[Pana] FW: Token (was RE: Secdir review of draft-ohba-pana-relay)
"Alper Yegin" <alper.yegin@yegin.org> Tue, 14 December 2010 08:39 UTC
Return-Path: <alper.yegin@yegin.org>
X-Original-To: pana@core3.amsl.com
Delivered-To: pana@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6A92D3A6E59 for <pana@core3.amsl.com>; Tue, 14 Dec 2010 00:39:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.779
X-Spam-Level:
X-Spam-Status: No, score=-100.779 tagged_above=-999 required=5 tests=[AWL=0.371, BAYES_00=-2.599, MSGID_MULTIPLE_AT=1.449, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oblMd-9WYpDI for <pana@core3.amsl.com>; Tue, 14 Dec 2010 00:39:06 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.195]) by core3.amsl.com (Postfix) with ESMTP id A28073A6F7F for <pana@ietf.org>; Tue, 14 Dec 2010 00:39:06 -0800 (PST)
Received: from ibm (dsl88-247-34762.ttnet.net.tr [88.247.135.202]) by mrelay.perfora.net (node=mrus2) with ESMTP (Nemesis) id 0Lrvza-1QSjTB3i9e-013l1H; Tue, 14 Dec 2010 03:40:45 -0500
From: Alper Yegin <alper.yegin@yegin.org>
To: pana@ietf.org
Date: Tue, 14 Dec 2010 10:40:41 +0200
Message-ID: <002e01cb9b6a$99e71cd0$cdb55670$@yegin>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcuYPqjxXV+rcKfeSK63xsDrVdaSlACYQXfAADK45AA=
Content-Language: en-us
X-Provags-ID: V02:K0:dHVMEpxUVWIQpuTywiMO6yiwoH5hnA1k8lUFPetnP1a FTulMb71lGbqRf709d3n2vITAlaocB+Dn/52YN9gk4g8Pm3aBu sA9XJ7eI4fNjDs3s46TRfgagaF34sq/CTXJe5MIFVOE6Vrwr3k kot7KY2u6cewjjrM9E1cG6DtsSEWEIrq7GYnM3pjQ7FS8JMRUc 9L1BvBCYwiy3FSlvsqoNUkP3ShAZYUA6/GaBJ1RdEk=
Subject: [Pana] FW: Token (was RE: Secdir review of draft-ohba-pana-relay)
X-BeenThere: pana@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Protocol for carrying Authentication for Network Access <pana.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pana>
List-Post: <mailto:pana@ietf.org>
List-Help: <mailto:pana-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pana>, <mailto:pana-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Dec 2010 08:39:07 -0000
Resending to the list... -----Original Message----- From: Alper Yegin [mailto:alper.yegin@yegin.org] Sent: Monday, December 13, 2010 10:32 AM To: 'Yoshihiro Ohba'; 'Alan DeKok' Cc: 'secdir@ietf.org'; 'draft-ohba-pana-relay@tools.ietf.org'; 'margaretw42@gmail.com'; 'Ralph Droms'; 'paduffy@cisco.com'; 'samitac@ipinfusion.com'; 'robert.cragie@gridmerge.com'; 'pana@ietf.org' Subject: Token (was RE: Secdir review of draft-ohba-pana-relay) Alan, > > Since the behavior of the PAA is also changing, it would be good > to > > leverage the PAA session tracking to add a cryptographic token > between > > the PRE and PAA. This token would be added by the PRE prior to > relaying > > a message, and the PAA could echo it back in the response. This > > ability means that the PRE is still stateless (in terms of tracking > > packets), but gains a little bit of security by maintaining > additional > > state. > > > > The token would be subject to eavesdropping, so it offers small > > additional security. Adding it is a recommendation, not a > requirement > > of this review. > > > > The token could be (for example) a signature of the PaC source IP > and > > port, using a secret known only to the PaC, and generated > automatically. > > The secret would also need to change periodically. > > > > Along with Message Validation, this token would increase the bar > for > > attackers sending packets to the PaC. Rather than simply being able > to > > leverage the PRE to send arbitrary traffic to the PaC, the attacker > > would need to be able to monitor PRE -> PAA traffic, and to then > send > > well-formed PANA messages to the PaC, to the port used by the PaC for > > receiving PANA messages. That minimizes the attack exposure. Arbitrary traffic cannot pass the validation on the PaC, as the sequence numbers need to match. And there is also state machine match needed. PaC's is in certain state and would not react to any arbitrary message unless the message is expected in the current state. Alper