[Mip4] AD review of draft-ietf-mobileip-aaa-key-13.txt
Thomas Narten <narten@us.ibm.com> Wed, 30 July 2003 15:57 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA05999 for <mip4-archive@odin.ietf.org>; Wed, 30 Jul 2003 11:57:26 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19htK1-0005uk-OF for mip4-archive@odin.ietf.org; Wed, 30 Jul 2003 11:57:01 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h6UFv1WJ022729 for mip4-archive@odin.ietf.org; Wed, 30 Jul 2003 11:57:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19htK1-0005uW-Jn for mip4-web-archive@optimus.ietf.org; Wed, 30 Jul 2003 11:57:01 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA05992 for <mip4-web-archive@ietf.org>; Wed, 30 Jul 2003 11:56:56 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19htK0-0001Iz-00 for mip4-web-archive@ietf.org; Wed, 30 Jul 2003 11:57:00 -0400
Received: from ietf.org ([132.151.1.19] helo=optimus.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19htJz-0001Iw-00 for mip4-web-archive@ietf.org; Wed, 30 Jul 2003 11:56:59 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19htK0-0005tT-Gl; Wed, 30 Jul 2003 11:57:00 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19htJf-0005r4-3k for mip4@optimus.ietf.org; Wed, 30 Jul 2003 11:56:39 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA05967 for <mip4@ietf.org>; Wed, 30 Jul 2003 11:56:33 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19htJd-0001IS-00 for mip4@ietf.org; Wed, 30 Jul 2003 11:56:37 -0400
Received: from e32.co.us.ibm.com ([32.97.110.130]) by ietf-mx with esmtp (Exim 4.12) id 19htJc-0001IH-00 for mip4@ietf.org; Wed, 30 Jul 2003 11:56:36 -0400
Received: from westrelay01.boulder.ibm.com (westrelay01.boulder.ibm.com [9.17.195.10]) by e32.co.us.ibm.com (8.12.9/8.12.2) with ESMTP id h6UFu5Uj044670 for <mip4@ietf.org>; Wed, 30 Jul 2003 11:56:05 -0400
Received: from cichlid.adsl.duke.edu (sig-9-65-225-201.mts.ibm.com [9.65.225.201]) by westrelay01.boulder.ibm.com (8.12.9/NCO/VER6.5) with ESMTP id h6UFu3VC011670 for <mip4@ietf.org>; Wed, 30 Jul 2003 09:56:03 -0600
Received: from cichlid.adsl.duke.edu (narten@localhost) by cichlid.adsl.duke.edu (8.11.6/8.9.3) with ESMTP id h6UFsxS09191 for <mip4@ietf.org>; Wed, 30 Jul 2003 11:55:00 -0400
Message-Id: <200307301555.h6UFsxS09191@cichlid.adsl.duke.edu>
To: mip4@ietf.org
Date: Wed, 30 Jul 2003 11:54:59 -0400
From: Thomas Narten <narten@us.ibm.com>
Subject: [Mip4] AD review of draft-ietf-mobileip-aaa-key-13.txt
Sender: mip4-admin@ietf.org
Errors-To: mip4-admin@ietf.org
X-BeenThere: mip4@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=unsubscribe>
List-Id: Mobility for IPv4 <mip4.ietf.org>
List-Post: <mailto:mip4@ietf.org>
List-Help: <mailto:mip4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mip4>, <mailto:mip4-request@ietf.org?subject=subscribe>
Here are my review comments. Overall, I think the document is in pretty good shape, but some wording clarifications would be good. Also, more analysis of the security weaknesses is probably warranted. Thomas Substantative: > AAA security association > A security association between a AAA entity > and another node needing the services of that > AAA entity. In this document all AAA security > associations are between a mobile node and its home > AAA server (AAAH). A mobile node's AAA security > association with its home AAA server (AAAH) may be > based either on the mobile node's IP address or on > its NAI [1]. Could be more clear. In particular (based on later reading), the AAA association appears to consist of a name for it (i.e, the SPI plus addresses so that peers can agree on what AAA SA is being referred to) plus a key. The key of some size (used in Section 5). Is there anything else that is contained in this SA? It would be good to just state that the it is simply a shared symetric key. > Mobility security association > A Mobility Security Association is a simplex > connection that serves to authenticate MIPv4 control > traffic such as between a MN and HA and/or a MN and > FA. A Mobility Security Association is identified > by the two end points, such as a MN IP address and > a HA IP address, and a SPI. Two nodes may have one > or more Mobility Security Associations established > between each other; however, typically there is > no reason to