit.edu>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/its/BPBwDfMLd9B7mCKgje-kMI37bTQ>
Cc: Alexandre Petrescu <alexandre.petrescu@gmail.com>, its@ietf.org
Subject: Re: [ipwave] draft-ietf-ipwave-ipv6-over-80211ocb-00 Security of WSMP and WSA is FYI only
X-BeenThere: its@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IPWAVE - IP Wireless Access in Vehicular Environments WG at IETF <its.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/its>, <mailto:its-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/its/>
List-Post: <mailto:its@ietf.org>
List-Help: <mailto:its-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/its>, <mailto:its-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Feb 2017 11:01:20 -0000

I wasn't that tired :-)

1609.3 section 6.2.4.2.1 specifies how a WSA can be protected with
1609.2 mechanisms. 1609.3 Annex H gives the 1609.2 security profile
for WSA. So I think it's accurate to say that 1609.3 specifies
security mechanisms, which are defined in 1609.2, to protect WSA.
1609.2 only mentions WSA twice, once in an example, once in an
informative annex. So I think "1609.3 specifies security mechanisms
(from 1609.2)" is an accurate way to say this, just as if WSAs were
sent over TLS, "1609.3 specifies security mechanisms (from TLS)" would
be accurate.

The reason why this matters is that it emphasizes that when you're
going over WSMP, it's up to the specification of the higher layer
entity (in this case, the WME) to specify the security; WSMP itself
doesn't provide any security, and 1609.2 is just a set of tools that
have to be explicitly referenced in the higher layer entity
specification.

Cheers,

William





On Fri, Feb 10, 2017 at 9:20 PM, Dick Roy <dickroy@alum.mit.edu> wrote:
> William is a bit tired ... it was a long flight!  The security mechanisms
> are found in 1609.2, not 1609.3 :^))) Other than that, he is absolutely
> right as usual, if for no other reason than he was and still is the most
> significant contributor to this effort.
>
> Cheers,
>
> RR
>
> -----Original Message-----
> From: William Whyte [mailto:wwhyte@securityinnovation.com]
> Sent: Friday, February 10, 2017 8:32 AM
> To: Alexandre Petrescu
> Cc: its@ietf.org
> Subject: Re: [ipwave] draft-ietf-ipwave-ipv6-over-80211ocb-00 Security of
> WSMP and WSA is FYI only
>
> To be clear, WSMP has no inbuilt security. Higher layer entities that
> use WSMP may send secured payloads but this is part of the application
> specification, not provided by WSMP.
>
> WSA is an example of such a higher layer entity; 1609.3 specifies
> security mechanisms (from 1609.2) that are applied before sending the
> WSA over WSMP. Note that whether or not to use the 1609.3 security
> approach is up to individual deployments -- a private deployment, for
> example, could conceivably decide to use different security or no
> security, but the recommended approach is the one in 1609.3.
>
> Cheers,
>
> William
>
> On Fri, Feb 10, 2017 at 2:52 AM, Alexandre Petrescu
> <alexandre.petrescu@gmail.com> wrote:
>> draft-ietf-ipwave-ipv6-over-80211ocb-00
>> Security of WSMP and WSA is FYI only
>>
>> Hello IPWAVErs,
>>
>> We received a comment suggesting that our mentioning of IEEE WSMP and
>> WSA being secure should be FYI only (i.e. not req on IEEE, nor a
>> statement about IEEE mechanism).  As such I remove the following
> paragraph:
>>
>> old:
>>>
>>> The WAVE protocol stack provides for strong security when using the
>>> WAVE Short Message Protocol and the WAVE Service Advertisement
>>> [ieeep1609.2-D17].
>>
>>
>> Alex
>>
>>
>>
>> _______________________________________________
>> its mailing list
>> its@ietf.org
>> https://www.ietf.org/mailman/listinfo/its
>>
>
>
>

v2.23.0 | Report a Bug | By Email