IETF Logo Mail Archive

Re: [secdir] secdir review of draft-templin-aero-10

"Fred L. Templin" <fltemplin@acm.org> Tue, 24 April 2012 23:16 UTC

Return-Path: <fltemplin@acm.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0990B21F84A7 for <secdir@ietfa.amsl.com>; Tue, 24 Apr 2012 16:16:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.443
X-Spam-Level:
X-Spam-Status: No, score=-102.443 tagged_above=-999 required=5 tests=[AWL=0.155, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mSRaFC9RkMVE for <secdir@ietfa.amsl.com>; Tue, 24 Apr 2012 16:16:22 -0700 (PDT)
Received: from nm30.bullet.mail.bf1.yahoo.com (nm30.bullet.mail.bf1.yahoo.com [98.139.212.189]) by ietfa.amsl.com (Postfix) with SMTP id 2E69A21F84A2 for <secdir@ietf.org>; Tue, 24 Apr 2012 16:16:22 -0700 (PDT)
Received: from [98.139.212.145] by nm30.bullet.mail.bf1.yahoo.com with NNFMP; 24 Apr 2012 23:16:21 -0000
Received: from [98.139.212.251] by tm2.bullet.mail.bf1.yahoo.com with NNFMP; 24 Apr 2012 23:16:21 -0000
Received: from [127.0.0.1] by omp1060.mail.bf1.yahoo.com with NNFMP; 24 Apr 2012 23:16:21 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 563802.84343.bm@omp1060.mail.bf1.yahoo.com
Received: (qmail 1700 invoked by uid 60001); 24 Apr 2012 23:16:21 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1335309381; bh=+H0AjVaKRI3KKCm7u7eSr1uM4Y9BB3+JoPUofQVRFBA=; h=X-YMail-OSG:Received:X-RocketYMMF:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=Q5aR0YHo7WY9qHdR3BLJhYuhHAFp+QUqBJhK/9Jt4kbV9DxM/PVlISC/hIrjJHV0ZBI0ycbF5/vOlNIbEZznWX6EIxXLu82QxsQTeNWZ0ysKhlJa9Zb7roFTdnztqG5YkCVE9o5PSOqEPmp1HQnr3T0QVfbysssrgONhtligUu8=
X-YMail-OSG: omqnlzUVM1lPFGu0vnsBlY.s_0.Ut2gjygQeK02AEeDt295 o_NowiUA6IIeOLV4zniO7Pj77j70SWO.Mnv5Hu5AnO7ktX824IhR5ld8VOkG ztgEI4IjENquScONZ3tP_A81VI_Y22MWXj2aOpDhjmcNtMoCG1rKTJhIEiCb M4huV5sIUtXIo9mSnRr9_YUgt947519UGYequtVpqoEsWCnS8zdPci_JKQXJ rqC75ClSo3qBfnnh_7hUIs_nYHy_rr8PwElYwB0_KCa4KNZoLxGNtPeQAWUY NPf5lESloykq8U__5_MDA_ex_buX85I_aT24mm4YsPhJAHWMIVW3Xocqp8SN SdW.OlCiwv0c0HA2AbytPvNAOCaaa1pHmop72B_dg8eCjixg7FFh36u4fiCe knhrFufJRjjht3NGQSefr6azHZP1uCoX5L.E1tVpihHDkt8WYMtYNn54nksb ut5PiQpdcaVWJwPfEuWyZN0Y3dGm1CcSh4U3Wq02pRlpB1Hoi
Received: from [130.76.32.212] by web161606.mail.bf1.yahoo.com via HTTP; Tue, 24 Apr 2012 16:16:21 PDT
X-RocketYMMF: fltemplin
X-Mailer: YahooMailWebService/0.8.117.340979
References: <36214B77-821E-47B9-8349-A89D2800E24C@cisco.com> <1335199956.12137.YahooMailNeo@web161604.mail.bf1.yahoo.com> <94CFA5A8-1D03-4BA2-993E-073B523538D7@cisco.com> <1335291276.47915.YahooMailNeo@web161603.mail.bf1.yahoo.com> <FBAF9900-9778-421A-8563-85806E97A47C@cisco.com>
Message-ID: <1335309381.87321.YahooMailNeo@web161606.mail.bf1.yahoo.com>
Date: Tue, 24 Apr 2012 16:16:21 -0700
From: "Fred L. Templin" <fltemplin@acm.org>
To: Joe Salowey <jsalowey@cisco.com>
In-Reply-To: <FBAF9900-9778-421A-8563-85806E97A47C@cisco.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="1989420431-639094091-1335309381=:87321"
X-Mailman-Approved-At: Sun, 29 Apr 2012 06:46:22 -0700
Cc: "draft-templin-aero.all@tools.ietf.org" <draft-templin-aero.all@tools.ietf.org>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-templin-aero-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: "Fred L. Templin" <fltemplin@acm.org>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2012 23:16:24 -0000