have more than one Mobility Security > Association between two nodes. I.e., suggested rewording (and corrections, if I understand correctly): Mobility security association A Mobility Security Association is a bi-directional connection that applies security services to RFC 3344 MIPv4 control traffic between a MN and HA (or MN and FA) using RFC 3344 Authentication Extensions. A Mobility Security Association is uniquely identified by the peer source and destination IP addresses and an SPI. Two nodes may have one or more Mobility Security Associations established between each other; however, typically there is no reason to have more than one Mobility Security Association between two nodes. > Registration Key > A key used as the basis of a Mobility Security > Association between a mobile node and a foreign > agent. A registration key is typically only used > once or a very few times, and only for the purposes > of verifying a small volume of Authentication data. don't understand first sentence. Is Registration Key actually the key in the AAA Security Association? If so, better to just say so. > 2. If the mobile node does not have a Mobility Security Association > with the home agent, it MUST add an MN-HA Key Request extension > (see Section 7.3) as part of its Registration Request that it > sends to the Foreign Agent. Is there no other way for the MN to set up the MN-HA key other than via AAA? (Seems like the MUST is a bit strong.) > 1. Using the Key Material from the extension, the mobile node > calculates > > key = HMAC-MD5 (AAA-key, {Key Material || home address}) what is AAA-key? Is this the key that is part of the AAA SA? Would be good to define this better (e.g, define a term, and use the term consistently). Also, does this key have any particular length or other properties? > MN-FA Key Request Subtype Data > Data needed to carry out the creation of the > registration key on behalf of the mobile node. > This field is zero in length and carries no data. Would be better to have this field have the same name as is used in (say) section 5, where "Key Material" is used. Can we define a proper name for this field? Actually, why do you have this field at all, when it is defined to have zero lengh and carry no data? Security considerations seems pretty weak. Where is the analysis of the weaknesses/vulnerabilities in the system? I.e, nothing is said about how keys are distributed within the AAA and how if that is weak, how it might result in compromise of the AAA key... > One further detail deserves mention. The Mobility Security > Association to be established between the mobile node and the foreign > agent have to be communicated to the foreign agent as well as to the > mobile node. The way that the key is distributed to the foreign > agent is not relevant to any material in this document, and is > expected to be handled as part of the AAA protocol processing between > the AAAH and AAAL, and the further AAA protocol processing between > the AAAL and the foreign agent. Any method by which the key can be > securely transmitted to the AAAL and then relayed (possibly with > re-encryption) to the foreign agent, is outside the jurisdiction > of any Mobile IP specification, and thus compatible (by reason of > non-interference) with the protocol extensions specified in this > document. Note: the above is not quite true. To understand the weaknesses of the proposed extensions, one has to make assumptions about the above. I.e, is the AAA SA key actually communicated to the FA via AAA? If so, there are huge potential vulnerabilities here (one can't just assume the AAA protocols are secure enough to not worry about this). I.e, is there an assumption that the AAA Key itself will be communicated from the AAAH to AAAL (and the FA?). Nits: Could use a TOC (see ID nits, http://www.ietf.org/ID-nits.html) > AAA Registration Keys for Mobile IP title doesn't satisfy ID nits? (Not sure AAA will be acceptable to rfc editor). > the Authentication Data need by authentication extensions used in s/need/needed/ ? > It is also assumed that the AAA entities involved (i.e., the AAAH, > AAAL, and the AAA interface features of the foreign agents and home AAAH and AAAL not defined/expanded in first use. > The key material may be requested by the mobile node