Re: [saag] security consideration of CGA and SSAS - I-D action : draft-rafiee-6man-ssas
"Sujing Zhou"<zhou.sujing@zte.com.cn> Mon, 25 March 2013 04:06 UTC
Return-Path: <zhou.sujing@zte.com.cn>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 576ED21F8DF1; Sun, 24 Mar 2013 21:06:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.293
X-Spam-Level:
X-Spam-Status: No, score=-98.293 tagged_above=-999 required=5 tests=[AWL=0.102, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_BASE64_TEXT=1.753, MIME_CHARSET_FARAWAY=2.45, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rdVXudRxM-hY; Sun, 24 Mar 2013 21:06:32 -0700 (PDT)
Received: from zte.com.cn (mx5.zte.com.cn [63.217.80.70]) by ietfa.amsl.com (Postfix) with ESMTP id 75B2721F8E59; Sun, 24 Mar 2013 21:06:31 -0700 (PDT)
Received: from zte.com.cn (unknown [192.168.168.119]) by Websense Email Security Gateway with ESMTP id 2100A1287BB3; Mon, 25 Mar 2013 12:06:06 +0800 (CST)
Received: from mse02.zte.com.cn (unknown [10.30.3.21]) by Websense Email Security Gateway with ESMTPS id B43F071816D; Mon, 25 Mar 2013 12:06:04 +0800 (CST)
Received: from notes_smtp.zte.com.cn ([10.30.1.239]) by mse02.zte.com.cn with ESMTP id r2P464ZB001451; Mon, 25 Mar 2013 12:06:04 +0800 (GMT-8) (envelope-from zhou.sujing@zte.com.cn)
In-Reply-To: <C91E67751B1EFF41B857DE2FE1F68ABA0BFD9B01@TK5EX14MBXC273.redmond.corp.microsoft.com>
MIME-Version: 1.0
To: Christian Huitema <huitema@microsoft.com>
X-Mailer: Lotus Notes Release 6.5.6 March 06, 2007
Message-ID: <OF06268D73.B09D3C7A-ON48257B39.00165DD2-48257B39.00169419@zte.com.cn>
From: Sujing Zhou <zhou.sujing@zte.com.cn>
Date: Mon, 25 Mar 2013 12:06:00 +0800
X-MIMETrack: Serialize by Router on notes_smtp/zte_ltd(Release 8.5.3FP1 HF212|May 23, 2012) at 2013-03-25 12:05:52, Serialize complete at 2013-03-25 12:05:52
Content-Type: multipart/alternative; boundary="=_alternative 0016941948257B39_="
X-MAIL: mse02.zte.com.cn r2P464ZB001451
Cc: "ipv6@ietf.org" <ipv6@ietf.org>, 'Erik Nordmark' <nordmark@cisco.com>, 'Ray Hunter' <v6ops@globis.net>, 'Jari Arkko' <jari.arkko@piuha.net>, 'Jeffrey Hutzelman' <jhutz@cmu.edu>, "saag@ietf.org" <saag@ietf.org>
Subject: Re: [saag] security consideration of CGA and SSAS - I-D action : draft-rafiee-6man-ssas
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2013 04:06:33 -0000
Christian Huitema <huitema@microsoft.com> 写于 2013-03-22 07:56:20: > > Hosnieh, > > You should probably split your proposal in two parts: the proposal > to replace CGA by just checking an extract of the address; and > potential improvements to SEND that are independent of whether we > use CGA or your direct comparison alternative. > > Your replacement of CGA works by copying some bits of the public key > in the IID field, instead of using bits from a hash function. I > think this is a really bad idea, since the number of bits that you > can copy is limited. Your initial design copied just 48 bits; you > could change that to 56 bits or maybe 62 bits in an improved design. > Cracking the 48 bit version is trivial. Cracking the 62 bit version > will take longer, but with Moore's law there will come a point in > the future where this too will be easy to crack. In contrast, CGA > implementations can simply in the future increment the SEC value for > added robustness. What is the pointing of adding sec since the ratio of effor required by attacker and user is always 2^59, as Jari argued. > > Your draft is making other contributions, such as added verification > steps, or caching o results to prevent DOS attacks. These > contributions could be used to improve SEND. It would be better to > separate them