Re: [secdir] secdir review of draft-ietf-csi-proxy-send-04
"Murphy, Sandra" <Sandra.Murphy@cobham.com> Tue, 14 September 2010 17:35 UTC
Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7D75D3A69EB; Tue, 14 Sep 2010 10:35:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id byzsUeo3H0rm; Tue, 14 Sep 2010 10:35:54 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by core3.amsl.com (Postfix) with ESMTP id 8888A3A69C8; Tue, 14 Sep 2010 10:35:54 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id o8EHaEK0026653; Tue, 14 Sep 2010 12:36:14 -0500
Received: from nemo.columbia.ads.sparta.com (nemo.columbia.sparta.com [157.185.80.75]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id o8EHaDgN025475; Tue, 14 Sep 2010 12:36:14 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CB5432.FC12282A"
Date: Tue, 14 Sep 2010 13:33:46 -0400
Message-ID: <5ABE30CE099A524CBF95C715D37BCACC3D015B@nemo.columbia.ads.sparta.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [secdir] secdir review of draft-ietf-csi-proxy-send-04
Thread-Index: ActUHz3htVDFZX13TVyPZZq6jCQoWQAEt9Tp
References: <E7FA9617215B4AE08B038FC422C42568@bombo> <8984FD9D-2516-437A-AEF3-8E0F5DDAD6EB@cisco.com> <E78B1895-1C34-4C74-96E2-21A6D267FC6C@gmail.com> <241F9803-ED2F-48B2-B192-2AC02B280433@cisco.com> <4C8E41F6.906@it.uc3m.es> <4C8F90D4.3040301@ieca.com>
From: "Murphy, Sandra" <Sandra.Murphy@cobham.com>
To: Sean Turner <turners@ieca.com>, marcelo bagnulo braun <marcelo@it.uc3m.es>
X-Mailman-Approved-At: Tue, 14 Sep 2010 10:41:32 -0700
Cc: Roque Gagliano <rogaglia@cisco.com>, draft-ietf-csi-send-cert@tools.ietf.org, secdir@ietf.org, "Alberto "@core3.amsl.com, García <alberto@it.uc3m.es>, draft-ietf-csi-proxy-send.all@tools.ietf.org, Ralph Droms <rdroms.ietf@gmail.com>, csi-chairs@tools.ietf.org, IESG IESG <iesg@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-csi-proxy-send-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Sep 2010 17:35:57 -0000
Hopefully readable. As it is sent from a smartphone. Roque and I have communicated about timing of my rereview. He says I might as well wait for the wg to decide. I am interested, iirc, in what actions or messages require what certs Sandy -----Original Message---. Looking forward to (having time to) reviewing the new draft. -- From: Sean Turner [mailto:turners@ieca.com] Sent: Tue 9/14/2010 11:12 AM To: marcelo bagnulo braun Cc: Roque Gagliano; draft-ietf-csi-send-cert@tools.ietf.org; secdir@ietf.org; Murphy, Sandra; García; draft-ietf-csi-proxy-send.all@tools.ietf.org; "Alberto "@core3.amsl.com; Ralph Droms; csi-chairs@tools.ietf.org; IESG IESG; Russ Housley Subject: Re: [secdir] secdir review of draft-ietf-csi-proxy-send-04 marcelo bagnulo braun wrote: > > > El 13/09/10 16:29, Roque Gagliano escribió: >> Hi Ralph, >> >> I can answer for the draft-ietf-csi-send-cert document. The new >> revision addressed all the DISCUSS positions for that document. >> >> As I mentioned in a previous email, we came back to the WG to ask one >> change that is been requested by one of the authors of the >> draft-ietf-csi-proxy-send document. The change consist of adding a new >> EKU. >> >> I think is best to wait for the WG opinion on this issue because if >> this additional EKU is needed, it makes sense to have it in this same >> document. >> > Right, the problem is that the WG is slient, so we probably need to > solve this in some other way i.e. propose something to the WG and see if > anybody objects. > > The new EKU is the proposed way to deal with one comment from Sandy's > review of the proxy send document. It seems we could live without, but > it would be a somehow inferior solution. I would suggest that unless > getting a new EKU is a lot of work, we go ahead with