Hi Joe,

>________________________________
> From: Joe Salowey <jsalowey@cisco.com>
>To: Fred Templin <fltemplin@yahoo.com> 
>Cc: "secdir@ietf.org" <secdir@ietf.org>; The IESG <iesg@ietf.org>; "draft-templin-aero.all@tools.ietf.org" <draft-templin-aero.all@tools.ietf.org> 
>Sent: Tuesday, April 24, 2012 3:55 PM
>Subject: Re: secdir review of draft-templin-aero-10
> 
>
>On Apr 24, 2012, at 11:14 AM, Fred Templin wrote:
>
>> Hello Joe,
>> 
>> Thank you for your comments. To your question on specifying a digital
>> signing mechanism, would the concern be addressed if I were to say
>> something like: "e.g., using IPsec AH, etc." ?
>> 
>[Joe] Not really.  What I'm looking for is something that specifies the mechanism and how its used.  Something like 
>
>"Implementations MUST support <IPSEC AH> as a means to authenticate the origin of the AERO messages.  AERO peers MUST support establishing an <IPSEC SA> using <IKEv2> with <certificates> as specified in <external reference>.   During <SA> establishment AERO hosts MUST be able identify AERO intermediate routers through mechanism defined in <RFCxxxx or section y.yy>.  "

Your text looks good, but I really don't want to exclusively wrap this
around IPsec AH - ultimately, I would like to have something much
lighter-weight, but its design is still pending. As this is going for
experimental, part of the experiment should be to investigate alternatives
and bring forth the best option or options in a follow-on standards-track
effort. And it is also not at all the case that all AERO use cases would
require a digital signing mechanism - I have several in mind that do not.


>
>The stuff in the <> should be replaced with something that makes sense.  I'm not sure that IPSEC AH or any of the other things in <> are really appropriate in this case.  The idea here is that there is some minimum mechanism that implementations can use to secure these messages. Securing the messages involves the transform for authenticating the messages (perhaps IPSEC AH), mechanism for key management perhaps (IKV2 with certificates) and a way to establish that you are taking to the right router (perhaps be able to match a field in a certificate to a particular name or domain).   My hope is that there already is something that would fit the bill and we could just reference that specification.  Some of the SEND variants may be useful in this scenario,  but I didn't get a chance to dig into this.

I would be happy to hear about alternatives that would satisfy the need,
but I don't think it would be based on SEND since signatures would be
required on all packets and not just ND messages. Or, perhaps you have
heard of SEND variants that extend to cover data packets as well as ND?


