Re: [Mip6] comments on draft-haddad-mipv6-omipv6-01.txt
Francis Dupont <Francis.Dupont@enst-bretagne.fr> Mon, 01 March 2004 12:52 UTC
Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA16014 for <mip6-archive@odin.ietf.org>; Mon, 1 Mar 2004 07:52:33 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Axmtw-000890-12 for mip6-archive@odin.ietf.org; Mon, 01 Mar 2004 07:52:05 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i21Cq3pG031283 for mip6-archive@odin.ietf.org; Mon, 1 Mar 2004 07:52:03 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1Axmtu-00088Q-0h for mip6-web-archive@optimus.ietf.org; Mon, 01 Mar 2004 07:52:02 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA15913 for <mip6-web-archive@ietf.org>; Mon, 1 Mar 2004 07:51:59 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1Axmtt-0002uw-00 for mip6-web-archive@ietf.org; Mon, 01 Mar 2004 07:52:01 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1AxmsL-0002XZ-00 for mip6-web-archive@ietf.org; Mon, 01 Mar 2004 07:50:26 -0500
Received: from [65.246.255.50] (helo=mx2.foretec.com) by ietf-mx with esmtp (Exim 4.12) id 1Axmqr-0002Ci-01 for mip6-web-archive@ietf.org; Mon, 01 Mar 2004 07:48:53 -0500
Received: from optimus.ietf.org ([132.151.1.19]) by mx2.foretec.com with esmtp (Exim 4.24) id 1Axmdl-0005zE-96 for mip6-web-archive@ietf.org; Mon, 01 Mar 2004 07:35:21 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AxmdT-0005lu-8U; Mon, 01 Mar 2004 07:35:03 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1AxmdA-0005kg-80 for mip6@optimus.ietf.org; Mon, 01 Mar 2004 07:34:44 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id HAA14886 for <mip6@ietf.org>; Mon, 1 Mar 2004 07:34:41 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1Axmd9-0000g3-00 for mip6@ietf.org; Mon, 01 Mar 2004 07:34:43 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1AxmcH-0000Yk-00 for mip6@ietf.org; Mon, 01 Mar 2004 07:33:51 -0500
Received: from laposte.rennes.enst-bretagne.fr ([192.44.77.17]) by ietf-mx with esmtp (Exim 4.12) id 1AxmbT-0000ML-00 for mip6@ietf.org; Mon, 01 Mar 2004 07:32:59 -0500
Received: from givry.rennes.enst-bretagne.fr (givry.rennes.enst-bretagne.fr [193.52.74.194]) by laposte.rennes.enst-bretagne.fr (8.11.6p2/8.11.6/2003.04.01) with ESMTP id i21CTCw02574; Mon, 1 Mar 2004 13:29:12 +0100
Received: from givry.rennes.enst-bretagne.fr (localhost.rennes.enst-bretagne.fr [127.0.0.1]) by givry.rennes.enst-bretagne.fr (8.12.3/8.12.3) with ESMTP id i21CTCSj054045; Mon, 1 Mar 2004 13:29:12 +0100 (CET) (envelope-from dupont@givry.rennes.enst-bretagne.fr)
Message-Id: <200403011229.i21CTCSj054045@givry.rennes.enst-bretagne.fr>
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
To: Jari Arkko <jari.arkko@kolumbus.fi>
cc: mip6@ietf.org, Wassim Haddad <whaddad@tcs.hut.fi>
Subject: Re: [Mip6] comments on draft-haddad-mipv6-omipv6-01.txt
In-reply-to: Your message of Mon, 01 Mar 2004 05:44:32 +0200. <4042B1A0.3050307@kolumbus.fi>
Date: Mon, 01 Mar 2004 13:29:12 +0100
X-Virus-Scanned: by amavisd-milter (http://amavis.org/) at enst-bretagne.fr
Sender: mip6-admin@ietf.org
Errors-To: mip6-admin@ietf.org
X-BeenThere: mip6@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=unsubscribe>
List-Id: <mip6.ietf.org>
List-Post: <mailto:mip6@ietf.org>
List-Help: <mailto:mip6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.60
In your previous mail you wrote: But you mention that your intent is to provide a more secure signaling scheme than RR is. => in fact OMIPv6 is not more or less secure than the initial mechanism, RR today or any replacement in the future. OMIPv6 plays with the PBK trade-off, i.e., narrower window of vulnerability and longer impact of successful attack. But OMIPv6 is really optimized, i.e., it gives better performance (a RTT per renew or movement). However (and perhaps I'm missing something obvious), it seems that the proposed use of Diffie-Hellman has security impacts which actually make it less secure than standard RR. => I disagree: the security level is the same (i.e., it is poor but this another issue :-). My concerns are listed below; after that there are some suggested modifications which can make your protocol more secure. "Kilroy was here first" -attack If I have understood correctly, in OMIPv6, any change to the binding cache must be authenticated via the derived shared secret. It is even not possible to rerun RR and OMIPv6 without proving the possession of the shared secret. => this is required because if an RR can be rerun at any time an attacker who missed the vulnerability window has just to restart the whole stuff from the beginning. (more about recovery after) As a result, once a shared secret is established, it is hard for other parties to change the binding. This is normally a positive thing, => this is and RR should have this: without this you can't even speak about a vulnerability *window*... however, it becomes negative if it happens that the initial DH exchange was compromised and is now in control of the binding. It can perhaps be argued that this attack is hard, because the attacker would have to be both on the mobile node - correspondent node and home agent - correspondent node paths. => this is the trade-off and as a trade-off it has advantages and disadvantages. However, there is another attack, much more serious that can be executed easily [draft-aura]. More specifically, an attacker can initiate an RR and DH exchange all by himself, without compromising any ongoing legitimate exchange. If the attacker does this before the mobile node in question has established the binding, the mobile node can no longer communicate with the correspondent node at all. Moreover, all the communications