Re: [Pana] Security Comment: draft-ohba-pana-relay-02.txt
"Alper Yegin" <alper.yegin@yegin.org> Thu, 25 November 2010 19:26 UTC
Return-Path: <alper.yegin@yegin.org>
X-Original-To: pana@core3.amsl.com
Delivered-To: pana@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B37903A6A7E for <pana@core3.amsl.com>; Thu, 25 Nov 2010 11:26:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.15
X-Spam-Level:
X-Spam-Status: No, score=-101.15 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MSGID_MULTIPLE_AT=1.449, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8NxTAXw7K-tb for <pana@core3.amsl.com>; Thu, 25 Nov 2010 11:26:42 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195]) by core3.amsl.com (Postfix) with ESMTP id E22193A6A4A for <pana@ietf.org>; Thu, 25 Nov 2010 11:26:41 -0800 (PST)
Received: from ibm (dsl.static.85-105-43069.ttnet.net.tr [85.105.168.61]) by mrelay.perfora.net (node=mrus2) with ESMTP (Nemesis) id 0M0yOt-1ORG6o1wrP-00ufRf; Thu, 25 Nov 2010 14:27:39 -0500
From: Alper Yegin <alper.yegin@yegin.org>
To: 'Margaret Wasserman' <margaretw42@gmail.com>
References: <10506E23-EE49-4355-BE7E-CE0151DDD34D@lilacglade.org> <645DDAC5-3104-4BEF-9CA1-6E0362CEFF2C@lilacglade.org>
In-Reply-To: <645DDAC5-3104-4BEF-9CA1-6E0362CEFF2C@lilacglade.org>
Date: Thu, 25 Nov 2010 21:27:27 +0200
Message-ID: <025601cb8cd6$d23a57c0$76af0740$@yegin>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcuMrVfFm49RQzmUR+CDVUYQ06nyGwAKDMng
Content-Language: en-us
X-Provags-ID: V02:K0:kyNgjmN8ilIVuGWAc/54RquKLBh2zdKb52+eq6dzgR9 GMEDLMrL6aNF390NwQPeMLGyHzLVQyH/P14wOz8FqWv+dYkiWg YB3zp2cwe7PwEdncl4FCZqnzTvzR7CRROP6BdteT6uXeG73PE+ 5E1P3ii5gQkxjziTdhI4ICDEhzlZxe1CSMD1s5g/7khzkW7XHf M7SQO4woaSd4/BGm/33k1mBvftyst3R6wU+R7GNyoY=
Cc: pana@ietf.org, robert.cragie@gridmerge.com, 'Samita Chakrabarti' <samitac@ipinfusion.com>, 'Ralph Droms' <rdroms.ietf@gmail.com>
Subject: Re: [Pana] Security Comment: draft-ohba-pana-relay-02.txt
X-BeenThere: pana@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pana>
List-Post: <mailto:pana@ietf.org>
List-Help: <mailto:pana-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Nov 2010 19:26:42 -0000
Hi Margaret, > On Nov 22, 2010, at 6:25 AM, Alper Yegin wrote: > > Hi Margaret, > > > > EAP and PANA protocols are designed to operate over unsecure links. > > They don't expect any encryption, integrity/replay protection, data > > origin authentication from the layers below. > > As far as the EAP and PANA are concerned, PRE is no different than a > > bridge or a router relaying the EAP/PANA payloads between the PaC > > and the PAA. > > > I think there is an important difference between a Pana Relay (PRE) > and a bridge or router relaying EAP/PANA packets. In the router/ > bridge case, the replies from the PAA are sent in an IP packet with a > destination address of the Pana Client (PaC). In order to snoop or > intercept those packets, an attacker would need to be on-path between > the PAA and the PaC. When using PRE, the PAA responses are sent back > to the PRE addresses which are not validated or authenticated in any > way, so this would allow an easy way for an attacker to harvest a > large number of replies for different PaCs without having to be on- > path between the PAA and those PaCs. The L2 access point/bridge, or the first hop IP router are in the same position when we consider the PANA RFC 5191. A PRE is in the same position as those legacy nodes, against which PANA is subjected to as well. (in fact, in the case of Zigbee Alliance work PRE is located on such nodes). If I can understand the specific threat scenario you have in midn, then probably I can think of some text to address it. > That is a significant difference in the security model when a PRE is > used. Whether it is a difference that needs to be addressed in the > protocol depends on whether it would be problematic (within PANA/EAP, > specifically) for a third-party to be able to harvest PAA replies for > multiple clients. > > The Security Considerations section needs to acknowledge this > difference, and it (at least) needs to include some analysis of why > this isn't a problem (if, in fact, it isn't). EAP, EAP methods, and PANA are designed in such a way that a MitM can do certain things (such as dropping packets, spoofing packets), but cannot do certain other things (such as obtaining master key, or MSK). Such MitMs include L2 bridges, IP routers [considering RFC 5191], and PAR [considering pana-relay extension]. Maybe you have a very specific threat in mind that puts PAR in a different (stronger) position than what L2 bridges/IP routers can do on RFC 5191. If you can elaborate on such a threat, I'd appreciate. Alper > > Thanks, > Margaret
- [Pana] Security Comment: draft-ohba-pana-relay-02… Margaret Wasserman
- Re: [Pana] Security Comment: draft-ohba-pana-rela… Alper Yegin
- Re: [Pana] Security Comment: draft-ohba-pana-rela… Margaret Wasserman
- Re: [Pana] Security Comment: draft-ohba-pana-rela… Alper Yegin
- Re: [Pana] Security Comment: draft-ohba-pana-rela… Margaret Wasserman
- Re: [Pana] Security Comment: draft-ohba-pana-rela… Samita Chakrabarti