Re: RES: RES: (ngtrans) IPv6 tranisition issues

Pekka Savola <pekkas@netcore.fi> Mon, 06 January 2003 14:15 UTC

Date: Mon, 06 Jan 2003 16:17:14 +0200
From: Pekka Savola <pekkas@netcore.fi>
To: Marcelo Barbosa Lima <mlima@cpqd.com.br>
cc: nick@arc.net.my, "Thakur, Anand" <Anand.Thakur@hpsglobal.com>, ngtrans@sunroof.eng.sun.com, engsg@i2r.a-star.edu.sg
Subject: Re: RES: RES: (ngtrans) IPv6 tranisition issues
In-Reply-To: <D49EA2F934FFAD45B337C07A9753C00E017F55DE@MAILSRV1.aquarius.cpqd.com.br>
Message-ID: <Pine.LNX.4.44.0301061608230.15866-100000@netcore.fi>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: owner-ngtrans@sunroof.eng.sun.com
Precedence: bulk
Reply-To: Pekka Savola <pekkas@netcore.fi>

On Mon, 6 Jan 2003, Marcelo Barbosa Lima wrote:
>    Sorry for my "market speak" but, of the RFC 2461:
> 
>    "Neighbor Discovery protocol packet exchanges can be authenticated
>    using the IP Authentication Header [IPv6-AUTH].  A node SHOULD
>    include an Authentication Header when sending Neighbor Discovery
>    packets if a security association for use with the IP Authentication
>    Header exists for the destination address.  The security associations
>    may have been created through manual configuration or through the
>    operation of some key management protocol.
> 
>    Received Authentication Headers in Neighbor Discovery packets MUST be
>    verified for correctness and packets with incorrect authentication
>    MUST be ignored.

Yeah, the language is wishy-washy -- when specifying, people didn't sit 
down and consider what it actually requires to make it work.
 
>    It SHOULD be possible for the system administrator to configure a
>    node to ignore any Neighbor Discovery messages that are not
>    authenticated using either the Authentication Header or Encapsulating
>    Security Payload.  The configuration technique for this MUST be
>    documented.  Such a switch SHOULD default to allowing unauthenticated
>    messages.
> 
>    Confidentiality issues are addressed by the IP Security Architecture
>    and the IP Encapsulating Security Payload documents [IPv6-SA, IPv6-
>    ESP]."
> 
>   In a local environment it is relatively simpler to create security
> associations between peers. Even a PKI solution can be implemented. There
> are some proposals regarding authentication in the Neighbor Discovery
> protocol. I looked for an RFC/draft about it, but I did not find it.
> Please, whoever knows where I can find it, email me. If it is hard to
> implement, I think that it is not, because it is simpler to establish
> SAs in a local network. Regards,

How do you implement automatic keying when you don't have an IP address?
Therein is a bootstrapping problem.

Manual keying is possible but very burdensome, as you will also have to
create security associations with link-local multicast addresses.  Of
course, this is only possible in subnets where you know which nodes will
be there so pre-configuration will be possible (wrt. e.g. WLAN hotspots
are not so.)

The IETF web page is down at the moment, but check SEND working group 
page when it's available.  In particular check out these drafts:

draft-ietf-send-psreq-00.txt (under revision, new tentative version posted 
on the list)
draft-arkko-manual-icmpv6-sas-01.txt

> -----Original Message-----
> From: Pekka Savola [mailto:pekkas@netcore.fi]
> Sent: Monday, 6 January 2003 10:10
> To: Marcelo Barbosa Lima
> Cc: nick@arc.net.my; Thakur, Anand; ngtrans@sunroof.eng.sun.com;
> engsg@i2r.a-star.edu.sg
> Subject: Re: RES: (ngtrans) IPv6 tranisition issues
> 
> 
> On Mon, 6 Jan 2003, Marcelo Barbosa Lima wrote:
> > >Yes, in a typing fury I forgot/missed the IPv6 solution for mobility.
> > >IPv6 is streamlined and designed for mobility in mind. Again there are
> > >the patches in IPv4, although riddled with triangular routing issues.
> > >But then again is there anyone really into mobile IP? And I use NTT
> > >DoCoMo and likes in Japan as examples for this and not a 'hotspot' cafe
> > >answer on 802.11.
> > >
> > 
> >   In IPv4, attacks against the ARP protocol (mobile IPv4 trusts the ARP
> > protocol) are easy to implement. DHCP can also be bypassed easily. So,
> > the neighbour protocol with AH is a more secure solution. Regards,
> 
> Less market speak, more technology, please.
> 
> Securing the neighbor protocol with AH is _hard_.
> 
> Please check out SEND working group.
> 
> 

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords
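The receive-side rules quoted from RFC 2461 above (verify AH when present, ignore packets that fail, and let an administrator switch from "allow unauthenticated" to "require authentication"), modeled in Python as an added illustration that is not part of the thread. It uses a manually keyed SA table, including the link-local all-nodes multicast destination ff02::1 that manual keying forces every node to pre-configure; the keys are constructed, and the ICV coverage is a simplification of real AH (which also covers immutable IPv6 header fields).

```python
import hmac
import hashlib
import struct
from ipaddress import IPv6Address

# Manually keyed SA table: (destination, SPI) -> HMAC-SHA1 key.  Keys are
# constructed for this example.  The ff02::1 entry is the multicast SA that
# RA/NS traffic needs and that manual keying makes the administrator supply.
MANUAL_SAS = {
    (IPv6Address("ff02::1"), 0x1001): b"\x11" * 20,
    (IPv6Address("fe80::1"), 0x1002): b"\x22" * 20,
}

def compute_icv(key, src, dst, spi, seq, payload):
    # HMAC-SHA1-96 as in RFC 2404: 160-bit HMAC truncated to 96 bits.
    # Authenticated data here is src || dst || SPI || seq || ICMPv6 payload,
    # a simplification of what AH really covers.
    data = src.packed + dst.packed + struct.pack("!II", spi, seq) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def make_nd_packet(src, dst, icmpv6_type, spi=None, seq=1, key=None):
    """Build a constructed ND packet; with spi and key an AH ICV is attached."""
    pkt = {"src": IPv6Address(src), "dst": IPv6Address(dst), "spi": spi,
           "seq": seq, "payload": bytes([icmpv6_type, 0, 0, 0])}  # type, code, csum
    if spi is not None:
        pkt["icv"] = compute_icv(key, pkt["src"], pkt["dst"], spi, seq, pkt["payload"])
    return pkt

def accept_nd_packet(pkt, sas=MANUAL_SAS, require_auth=False):
    """Return (accepted, reason) following the RFC 2461 receive rules."""
    if pkt.get("spi") is None:                       # no AH on this packet
        if require_auth:
            return False, "unauthenticated ND ignored (admin switch set)"
        return True, "unauthenticated ND allowed (default)"
    key = sas.get((pkt["dst"], pkt["spi"]))          # SA lookup by destination + SPI
    if key is None:
        return False, "no SA for (dst, spi)"
    expected = compute_icv(key, pkt["src"], pkt["dst"], pkt["spi"],
                           pkt["seq"], pkt["payload"])
    if not hmac.compare_digest(expected, pkt["icv"]):
        return False, "incorrect authentication, packet ignored"
    return True, "AH verified"
```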