Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?

Alexandru Petrescu <alexandru.petrescu@gmail.com> Thu, 14 March 2013 20:03 UTC

Message-ID: <51422D07.9070901@gmail.com>
Date: Thu, 14 Mar 2013 21:03:19 +0100
From: Alexandru Petrescu <alexandru.petrescu@gmail.com>
To: "Kent Leung (kleung)" <kleung@cisco.com>
Cc: "mip4@ietf.org" <mip4@ietf.org>

On 14/03/2013 20:59, Kent Leung (kleung) wrote:
> The RRP1 cannot be faked since the MN-HA Auth Ext protects the
> message.

I strongly doubt that.  Were it so, then the same extension could
protect the first RRQ1 as well.

I believe it is possible for an attacker HA to intercept the initial
RRQ1(time=1970), and the RRP1(time=2013) and fake a RREP towards the
MR.  No?

Alex

>
> Kent
>
> -----Original Message-----
> From: Alexandru Petrescu [mailto:alexandru.petrescu@gmail.com]
> Sent: Thursday, March 14, 2013 12:58 PM
> To: Kent Leung (kleung)
> Cc: mip4@ietf.org
> Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
>
> On 14/03/2013 20:47, Kent Leung (kleung) wrote:
>> Hmm, I'm not clear with your response.
>>
>> Let's assume the following scenario.
>>
>> 1. MR sends initial RRQ1 (time=a) to HA
>> 2. HA sends RRP1 (time=b) with code 133
>
> Ok.  Do you think MR receiving this RRP1 will be able to safely
> verify it is legitimate?  Or is it possible that an attacker HA
> fakes this RRP1 message?
>
>> 3. MR sends RRQ2 (time=b+)
>> 4. HA sends RRP2(time=b+) => registration successful
>> 5. After MR recovers from failure, MR sends RRQ3(time=c)
>> 6. HA sends RRP3(time=d) with code 133
>> 7. MR sends RRQ4(time=d+)
>> 8. HA sends RRP4(time=d+) => reregistration successful
>
> These latter steps 3-8 make sense.
>
> Alex
>
>>
>> We would need to confirm if #6 happens properly for a specific
>> vendor. :) But I would expect #7 should happen if code 133 is
>> received.
>>
>> Kent
>>
>> -----Original Message-----
>> From: mip4-bounces@ietf.org [mailto:mip4-bounces@ietf.org] On Behalf Of Alexandru Petrescu
>> Sent: Thursday, March 14, 2013 12:40 PM
>> To: mip4@ietf.org
>> Subject: Re: [Mip4] Does MIP support RegReq authentication without having to do timekeeping?
>>
>> On 14/03/2013 20:38, Kent Leung (kleung) wrote:
>>>
>>> It needs to have the time, even if it does second registration.
>>> It's not a problem it takes longer (we can send easily two
>>> messages). But the second message will also be refused by the HA
>>> because it still has the wrong time.
>>>
>>> KL> Why is the timestamp in the 2nd RRQ wrong?
>>
>> Because the computer has lost its time, because it was turned off
>> for a long time (vehicle in garage for several weeks in winter
>> time).  It now has year 1970.
>>
>> Alex
>>
>>>
>>> Kent
>>>
>>>
>
>
>
>
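
The resynchronisation exchange from steps 1-4 of the quoted scenario, with the checks RFC 5944 section 5.7.1 places on the mobile node before it uses the time carried in a code 133 reply; this is an added example, not code from the thread or from any Mobile IP implementation. The message tuples, the HMAC-SHA256 authenticator standing in for the MN-HA Authentication Extension, the Unix-second timestamps and every key and low-order value are simplifying assumptions.

```python
import hashlib
import hmac

RRQ, RRP = 1, 3                  # Registration Request / Reply message types
ACCEPTED, ID_MISMATCH = 0, 133   # reply codes discussed in the thread
MAX_SKEW = 7                     # default clock difference (seconds) the HA tolerates
LOW = 0xFFFFFFFF                 # low-order half of the 64-bit Identification

def auth(key, msg_type, code, ident):
    """Assumed stand-in authenticator: HMAC-SHA256 over the simplified fields."""
    data = bytes([msg_type, code]) + ident.to_bytes(8, "big")
    return hmac.new(key, data, hashlib.sha256).digest()

def make_rrq(key, mn_clock, low):
    ident = (mn_clock << 32) | low            # timestamp high, per-request value low
    return ident, auth(key, RRQ, 0, ident)

def ha_reply(key, rrq, ha_clock):
    ident, tag = rrq
    if not hmac.compare_digest(tag, auth(key, RRQ, 0, ident)):
        return None                           # unauthenticated request: dropped here
    code = ACCEPTED
    if abs((ident >> 32) - ha_clock) > MAX_SKEW:
        # Reject: HA's own time in the high half, MN's low half echoed back.
        code, ident = ID_MISMATCH, (ha_clock << 32) | (ident & LOW)
    return code, ident, auth(key, RRP, code, ident)

def mn_handle(key, pending_ident, reply):
    code, ident, tag = reply
    if not hmac.compare_digest(tag, auth(key, RRP, code, ident)):
        return "discard: bad authenticator", None
    if (ident & LOW) != (pending_ident & LOW):
        return "discard: not a reply to the pending request", None
    if code == ID_MISMATCH:
        return "resync", ident >> 32          # only now is the HA's time used
    if code == ACCEPTED and ident == pending_ident:
        return "registered", None
    return "discard: unexpected reply", None

def run_exchange():
    key, ha_clock = b"constructed-mn-ha-key", 1363291380   # constructed: 14 Mar 2013
    rrq1 = make_rrq(key, 0, 0x1111)            # MN clock reset to 1970, constructed low
    rrp1 = ha_reply(key, rrq1, ha_clock)
    first = mn_handle(key, rrq1[0], rrp1)
    rrq2 = make_rrq(key, first[1], 0x2222)     # retry with the HA's time
    second = mn_handle(key, rrq2[0], ha_reply(key, rrq2, ha_clock))
    bad_ident = (42 << 32) | (rrq2[0] & LOW)   # reply built without the shared key
    forged = (ID_MISMATCH, bad_ident, auth(b"other-key", RRP, ID_MISMATCH, bad_ident))
    return {"rrp1": first, "rrp2": second,
            "forged": mn_handle(key, rrq2[0], forged),
            "replayed_rrp1": mn_handle(key, rrq2[0], rrp1)}
```
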