[Mip6] AD review of draft-ietf-mip6-bootstrapping-split
Jari Arkko <jari.arkko@piuha.net> Tue, 02 January 2007 13:13 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H1jSG-0007iv-FF; Tue, 02 Jan 2007 08:13:24 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H1jSF-0007io-6J for mip6@ietf.org; Tue, 02 Jan 2007 08:13:23 -0500
Received: from p130.piuha.net ([193.234.218.130]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H1jSE-00065x-CN for mip6@ietf.org; Tue, 02 Jan 2007 08:13:23 -0500
Received: from p130.piuha.net (localhost [127.0.0.1]) by p130.piuha.net (Postfix) with ESMTP id 3A66B898C8; Tue, 2 Jan 2007 15:13:16 +0200 (EET)
Received: from [127.0.0.1] (p130.piuha.net [193.234.218.130]) by p130.piuha.net (Postfix) with ESMTP id D9FA8898C6; Tue, 2 Jan 2007 15:13:15 +0200 (EET)
Message-ID: <459A5A6C.5070602@piuha.net>
Date: Tue, 02 Jan 2007 15:13:16 +0200
From: Jari Arkko <jari.arkko@piuha.net>
User-Agent: Thunderbird 1.5.0.8 (X11/20061117)
MIME-Version: 1.0
To: Mobile IPv6 Mailing List <mip6@ietf.org>, Giaretta Gerardo <gerardo.giaretta@telecomitalia.it>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV using ClamSMTP
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 7e267523e0685e5aa2dbbdde4b659686
Cc:
Subject: [Mip6] AD review of draft-ietf-mip6-bootstrapping-split
X-BeenThere: mip6@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mip6.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mip6@ietf.org>
List-Help: <mailto:mip6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=subscribe>
Errors-To: mip6-bounces@ietf.org
Hi all, I have reviewed this specification. Overall, I like the basic approach and this will be very useful. The document is generally in good shape. However, there are a few technical issues that need to be resolved before we can move forward. In particular, the authorization steps need to be specified in greater detail, and I also had question marks about the particular approach to anycast. Also, I have asked the DNS directorate to review the DNS-relevant parts. Please find the detailed comments below: Technical: > This > implies that the mobility service is bootstrapped independently > from the authentication protocol for network access used (e.g. > PANA, EAP). Perhaps you should allow for the possibility that there is no access authorization. Suggested edit: "... from the security mechanisms used for network access (e.g., EAP or even open access) > Additionally, the ability to provide a mobile node with a > localized home agent (e.g. on the visited link) can help to > optimize handover signaling and improve routing efficiency in bi- > directional tunneling mode. There are a variety of ways this can > be achieved in an interoperable way. One way is to provision the > mobile node with an FQDN for a local home agent when it configures > for the local link. Another way is to specify an interoperable > naming convention for constructing home agent FQDNs based on > location. For example, an operator might assign the FQDN > "ha.locationA.operator.com" to the Home Agent located in "location > A" and the FQDN "ha.locationB.operator.com" to the Home Agent > located in "location B". If the Mobile Node wants to use a Home > Agent located in "location A", it will set the QNAME to > "ha.locationA.operator.com" in the DNS request. The exact way in > which localized Home Agents are configured is out of scope for > this draft. This part is rather handwavy. I could not implement anything interoperable based on it. I realize that we debated this in 2005, based on my earlier review of the same document. From the mailing list discussion that I went through, it seemed that there was some support in the WG for keeping the local assignments out of scope. Here's a suggested rewrite: Note that the configuration of a fixed home agent FQDN does allow dynamic assignment of a localized home agent. Such dynamic assignment would be useful, however, for instance from the point of view of improving routing efficiency in bidirectional tunneling mode. Enhancements or conventions for dynamic assignment are possible, but are outside the scope of this specification. > If an anycast address is returned in response to DNS resolution of > an FQDN, the IKEv2 transaction between the Mobile Node and Home > Agent is slightly modified. The Mobile Node sends the IKE_SA_INIT > request to the anycast address. The node which has the anycast > address assigned to one of its network interfaces selects a Home > Agent address from the set of Home Agents managed by the node, and > forwards the IKE_SA_INIT. If the set of Home Agents is empnty, the > node simply drops the packet. The Home Agent answers using its own > address, and includes an "under attack" cookie, in accordance with > RFC 4306 [7]. The Mobile Node notes the Home Agent address and > resends the IKE_SA_INIT message to the Home Agent, along with the > cookie. There are several issues in this. First, I think I understand at least one reason why the cookie exchange makes sense, but is that something that has to be mandated? What if the home network simply figures out what HA should be used and responds in the usual IKEv2 way? Secondly, responding with the home agent's own address is in violation of a MUST in RFC 4306, Section 2.11. I talked to one of the IKEv2 designers about this and his advice was that the MUST may have been a mistake. Or at least it should be limited to unicast addresses, and leave the behaviour for anycast addresses for future documents. In any case, this deviation from RFC 4306 should be highlighted and justified in the document. The third