that. Getting an EKU is pretty easy. Ask Russ Housley <housley@vigilsec.com> (cced) for one. He controls assigning the OID out of the PKIX arc. Obvioulsy, you'll need to add some text in the document to explain its use. spt > would that make sense? > > Regards, marcelo > > >> Regards, >> Roque. >> >> ---------------------------------------------------------------------------------------------------------------------------------------------- >> >> Roque >> Gagliano >> Cisco Systems International Sàrl >> Software Engineer Mailstop >> ROL01/2/ >> Corporate Development Technology Group Avenue des >> Uttins 5 >> 1180 Rolle >> rogaglia@cisco.com Switzerland >> Phone: +41 21 823 2805 >> >> For corporate legal information go to: >> http://www.cisco.com/web/about/doing_business/legal/cri/index.html >> >> On Sep 13, 2010, at 4:21 PM, Ralph Droms wrote: >> >>> Can you clarify the status of draft-ietf-csi-send-cert and >>> draft-ietf-csi-proxy-send? Does the new rev of >>> draft-ietf-csi-send-cert address the DISCUSS positions on both docs? >>> >>> - Ralph >>> >>> On Sep 1, 2010, at 10:11 PM 9/1/10, Roque Gagliano wrote: >>> >>>> Hi Sandra, >>>> >>>> I issued a new version of the draft draft-ietf-csi-send-cert documents. >>>> >>>> I believe the new version addresses all the concerns expressed in >>>> this mail exchange. >>>> >>>> Regards, >>>> >>>> Roque >>>> >>>> >>>> >>>> >>>> On Jul 6, 2010, at 5:32 PM, Alberto García wrote: >>>> >>>>> Hi, >>>>> The text of this email has been extracted from a thorough review of >>>>> draft-ietf-csi-proxy-send being made by Sandra Murphy. >>>>> The reason why the email has been separated is to include the >>>>> authors of draft-ietf-csi-send-cert in the discussion of this part >>>>> of the text, since I think some of the issues raised by Sandra >>>>> affect this document. >>>>> >>>>> I include my comments inline. >>>>> >>>>> | -----Mensaje original----- >>>>> | De: Sandra Murphy [mailto:Sandra.Murphy@sparta.com] >>>>> | Enviado el: viernes, 02 de julio de 2010 2:31 >>>>> | Para: iesg@ietf.org; secdir@ietf.org; >>>>> draft-ietf-csi-proxy-send.all@tools.ietf.org >>>>> | Asunto: secdir review of draft-ietf-csi-proxy-send-04 >>>>> | >>>>> | This is a review of draft draft-ietf-csi-proxy-send-04.txt. >>>>> | >>>>> | I have reviewed this document as part of the security directorate's >>>>> | ongoing effort to review all IETF documents being processed by >>>>> the IESG. >>>>> | These comments were written primarily for the benefit of the >>>>> security area >>>>> | directors. Document editors and WG chairs should treat these >>>>> comments just >>>>> | like any other last call comments. >>>>> | >>>>> | This document provides new Neighbor Discovery options that will >>>>> secure >>>>> | proxied Neighbor Discovery messages. It is an update to: >>>>> | >>>>> | RFC4861: Neighbor Discovery in IPv6 >>>>> | RFC4389: Neighbor Discovery Proxies (ND Proxy) >>>>> | RFC3971: Send Neighbor Discovery (SEND) >>>>> | >>>>> | This draft relies on draft draft-ietf-csi-send-cert-04.txt. >>>>> | >>>>> | The need for new mechanisms for security for proxied messages is >>>>> explained >>>>> | in draft-ietf-csi-sndp-prob-04.txt. >>>>> | >>>>> | I've read all of these, but it is pretty new to me, so I could >>>>> have missed >>>>> | something. >>>>> | >>>>> | The Neighbor Discovery protocol communicates link-level >>>>> addresses in the >>>>> | protocol messages. The ND Proxy extension would make changes to >>>>> those >>>>> | fields. SEND, which secures the base ND protocol, relies on the >>>>> sender of >>>>> | a message computing a signature associated with the source IP >>>>> address of >>>>> | the message. Any ND Proxy changes to messages would invalidate the >>>>> | signature and