Re: [Pana] Security Comment: draft-ohba-pana-relay-02.txt
Margaret Wasserman <margaretw42@gmail.com> Mon, 29 November 2010 20:51 UTC
Return-Path: <margaretw42@gmail.com>
X-Original-To: pana@core3.amsl.com
Delivered-To: pana@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 56A8E28C108 for <pana@core3.amsl.com>; Mon, 29 Nov 2010 12:51:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2D75dHLtGCDQ for <pana@core3.amsl.com>; Mon, 29 Nov 2010 12:51:48 -0800 (PST)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by core3.amsl.com (Postfix) with ESMTP id C8DFA28C0D7 for <pana@ietf.org>; Mon, 29 Nov 2010 12:51:47 -0800 (PST)
Received: by vws7 with SMTP id 7so1550564vws.31 for <pana@ietf.org>; Mon, 29 Nov 2010 12:52:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:cc:message-id:from:to :in-reply-to:content-type:content-transfer-encoding:mime-version :subject:date:references:x-mailer; bh=zv1yU2r5NouvcXDPd5HQtuoHCYX4tlc50684oZkgx4c=; b=t7DhF+WacYUtbWZ4R+1SLs7GPx1lVC3oNDe/IYDwRg/5ajZJ/S5GsLnW7ee22EXgfb RG3B8a1rEEx3sXfy61gWguBjQzBGdi1vzzrhFyojOnKTN4zDOqZ8wC8KkxIAmtSQN2nM jClLmBHGCLF1NSTZdcX9uZzcPpLPtPRyOqxaM=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=cc:message-id:from:to:in-reply-to:content-type :content-transfer-encoding:mime-version:subject:date:references :x-mailer; b=gV77AvIdYY9wUHgHeWcRJf3b+3Q6ysXuvsWstRoQXWnXjW9eiJ2TlDZwBYNpvDghMC X17TUOWisU8wz+A1Z8N9IyRLdJ9o0wM7+SuhIAq0pPDO9jFV+pW9HHL6cn0i52fzJ2k0 FUBKLojzdLRyBUtwvP1iwN9dg4CrAmnVWN1k8=
Received: by 10.220.171.13 with SMTP id f13mr1624141vcz.204.1291063977175; Mon, 29 Nov 2010 12:52:57 -0800 (PST)
Received: from [10.36.0.42] (pool-108-20-27-240.bstnma.fios.verizon.net [108.20.27.240]) by mx.google.com with ESMTPS id h28sm769478vcr.19.2010.11.29.12.52.55 (version=TLSv1/SSLv3 cipher=RC4-MD5); Mon, 29 Nov 2010 12:52:56 -0800 (PST)
Message-Id: <5292D095-AB48-4DD3-A70A-ACC39D2FBF71@gmail.com>
From: Margaret Wasserman <margaretw42@gmail.com>
To: Samita Chakrabarti <samitac@ipinfusion.com>
In-Reply-To: <07cb01cb9000$6cc3eb90$464bc2b0$@com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Mon, 29 Nov 2010 15:52:54 -0500
References: <10506E23-EE49-4355-BE7E-CE0151DDD34D@lilacglade.org> <645DDAC5-3104-4BEF-9CA1-6E0362CEFF2C@lilacglade.org> <025601cb8cd6$d23a57c0$76af0740$@yegin@yegin.org> <07cb01cb9000$6cc3eb90$464bc2b0$@com>
X-Mailer: Apple Mail (2.936)
Cc: pana@ietf.org, robert.cragie@gridmerge.com, 'Ralph Droms' <rdroms.ietf@gmail.com>
Subject: Re: [Pana] Security Comment: draft-ohba-pana-relay-02.txt
X-BeenThere: pana@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pana>
List-Post: <mailto:pana@ietf.org>
List-Help: <mailto:pana-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Nov 2010 20:51:49 -0000
Hi Samita, On Nov 29, 2010, at 3:03 PM, Samita Chakrabarti wrote: > I'd also think that the security section of the draft could clarify > the > PANA-relay differences and if there is any need to have a prior > security > association between PAA and PANA-Relay or not depending on the > nature of the > network or bootstrapping steps etc. etc. This is exactly what I am hoping to see. If there is a secure (authenticated and integrity protected) association between a PANA Relay (PRE) and a PAA, then the introduction of the PRE does not change the security model of PANA. There may be possible attacks on PANA when a PRE is used, but they would be essentially the same as the case where no PRE is used. You have, instead, proposed a model where the PRE is not securely associated with the PAA, and he PAA will accept a request from any PRE. This has possible security implications that need to be explored. It is possible that we will explore these implications and determine that the use of an unauthenticated PRE does not pose any serious new issues, due to the nature of PANA, EAP or other associated protocols. Even in that case, though, we should state, in the Security Considerations section, what situations were analyzed and why they are not issues in this case. That way , if we ever change the other protocols, it will be clear how the security of using a PRE depends upon them. If an attacker knows that a site (with a particular IP prefix) uses a particular PAA, I believe that the attacker could use a rogue PRE to attempt to initiate a PANA session for each of the possible clients within that site. There are four things that I think you need to consider in the Security Considerations section regarding this case: 1) An attacker could potentially collect a large set of EAP responses. Would that enable any type of brute force attack? Is there any value to a potential attacker in being able to collect these responses for an entire site? This is quite different from an attacker who simply sniffs the site communication, as that requires on- path access and the attacker may need to wait much longer to see a large number of request/responses. 2) By sending requests to a PAA, an attacker using a rogue PRE might be able to change the state of various resources on the network -- poking holes through firewalls, provisioning client access, logging access attempts, billing clients for access, or whatever happens in a typical PANA use case... Are there any security implications to the fact that an off-path attacker could cause these things to happen? 3) You've gone to some lengths to ensure that the PRE itself is not prone to DoS attacks through resource exhaustion. However, I am concerned that the addition of the relay feature to a PAA may open the PAA up to resource-exhaustion attacks from a third-party, off-path attacker. Can you explore how/if this can be prevented while allowing any PRE to send requests to the PAA? Are there other possible attacks that may be enabled by the existence of the PRE? Margaret
- [Pana] Security Comment: draft-ohba-pana-relay-02… Margaret Wasserman
- Re: [Pana] Security Comment: draft-ohba-pana-rela… Alper Yegin
- Re: [Pana] Security Comment: draft-ohba-pana-rela… Margaret Wasserman
- Re: [Pana] Security Comment: draft-ohba-pana-rela… Alper Yegin
- Re: [Pana] Security Comment: draft-ohba-pana-rela… Margaret Wasserman
- Re: [Pana] Security Comment: draft-ohba-pana-rela… Samita Chakrabarti