[Mip6] Re: draft-ietf-mip6-precfgkbm-03.txt
Margaret Wasserman <margaret@thingmagic.com> Mon, 12 September 2005 12:22 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EEnK4-0002A8-9n; Mon, 12 Sep 2005 08:22:08 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EETmt-0008Bi-FR for mip6@megatron.ietf.org; Sun, 11 Sep 2005 11:31:35 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA09639 for <mip6@ietf.org>; Sun, 11 Sep 2005 11:30:09 -0400 (EDT)
Received: from [204.9.221.21] (helo=thingmagic.com) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EETqX-00073Q-7u for mip6@ietf.org; Sun, 11 Sep 2005 11:34:21 -0400
Received: from [66.30.121.250] (account margaret HELO [192.168.2.7]) by thingmagic.com (CommuniGate Pro SMTP 4.1.8) with ESMTP-TLS id 516317; Sun, 11 Sep 2005 11:31:47 -0400
Mime-Version: 1.0
Message-Id: <p062007d1bf49fc6d5dfe@[192.168.2.7]>
In-Reply-To: <42C434F2.43EE050D@iprg.nokia.com>
References: <p06200720bea6b90f0ade@[10.0.0.171]> <428114C9.8020002@ericsson.com> <4287B454.1010509@ericsson.com> <p06200732bec4f4aa5b55@[192.168.0.9]> <429F550D.957B21FA@iprg.nokia.com> <429F6BA0.3060305@ericsson.com> <p06200712bee9bf3e9eb5@[10.0.0.171]> <42C434F2.43EE050D@iprg.nokia.com>
Date: Sun, 11 Sep 2005 11:29:51 -0400
To: "Charles E.Perkins" <charliep@iprg.nokia.com>
From: Margaret Wasserman <margaret@thingmagic.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Spam-Score: 0.1 (/)
X-Scan-Signature: 325b777e1a3a618c889460b612a65510
X-Mailman-Approved-At: Mon, 12 Sep 2005 08:22:06 -0400
Cc: Gopal Dommety <gdommety@cisco.com>, Ted Hardie <hardie@qualcomm.com>, david.kessens@nokia.com, mip6@ietf.org, Pekka Savola <pekkas@netcore.fi>, Bernard Aboba <aboba@internaut.com>, Allison Mankin <mankin@psg.com>, Sam Hartman <hartmans-ietf@mit.edu>, Basavaraj Patil <basavaraj.patil@nokia.com>
Subject: [Mip6] Re: draft-ietf-mip6-precfgkbm-03.txt
X-BeenThere: mip6@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mip6.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mip6@ietf.org>
List-Help: <mailto:mip6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=subscribe>
Sender: mip6-bounces@ietf.org
Errors-To: mip6-bounces@ietf.org
Hi Charlie, Do you have an ETA for a revision to draft-ietf-mip6-precfgkbm-03.txt that will address the discusses and comments raised by the IESG during IESG review? For everyone's reference, I've included our discusses and comments below. Some of these issues may require discussion by the WG, so I have cc:ed the WG above. Thanks, Margaret Ted Hardie: Comment: [2005-07-05] I think I'm confused. The document says in the Introduction: This mechanism is also limited to use only in scenarios where mobile nodes can be trusted to not misbehave, as the validity of the claimed care-of addresses is not verified. In the applicability statement, it goes on to say: - The correspondent node has good reason to trust the actions of the mobile node. In particular, the correspondent node needs to be certain that the mobile node will not launch flooding attacks against a third party as described in [2]. But the Security Considerations don't contain any details about what happens if this trust is misplaced. draft-ietf-mip6-ro-sec-03 has quite a taxonomy of potential issues; I would have thought that a basic run-through of those would be useful. Not that it needs to go through the whole document, but a statement about whether any existing consideration (one of the flooding attacks?) are worsened by this approach or that none are would seem like a valuable addition. Sam Hartman: Discuss: [2005-07-07] Allison points out that this document uses manual key management in the sense of BCP 107. That BCP requires explicit justification for manual key management. Please go through the analysis in BCP 107 and explain why manual key management is used. Also, please examine the guidance in section 2.3 and make sure that these guidelines are met or explain why they are not. David Kessens: Discuss: [2005-07-07] I received the following comments from Pekka Savola on the Ops Directorate that need to be addressed: substantial issue (maybe the security ADs can comment more on this as needed) ----------------- (I believe this can be easily addressed with a little bit of text tweaking.) There is no upper bound on the lifetime defined for the precomputable Kbm. As noted, the key is very likely to be quite secure over the lifetime of the security association and usefulness of applications between a mobile node and correspondent node that fit the terms specified in section 3. ==> this is the only place (AFAICS) that even touches the topic of the security properties of a manually configured Kcn. With RFC3775, Kbm is generated by hashing a number of changing inputs together, so it can be guaranteed to have be pretty unique, and have pretty good randomness properties against brute-force or dictionary attack attempts. On the other hand, this specification proposes a manually configured, static secret of (at least) 20 bytes. Further, it seems that the expectation is that the statically configured key never changes. This seems to make the key significantly more vulnerable to dictionary and other attacks compared to RFC3775. [an aside observation: RFC3775 specifies that Kcn MUST be exactly 20 bytes; this says at least 20 bytes. Kcn is munged by a hash function so this difference should not be relevant though] This all boils down to how careful the user is in supplying the Kcn with sufficient randomness. As this is going on Standards Track, I believe some additional warnings should be needed; for example: * The assumptions should explicitly mention that the users are assumed to be able to generate/select a sufficiently good value for Kcn, * Section 2, when discussing Kcn, should explicitly give a recommendation or warning