IETF Logo Mail Archive

Re: [manet] AODVv2 security: Key Management to BCP107

Thomas Heide Clausen <ietf@thomasclausen.org> Thu, 28 April 2016 20:27 UTC

Return-Path: <ietf@thomasclausen.org>
X-Original-To: manet@ietfa.amsl.com
Delivered-To: manet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30DD012B04A for <manet@ietfa.amsl.com>; Thu, 28 Apr 2016 13:27:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=thomasclausen.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fk7K3g8nThqG for <manet@ietfa.amsl.com>; Thu, 28 Apr 2016 13:27:32 -0700 (PDT)
Received: from maila2.tigertech.net (maila2.tigertech.net [208.80.4.152]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D226A12D9D0 for <manet@ietf.org>; Thu, 28 Apr 2016 13:27:32 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by maila2.tigertech.net (Postfix) with ESMTP id D149F24097D; Thu, 28 Apr 2016 13:27:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thomasclausen.org; s=1.tigertech; t=1461875251; bh=R8bNPOOElp35RJ0mxniZs/dTflg+WCQqXcKtd6JOrak=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=L2+1/KHu531T0+nk1Y30TMPVssoYoG8bcip50UOqj7jJqlGWmYWt2lnhtI6RCSwUB pSdnIeD3aBZtZA3/I6jrwxLggjYb0mYwW+r2NB5yj8RrID8/TRzyp/LvVtA/EWBwlO fGW29FT5cXpoLTAQop9LhcgFK3ga4N/Jb735HRgg=
X-Virus-Scanned: Debian amavisd-new at maila2.tigertech.net
Received: from [192.168.147.246] (mtg91-1-82-227-24-173.fbx.proxad.net [82.227.24.173]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by maila2.tigertech.net (Postfix) with ESMTPSA id 51DFB25101D; Thu, 28 Apr 2016 13:27:30 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-D3338415-67A1-461A-8507-6BBF41225163"
Mime-Version: 1.0 (1.0)
From: Thomas Heide Clausen <ietf@thomasclausen.org>
X-Mailer: iPad Mail (13F51a)
In-Reply-To: <78037F3E-95E6-413D-933F-F238D82FED60@gmail.com>
Date: Thu, 28 Apr 2016 22:27:26 +0200
Content-Transfer-Encoding: 7bit
Message-Id: <1D0F865B-CECE-4D49-B73E-C788E2B24478@thomasclausen.org>
References: <937ABB81-CCD9-4FD0-A7CF-5114384B3B94@gmail.com> <8D383418-4CBF-49C6-9871-4E31042E29E5@mnemosyne.demon.co.uk> <C95859AA-BF4B-4220-84D7-D30E5B179133@gmail.com> <9E042F54-58E4-4C1B-8F7B-ECAD41341D48@gmail.com> <C9D6A421-3CD3-4456-9593-CE0638286374@gmail.com> <78037F3E-95E6-413D-933F-F238D82FED60@gmail.com>
To: John Dowdell <john.dowdell.ietf@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/manet/Y_MmfRPHJMEH_XrHdQiKiSxaAqU>
Cc: Christopher Dearlove <christopher.dearlove@gmail.com>, manet@ietf.org
Subject: Re: [manet] AODVv2 security: Key Management to BCP107
X-BeenThere: manet@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mobile Ad-hoc Networks <manet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/manet>, <mailto:manet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/manet/>
List-Post: <mailto:manet@ietf.org>
List-Help: <mailto:manet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/manet>, <mailto:manet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2016 20:27:37 -0000

I must say, I fully share Chris' strong reservations. This is not the solution. 