from the correspondent node intended to the mobile node go to a location selected by the attacker. => this is the counter part to be immune to the fake RR attack at any time, i.e., with current RR when an attacker wants to mess communications between a mobile node and a correspondent it can initiate a new RR and redirect the traffic to the hell. The only defense for the mobile node, in the case it understands what's happen, is to enter in a race with the attacker. In order to execute this attack, one needs to defeat the RR protocol. => if your hidden argument is that OMIPv6 is more interesting with a stronger mechanism than RR I agree... But this only requires presence on the path from the home agent to the correspondent node. It is not an issue in RR, since nodes that are on that path can perform equally bad attacks anyway and RR limits the vulnerability by requiring that the attack is all the time on this path. With OMIPv6, the attacker would no longer need to be on the path permanently, only once. => this is *again* the trade-off... And if you'd like to use shorter lifetime for OMIPv6 you'll get more vulnerability windows. Perhaps you'd like to adapt the OMIPv6 lifetime to the strength of the initial mechanism? This attack is particularly dangerous for non-mobile nodes. One would normally not assume that hosts without Mobile IPv6 support are vulnerable to problems in Mobile IPv6. => so one should bann RR which has this unfortunate property. However, when the correspondent node supports OMIPv6, an attacker who is at least temporarily on the path between the victim and the correspondent node can now cause the victim's traffic to be permanently redirected (the attacker may have to refresh => s/permanently/for a longer time/ the binding now and then, but he no longer has to be on the path). For instance, an attacker who temporarily visits an office Wireless LAN could set up an OMIPv6-protected binding at www.cnn.com for the office proxy server. As a result, all communications between the proxy server and the www server would fail. => the attack is harder but has when it successful a longer impact... This vulnerability is serious, because a temporary problem expands into a more permanent problem, and can affect any IPv6 node even without Mobile IPv6 support. => I agree for the first statement (with something weaker than permanent) but not for the second which already stands for RR. "Recovery mechanism" -attack Nodes can reboot and forget their state, => IMHO the best is to use stable storage because I don't want to require longer reboot delays (:-). Note that there are some protocols to solve this problem, even with very weak assumptions as in RR. or get an address that someone else was using a while ago. => mobile nodes are supposed to delete previous bindings so there is another condition for this case which is already so unlikely that IMHO it should happen only during attacks. As discussed in [draft-aura], it is necessary to have a recovery mechanism. In essence, such recovery mechanism should be able to undo an OMIPv6-protected binding. For instance, a persistent ICMP error could lead to the correspondent node into believing that the binding is invalid. => the example is just to give a very poor mechanism, isn't it? (:-) Unfortunately, such recovery mechanisms can be exploited by attackers, making it possible to undo a legitimately created OMIPv6-protected binding, and create a new one in place (for instance in the method discussed in the previous section). => so any weak recovery mechanism should be associated with an hold-down, i.e., the correspondent must forbid the creation of a new binding via a restart of the whole stuff during a reasonable delay. There is no hold-down in Mobile IPv6, perhaps we should add this in order to mitigate some attacks? OMIPv6 is currently missing a recovery mechanism, however. Perhaps it can be designed in a way that there is no attack. => I propose stable storage when it is possible for the mobile node side and hold-down against restarts when a binding is detected as being broken for the correspondent node side. Summary While the first attack described above is similar to the one that exists in RR, its results are worse than in OMIPv6. => worse results/harder attacks Findings in [draft-aura] make it hard to see an easy way to fix this; basically a "leap-of-faith" or PBK like approach does not sound suitable for the RO problem, even if they can be successfully used in, e.g., application layer protocols. => please note that PBKs were introduced in the RO context so this is your personal opinion only. The basic problem is that there is no user confirmation about making the leap of faith, leading to the possibility of the attacker doing the operation before you. => and the basic advantage is the attacker has to be before you. Then again, I could be missing something. Let me know what. Possible suggestions on how to improve the security of your approach: - In [draft-roe] we proposed a scheme that incorporated Diffie-Hellman which did not rely _just_ on the RR as its initial authentication. => OMIPv6 doesn't rely just on RR, it just uses what is available which is RR today. Instead, it used a combination of RR and CGA tests. I don't remember => please either give a free license for CGAs to everybody or avoid to use them. if we actually eliminated all but the first home test messages; it seems that at least some optimization is possible there even if we didn't do in the draft. => this is well known that stronger mechanisms than RR exist but: - some of them already provide long term protection - none is standardized for RO. I think we are going to need