from the debate about hash functions. > > -- Christian > > > > > -----Original Message----- > From: Hosnieh Rafiee [mailto:ietf@rozanak.com] > Sent: Thursday, March 21, 2013 4:08 PM > To: 'Jari Arkko' > Cc: 'Santosh Chokhani'; ipv6@ietf.org; saag@ietf.org; 'Ray Hunter'; > Christian Huitema; 'Erik Nordmark'; zhou.sujing@zte.com.cn; 'JeffreyHutzelman' > Subject: RE: [saag] security consideration of CGA and SSAS - I-D > action : draft-rafiee-6man-ssas > > Jari, > > > What changes from RFC 3972 to your draft in this high-level analysis? > > The difference between my draft and that of RFC 3972 is that I make > use of the public key in the IP address directly. Doing it the way I > have explained in my draft eliminates the need for the use of those > SHAx steps because I believe the use of those steps does not lend > itself to improved security. My reason for this opinion is that RFC > 3972 can only prevent DAD attacks and not the other types of > attacks. This attack can also be prevented by using CGA if we add > this extra verification step (that of the node checking the public > key of the sender to his own), otherwise RPKI would be used. This is > the same procedure as outlined in my draft. So the security of both > depends on the security of the public/ private keys. After a > successful verification (which could have resulted from a fast relay > attack) the attacker's link-layer address is included in a cache as > a legitimate address, and if routing is based on the link-layer > address, then the node has no way of knowing that it was just a > replay attack. Otherwise, the use of RPKI, where the node that has > this IP address/or link layer is specified, would contain this > public key. This is why, in this case, the keys' security is very important. > > Thanks, > Hosnieh > > -----Original Message----- > From: Jari Arkko [mailto:jari.arkko@piuha.net] > Sent: Thursday, March 21, 2013 10:56 PM > To: Hosnieh Rafiee > Cc: 'Jari Arkko'; 'Santosh Chokhani'; ipv6@ietf.org; saag@ietf.org; > 'Ray Hunter'; 'Christian Huitema'; Erik Nordmark; zhou.sujing@zte. > com.cn; 'Jeffrey Hutzelman' > Subject: Re: [saag] security consideration of CGA and SSAS - Ii-D action : > draft-rafiee-6man-ssas > > > Hosnieh, > > > What is it that you don't understand. I will be happy to explain it to > you. > > Thanks. I read the details, but I'm missing the big picture. I.e., some > effort is required from the owner to create an address. By repeating that > effort (2^59)/2 times, someone else is likely to hit the same key with a key > pair that he or she controls, and an attack can be launched. What changes > from RFC 3972 to your draft in this high-level analysis? > > > There has been no resolution to the topic of the thread. > > Ok. Well that clarifies at least the state of the discussion. Thanks. > > Jari > >
- Re: [saag] security consideration of CGA and SSAS… Francis Dupont
- Re: [saag] security consideration of CGA and SSAS… Hosnieh Rafiee
- Re: [saag] security consideration of CGA and SSAS… Christian Huitema
- Re: [saag] security consideration of CGA and SSAS… Francis Dupont
- Re: [saag] security consideration of CGA and SSAS… Hosnieh Rafiee
- Re: [saag] security consideration of CGA and SSAS… Sujing Zhou
- Re: [saag] security consideration of CGA and SSAS… Christian Huitema
- Re: [saag] security consideration of CGA and SSAS… Sujing Zhou
- Re: [saag] security consideration of CGA and SSAS… Ray Hunter
- Re: [saag] security consideration of CGA and SSAS… Christian Huitema
- Re: [saag] security consideration of CGA and SSAS… Bob Hinden
- Re: [saag] security consideration of CGA and SSAS… Steven Bellovin