IETF Logo Mail Archive

Re: [saag] security consideration of CGA and SSAS - I-D action : draft-rafiee-6man-ssas

"Sujing Zhou"<zhou.sujing@zte.com.cn> Mon, 25 March 2013 04:06 UTC

Return-Path: <zhou.sujing@zte.com.cn>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 576ED21F8DF1; Sun, 24 Mar 2013 21:06:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.293
X-Spam-Level:
X-Spam-Status: No, score=-98.293 tagged_above=-999 required=5 tests=[AWL=0.102, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_BASE64_TEXT=1.753, MIME_CHARSET_FARAWAY=2.45, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rdVXudRxM-hY; Sun, 24 Mar 2013 21:06:32 -0700 (PDT)
Received: from zte.com.cn (mx5.zte.com.cn [63.217.80.70]) by ietfa.amsl.com (Postfix) with ESMTP id 75B2721F8E59; Sun, 24 Mar 2013 21:06:31 -0700 (PDT)
Received: from zte.com.cn (unknown [192.168.168.119]) by Websense Email Security Gateway with ESMTP id 2100A1287BB3; Mon, 25 Mar 2013 12:06:06 +0800 (CST)
Received: from mse02.zte.com.cn (unknown [10.30.3.21]) by Websense Email Security Gateway with ESMTPS id B43F071816D; Mon, 25 Mar 2013 12:06:04 +0800 (CST)
Received: from notes_smtp.zte.com.cn ([10.30.1.239]) by mse02.zte.com.cn with ESMTP id r2P464ZB001451; Mon, 25 Mar 2013 12:06:04 +0800 (GMT-8) (envelope-from zhou.sujing@zte.com.cn)
In-Reply-To: <C91E67751B1EFF41B857DE2FE1F68ABA0BFD9B01@TK5EX14MBXC273.redmond.corp.microsoft.com>
MIME-Version: 1.0
To: Christian Huitema <huitema@microsoft.com>
X-Mailer: Lotus Notes Release 6.5.6 March 06, 2007
Message-ID: <OF06268D73.B09D3C7A-ON48257B39.00165DD2-48257B39.00169419@zte.com.cn>
From: Sujing Zhou <zhou.sujing@zte.com.cn>
Date: Mon, 25 Mar 2013 12:06:00 +0800
X-MIMETrack: Serialize by Router on notes_smtp/zte_ltd(Release 8.5.3FP1 HF212|May 23, 2012) at 2013-03-25 12:05:52, Serialize complete at 2013-03-25 12:05:52
Content-Type: multipart/alternative; boundary="=_alternative 0016941948257B39_="
X-MAIL: mse02.zte.com.cn r2P464ZB001451
Cc: "ipv6@ietf.org" <ipv6@ietf.org>, 'Erik Nordmark' <nordmark@cisco.com>, 'Ray Hunter' <v6ops@globis.net>, 'Jari Arkko' <jari.arkko@piuha.net>, 'Jeffrey Hutzelman' <jhutz@cmu.edu>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] security consideration of CGA and SSAS - I-D action : draft-rafiee-6man-ssas
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2013 04:06:33 -0000

Christian Huitema <huitema@microsoft.com> 写于 2013-03-22 07:56:20:

> 
> Hosnieh,
> 
> You should probably split your proposal in two parts: the proposal 
> to replace CGA by just checking an extract of the address; and 
> potential improvements to SEND that are independent of whether we 
> use CGA or your direct comparison alternative. 
> 
> Your replacement of CGA works by copying some bits of the public key
> in the IID field, instead of using bits from a hash function. I 
> think this is a really bad idea, since the number of bits that you 
> can copy is limited. Your initial design copied just 48 bits; you 
> could change that to 56 bits or maybe 62 bits in an improved design.
> Cracking the 48 bit version is trivial. Cracking the 62 bit version 
> will take longer, but with Moore's law there will come a point in 
> the future where this too will be easy to crack. In contrast, CGA 
> implementations can simply in the future increment the SEC value for
> added robustness.
What is the pointing of adding sec since the ratio of effor required by 
attacker and user is always 2^59, as Jari argued.


> 
> Your draft is making other contributions, such as added verification
> steps, or caching o results to prevent DOS attacks. These 
> contributions could be used to improve SEND. It would be better to 
> separate them from the debate about hash functions.
> 
> -- Christian
> 
> 
> 
> 
> -----Original Message-----
> From: Hosnieh Rafiee [mailto:ietf@rozanak.com] 
> Sent: Thursday, March 21, 2013 4:08 PM
> To: 'Jari Arkko'
> Cc: 'Santosh Chokhani'; ipv6@ietf.org; saag@ietf.org; 'Ray Hunter'; 
> Christian Huitema; 'Erik Nordmark'; zhou.sujing@zte.com.cn; 
'JeffreyHutzelman'
> Subject: RE: [saag] security consideration of CGA and SSAS - I-D 
> action : draft-rafiee-6man-ssas
> 
> Jari,
> 
> > What changes from RFC 3972 to your draft in this high-level analysis?
> 
> The difference between my draft and that of RFC 3972 is that I make 
> use of the public key in the IP address directly. Doing it the way I
> have explained in my draft eliminates the need for the use of those 
> SHAx steps  because I believe the use of those steps does not lend 
> itself to improved security. My reason for this opinion is that RFC 
> 3972 can only prevent DAD attacks and not the other types of 
> attacks. This attack can also be prevented by using CGA if we add 
> this extra verification step (that of the node checking the public 
> key of the sender to his own), otherwise RPKI would be used. This is
> the same procedure as outlined in my draft. So the security of both 
> depends on the security of the public/ private keys. After a 
> successful verification (which could have resulted from a fast relay
> attack) the attacker's link-layer address is included in a cache as 
> a legitimate address, and if routing is based on the link-layer 
> address,  then the node has no way of knowing that it was just a 
> replay attack. Otherwise, the use of RPKI, where the node that has 
> this IP address/or link layer is specified, would contain this 
> public key. This is why, in this case, the keys' security is very 
important.
> 
> Thanks,
> Hosnieh
> 
> -----Original Message-----
> From: Jari Arkko [mailto:jari.arkko@piuha.net]
> Sent: Thursday, March 21, 2013 10:56 PM
> To: Hosnieh Rafiee
> Cc: 'Jari Arkko'; 'Santosh Chokhani'; ipv6@ietf.org; saag@ietf.org; 
> 'Ray Hunter'; 'Christian Huitema'; Erik Nordmark; zhou.sujing@zte.
> com.cn; 'Jeffrey Hutzelman'
> Subject: Re: [saag] security consideration of CGA and SSAS - Ii-D action 
:
> draft-rafiee-6man-ssas
> 
> 
> Hosnieh,
> 
> > What is it that you don't understand. I will be happy to explain it to
> you.
> 
> Thanks. I read the details, but I'm missing the big picture. I.e., some
> effort is required from the owner to create an address. By repeating 
that
> effort (2^59)/2 times, someone else is likely to hit the same key with a 
key
> pair that he or she controls, and an attack can be launched. What 
changes
> from RFC 3972 to your draft in this high-level analysis?
> 
> > There has been no resolution to the topic of the thread. 
> 
> Ok. Well that clarifies at least the state of the discussion. Thanks.
> 
> Jari
> 
>

v2.23.0 | Report a Bug | By Email