Re: [Pana] Security Comment: draft-ohba-pana-relay-02.txt
"Alper Yegin" <alper.yegin@yegin.org> Mon, 22 November 2010 11:25 UTC
Return-Path: <alper.yegin@yegin.org>
X-Original-To: pana@core3.amsl.com
Delivered-To: pana@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0B57F3A6998 for <pana@core3.amsl.com>; Mon, 22 Nov 2010 03:25:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.15
X-Spam-Level:
X-Spam-Status: No, score=-101.15 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MSGID_MULTIPLE_AT=1.449, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CDn9e5yLAWwV for <pana@core3.amsl.com>; Mon, 22 Nov 2010 03:25:20 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195]) by core3.amsl.com (Postfix) with ESMTP id 306983A68C1 for <pana@ietf.org>; Mon, 22 Nov 2010 03:25:20 -0800 (PST)
Received: from ibm (dsl.static.85-105-43069.ttnet.net.tr [85.105.168.61]) by mrelay.perfora.net (node=mrus3) with ESMTP (Nemesis) id 0M7p1M-1OY98i167E-00vVHg; Mon, 22 Nov 2010 06:26:02 -0500
From: Alper Yegin <alper.yegin@yegin.org>
To: 'Margaret Wasserman' <margaretw42@gmail.com>, paduffy@cisco.com, 'Samita Chakrabarti' <samitac@ipinfusion.com>, robert.cragie@gridmerge.com, yoshihiro.ohba@toshiba.co.jp
References: <10506E23-EE49-4355-BE7E-CE0151DDD34D@lilacglade.org>
In-Reply-To: <10506E23-EE49-4355-BE7E-CE0151DDD34D@lilacglade.org>
Date: Mon, 22 Nov 2010 13:25:47 +0200
Message-ID: <064801cb8a38$0aba1500$202e3f00$@yegin>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Content-language: en-us
Thread-index: AcuIKVWEQ2JDUI4pT+24+X2+swlbLACDh6Kw
X-Provags-ID: V02:K0:4Af21fgYt30Edw1dC6Ek4x7afC2G6rr0ZgiN0uy00Ah LCbgp+fo4Nsu9euwwmj3nWeDWDD1H3fUvhl1HVHeA/DXNA7MsC 5pg/tq6inr7oA0RqcDNMMNL85YAzQJgogXkHEhGrQE57b2xFJh x4xj+cXIAPeSwq2ElEiuHMHRiNAHHoEeZKAw4JYDD6hudGnXbd /t9nWWNG7FRftHAIMqocCi+84haXgfOGIgY1LVkZgM=
Cc: 'Ralph Droms' <rdroms.ietf@gmail.com>, pana@ietf.org
Subject: Re: [Pana] Security Comment: draft-ohba-pana-relay-02.txt
X-BeenThere: pana@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pana>
List-Post: <mailto:pana@ietf.org>
List-Help: <mailto:pana-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Nov 2010 11:25:21 -0000
Hi Margaret, EAP and PANA protocols are designed to operate over unsecure links. They don't expect any encryption, integrity/replay protection, data origin authentication from the layers below. As far as the EAP and PANA are concerned, PRE is no different than a bridge or a router relaying the EAP/PANA payloads between the PaC and the PAA. In fact, PRE's only role is to transport the PANA packets. Therefore, there does not need to be a security association between the PRE and the PAA in order to carry out the EAP/PANA authentication. Alper > -----Original Message----- > From: Margaret Wasserman [mailto:margaretw42@gmail.com] > Sent: Friday, November 19, 2010 10:28 PM > To: paduffy@cisco.com; Samita Chakrabarti; robert.cragie@gridmerge.com; > yoshihiro.ohba@toshiba.co.jp; Alper Yegin > Cc: Ralph Droms; pana@ietf.org > Subject: Security Comment: draft-ohba-pana-relay-02.txt > > Hi All, > > As part of asking the Security Directorate to review draft-ohba-pana- > relay-02.txt, I reviewed the Security Considerations section and tried > to determine how/if this relay changes the security model for PANA. > > As I understand it, the original PANA protocol relied on return > routability... We didn't worry about address spoofing, because the > credentials were returned to the address they were meant for, meaning > that only an on-link (or on path? -- but we didn't allow a path > originally) attacker could spoof a client address and see the > response. With introduction of relay code on the PAA, any node can > pretend to be a PRE > and get credentials for any other node. > > This isn't mentioned in the Security considerations section, but it is > potentially significant. So, there might be a need for the PAA to > authorize the PRE before responding to messages from it. If there is > some reason why you don't believe the PAA needs to authorize the PRE, > you would (at the very least) need to explain that in the Security > Considerations section. > > Thanks, > Margaret >
- [Pana] Security Comment: draft-ohba-pana-relay-02… Margaret Wasserman
- Re: [Pana] Security Comment: draft-ohba-pana-rela… Alper Yegin
- Re: [Pana] Security Comment: draft-ohba-pana-rela… Margaret Wasserman
- Re: [Pana] Security Comment: draft-ohba-pana-rela… Alper Yegin
- Re: [Pana] Security Comment: draft-ohba-pana-rela… Margaret Wasserman
- Re: [Pana] Security Comment: draft-ohba-pana-rela… Samita Chakrabarti