Re: [secdir] secdir review of draft-ietf-csi-proxy-send-04
Sandra Murphy <Sandra.Murphy@sparta.com> Tue, 06 July 2010 16:55 UTC
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 85D783A69B0; Tue, 6 Jul 2010 09:55:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.149
X-Spam-Level:
X-Spam-Status: No, score=-1.149 tagged_above=-999 required=5 tests=[AWL=1.150, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LG5OtfvlYrj2; Tue, 6 Jul 2010 09:55:43 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by core3.amsl.com (Postfix) with ESMTP id E7C613A699C; Tue, 6 Jul 2010 09:55:42 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id o66GtiRh009030; Tue, 6 Jul 2010 11:55:44 -0500
Received: from nemo.columbia.ads.sparta.com (nemo.columbia.sparta.com [157.185.80.75]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id o66GtiwB029134; Tue, 6 Jul 2010 11:55:44 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([157.185.81.96]) by nemo.columbia.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Tue, 6 Jul 2010 12:55:43 -0400
Date: Tue, 06 Jul 2010 12:55:43 -0400
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: Alberto García <alberto@it.uc3m.es>
In-Reply-To: <E7FA9617215B4AE08B038FC422C42568@bombo>
Message-ID: <Pine.WNT.4.64.1007061253310.4996@SMURPHY-LT.columbia.ads.sparta.com>
References: <E7FA9617215B4AE08B038FC422C42568@bombo>
X-X-Sender: sandy@nemo.columbia.sparta.com
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="326479267-6848-1278435343=:4996"
X-OriginalArrivalTime: 06 Jul 2010 16:55:43.0592 (UTC) FILETIME=[1279A680:01CB1D2C]
Cc: draft-ietf-csi-proxy-send.all@tools.ietf.org, csi-chairs@tools.ietf.org, iesg@ietf.org, draft-ietf-csi-send-cert@tools.ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-csi-proxy-send-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Jul 2010 16:55:46 -0000
Thank you. I was debating whether a message about message authorization vs cert authorization values was more appropriately directed to the csi group or the send-cert authors. This spares me the trouble of trying to make up my mind. :-) I think this should prove to be an interesting discussion. --Sandy On Tue, 6 Jul 2010, Alberto García wrote: > Hi, > > The text of this email has been extracted from a thorough review of > draft-ietf-csi-proxy-send being made by Sandra Murphy. > > The reason why the email has been separated is to include the authors of > draft-ietf-csi-send-cert in the discussion of this part of the text, since I > think some of the issues raised by Sandra affect this document. > > > > I include my comments inline. > > > > | -----Mensaje original----- > > | De: Sandra Murphy [mailto:Sandra.Murphy@sparta.com] > > | Enviado el: viernes, 02 de julio de 2010 2:31 > > | Para: iesg@ietf.org; secdir@ietf.org; > draft-ietf-csi-proxy-send.all@tools.ietf.org > > | Asunto: secdir review of draft-ietf-csi-proxy-send-04 > > | > > | This is a review of draft draft-ietf-csi-proxy-send-04.txt. > > | > > | I have reviewed this document as part of the security directorate's > > | ongoing effort to review all IETF documents being processed by the IESG. > > | These comments were written primarily for the benefit of the security > area > > | directors. Document editors and WG chairs should treat these comments > just > > | like any other last call comments. > > | > > | This document provides new Neighbor Discovery options that will secure > > | proxied Neighbor Discovery messages. It is an update to: > > | > > | RFC4861: Neighbor Discovery in IPv6 > > | RFC4389: Neighbor Discovery Proxies (ND Proxy) > > | RFC3971: Send Neighbor Discovery (SEND) > > | > > | This draft relies on draft draft-ietf-csi-send-cert-04.txt. > > | > > | The need for new mechanisms for security for proxied messages is > explained > > | in draft-ietf-csi-sndp-prob-04.txt. > > | > > | I've read all of these, but it is pretty new to me, so I could have > missed > > | something. > > | > > | The Neighbor Discovery protocol communicates link-level addresses in the > > | protocol messages. The ND Proxy extension would make changes to those > > | fields. SEND, which secures the base ND protocol, relies on the sender > of > > | a message computing a signature associated with the source IP address of > > | the message. Any ND Proxy changes to messages would invalidate the > > | signature and the ND Proxy itself could not generate a new signature > > | (since it would not have the private key associated with the source IP > > | address). This draft introduces a Proxy Signature (PS) option to secure > > | the proxied messages. > > | > > | RFC3971, the base SEND spec, defines a new Router Authorization > > | Certificate profile, dependent on RFC3779, which authorizes the router to > > | act as a router and act for certain prefixes. Message authorization in > > | SEND of some ND messages checks the prefixes listed in the certificate > > | against the prefixes mentioned in those messages. There is no explicit > > | representation in the certificate of the authority to act as a router. > > | Possession of the certificate in SEND serves as implicit authorization to > > | act as a router, as that was the only authorization defined. > > | > > | With the introduction of proxies, there was a need to distinguish the > > | various roles that a node might have in the network. No longer is > > | possession of a certificate adequate authorization. The draft > > | draft-ietf-csi-send-cert-04.txt uses the KeyPurposeId field to > distinguish > > | three different roles: router, proxy and owner. That draft notes that > > | multiple key purposes are possible. I believe that