Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
"Kent Leung (kleung)" <kleung@cisco.com> Thu, 14 March 2013 20:15 UTC
From: "Kent Leung (kleung)" <kleung@cisco.com>
To: Alexandru Petrescu <alexandru.petrescu@gmail.com>
Date: Thu, 14 Mar 2013 20:15:06 +0000
Cc: "mip4@ietf.org" <mip4@ietf.org>
Timestamp is one of the fields in the message that is protected by key using a hash function. Since we are at IETF, let's talk offline as this seems to need some clarification and hand waving. :)

Kent

-----Original Message-----
From: Alexandru Petrescu [mailto:alexandru.petrescu@gmail.com]
Sent: Thursday, March 14, 2013 1:12 PM
To: Kent Leung (kleung)
Cc: mip4@ietf.org
Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?

On 14/03/2013 21:07, Kent Leung (kleung) wrote:
> The Authenticator value is different for RRQ vs RRP. The extension carries different value based on the message. The way to calculate the value requires the shared key between MR and HA. So it's not easy for an attacker to know the key.

Yes, there is a key which is hardly guessable.

Do you think the same key could be used precisely in the same manner in the first place, for the first RREQ, without timestamp?

Alex

>
> Kent
>
> -----Original Message-----
> From: Alexandru Petrescu [mailto:alexandru.petrescu@gmail.com]
> Sent: Thursday, March 14, 2013 1:03 PM
> To: Kent Leung (kleung)
> Cc: mip4@ietf.org
> Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
>
> On 14/03/2013 20:59, Kent Leung (kleung) wrote:
>> The RRP1 cannot be faked since the MN-HA Auth Ext protects the message.
>
> I strongly doubt that. Were it so, then the same extension could protect the first RRQ1 as well.
>
> I believe it is possible for an attacker HA to intercept the initial RRQ1(time=1970), and the RRP1(time=2013) and fake a RREP towards the MR. No?
>
> Alex
>
>>
>> Kent
>>
>> -----Original Message-----
>> From: Alexandru Petrescu [mailto:alexandru.petrescu@gmail.com]
>> Sent: Thursday, March 14, 2013 12:58 PM
>> To: Kent Leung (kleung)
>> Cc: mip4@ietf.org
>> Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
>>
>> On 14/03/2013 20:47, Kent Leung (kleung) wrote:
>>> Hmm, I'm not clear with your response.
>>>
>>> Let's assume the following scenario.
>>>
>>> 1. MR sends initial RRQ1 (time=a) to HA
>>> 2. HA sends RRP1 (time=b) with code 133
>>
>> Ok. Do you think MR receiving this RRP1 will be able to safely verify it is legitimate? Or is it possible that an attacker HA fakes this RRP1 message?
>>
>>> 3. MR sends RRQ2 (time=b+)
>>> 4. HA sends RRP2(time=b+) => registration successful
>>> 5. After MR recovers from failure, MR sends RRQ3(time=c)
>>> 6. HA sends RRP3(time=d) with code 133
>>> 7. MR sends RRQ4(time=d+)
>>> 8. HA sends RRP4(time=d+) => reregistration successful
>>
>> These latter steps 3-8 make sense.
>>
>> Alex
>>
>>>
>>> We would need to confirm if #6 happens properly for a specific vendor. :) But I would expect #7 should happen if code 133 is received.
>>>
>>> Kent
>>>
>>> -----Original Message-----
>>> From: mip4-bounces@ietf.org [mailto:mip4-bounces@ietf.org] On Behalf Of Alexandru Petrescu
>>> Sent: Thursday, March 14, 2013 12:40 PM
>>> To: mip4@ietf.org
>>> Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
>>>
>>> On 14/03/2013 20:38, Kent Leung (kleung) wrote:
>>>>
>>>> It needs to have the time, even if it does second registration. It's not a problem it takes longer (we can send easily two messages). But the second message will also be refused by the HA because it still has the wrong time.
>>>>
>>>> KL> Why is the timestamp in the 2nd RRQ wrong?
>>>
>>> Because the computer has lost its time, because it was turned off for a long time (vehicle in garage for several weeks in winter time). It now has year 1970.
>>>
>>> Alex
>>>
>>>>
>>>> Kent
>>>>
>>>
>>> --
>>> Mip4 mailing list: Mip4@ietf.org
>>> Web interface: https://www.ietf.org/mailman/listinfo/mip4
>>> Charter page: http://www.ietf.org/html.charters/mip4-charter.html
>>> Supplemental site: http://www.mip4.org/
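The exchange Kent lays out (RRQ1 with a stale time, RRP1 with code 133 carrying the HA's time, RRQ2 resynced and accepted) and his point that the timestamp sits under the keyed hash, as an added, constructed model in Python; this is not code from either poster or from any Mobile IPv4 implementation. It assumes a stripped-down message layout (one type byte, a 64-bit Identification, an HMAC-MD5 tag), a constructed shared key and a 7-second skew policy; real RFC 3344 messages carry more fields and the authenticator also covers the extension's type, length and SPI.

```python
import hashlib, hmac, struct

# Constructed, simplified model of the RFC 3344 exchange in the thread: one-byte type,
# a 64-bit Identification (high word = NTP timestamp, low word = per-request nonce) and
# an HMAC-MD5 authenticator (the RFC 3344 default). Real messages carry more fields.
NTP_OFFSET = 2208988800      # seconds between the 1900 (NTP) and 1970 (Unix) epochs
CODE_ACCEPTED = 0
CODE_ID_MISMATCH = 133       # registration Identification mismatch
MAX_SKEW = 7                 # HA's tolerated clock skew in seconds (assumed policy)
MN_HA_KEY = b"constructed-mn-ha-key"   # constructed sample MN-HA shared key

def authenticator(key, body):
    # The timestamp sits inside body, so it is covered by the keyed hash.
    return hmac.new(key, body, hashlib.md5).digest()

def build_rrq(mn_unix_time, nonce, key=MN_HA_KEY):
    body = struct.pack("!BII", 1, mn_unix_time + NTP_OFFSET, nonce)
    return body + authenticator(key, body)

def ha_handle_rrq(rrq, ha_unix_time, key=MN_HA_KEY):
    body, tag = rrq[:-16], rrq[-16:]
    if not hmac.compare_digest(authenticator(key, body), tag):
        return None                               # bad authenticator: HA drops the RRQ
    _, id_hi, id_lo = struct.unpack("!BII", body)
    ha_ntp = ha_unix_time + NTP_OFFSET
    mismatch = abs(id_hi - ha_ntp) > MAX_SKEW
    code = CODE_ID_MISMATCH if mismatch else CODE_ACCEPTED
    reply_hi = ha_ntp if mismatch else id_hi      # on 133 the reply carries the HA's time
    reply = struct.pack("!BBII", 3, code, reply_hi, id_lo)   # low word echoed back
    return reply + authenticator(key, reply)

def mn_handle_rrp(rrp, sent_nonce, key=MN_HA_KEY):
    body, tag = rrp[:-16], rrp[-16:]
    if not hmac.compare_digest(authenticator(key, body), tag):
        return ("reject", "bad authenticator")    # forged or altered reply
    _, code, id_hi, id_lo = struct.unpack("!BBII", body)
    if id_lo != sent_nonce:
        return ("reject", "not a reply to our request")
    if code == CODE_ID_MISMATCH:
        return ("resync", id_hi - NTP_OFFSET)     # adopt the HA's time for RRQ2
    return ("accepted", None) if code == CODE_ACCEPTED else ("reject", code)

def run_exchange(mn_unix_time, ha_unix_time):
    """Steps 1-4 of Kent's scenario; returns the MN's verdict on each RRP."""
    rrp1 = ha_handle_rrq(build_rrq(mn_unix_time, 1), ha_unix_time)
    verdict, ha_time = mn_handle_rrp(rrp1, 1)
    verdicts = [verdict]
    if verdict == "resync":                       # step 3: RRQ2 with time=b+
        rrp2 = ha_handle_rrq(build_rrq(ha_time, 2), ha_unix_time)
        verdicts.append(mn_handle_rrp(rrp2, 2)[0])
    return verdicts
```

A reply built under any key other than MN_HA_KEY, even one carrying a plausible code 133 and timestamp, fails the authenticator check in mn_handle_rrp before its Identification is looked at, which is the property the thread is arguing about.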