in new > extensions to Mobile IP Registration Request messages, and supplied > to the mobile node in extensions to the Mobile IP Registration Reply > messages. Alternatively, the AAA server MAY provide unsolicited key s/new extensions/new extensions (defined below)/ > messages. Alternatively, the AAA server MAY provide unsolicited key > material to mobile nodes; the mobile node MUST then calculate new s/material/material via mobility agents/ > 8. If a MN-HA Key Material from AAA Key Material extension is > present in the Registration Reply message, then the mobile node > MUST create or update its Mobility Security Association with the > Home Agent indicated in the Registration Reply, using the key > computed from the Key Material in the AAA extension. In this > case, if no Key Material extension is present, the mobile node > MUST discard the Registration Reply. If the mobile node does > not already have a Mobility Security Association with the Home > Agent indicated in the Registration Reply message, and if no Key > Material extension is present, the mobile node MUST discard the > Registration Reply. > Is this last sentence needed? There is an AND in the if. But one o the ANDs is already covered bythe previous sentence (I think), in which case the RR is already supposed to be discarded. > The following steps are performed on the AAA server: AAAL or AAAH? (I assume the former). > 2. The mobile node creates the Mobility Security Association, using > the key and the other relevant information in the Key Extension. > which MSA? the one to the HA or the one to the FA? > The Generalized MN-FA Key Reply extension supplies a registration key > requested by using one of the subtypes of the Generalized MN-FA Key not a "registration key", but "keying material" > MN-FA Key Reply Subtype Data > An encoded copy of the registration key, along with any > other information needed by the recipient to create the > designated Mobility Security Association. needs better text; this is not a key, its keying material. (do the same throughout document) > If the foreign agent receives a Registration Reply that has no MN-FA > Key Reply extension, and if it has no existing Mobility Security > Association with the mobile node, the foreign agent MAY change > the Code value of the Registration Reply to MISSING_MN_FA (see > section 8), effectively causing the registration to fail. Is this a typo? I thought the MN would get the RR, not the FA. How is the FA getting this? > 6.1. Generalized MN-FA Key Request Extension Note: It would seem to be better to rename this extension to be "Key Material" request or something, as this is NOT requesting a Key per se. IANA Considerations: > The Code value specified for error MISSING_MN_FA, listed in > section 8, MUST NOT conflict with any other code values listed in > RFC 3344, RFC 3024 [10], or RFC 2356 [11]. This value is to be > taken from the space of error values conventionally associated with > rejection by the foreign agent (i.e., 64-127). Above doesn't quite make sense in IANA considerations. IANA doens't assign values that have already been assigned for other purposes. Or rather, they only do so if folks have just used a number for some purpose without bothering to allocate it properly from IANA. So, the above paragraph should be reworded to just say IANA assigns a TBD, and if there is a recommended value, suggest what it is). I.e, does the WG know more than IANA about the code values that are already in use? > Section 4 introduces the Replay Method Identifier namespace that > requires IANA management. This specification makes use of 1-3; > all other values other than zero (0) or one (1) are available for > assignment, pending review and approval by a Designated Expert [12]. Better to use words like: IANA will create and maintain namespace for Replay Method Identifier as defined in Section 4. This specification... In appendix C, I think you want to use a term other than "IP Security Association". First, its a term that is not defined. Second, it can be read to mean IPsec SAs, which I suspect is not actually the case. _______________________________________________ Mip4 mailing list Mip4@ietf.org https://www.ietf.org/mailman/listinfo/mip4
- [Mip4] AD review of draft-ietf-mobileip-aaa-key-1… Thomas Narten