the ND Proxy itself could not generate a new >>>>> signature >>>>> | (since it would not have the private key associated with the >>>>> source IP >>>>> | address). This draft introduces a Proxy Signature (PS) option >>>>> to secure >>>>> | the proxied messages. >>>>> | >>>>> | RFC3971, the base SEND spec, defines a new Router Authorization >>>>> | Certificate profile, dependent on RFC3779, which authorizes the >>>>> router to >>>>> | act as a router and act for certain prefixes. Message >>>>> authorization in >>>>> | SEND of some ND messages checks the prefixes listed in the >>>>> certificate >>>>> | against the prefixes mentioned in those messages. There is no >>>>> explicit >>>>> | representation in the certificate of the authority to act as a >>>>> router. >>>>> | Possession of the certificate in SEND serves as implicit >>>>> authorization to >>>>> | act as a router, as that was the only authorization defined. >>>>> | >>>>> | With the introduction of proxies, there was a need to >>>>> distinguish the >>>>> | various roles that a node might have in the network. No longer is >>>>> | possession of a certificate adequate authorization. The draft >>>>> | draft-ietf-csi-send-cert-04.txt uses the KeyPurposeId field to >>>>> distinguish >>>>> | three different roles: router, proxy and owner. That draft >>>>> notes that >>>>> | multiple key purposes are possible. I believe that it is also >>>>> possible to >>>>> | have single roles - so a node could be a proxy but not a router. >>>>> >>>>> Yes, of course single roles are supported. >>>>> >>>>> | With the extensions of the csi-send-cert draft, possession of a >>>>> | certificate is no longer proof of any particular authorization. >>>>> It seem >>>>> | clear to me that the authorization validation described in >>>>> RFC3971 is no >>>>> | longer sufficient. I believe that a discussion is needed of >>>>> what messages >>>>> | require or allow each particular key purpose authorization. >>>>> Issuing an >>>>> | RA, for example, seems likely to require the "router" value of >>>>> the key >>>>> | purpose field, if the new certificate format was used for >>>>> authorization. >>>>> | Issuing an NA may require the "owner" value of the key purpose >>>>> field, if >>>>> | the new certificate format was used for authorization rather >>>>> than a CGA. >>>>> | I do not know if that discussion would be more appropriate here >>>>> or in the >>>>> | csi-send-cert draft, or another draft entirely that updates RFC3971 >>>>> | directly. >>>>> | >>>>> | If a SPND proxy was using SEND to communicate with other nodes that >>>>> | understood SPND, would it be OK to use a new format cert (with the >>>>> | "router" KeyPurposeId) as a router certificate for the SEND RSA >>>>> Signature >>>>> | Options? >>>>> | >>>>> I see. I agree that this needs more precision. >>>>> >>>>> In draft-ietf-csi-send-cert-05, section 7 (it is the same text as >>>>> in cert-04) it discusses the messages that are authorized by each >>>>> KeyPurposeId >>>>> - "router authorization value indicates that the >>>>> certificate has been issued for allowing the router to advertise >>>>> prefix(es)" >>>>> (I understand that implicitly states that it authorizes the >>>>> generation of RA messages. It is not crystal clear for me if it >>>>> authorizes NA for routers, although if I had to take this text >>>>> literally, I would suppose routers would need an 'owner' >>>>> authorization if this PKI model substitutes RFC3971 CGA >>>>> authorization, considering that the prefix for NA would be narrowed >>>>> in general to one address, while the RA authorization is prefix-wide) >>>>> - "proxy authorization value indicates that the >>>>> certificate has been issued for allowing the proxy to perform >>>>> proxying of neighbor discovery messages for the prefix(es) that are >>>>> mentioned using the X.509 extensions for IP addresses" >>>>> (I understand it now implicitly states it authorizes for ANY >>>>> neighbor discovery message. By the way, this is the assumption >>>>> underlying in general draft-ietf-csi-proxy-send-04: in the >>>>> application scenarios, some require RA proxying, which is assumed >>>>> to be performed by means of the proxy cert) >>>>> - "owner authorization [...]For an >>>>> address in such certificate the host can assign the address, send/ >>>>> receive traffic from this address, and can respond to NSes about >>>>> that >>>>> address" >>>>> (this is the clearest of all statements - although I think issuing >>>>> secured NS and RS should also be considered) >>>>> >>>>> So, as defined now in draft-ietf-csi-proxy-send-04, proxy >>>>> certificates provide authorization for securing *any* ND message. >>>>> Considering the application scenarios, some require proxying RA >>>>> (PMIPv6 and RFC4389), and the MIPv6 scenario just require NS/NA >>>>> proxying. >>>>> >>>>> In summary so far, there is some specification of the authorization >>>>> in draft-csi-send-cert, which I think it would be nice that it >>>>> could be refined, and if so, my opinion is that the refinement of >>>>> which ND message is authorized by each KeyPurposeId should be in >>>>> that document. >>>>> However, continuing with this issue, I must say that the way the >>>>> 'proxy authorization' is defined, and the relationship with the >>>>> other cases, is not satisfactory for me. >>>>> I think the use of 'owner' should be restricted for hosts that >>>>> really own the address (therefore, a substitution of the CGA >>>>> mechanism) - as opposed to proxies. >>>>> For the 'proxy authorization', I think it could be refined into >>>>> something like "proxy host" authorization, and "proxy router" >>>>> authorization. >>>>> 'Proxy host' would authorize for proxying NA, NS and RS, and "proxy >>>>> router" authorization would authorize RA and Redirect. This would >>>>> provide a finer grain which I think would be desirable (for >>>>> example, MIPv6 does not need protecting neither RA nor redirect). >>>>> I think this would work (if so, it should be changed in >>>>> draft-csi-send-cert). >>>>> >>>>> What do you think? (both authors of draft-csi-send-cert, Sandra, >>>>> etc.). >>>>> >>>>> Regards, >>>>> Alberto >>>>> >>>>> > > _______________________________________________ > secdir mailing list > secdir@ietf.org > https://www.ietf.org/mailman/listinfo/secdir >
- [secdir] secdir review of draft-ietf-csi-proxy-se… Sandra Murphy
- Re: [secdir] secdir review of draft-ietf-csi-prox… Alberto García
- Re: [secdir] (MAIN) secdir review of draft-ietf-c… Alberto García
- Re: [secdir] secdir review of draft-ietf-csi-prox… Sandra Murphy
- Re: [secdir] secdir review of draft-ietf-csi-prox… Roque Gagliano
- Re: [secdir] secdir review of draft-ietf-csi-prox… Alberto García
- Re: [secdir] secdir review of draft-ietf-csi-prox… Roque Gagliano
- Re: [secdir] secdir review of draft-ietf-csi-prox… Alberto García
- Re: [secdir] secdir review of draft-ietf-csi-prox… Roque Gagliano
- Re: [secdir] secdir review of draft-ietf-csi-prox… Ralph Droms
- Re: [secdir] secdir review of draft-ietf-csi-prox… Roque Gagliano
- Re: [secdir] secdir review of draft-ietf-csi-prox… marcelo bagnulo braun
- Re: [secdir] secdir review of draft-ietf-csi-prox… Sean Turner
- Re: [secdir] secdir review of draft-ietf-csi-prox… Murphy, Sandra
- Re: [secdir] secdir review of draft-ietf-csi-prox… Jeffrey Hutzelman
- Re: [secdir] (MAIN) secdir review of draft-ietf-c… Alberto García
- Re: [secdir] secdir review of draft-ietf-csi-prox… Roque Gagliano