IETF Logo Mail Archive

[Mipshop] Re: AD review of draft-ietf-mipshop-handover-key

"James Kempf" <kempf@docomolabs-usa.com> Mon, 29 October 2007 16:38 UTC

Return-path: <mipshop-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1ImXde-0002aN-KF; Mon, 29 Oct 2007 12:38:54 -0400
Received: from mipshop by megatron.ietf.org with local (Exim 4.43) id 1ImXdY-0001eQ-IR for mipshop-confirm+ok@megatron.ietf.org; Mon, 29 Oct 2007 12:38:48 -0400
Received: from [10.90.34.44] (helo=chiedprmail1.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1ImXdX-00016n-Lz for mipshop@ietf.org; Mon, 29 Oct 2007 12:38:48 -0400
Received: from key1.docomolabs-usa.com ([216.98.102.225] helo=fridge.docomolabs-usa.com) by chiedprmail1.ietf.org with esmtp (Exim 4.43) id 1ImXdR-0000BJ-UQ for mipshop@ietf.org; Mon, 29 Oct 2007 12:38:42 -0400
Message-ID: <01e801c81a4a$29352530$576115ac@dcml.docomolabsusa.com>
From: James Kempf <kempf@docomolabs-usa.com>
To: Jari Arkko <jari.arkko@piuha.net>, draft-ietf-mipshop-handover-key@tools.ietf.org
References: <47260A0A.8030005@piuha.net>
Date: Mon, 29 Oct 2007 09:38:39 -0700
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-Transfer-Encoding: 7bit
X-Spam-Score: -97.2 (---------------------------------------------------)
X-Scan-Signature: 6e922792024732fb1bb6f346e63517e4
Cc: Mipshop <mipshop@ietf.org>
Subject: [Mipshop] Re: AD review of draft-ietf-mipshop-handover-key
X-BeenThere: mipshop@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mipshop.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mipshop@ietf.org>
List-Help: <mailto:mipshop-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=subscribe>
Errors-To: mipshop-bounces@ietf.org

I reviewed this specification. It is mostly in very good shape,
but there were a few issues. I'd like to discuss them before
moving forward -- and a new draft revision may be needed.

jak>> OK.

> The MN can reuse the key pair on different
> access routers but MUST NOT use the key pair for
> any other encryption or for signature operation.

I hope this does not imply that the same key pair could not be
used for SEND. Essentially, this would mean that SEND and
FMIP are incompatible. OTOH, I see no reason why this should
apply to anything involving the CGA address itself. Suggested
rewrite:

The MN can reuse the key pair on different
access routers but MUST NOT use the key pair for
any encryption or signature beyond operations
involving the given CGA address (such as Neighbor
Advertisements for the given address, secured
with SEND).

jak>> The handover key encryption key should not be used for any 
authentication operation including SEND. A separate key was introduced for 
encrypting because RSA has a vulnerability if the same key is used for both 
encryption and authentication. I can modify it to:

jak>> The MN can reuse the key pair on different
access routers for encrypting a handover key
but MUST NOT use the key pair for
any other encryption or signature operations, especially
for authentication with SEND.

> The AR MUST use its CGA as the source address for the
> PrRtAdv and include a SEND CGA Option and a SEND Signature
> Option with the SEND signature of the message.

This is unusual and unexpected compared to what one would
do in SEND. CGA does not help you protect against someone
pretending to be a router. I would suggest a mechanisms similar
to SEND be applied here, i.e., router side is protected with
trusted root configuration in the mobile nodes and certificates
assigned to each router. This is similar to how TLS works for web,
and is fairly easily deployable.

jak>> I can add some text to this effect. The intent was that the
router's key is certified, but I agree that this should be explicitly
called out.

> The handover key MUST be stored by the AR
> for  future  use,  indexed  by  the  CGA,  and  the  authentication
> algorithm type (i.e., the resolution of the AT field processing)
> and HK-LIFETIME MUST be recorded with the key.
...
> To avoid
>      state depletion attacks, the handover key MUST NOT be generated
>      prior to SEND processing that verifies the originator of RtSolPr.
>      State depletion attacks are possible if this ordering is not
>      respected.

The last statement is not true. Any number of hosts may appear on the link,
existing hosts may generate O(2^64) addresses and demand keys for them,
etc.

The document does not need a big change to fix this, though. Basically
s/MUST/SHOULD/ in the first piece of text, and then some explanation
of how to deal with state depletion in the second piece.

jak>> OK.

> Upon receipt of one or more PrRtAdvs secured with SEND and having
> the Handover Key Reply Option, the MN MUST first validate the
> PrRtAdvs  as  described  in  RFC  3971.  From  the  messages  that
> validate, the MN SHOULD choose one with an AT flag in the Handover
> Key Reply Option indicating an authentication algorithm that the
> MN supports. From that message, the MN MUST determine which
> handover key encryption public key to use in the event the MN has
> more than one. The MN finds the right public key to use by
> matching the SEND nonce from the RtSolPr. The MN MUST use the
> matching  private  key  to  decrypt  ...

I think it would be helpful to have a statement where the MN MUST drop
the PrRtAdv if it does not see a nonce from itself.

jak> OK.

>        Encrypted Handover Key:
>
>                      The shared handover key, encrypted with the MN's
>                      handover key encryption public key.
>

In which format? Can you specify this more explicitly?

jak>> I'll look into this. Do you have any preferences about the format?

            jak 




_______________________________________________
Mipshop mailing list
Mipshop@ietf.org
https://www1.ietf.org/mailman/listinfo/mipshop

v2.23.0 | Report a Bug | By Email