issue is the above notion of a node that owns an anycast address. How does this relate to the usual arrangement where the routing system handles the delivery of the anycast packets to the "closest" place that advertises that address? When you say "forwards", do you mean that the packet is forwarded unmodified, or that the particular home agent's address replaces the destination address? Do you allow each home agent to configure the same anycast address? Four: What happens when the IKE SA dies or is deleted, but a binding for the mobile node remains in the selected home agent? Will the mobile node re-establish the IKE SA using the anycast address, or the address of the selected home agent? Finally, I wonder how useful the anycast part of this spec is given that DNS can already provide a set of addresses. > o MN identity - the identity of the Mobile Node to be used by the > Home Agent to send a Dynamic DNS update. It is a variable > length field. What format is this in? Please specify. > The Home Agent MUST set up authorization by linking the home > address to the identity of the IPsec SAs used to authenticate the > Binding Update message. The linking MUST be done either during the > IKE_AUTH phase or CREATE_CHILD_SA phase when the IPsec SAs are > constructed. > > If the address is auto-configured, RFC 3775 requires the Home > Agent to proxy-defend the address on the home link after the > Mobile Node performs the initial Binding Update. Since it is not > currently possible to securely proxy CGAs using SEND, attacks on > address resolution for Neighbor Discovery listed in RFC 3756 are > possible on dynamically assigned home addresses that are proxied > by the Home Agent. I do not know what to implement based on the above description. Its clear that a link must be established between the IKE identity and the requested home address. But how? What should be done with the information about the link? By the way, why does the text say "identity of the IPsec SAs"? I believe you should talk about the identity used in the IKEv2 authentication process. There are other reasons beyond lack of SEND proxy mode that make the use of DAD for authorization bad. Its not reliable, not all nodes may be on or reachable at all times, etc. Here's a possible rewrite of the text. Let me know if this is what you intended to do: "The home agent MUST authorize each home address allocation and use. This authorization is based on linking the mobile node identity used in the IKEv2 authentication process and the home address. Home agents MUST support at least the following two modes of authorization: o Configured home address(es) for each mobile node. In this mode, the home agent or infrastructure nodes behind it know what addresses a specific mobile node is authorized to use. The mobile node is allowed to request these addresses, or if the mobile node requests any home address, these addresses are returned to it. o First-come-first-served (FCFS). In this mode, the home agent maintains a pool of "used" addresses, and allows mobile nodes to request any address, as long as it is not used by another mobile node. Addresses MUST be marked as used for at least as long as the binding exists, and are associated with the identity of the mobile node that made the allocation. In addition, the home agent MUST ensure that the requested address is not the authorized address of any other mobile node, if both FCFS and configured modes use the same address space." > Mobile IPv6 bootstrapping recommends the Home Agent to update the > Mobile Node's FQDN with a dynamically assigned home address rather > than have the Mobile Node itself do it (see Section 6 above). This > choice was motivated by a concern for preventing redirection-based > flooding attacks (see draft-ietf-mip6-ro-sec [21] for more > information about redirection-based flooding attacks and the role > preventing them played in the design of Mobile IPv6 route > optimization security). Exactly as for route optimization, it is > possible for a node that is the legitimate owner of a DNS FQDN - > in the sense that it has a security association with the DNS > server allowing it to perform dynamic DNS update of its FQDN - to > bind its FQDN to the address of a victim, then redirect large > volumes of traffic at the victim. The attack may be propagated > without the owner's knowledge, for example, if the node is > compromised by malware, or it may be intentional if the node > itself is the attacker. > > While it is possible to prevent redirection attacks through > ingress filtering on access routers, ISPs have little or no > incentive to deploy ingress filtering. In some cases, if an attack > could result in substantial financial gain, it is even possible > that a corrupt ISP may have an incentive not to deploy ingress > filters such as has been the case for spam. Consequently, the > security for dynamic Mobile Node FQDN update has been assigned to > the Home Agent, where active network administration and vigilant > defense measures are more likely to (but are not assured of) > mitigating problems, and the owner of the Mobile Node is more > likely to detect a problem if it occurs. There are good reasons why using a proxy to do the DynDNS update from your behalf makes sense. But I don't think the above is such a good reason. The route optimization redirect problem assumes that traffic from an ongoing session is suddenly moved to a new address. If you just change the DNS information, ongoing sessions are not affected, and all new sessions go through the usual TCP slow start etc. (A good reason why it makes sense