Re: [manet] Security documents for OLSRv2/NHDP

Christopher Dearlove <christopher.dearlove@googlemail.com> Sun, 17 March 2013 08:12 UTC

References: <CAK=bVC-dubQKrdR7H8etpah7OibKjuG0aBm1FFdPf5y4n-wftw@mail.gmail.com> <CADnDZ88vE=pAYKFPne=71qN1-rhbay2QC=hD6dSYEDkTdMhgdQ@mail.gmail.com> <D621FF09-1DD5-4205-9E81-4C129075E66B@gmail.com> <CADnDZ88hLjpUtvEJvJLonq3op7xtiUdEG+FUpyvBNVH7c9muvw@mail.gmail.com> <005e01ce2297$97702bc0$c6508340$@olddog.co.uk> <CAK=bVC8V0qEHGQ_QNkBOMzJHoRGGShjv8z=LdA35SUyWqCfo0A@mail.gmail.com> <2ED1D3801ACAAB459FDB4EAC9EAD090C10057F19@xmb-aln-x03.cisco.com>
In-Reply-To: <2ED1D3801ACAAB459FDB4EAC9EAD090C10057F19@xmb-aln-x03.cisco.com>
Message-Id: <FA01CBC0-C53A-451B-AA0E-527DBCA6EDEF@gmail.com>
From: Christopher Dearlove <christopher.dearlove@googlemail.com>
Date: Sun, 17 Mar 2013 08:13:01 +0000
To: "Stan Ratliff (sratliff)" <sratliff@cisco.com>
Cc: manet <manet@ietf.org>
Subject: Re: [manet] Security documents for OLSRv2/NHDP

As Ulrich said, done that way we end up repeating a whole lot of text in both documents, which really isn't sensible, and introduces an editorial issue of keeping the two aligned. Putting it all together gives a much more coherent presentation.

As for late in the day, we worked on the assumption that what was good enough for NHDP was good enough for OLSRv2. We were, as you know, working towards security in the WG. However, in effect, a new security AD had a different view to an old security AD, that something had to be done now, before OLSRv2 was published, and held a DISCUSS accordingly. And as OLSRv2 security depends on NHDP security, that needed doing too.

No one wants everything finished as soon as possible more than I and the other authors do. But we are here, and doing the best we can.

-- 
Christopher Dearlove
christopher.dearlove@gmail.com (iPhone)
chris@mnemosyne.demon.co.uk (home)

On 17 Mar 2013, at 03:53, "Stan Ratliff (sratliff)" <sratliff@cisco.com> wrote:

> Ulrich, 
> 
> Just to be clear: Since the plan is to add a normative reference to OLSRv2, it (meaning the OLSRv2 draft) will be held up, pending WG adoption/acceptance/WGLC of this new draft…
> 
> (Taking my co-chair hat off, and speaking just as a WG participant): 
> I would have preferred inserting the text directly into OLSRv2 (and NHDP if need be) instead of creating the normative reference. I think this is a tad late in the game to be doing such a thing. 
> 
> Regards,
> Stan
> 
> 
> On Mar 16, 2013, at 7:46 PM, Ulrich Herberg wrote:
> 
>> AB,
>> 
>> we specified an integrity and replay security protection for OLSRv2, as
>> requested by Stephen. We could have added that directly in OLSRv2, but
>> since NHDP uses the same security mechanism, that would have been a
>> copy of the same text. So we decided to specify the mechanism in a new
>> draft, which is normatively referenced by OLSRv2, e.g.:
>> "A conformant implementation of OLSRv2 MUST, at minimum, implement the
>> security mechanisms specified in [draft-herberg-manet-nhdp-olsrv2-sec]
>> ..."
>> At the same time this new draft "updates" (in the IETF sense) NHDP by
>> mandating implementation of the security mechanism.
>> 
>> The new OLSRv2 revision (as well as new revisions of the two security
>> drafts) will be submitted in the next few days, we are just doing
>> final reviews amongst the authors.
>> 
>> Best regards
>> Ulrich
>> 
>> 
>> On Sat, Mar 16, 2013 at 6:42 PM, Adrian Farrel <adrian@olddog.co.uk> wrote:
>>> Yes, I believe the plan is to add more security text to the OLSRv2 draft. The
>>> choice of words is confusing :-)
>>> "Update" has a general meaning: to update a draft means to make some revisions.
>>> "Update" has a specific meaning: to update an RFC means to add a meta-data tag
>>> formally noting that one RFC updates another.
>>> 
>>> Adrian
>>> 
>>>> -----Original Message-----
>>>> From: manet-bounces@ietf.org [mailto:manet-bounces@ietf.org] On Behalf Of
>>>> Abdussalam Baryun
>>>> Sent: 16 March 2013 20:54
>>>> To: manet
>>>> Subject: Re: [manet] Security documents for OLSRv2/NHDP
>>>> 
>>>> I agreed to the update of RFC6130 and have no objection to the others, but
>>>> want to discuss/ask.
>>>> 
>>>> If the IESG DISCUSS was about the OLSRv2 document, why was the process to
>>>> update RFC6130 only? And if publication 1 mandates OLSRv2 messages,
>>>> then IMO it needs to update the OLSRv2 document as well, or do you mean
>>>> publication 3 is a new version -18 that includes the security of
>>>> OLSRv2 messaging and refers to publication 1?
>>>> 
>>>> AB
>>>> 
>>>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>> This message is owned by the author and sent to IETF MANET address and
>>>> not sent to private mail-boxes. This message is an IETF input not
>>>> private input.
>>>> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>>>> 
>>>> On 3/15/13, Christopher Dearlove <christopher.dearlove@googlemail.com>
>>>> wrote:
>>>>> OLSRv2 will reference this draft, and therefore it's not an update in the
>>>>> technical sense in which the term is being used here, as a formal update to
>>>>> RFC 6130.
>>>>> 
>>>>> On 15 Mar 2013, at 21:09, Abdussalam Baryun wrote:
>>>>> 
>>>>>> Hi Ulrich,
>>>>>> 
>>>>>> Do I understand that publication 1 updates both RFC6130 and OLSRv2, or
>>>>>> do you mean it only updates RFC6130?
>>>>>> 
>>>>>> AB
>>>>>> On 3/15/13, Ulrich Herberg <ulrich@herberg.name> wrote:
>>>>>>> Dear all,
>>>>>>> 
>>>>>>> The OLSRv2 authors have had a discussion with Stephen Farrell (Security
>>>>>>> AD)
>>>>>>> and Adrian about how to resolve the remaining security related DISCUSS
>>>>>>> on OLSRv2, and we agreed on a way forward that involves the following
>>>>>>> steps:
>>>>>>> 
>>>>>>> 1) Publication of:
>>>>>>> http://tools.ietf.org/html/draft-herberg-manet-nhdp-olsrv2-sec-01
>>>>>>> 
>>>>>>> This document mandates (at least) implementation of HMAC/SHA2
>>>>>>> integrity protection of OLSRv2 messages. Deployments of OLSRv2 should
>>>>>>> use that mechanism unless they have a more appropriate solution (e.g.,
>>>>>>> different cipher) for that particular deployment. This document also
>>>>>>> updates NHDP and mandates implementing the same HMAC/SHA2 protection
>>>>>>> for HELLO messages.
>>>>>>> 
>>>>>>> 2) Publication of:
>>>>>>> http://tools.ietf.org/html/draft-herberg-manet-rfc6622-bis-01
>>>>>>> 
>>>>>>> This document obsoletes RFC6622bis by fixing an oversight in RFC6622.
>>>>>>> The differences to RFC6622 are minor and can be seen here:
>>>>>>> http://tools.ietf.org/rfcdiff?url1=rfc6622&url2=draft-herberg-manet-rfc6622-bis
>>>>>>> Essentially, RFC6622 does not protect the IP source address of the
>>>>>>> interface over which the control message is sent. Since that address
>>>>>>> is used to establish neighbors in NHDP (and therefore must be
>>>>>>> protected), a new type extension 3 of the ICV TLV has been added to
>>>>>>> the registry.
>>>>>>> 
>>>>>>> 3) Publication of an update to OLSRv2, referencing the use of the
>>>>>>> defined security mechanism, and resolving other smaller issues from
>>>>>>> Stephen's DISCUSS.
>>>>>>> 
>>>>>>> In order to not hold up OLSRv2 further, and upon discussions with Stan
>>>>>>> and Adrian, we would like to request WG adoption of these two new
>>>>>>> documents - asking that the chairs will officially poll the WG on this
>>>>>>> matter shortly. The documents are brief, and address issues
>>>>>>> requested by the ADs, so we hope that processing them should also be a
>>>>>>> brief affair.
>>>>>>> 
>>>>>>> Best regards
>>>>>>> Ulrich
>>>>>>> _______________________________________________
>>>>>>> manet mailing list
>>>>>>> manet@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/manet
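As an added illustration of the gap Ulrich's quoted message describes (this is constructed example code, not code from RFC 6622, the bis draft or any OLSRv2 implementation), the following compares an ICV that covers only the message with one that also covers the datagram's IP source address, which NHDP uses to create neighbor entries. The shared key, the HELLO body, the addresses and the address-prefixing input layout are assumptions made here; the ICV TLV encoding and type extension numbering are not reproduced.

```python
import hashlib
import hmac
import ipaddress

# Constructed placeholder for the shared key a deployment would provision.
KEY = b"constructed-demo-key"


def icv_message_only(key: bytes, message: bytes) -> bytes:
    """ICV covering only the message, as the thread describes RFC 6622:
    HMAC-SHA-256 over the message bytes alone."""
    return hmac.new(key, message, hashlib.sha256).digest()


def icv_with_source(key: bytes, src_addr: str, message: bytes) -> bytes:
    """ICV that also covers the datagram's IP source address (the fix the
    thread describes). Prefixing the packed address is an assumption made
    here; the draft's exact input layout is not reproduced."""
    src = ipaddress.ip_address(src_addr).packed
    return hmac.new(key, src + message, hashlib.sha256).digest()


def receiver_accepts(key: bytes, seen_src: str, message: bytes,
                     icv: bytes, binds_source: bool) -> bool:
    """Receiver-side check: recompute the ICV from what actually arrived
    (including the source address of the datagram) and compare in
    constant time."""
    if binds_source:
        expected = icv_with_source(key, seen_src, message)
    else:
        expected = icv_message_only(key, message)
    return hmac.compare_digest(expected, icv)


def compare_constructions() -> dict:
    """Protect one constructed HELLO sent from fd00::1 under both
    constructions, then check what a receiver concludes when the datagram
    carries the source address fd00::1 versus a different address fd00::2."""
    hello = b"HELLO(constructed NHDP message body)"
    sender, other = "fd00::1", "fd00::2"
    plain = icv_message_only(KEY, hello)
    bound = icv_with_source(KEY, sender, hello)
    return {
        "plain_ok_from_sender": receiver_accepts(KEY, sender, hello, plain, False),
        # Message-only ICV still verifies: nothing ties it to the source
        # address NHDP will record for the neighbor.
        "plain_ok_from_other": receiver_accepts(KEY, other, hello, plain, False),
        "bound_ok_from_sender": receiver_accepts(KEY, sender, hello, bound, True),
        # Source-bound ICV fails once the address differs from the one covered.
        "bound_ok_from_other": receiver_accepts(KEY, other, hello, bound, True),
    }
```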