Re: [manet] I-D Action: draft-ietf-manet-nhdp-sec-threats-01.txt

Henning Rogge <henning.rogge@fkie.fraunhofer.de> Mon, 25 February 2013 08:07 UTC

Message-ID: <512B1BD3.8080303@fkie.fraunhofer.de>
Date: Mon, 25 Feb 2013 09:07:47 +0100
From: Henning Rogge <henning.rogge@fkie.fraunhofer.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
MIME-Version: 1.0
To: Abdussalam Baryun <abdussalambaryun@gmail.com>
References: <20121022205917.15922.83347.idtracker@ietfa.amsl.com> <CADnDZ8_CGk-DMzcArFGkBVNa8J5=DSdzFpuA1tV5Nsz9kSe8nA@mail.gmail.com> <92A0E0AF-F962-4BC6-A1DA-27D7C26945C1@jiaziyi.com> <CADnDZ89Bge5RkTcMgfTp0Vz9epb+PagRRdet1ncfc9dKNvZ8YA@mail.gmail.com> <CAK=bVC--_HKdrqFkogPtieg6G6r7ABkBzz326rhNk8_1tCsEog@mail.gmail.com> <CADnDZ8-UUh-vnNEEMTECSS1Zarhe72=QTi0P34A=podEFm7Gtw@mail.gmail.com> <CAK=bVC8DtniriGpAi6Rhd4y4=4xEhH91eDepWZeZXUjSb4qKjg@mail.gmail.com> <CADnDZ89h6ePrk0SLyr7NhXJJV73jnLsgf8iKmiMFaLf4XG2yLw@mail.gmail.com> <CAGnRvuri3qXtDf-4KMsCCA1CHS=bhS33-ZkgvBJ-+v5V3+WX4w@mail.gmail.com> <CAK=bVC96NDWJ6dJJ_VMe9JRjnMJa8X9cakUvqhd9aLO-3zuctw@mail.gmail.com> <CADnDZ88a0w64ffxjbU=oqnMOG25yLhAVrDg7o5CfV1_TGpRWgg@mail.gmail.com> <CAK=bVC-X6fCU7rAqmY2KfiaEy=Amy04_HwFPpkv_Lq=vkejPRA@mail.gmail.com> <CADnDZ88QAHrmNjJO87tuVGTZ8YDcYt0-YJuYX=oOm+L6Fy-Xgg@mail.gmail.com> <512B15DC.1030002@fkie.fraunhofer.de> <CADnDZ88f-ah1S+Vscg3VyC28z+uuye0PCD9SK1oG5KqVaadKFA@mail.gmail.com>
In-Reply-To: <CADnDZ88f-ah1S+Vscg3VyC28z+uuye0PCD9SK1oG5KqVaadKFA@mail.gmail.com>
Cc: manet@ietf.org
Subject: Re: [manet] I-D Action: draft-ietf-manet-nhdp-sec-threats-01.txt

On 02/25/2013 08:49 AM, Abdussalam Baryun wrote:
>> after this you should read the NHDP RFC again, especially the
>> section you are talking about (Section 14.4 I think).
>>
>> after doing this too, you will notice RFC6130 talks about the
>> possibility to use **packet** sequence numbers.
>>
>> Packet sequence numbers are not used to detect incoming duplicates,
>> you are mixing things up with message sequence numbers.
>
> I mean both sequences are important; otherwise why do we have them in
> our work?

You certainly do not understand the "duplicate detection poison" attack.

>> In my opinion message sequence numbers are USELESS for hysteresis
>> calculation, because the NHDP Hello messages will not have a
>> continuous sequence (no pun intended) of message sequence numbers
>> (unless you ONLY run NHDP and do not combine it with another
>> protocol).
>
> If useless, then you should remove them; why make things difficult?

Okay, I will explain it once again.

RFC6130 mentions the possibility (among other things) to use packet
sequence numbers for hysteresis calculations, without going into details
about what to do with them.

Because of this it's not a good idea to describe the "drop duplicate 
because of spoofed high sequence numbers" attack, because the attack 
does not apply to this case at all. The duplicate detection described 
for RFC5444 only works for message sequence numbers.

An attack at the packet sequence level would not be an NHDP attack but an 
RFC5444 (de-)multiplexer attack, which would belong in a 
packetbb-sec-threats document.

>> Any attack mitigation for NHDP sequence numbers will highly depend
>> on the hysteresis implementation, which makes the value of your
>> request dubious at best.
>
> OK, why does the document not talk about the hysteresis implementation
> then? :)

There was a hysteresis implementation example in OLSRv1 (RFC3626)... it
didn't work well. I think that is the reason NHDP only gives some 
hints about what you could look at when implementing a hysteresis function.

NHDP also mentions the possibility to use signal-to-noise ratio or 
packet-acknowledgements.

Do you want to add "threat descriptions and mitigations" for these 
attacks too?

If I ever write down my "packet sequence number based ETX", it should 
contain a "security" section, because it would be the first Manet-WG 
document using the packet sequence numbers, I think.

Henning Rogge

-- 
Diplom-Informatiker Henning Rogge , Fraunhofer-Institut für
Kommunikation, Informationsverarbeitung und Ergonomie FKIE
Kommunikationssysteme (KOM)
Fraunhofer Straße 20, 53343 Wachtberg, Germany
Telefon +49 228 9435-961,   Fax +49 228 9435 685
mailto:henning.rogge@fkie.fraunhofer.de http://www.fkie.fraunhofer.de
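Added example (not code from this thread, from RFC 5444/6130, or from any NHDP or OLSRv2 implementation) illustrating the distinction Henning draws above: the "drop duplicate because of spoofed high sequence numbers" attack only bites a duplicate filter keyed on message sequence numbers, while a packet-sequence-number consumer such as a gap-counting, ETX-style link estimator drops nothing and is affected in a different way, which is the kind of thing a "security" section for such a metric would have to discuss. Everything specific here is an assumption of the example rather than text from the thread: 16-bit numbers compared with a simplified RFC 3626-style wraparound rule, a per-originator window of 64 remembered message sequence numbers, a plain gap count for packet loss, and the hand-constructed originators "A" and "B" and their sequence numbers.

```python
"""Message sequence numbers vs. packet sequence numbers under a spoofed
"far ahead" number.  Added example for this thread; NOT code from the
RFCs or from any NHDP/OLSRv2 implementation.

Assumptions (not taken from the thread): 16-bit sequence numbers compared
with a simplified RFC 3626-style wraparound rule, a per-originator window
of WINDOW recent message sequence numbers for duplicate detection, and a
plain gap-counting loss estimate on the packet side.  All traffic below
is constructed by hand."""

SEQ_MOD = 1 << 16   # 16-bit sequence numbers
WINDOW = 64         # how many recent numbers a receiver remembers (assumption)


def seq_newer(a, b):
    """True if a is 'after' b: (a - b) mod 2^16 lies in the lower half of
    the range.  Simplified form of the RFC 3626 comparison."""
    d = (a - b) % SEQ_MOD
    return d != 0 and d < SEQ_MOD // 2


class DuplicateDetector:
    """Per-originator duplicate filter keyed on *message* sequence numbers.
    State per originator: highest number seen plus a bitmap of which of the
    WINDOW numbers at or below it were seen (bit i <-> highest - i)."""

    def __init__(self):
        self._state = {}

    def accept(self, originator, seqno):
        """True -> process the message; False -> drop as duplicate/stale."""
        if originator not in self._state:
            self._state[originator] = (seqno, 1)
            return True
        highest, bits = self._state[originator]
        if seq_newer(seqno, highest):
            shift = (seqno - highest) % SEQ_MOD
            bits = ((bits << shift) | 1) & ((1 << WINDOW) - 1) if shift < WINDOW else 1
            self._state[originator] = (seqno, bits)
            return True
        back = (highest - seqno) % SEQ_MOD
        if back >= WINDOW or (bits >> back) & 1:
            return False        # older than the window, or already seen
        self._state[originator] = (highest, bits | (1 << back))
        return True


def messages_lost_to_poison(jump, base=100):
    """Originator A sends seqno `base`; an attacker then forges one message
    from A with seqno base + jump.  Returns how many of A's genuine
    follow-ups (base+1, base+2, ...) are dropped before one is accepted."""
    det = DuplicateDetector()
    det.accept("A", base)
    det.accept("A", (base + jump) % SEQ_MOD)   # the poison message
    lost, s = 0, base
    while True:
        s = (s + 1) % SEQ_MOD
        if det.accept("A", s):
            return lost
        lost += 1


class PacketLossEstimator:
    """Per-neighbor loss estimate from gaps in *packet* sequence numbers,
    the kind of input an ETX-style link metric consumes.  Nothing is
    dropped: every packet is counted, late or replayed ones included."""

    def __init__(self):
        self._last, self.received, self.expected = {}, {}, {}

    def observe(self, neighbor, pseq):
        self.received[neighbor] = self.received.get(neighbor, 0) + 1
        last = self._last.get(neighbor)
        if last is None:
            self.expected[neighbor] = 1
            self._last[neighbor] = pseq
        elif seq_newer(pseq, last):
            self.expected[neighbor] += (pseq - last) % SEQ_MOD
            self._last[neighbor] = pseq
        # an older/replayed packet is counted as received; no gap is charged

    def loss_ratio(self, neighbor):
        return max(0.0, 1.0 - self.received[neighbor] / self.expected[neighbor])


def packet_scenario():
    """Neighbor B sends packets 1..10, packet 5 is lost on the air, then an
    attacker forges one packet from B with sequence number 1010.
    Returns (loss before spoof, loss after spoof), rounded to 3 places."""
    est = PacketLossEstimator()
    for pseq in range(1, 11):
        if pseq != 5:
            est.observe("B", pseq)
    before = round(est.loss_ratio("B"), 3)
    est.observe("B", 1010)                     # the spoofed packet
    after = round(est.loss_ratio("B"), 3)
    return before, after


if __name__ == "__main__":
    print("genuine messages dropped after a +20000 poison:", messages_lost_to_poison(20000))
    print("packet loss estimate before/after spoof:", packet_scenario())
```

With a window of 64 numbers, a single forged message that jumps A's sequence number ahead by 20000 silences A's genuine messages until A has sent 19936 more of them; the same jump on the packet side drops nothing, but pushes the neighbor's apparent loss from 10% to 99%, so a hysteresis or ETX function fed by packet sequence numbers would be misled rather than starved, which is why the two cases need separate treatment.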