to use a proxy is that then you just need a secret between the DNS server and the home agent, not between the DNS server and every mobile node.) > Notice that if certificates are used in > IKEv2, the authorization information about the FQDN for DNS update > MUST be present in the certificate provided by the Mobile Node. Yes -- but can you write this in more explicit form? For instance, I assume that you meant the FQDN must appear in some specific field in the certificate. > Regardless of whether the AAA server or Home Agent performs DNS > update, the authorization of the Mobile Node to update a FQDN MUST > be checked prior to the performance of the update. It is an > implementation issue as to how authorization is determined. > However, in order to allow this authorization step, the Mobile > Node MUST use a FQDN as the IDi in IKE_AUTH step of the IKEv2 > exchange. The FQDN MUST be the same that will be provided by the > Mobile Node in the DNS Update Option. This allows the Home Agent > to get authorization information about the Mobile Node's FQDN via > the AAA back end communication performed during IKEv2 exchange. > The outcome of this step will give the Home Agent the necessary > information to authorize the DNS update request of the Mobile > Node. See draft-ietf-mip6-aaa-ha-goals [14] for details about the > communication between the AAA server and the Home Agent needed to > perform the authorization. Notice that if certificates are used in > IKEv2, the authorization information about the FQDN for DNS update > MUST be present in the certificate provided by the Mobile Node. This is another case where I believe the important authorization step is underspecified, and needs to be specified in more detail to make sure people actually can implement it. And that they will get it right. Also, I am unsure if the requirement to use the FQDN in the IKEv2 exchange is helpful. If an FQDN X is used in the IKEv2 exchange, but the actual authentication employs IKEv2/EAP with a method that does its own identity exchange with FQDN Y, what happens? Also, you are preventing privacy NAI usage in the IKEv2 exchange. And if you use a FQDN (no "@", i.e., not a NAI) in the IKEv2 identity, how will the gateway be able to route the AAA request? One alternative approach would be to require the following: - If certificates are used, then the FQDN must appear there (but see my previous comment). - Otherwise, the mobile node's identity is taken as asserted in the EAP method where available and otherwise from the IKEv2 exchange. - Home agent must be able to match mobile node identities to allowed FQDNs. For certs, step 1 above suffices. In other cases its basically configured information. - The division of work between the home agent and AAA is outside the scope of this document. Note that there may be non-trivial issues, such as when the actual identity is end-to-end hidden between the mobile node and the AAA server. Editorial: > mobility service.. s/.././ > MSP. Figure 3 illustrates. s/illustrates/illustrates this/ > forwards the IKE_SA_INIT. If the set of Home Agents is empnty, the Typo > o Home Prefix (16 octets) - The prefix of the home link through > which the Mobile Node must auto-configure its Home Address. s/must/may/ -- there can be multiple such prefixes, so the mobile node cannot be mandated to use _this_ prefix. Alternatively, you can explain that the use of a particular prefix or auto-configuration is optional, but that if autoconfiguration is used, then one of the provided prefixes must be used. > Security considerations for discovering HA using DHCP are covered > in draft-jang-dhc-haopt-01 [15]. > [15] Koodli, R., Devarapalli, V., Perkins, C., Flinck, H., > "Solutions for IP Address Location Privacy in the presence > of IP Mobility", Internet-Draft, draft-koodli-mip6-location- > privacy-solutions-00, February 2005. I suppose referring to draft-jang is no longer necessary, if the contents are being moved to a MIP6 WG item draft. Also, the draft name and reference number do not match. _______________________________________________ Mip6 mailing list Mip6@ietf.org https://www1.ietf.org/mailman/listinfo/mip6
- [Mip6] AD review of draft-ietf-mip6-bootstrapping… Jari Arkko
- Re: [Mip6] AD review of draft-ietf-mip6-bootstrap… Gerardo Giaretta
- Re: [Mip6] AD review of draft-ietf-mip6-bootstrap… Vijay Devarapalli
- Re: [Mip6] AD review of draft-ietf-mip6-bootstrap… Jari Arkko
- Re: [Mip6] AD review of draft-ietf-mip6-bootstrap… Jari Arkko
- Re: [Mip6] AD review of draft-ietf-mip6-bootstrap… Vijay Devarapalli
- Re: [Mip6] AD review of draft-ietf-mip6-bootstrap… Kilian Weniger
- Re: [Mip6] AD review of draft-ietf-mip6-bootstrap… Gerardo Giaretta
- Re: [Mip6] AD review of draft-ietf-mip6-bootstrap… Vijay Devarapalli
- Re: [Mip6] AD review of draft-ietf-mip6-bootstrap… Gerardo Giaretta
- Re: [Mip6] AD review of draft-ietf-mip6-bootstrap… Vijay Devarapalli
- Re: [Mip6] AD review of draft-ietf-mip6-bootstrap… Gerardo Giaretta
- Re: [Mip6] AD review of draft-ietf-mip6-bootstrap… Vijay Devarapalli
- Local HA assignment using DNS (was Re: [Mip6] AD … Vijay Devarapalli
- Re: [Mip6] AD review of draft-ietf-mip6-bootstrap… Vijay Devarapalli
- Re: [Mip6] AD review of draft-ietf-mip6-bootstrap… Gerardo Giaretta
- RE: [Mip6] AD review of draft-ietf-mip6-bootstrap… Kilian Weniger
- Re: [Mip6] AD review of draft-ietf-mip6-bootstrap… Vijay Devarapalli
- Re: [Mip6] AD review of draft-ietf-mip6-bootstrap… Vijay Devarapalli
- RE: [Mip6] AD review of draft-ietf-mip6-bootstrap… Kilian Weniger
- Re: [Mip6] AD review of draft-ietf-mip6-bootstrap… James Kempf