it is also possible > to > > | have single roles - so a node could be a proxy but not a router. > > > > Yes, of course single roles are supported. > > > > | With the extensions of the csi-send-cert draft, possession of a > > | certificate is no longer proof of any particular authorization. It seem > > | clear to me that the authorization validation described in RFC3971 is no > > | longer sufficient. I believe that a discussion is needed of what > messages > > | require or allow each particular key purpose authorization. Issuing an > > | RA, for example, seems likely to require the "router" value of the key > > | purpose field, if the new certificate format was used for authorization. > > | Issuing an NA may require the "owner" value of the key purpose field, if > > | the new certificate format was used for authorization rather than a CGA. > > | I do not know if that discussion would be more appropriate here or in the > > | csi-send-cert draft, or another draft entirely that updates RFC3971 > > | directly. > > | > > | If a SPND proxy was using SEND to communicate with other nodes that > > | understood SPND, would it be OK to use a new format cert (with the > > | "router" KeyPurposeId) as a router certificate for the SEND RSA Signature > > | Options? > > | > > I see. I agree that this needs more precision. > > > > In draft-ietf-csi-send-cert-05, section 7 (it is the same text as in > cert-04) it discusses the messages that are authorized by each KeyPurposeId > > - "router authorization value indicates that the > > certificate has been issued for allowing the router to advertise > > prefix(es)" > > (I understand that implicitly states that it authorizes the generation of RA > messages. It is not crystal clear for me if it authorizes NA for routers, > although if I had to take this text literally, I would suppose routers would > need an 'owner' authorization if this PKI model substitutes RFC3971 CGA > authorization, considering that the prefix for NA would be narrowed in > general to one address, while the RA authorization is prefix-wide) > > - "proxy authorization value indicates that the > > certificate has been issued for allowing the proxy to perform > > proxying of neighbor discovery messages for the prefix(es) that are > > mentioned using the X.509 extensions for IP addresses" > > (I understand it now implicitly states it authorizes for ANY neighbor > discovery message. By the way, this is the assumption underlying in general > draft-ietf-csi-proxy-send-04: in the application scenarios, some require RA > proxying, which is assumed to be performed by means of the proxy cert) > > - "owner authorization [...]For an > > address in such certificate the host can assign the address, send/ > > receive traffic from this address, and can respond to NSes about that > > address" > > (this is the clearest of all statements - although I think issuing secured > NS and RS should also be considered) > > > > So, as defined now in draft-ietf-csi-proxy-send-04, proxy certificates > provide authorization for securing *any* ND message. Considering the > application scenarios, some require proxying RA (PMIPv6 and RFC4389), and > the MIPv6 scenario just require NS/NA proxying. > > > > In summary so far, there is some specification of the authorization in > draft-csi-send-cert, which I think it would be nice that it could be > refined, and if so, my opinion is that the refinement of which ND message is > authorized by each KeyPurposeId should be in that document. > > However, continuing with this issue, I must say that the way the 'proxy > authorization' is defined, and the relationship with the other cases, is not > satisfactory for me. > > I think the use of 'owner' should be restricted for hosts that really own > the address (therefore, a substitution of the CGA mechanism) - as opposed to > proxies. > > For the 'proxy authorization', I think it could be refined into something > like "proxy host" authorization, and "proxy router" authorization. > > 'Proxy host' would authorize for proxying NA, NS and RS, and "proxy router" > authorization would authorize RA and Redirect. This would provide a finer > grain which I think would be desirable (for example, MIPv6 does not need > protecting neither RA nor redirect). > > I think this would work (if so, it should be changed in > draft-csi-send-cert). > > > > What do you think? (both authors of draft-csi-send-cert, Sandra, etc.). > > > > Regards, > > Alberto > > > > > >
- [secdir] secdir review of draft-ietf-csi-proxy-se… Sandra Murphy
- Re: [secdir] secdir review of draft-ietf-csi-prox… Alberto García
- Re: [secdir] (MAIN) secdir review of draft-ietf-c… Alberto García
- Re: [secdir] secdir review of draft-ietf-csi-prox… Sandra Murphy
- Re: [secdir] secdir review of draft-ietf-csi-prox… Roque Gagliano
- Re: [secdir] secdir review of draft-ietf-csi-prox… Alberto García
- Re: [secdir] secdir review of draft-ietf-csi-prox… Roque Gagliano
- Re: [secdir] secdir review of draft-ietf-csi-prox… Alberto García
- Re: [secdir] secdir review of draft-ietf-csi-prox… Roque Gagliano
- Re: [secdir] secdir review of draft-ietf-csi-prox… Ralph Droms
- Re: [secdir] secdir review of draft-ietf-csi-prox… Roque Gagliano
- Re: [secdir] secdir review of draft-ietf-csi-prox… marcelo bagnulo braun
- Re: [secdir] secdir review of draft-ietf-csi-prox… Sean Turner
- Re: [secdir] secdir review of draft-ietf-csi-prox… Murphy, Sandra
- Re: [secdir] secdir review of draft-ietf-csi-prox… Jeffrey Hutzelman
- Re: [secdir] (MAIN) secdir review of draft-ietf-c… Alberto García
- Re: [secdir] secdir review of draft-ietf-csi-prox… Roque Gagliano