Thanks - Fred
fltemplin@acm.org

>
>Joe
>
>
>> Fred
>> fltemplin@acm.org
>> 
>> ----- Original Message -----
>> > From: Joe Salowey <jsalowey@cisco.com>
>> > To: Fred Templin <fltemplin@yahoo.com>
>> > Cc: "secdir@ietf.org" <secdir@ietf.org>; The IESG <iesg@ietf.org>; "draft-templin-aero.all@tools.ietf.org" <draft-templin-aero.all@tools.ietf.org>
>> > Sent: Tuesday, April 24, 2012 10:47 AM
>> > Subject: Re: secdir review of draft-templin-aero-10
>> > 
>> >T hanks for the quick response, comments inline:
>> > On Apr 23, 2012, at 9:52 AM, Fred Templin wrote:
>> > 
>> >> (Resending with comments as inline text)
>> >> 
>> >> Hello Joe,
>> >> 
>> >> Thank you for these comments. Please see below for my proposed
>> >> resolutions:
>> >> 
>> >> Fred
>> >> fltemplin@acm.org
>> >> 
>> >> From: Joe Salowey <jsalowey@cisco.com>
>> >> To: secdir@ietf.org; The IESG <iesg@ietf.org>; 
>> > draft-templin-aero.all@tools.ietf.org 
>> >> Sent: Sunday, April 22, 2012 3:00 PM
>> >> Subject: secdir review of draft-templin-aero-10
>> >> 
>> >> I have reviewed this document as part of the security directorate's 
>> >> ongoing effort to review all IETF documents being processed by the 
>> >> IESG.  These comments were written primarily for the benefit of the 
>> >> security area directors.  Document editors and WG chairs should treat 
>> >> these comments just like any other last call comments.
>> >> 
>> >> I apologize for the delay in getting this review out.  Hopefully it is 
>> > still useful.  
>> >> 
>> >> This first set of comments is primarily for the authors.
>> >> 
>> >> 1. In section 4.4.4 on Data origin authentication the last paragraph states 
>> > that only the 3rd of the above conditions is acceptable, do you really mean the 
>> > 4th?
>> >> 
>> >> >>> Begin FLT response
>> >> You are correct; this should say the 4th and can be fixed in the next 
>> > version.
>> >> >>> End FLT response
>> >> 
>> > 
>> > [Joe] OK
>> > 
>> >> 2. In section 4.4.4 there is reference to the packet including a digital 
>> > signature to authenticate the origin.  What is the signature mechanism?  Is this 
>> > SEND or something different? I did not see a reference to it.
>> >> 
>> >> >>> Begin FLT response
>> >> The digital signature mechanism is out of scope for this document. The text
>> >> could be adjusted to say: “…, AERO nodes may be obliged to require the
>> >> use of digital signatures applied through means outside the scope of this
>> >> document.”
>> >> >>> End FLT response
>> >> 
>> > 
>> > [Joe] I was hoping that something would be specified for interoperability,  I 
>> > think there are many cases where you would have to resort to a signing 
>> > mechanism, however it may be the case that AERO may be deployed where spoofing 
>> > of messages is not a concern (perhaps this should be the recommendation until a 
>> > signing mechanism is specified).  The ADs can decide if this is an issue or not.
>> >
>> >> 3. The security considerations do not say much about the consequences of 
>> > trusting an inappropriate intermediate router, ingress node or egress node. 
>> > Clearly DOS to the ingress node is a possibility.  Data modification and 
>> > disclosure can be a goal of an attacker who tries to control the routing.  Are 
>> > there other issues the reader should be aware of (perhaps other DOS attacks such 
>> > as amplification attacks).  Anything outside the considerations of RFC4861)?
>> >> 
>> >> >>> Begin FLT response
>> >> Proposed resolution is to re-write the first paragraph of Section 6 as 
>> > follows:
>> >>  
>> >> “AERO link security considerations are the same as for standard IPv6 
>> > Neighbor Discovery
>> >> (RFC4861) except that AERO improves on some aspects. In particular, AERO is 
>> > dependent
>> >> on a trust basis between AERO edge nodes and intermediate routers, where 
>> > the edge nodes
>> >> must only engage in the AERO mechanism when it is facilitated by a trusted 
>> > intermediate
>> >> router.”
>> >> >>> End FLT response
>> >> 
>> > 
>> > [Joe] OK thanks.
>> > 
>> >> 4. The security consideration section indicates that spoofing protection 
>> > can be provided by links that provide link layer security mechanisms.    Link 
>> > Layer security mechanisms may or may not help.  I believe more information is 
>> > needed here.  L2 mechanisms may not provide adequate protection of upper layer 
>> > address bindings.  In some cases L2 mechanisms do not provide source origin 
>> > authentication such as multicast  traffic protected with the group  key in WiFi 
>> > and group security associations in 802.1AE (MACSEC).
>> >> 
>> >> >>> Begin FLT response
>> >> Proposed resolution is to re-write the second paragraph of Section 6 as 
>> > follows:
>> >> “AERO links must be protected against spoofing attacks in which an attacker
>> >> on the link pretends to be a trusted neighbor.  Links that provide 
>> > link-layer
>> >> securing mechanisms (e.g., WiFi networks) and links that provide physical
>> >> security (e.g., enterprise network LANs) provide only a fist-line of 
>> > defense.
>> >> In some instances, therefore, additional securing assurances against 
>> > on-link
>> >> spoofing attacks are required. For example, if the source can through some
>> >> means digitally sign its messages the destination can verify the signatures 
>> > to
>> >> ensure data origin authentication. Exact mechanisms for digitally signing 
>> > and
>> >> verifying signatures are outside the scope of this document.”
>> >> >>> End FLT response
>> >> 
>> > [Joe] Thanks. (same comment on the specification of the signing mechanism as 
>> > above). 
>> > 
>> >> This set of comments is mostly for the area directors:
>> >> 
>> >> 1. I am mostly concerned about the lack of definition for the digital 
>> > signature mechanism.  Perhaps this is easily rectified by a reference to an 
>> > existing specification. Its not clear to me what the specification would be 
>> > (perhaps SEND??)?  Is something needed in addition? 
>> >> 2.  The risks of not securing the proposal are not defined in the security 
>> > considerations section. I think this would be helpful, but may not be strictly 
>> > necessary.  There is some mention of Link-Layer security helping in some aspects 
>> > of this, but its not clear on what characteristics the lower layer security 
>> > needs to provide. 
>> >> 
>> >> Cheers,
>> >> 
>> >> Joe
>> >> 
>> >
>
>
>
>

v2.23.0 | Report a Bug | By Email