> On 28 Apr 2016, at 22:22, John Dowdell <john.dowdell.ietf@gmail.com> wrote:
> 
> 
>> On 28 Apr 2016, at 21:11, Christopher Dearlove <christopher.dearlove@gmail.com> wrote:
>> 
>> I really wouldn't be interested in a system in which each router had to have knowledge of all other routers. Far too restrictive, and scales poorly. It just might fly as a solution. As the solution, definitely not.
> 
> Not all individual routers, just the implementors. Implementor A knows of and (at least partly) trusts routers made by Implementor B. You could break that down by model and year of manufacture if you wanted.
> 
> John
> 
>> 
>> Each router needing some preconfiguration, sure. See the IBS draft for example.
>> 
>> --  
>> Christopher Dearlove
>> christopher.dearlove@gmail.com (iPhone)
>> chris@mnemosyne.demon.co.uk (home)
>> 
>>> On 28 Apr 2016, at 20:37, John Dowdell <john.dowdell.ietf@gmail.com> wrote:
>>> 
>>> By the way I have re-ordered the emails in this post to make it easier to read for flow.
>>>> 
>>>>>> On 27 Apr 2016, at 21:10, John Dowdell <john.dowdell.ietf@gmail.com> wrote:
>>>>>> 
>>>>>> Hi all
>>>>>> 
>>>>>> As an AODVv2 co-author I’d like to propose this position regarding key management against BCP107, one of the artefacts we are being asked to state a position over. I’d also like to state that I’m open to contributions from others knowledgeable on this topic or who have been this way previously.
>>>>>> 
>>>>>> If you’re not familiar (and I wasn’t), RFC4107 aka BCP107 is the set of guidelines for choosing either automated or manual key management for cryptographic purposes. It’s not a long read and guides the reader through a set of tests as to whether automated or manual key management would be suitable for the application in hand.
>>>>>> 
>>>>>> The very first question is does AODVv2 need key management at all? I would contend that it does, since we require to secure the signalling traffic for the routing algorithm. The aim here is therefore to purely assist in the security of the signalling traffic; security of user data that is forwarded once an AODVv2 route has been established is out of scope.
>>>>>> 
>>>>>> Section 1 of BCP107 states that automated key management SHOULD be used.. Thus my answer will be in favour of that unless I can contend otherwise.
>>>>>> 
>>>>>> The guidelines in section 2 outline that automated key management derives short-term session keys between two parties. In the case of AODVv2, this would correspond to two routers that form or wish to form an adjacency.
>>>>>> 
>>>>>> The guidelines state that the short-term keys may be derived from long-term keys, and that the dissemination of long term keys is out of scope of BCP107. I would envisage that an AODVv2 router, given that it would form ephemeral ad hoc networks with other routers as it went about its business, would be supplied with one or more long term keys for a period of time, to be determined by the system integrator, and that the long term keys would then be used to derive short term keys which are used in the forming of adjacBy the way I have re-ordered the emails in this post to make it easier to read for flow.
>>>> 
>>>>>> On 27 Apr 2016, at 21:10, John Dowdell <john.dowdell.ietf@gmail.com> wrote:
>>>>>> 
>>>>>> Hi all
>>>>>> 
>>>>>> As an AODVv2 co-author I’d like to propose this position regarding key management against BCP107, one of the artefacts we are being asked to state a position over. I’d also like to state that I’m open to contributions from others knowledgeable on this topic or who have been this way previously.
>>>>>> 
>>>>>> If you’re not familiar (and I wasn’t), RFC4107 aka BCP107 is the set of guidelines for choosing either automated or manual key management for cryptographic purposes. It’s not a long read and guides the reader through a set of tests as to whether automated or manual key management would be suitable for the application in hand.
>>>>>> 
>>>>>> The very first question is does AODVv2 need key management at all? I would contend that it does, since we require to secure the signalling traffic for the routing algorithm. The aim here is therefore to purely assist in the security of the signalling traffic; security of user data that is forwarded once an AODVv2 route has been established is out of scope.
>>>>>> 
>>>>>> Section 1 of BCP107 states that automated key management SHOULD be used. Thus my answer will be in favour of that unless I can contend otherwise.
>>>>>> 
>>>>>> The guidelines in section 2 outline that automated key management derives short-term session keys between two parties. In the case of AODVv2, this would correspond to two routers that form or wish to form an adjacency.
>>>>>> 
>>>>>> The guidelines state that the short-term keys may be derived from long-term keys, and that the dissemination of long term keys is out of scope of BCP107. I would envisage that an AODVv2 router, given that it would form ephemeral ad hoc networks with other routers as it went about its business, would be supplied with one or more long term keys for a period of time, to be determined by the system integrator, and that the long term keys would then be used to derive short term keys which are used in the forming of adjacencies plural.
>>>>>> 
>>>>>> Section 2.1 of BCP107 describes the conditions under which automated key management MUST be used.
>>>>>> 
>>>>>> - If a large number of static keys would have to be managed. It is not known how many routers could be deployed, but if this is aimed at ad hoc applications then the number of routers could quickly become large. I consider this condition is met.
>>>>>> 
>>>>>> - Any stream cipher is used. This is a choice for the system integrator, but an AES based cipher is a real possibility. There is more likelihood this condition is met than not met.
>>>>>> 