something like this, maybe not exactly the same proposal, but something better than RR if the Kbm is to be made more permanent. => see before. And with the stronger proposed mechanism, IPsec, the lifetime can be unbound (still less than permanent :-). - While avoiding security infrastructure and configuration is indeed very much desired, I would note that a DH authenticated by a pre-configured shared key between the home agent (or mobile node) and correspondent node would NOT be vulnerable to issues that I described above. => with a pre-configured shared secret between the mobile node and the correspondent node there is no reason not to jump to IPsec. About the home agent I'd like to see a reason to trust it more than somebody else... Similarly, AAA could be used to authenticate the D-H somehow. I think this is what [draft-le] did. => an AAA infrastructure covering the mobile and correspondent nodes is a very strong assumption. And in this case you can again jump to IPsec... - If RR as initial authentication for D-H is deemed sufficient, there would be simpler protocols that would accomplish what you want to do. As you know, unauthenticated Diffie-Hellman is vulnerable to MiTM attacks by active attackers. => this is why OMIPv6 is using another mechanism to provide authentication. Today it is RR so OMIPv6 is as good/poor as RR. It seems that this holds true of RR itself as well; nothing is gained by attackers who just eavesdrop; they have to at least send the Binding Update. => yes, RR is not so poor! (:-) So, if RR as initial authentication was deemed sufficient, it would seem that simply using RR-derived Kbm as the long-term key would be sufficient, and no D-H would be needed. => (assuming you are not joking) D-H has stronger security properties, for instance the shared secret can't be computed from messages so you have PFS and even more... - I won't comment here about skipping care-of address tests as there are other threads in this mailing list about that. But I think something along the lines of draft-vogt sounds promising to reduce the signaling delays related to care-of address tests. => someone proposed to add a *delayed* binding complete message to OMIPv6. Perhaps this will make you happy... BTW this adds no real security too. Some other notes: > and a correspondent node (CN). Such mode is efficient, but it > raises many security concerns and generates an excessive amount > of redundant mobility signaling messages. As I have said before on the list in other contexts, IMHO it would be good if people who feel there are significant issues would document these issues and make it possible for the rest of us to review the findings. Existing analysis in e.g. draft-nikander and in the old design team notes points to very similar risks that exist for on-path attackers anyway. => direct reflection attacks are easier than (mis)using mobile IPv6 RO and there are still some people which are afraid when you'd like to remove/delayed/etc the care-of test... (:-) > long shared secret Hmm... I think the length is not the issue here. Generally in cryptography we feel relatively safe after a certain key length. In base MIPv6, this is 20 octets for the Kbm. I don't think we need more. => there are two reasons to be long: - long enough to be immune to the brute force attack - each time you use a secret you reveal something about it, i.e., you consume its entropy. The 20 octets of the Kbm are used in a very small number of times, this is not the case for the Kabm even IMHO you should not have to refresh it (by a new D-H exchange signed by the previous Kabm). What may be more relevant, however, is *how* you get those key octets => I don't believe there can be an issue about this. and how much security that procedure offers. => this is the point. As I explain at the beginning IMHO the security of the initial mechanism (RR currently) and OMIPv6 are exactly the same from the authentication point of view. > In order to reduce the handover latency, the MN will send the > BU on the direct path immediately after receiving a BA message > from its HA. Note that the MN MAY duplicate the BU message and > send a copy on the path going via its HA. Only one copy is > enough to update the CN's binding cache entry. In this case, > the BU sent via the HA MUST have the same sequence number than > the one sent via the direct path. I didn't quite get this. If the sequence numbers are the same, won't the other BU be dropped. Why would then want to send two? Can you explain? => two paths are available, the same BU is sent over both paths, one should win the race and update the binding, the other one should arrive after and will be dropped as it is recognized as a dupplicate. There are two advantages: - resulting delay is the min of both path delays - there is a lower chance that both BUs are lost (maths show that the lost probability for both is between the min and the product of individual lost probabilities). My rationale is one should use all the possible paths when they are in a reasonable number and likely to be reasonably independent. References => A URL to an "all I-D" repository (like watersprings) and the "expired" mention are enough. [draft-le] draft-le-mobileip-dh-01.txt, expired => I can send it to you (I keep Frank's draft because he was a student of my school :-). Regards Francis.Dupont@enst-bretagne.fr _______________________________________________ Mip6 mailing list Mip6@ietf.org https://www.ietf.org/mailman/listinfo/mip6
- [Mip6] comments on draft-haddad-mipv6-omipv6-01.t… Jari Arkko
- Re: [Mip6] comments on draft-haddad-mipv6-omipv6-… Francis Dupont
- Re: [Mip6] comments on draft-haddad-mipv6-omipv6-… Jari Arkko