on the randomness requirement of Kcn, and * Security considerations might include some of this discussion. It might also be worth considering adding an informative reference to RFC3562 because the key randomness properties are similar. Comment: [2005-07-07] I received the following comments from Pekka Savola on the Ops Directorate: minor editorial issues ---------------------- When a Binding Update is to be authenticated using such a precomputable binding key (Kbm), the Binding Authorization Data suboption MUST be present. The Nonce Indices option SHOULD NOT be present. If it is present, the nonce indices supplied MAY be ignored and are not included as part of the calculation for the authentication data, which is to be carried exactly as specified in [1]. ==> "MAY be ignored" ? What is the alternative? Shouldn't this be "MUST be ignored" or "SHOULD be ignored"? (This seems like an editorial issue, because AFAIR "may be ignored" in English can be interpreted with at least two levels of normativeness) A correspondent node and a mobile node MAY use a precomputable binding management key (Kbm) to manage the authentication requirements for binding cache management messages. ==> I'd replace "MAY" with "may", because this doesn't seem to be something that requires uppercasing. Allison Mankin: Discuss: [2005-07-07] I'll put in this Discuss because of Russ's absence. My attention has been drawn for some Transport documents to the expertise in BCP 107 (RFC 4107), and especially given the fact that there is self-definition of the applicability of the trust model for this usage, the manual keys here at least seems to me to need to meet the cryptographic requirements in BCP 107, such as: When manual key management is used, long-term shared secrets MUST be unpredictable "random" values, ensuring that an adversary will have no greater expectation than 50% of finding the value after searching half the key search space. There are other discusses like this, but I'm not sure if they call for specifying the key generation procedure to ensure randomness. There's also a SHOULD in BCP 107 for a sufficiently long key. BCP 107 may need to be normative here. I'm sorry if this did not come up in the working group - the BCP has been in an approved status for quite a long time, though the RFC publication was recent. Jon Peterson: Comment: [2005-07-06] The Abstract might be a bit more concrete. Unusual way of splitting the references... Margaret Wasserman: Discuss: [2005-07-07] Review sent to IESG by Bernard Aboba: From: Bernard Aboba <aboba@internaut.com> To: iesg@ietf.org Subject: Review of draft-ietf-mip6-precfgkbm-03.txt Overall, I do think it makes sense to have a pre-configuration option for route optimization, if only for testing purposes. The document does include discussion of applicability, ableit in Section 3 (I'd suggest this discussion be placed earlier in the document, by swapping Sections 2 and 3). Section 1: This section is somewhat unclear about the security properties as compared to RFC 3775. In particular, there are two statements that appear ambiguous: "In addition, the right to use a specific address is assured in a stronger manner than in [1]." and "This mechanism is also limited to use only in scenarios where mobile nodes can be trusted to not misbehave, as the validity of the claimed care-of addresses is not verified." My assumption is that the address referred to in the first statement is the HoA. Otherwise, the statements appear to contradict each other. Section 4 " A mobile node MUST use a different value for Kcn for each node in its Binding Update List, and a correspondent node MUST ensure that every mobile node uses a different value of Kcn. " What is the correspondent node supposed to do if it finds that more than one mobile node has the same value of Kcn? Is there an error message that is supposed to be sent, or is the implementation supposed to flag this error when it is configured incorrectly? " Given typical mobility patterns, there is little danger of replay problem" I think this assumes that the replay counter is committed to stable storage. This requirement is not stated explicitly in the document; "keeping track" might just mean keeping a value in memory. " Note that where a node has been configured to use the mechanism specified in this document with a particular peer, it SHOULD NOT attempt to use another mechanism, even if the peer requests this or claims to not support the mechanism in this document. This is necessary in order to prevent bidding down attacks." Actually "bidding down" attacks are prevented by verifying that the nodes have negotiated the highest possible security level. It would appear that this advice requires that the MN and CN use preconfiguration, even if a higher level of security is available. Given the use of this draft in testing, I think the issue is not "bidding down" per se, but more one of reproducibility. You'd want preconfiguration to be used so that a particular code path can be tested, and not some other path that might be triggered by a negotiation. References ---------- RFC 3775 has been assigned an RFC #, so it can be cited. Typical practice is to have a different subsection for normative and informative references. Bert Wijnen: Comment: [2005-07-06] It seems to me that a normative reference to RFC2119 (use of RECOMMENDED and MUST) needs to be added. And a citation of course. _______________________________________________ Mip6 mailing list Mip6@ietf.org https://www1.ietf.org/mailman/listinfo/mip6
- [Mip6] Re: draft-ietf-mip6-precfgkbm-03.txt Margaret Wasserman
- [Mip6] Re: draft-ietf-mip6-precfgkbm-03.txt Charles E. Perkins
- Re: [Mip6] Re: draft-ietf-mip6-precfgkbm-03.txt Charles E. Perkins
- Re: [Mip6] Re: draft-ietf-mip6-precfgkbm-03.txt Pekka Savola