>>>>>> - An initialisation vector (IV) might be re-used. I am open to advice on this point.
>>>>>> 
>>>>>> - Large amounts of data need to be encrypted in a short time. Even if there is no specific guidance on ‘large’, I do not consider this condition to be met, since signalling messages are likely to be short relative to the user data that could be exchanged.
>>>>>> 
>>>>>> - Long-term session keys are used by more than two parties, including multicast applications. AODVv2 uses multicast extensively, and therefore I consider this condition to be met.
>>>>>> 
>>>>>> - Device turnover is frequent. This is a certainty in ad hoc networks, so I consider this condition to be met.
>>>>>> 
>>>>>> I believe the outcomes from section 2.1 guidance is more in favour of automated key management.
>>>>>> 
>>>>>> However, to consider the guidance on manual key management in section 2.2 of BCP107, where such management may be reasonable:
>>>>>> 
>>>>>> - the environment has very limited bandwidth or high round trip times. Some applications for AODVv2 may use very low bandwidths, perhaps for low-power sensor networks. The point is made that "public key systems require long exchanges and lots of computation”. The AODVv2 author team believe that very low power hardware might be used by some implementors, which may give problems when being required to use public key exchanges. Such implementors need to carefully consider the tradeoff between the need for security and the need for very low power consumption. Such implementors should also consider whether some functions should be realised in hardware or software, and the resulting impact on system performance and power consumption.
>>>>>> 
>>>>>> - the information being protected is of low value. I do not consider this condition to be met; on the contrary, the signalling traffic in AODVv2 is of high value to a potential attacker.
>>>>>> 
>>>>>> - the scale of each deployment is limited. I consider that this is an unknown, but I also consider that we should engineer for larger networks with ephemeral connections rather than smaller ones.
>>>>>> 
>>>>>> Discussion welcome.
>>>>>> 
>>>>>> Regards
>>>>>> John
>>>>>> 
>>>>>> 
>>>>>> 
>>>> 
>>>>> On 27 Apr 2016, at 21:27, Christopher Dearlove <chris@mnemosyne.demon.co.uk> wrote:
>>>>> 
>>>>> I really don't know what you are proposing. I think you have a great big can of worms here that hasn't been thought through.
>>>>> 
>>>>> So AODVv2 is sending, as it's very first message, an RREQ. We want to authenticate this. How? You can't negotiate a key, you haven't got a route. You don't know who your neighbours are. You plan to multicast to them in fact, what's your key plan for that?
>>>>> 
>>>>> If you say use long term key, what are you actually going to use the short term key for? And if you plan to exchange message with your neighbours, that rather preempts a significant part of your protocol (why establish bidirectionality when your key negotiation must have done that?)
>>>>> 
>>>>> And then we've spent some time discussing end to end authentication. That doesn't work with short term keys for adjacencies only.
>>>>> 
>>>>> We (OLSRv2) went through, more than once, a hard argument why automated key management wasn't appropriate here, and why the exceptions did apply.
>>>>> 
>>>>> But in a nutshell (though this wasn't the argument we used, just why we needed it) how can you agree a key without communicating? How do you communicate more than one hop without a route? How do you authenticate the messages to create that route without a key?
>>>>> 
>>>>> Something has to give. And in giving you might end up redesigning your whole protocol. Or using something quite clever that there's no hint of here. Or using the simplest fallback of a single shared key (our 7183 default) which isn't automatically managed.
>>>>> 
>>>>> -- 
>>>>> Christopher Dearlove
>>>>> 
>>>> On 27 Apr 2016, at 22:38, John Dowdell <john.dowdell.ietf@gmail.com> wrote:
>>>> 
>>>> OK so there’s a really big problem here. We were asked to run the guidance. Running the guidance gives the result below. In this case, the guidance is not giving a result that makes sense. The routers themselves are almost certainly on the move, there is no other reason why you would want to only determine the path at send time. You now have routers potentially from multiple organisations occasionally conversing with other routers. I do not see that a single shared key is going to pass muster; I certainly wouldn’t recommend such a use case.
>>>> 
>>>> Regards
>>>> John
>>> 
>>> One possible way forwards is to require all routers to have knowledge of some credentials of the other routers before AODVv2 can begin signalling. This isn’t so crazy as it might seem. Suppose such routers are installed in cars, and each manufacturer pre-loads the car with credentials of all the other manufacturers that it trusts for signalling purposes. Thus Ford (say) might pre-load credentials for Volkswagens. When a Ford and a Volkswagen meet, they already have some degree of trust, and therefore the burden of proof of identity in AODVv2 signalling is reduced, but not eliminated, because then we would be open to spoofing.
>>> 
>>> We are also here acting as part of a (hopefully) layered authentication system. The wireless devices will presumably be authenticated to each other, through some system that is suitable for the task in hand, and above routing there should be some checks on incoming user data to see if that is sensible.
>>> 
>>> Regards
>>> John
>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> manet mailing list
>>>>>> manet@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/manet
> 
> _______________________________________________
> manet mailing list
> manet@ietf.org
> https://www.ietf.org/mailman/listinfo/manet

v2.23.0 | Report a Bug | By Email