Re: [secdir] Token (was RE: Secdir review of draft-ohba-pana-relay)
Robert Cragie <robert.cragie@gridmerge.com> Wed, 15 December 2010 14:21 UTC
Return-Path: <robert.cragie@gridmerge.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 27C2028C164; Wed, 15 Dec 2010 06:21:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uUy5-0Usc+t7; Wed, 15 Dec 2010 06:21:18 -0800 (PST)
Received: from mail78.extendcp.co.uk (mail78.extendcp.co.uk [79.170.40.78]) by core3.amsl.com (Postfix) with ESMTP id A06B73A6E8C; Wed, 15 Dec 2010 06:21:17 -0800 (PST)
Received: from client-86-31-167-78.oxfd.adsl.virginmedia.com ([86.31.167.78] helo=[192.168.1.80]) by mail78.extendcp.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.72) id 1PSsFb-0002pO-2L; Wed, 15 Dec 2010 14:22:41 +0000
Message-ID: <4D08CF2A.9080909@gridmerge.com>
Date: Wed, 15 Dec 2010 14:22:34 +0000
From: Robert Cragie <robert.cragie@gridmerge.com>
Organization: Gridmerge Ltd.
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.2.13) Gecko/20101207 Lightning/1.0b2 Thunderbird/3.1.7
MIME-Version: 1.0
To: Alan DeKok <aland@deployingradius.com>
References: <4D009D34.1020809@deployingradius.com> <4D01DABF.6060604@toshiba.co.jp> <001101cb9aa0$367b3480$a3719d80$@yegin@yegin.org> <4D064683.30009@deployingradius.com> <4D07A874.4010702@gridmerge.com> <4D07D090.9020407@deployingradius.com> <4D087AD5.8020901@gridmerge.com> <4D089C73.6050107@deployingradius.com>
In-Reply-To: <4D089C73.6050107@deployingradius.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms010706090200090107000708"
X-Mailman-Approved-At: Fri, 17 Dec 2010 14:07:10 -0800
Cc: 'Yoshihiro Ohba' <yoshihiro.ohba@toshiba.co.jp>, secdir@ietf.org, draft-ohba-pana-relay@tools.ietf.org, Alper Yegin <alper.yegin@yegin.org>, margaretw42@gmail.com, pana@ietf.org, paduffy@cisco.com, samitac@ipinfusion.com, 'Ralph Droms' <rdroms.ietf@gmail.com>
Subject: Re: [secdir] Token (was RE: Secdir review of draft-ohba-pana-relay)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: robert.cragie@gridmerge.com
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Dec 2010 14:21:20 -0000
Hi Alan, Some further comments below, bracketed by <RCC></RCC> Robert Robert Cragie (Pacific Gas & Electric) Gridmerge Ltd. 89 Greenfield Crescent, Wakefield, WF4 4WA, UK +44 1924 910888 +1 415 513 0064 http://www.gridmerge.com <http://www.gridmerge.com/> On 15/12/2010 10:46 AM, Alan DeKok wrote: > Robert Cragie wrote: >> Alan, >> >> Thanks for your response. Some further comments below, bracketed by >> <RCC></RCC>. >> >> In summary, I think there are two security considerations in addition to >> the other text already proposed which need to be addressed: >> >> 1. The PRE, as a protocol-aware relay, MUST only relay PRY messages >> and MUST only accept valid PANA messages >> 2. The use of a PRE causes additional state at the PAA (IP address >> and port of PRE) which may need to be stored >> >> Whilst the language Alper has used so far is probably sufficient, I do >> think that it is important to strenuously recommended that the PRE-PAA >> connection is secured using either DTLS, PANA SA or L2 protection; > >> <RCC>Unless I am missing something, a token generated and validated by >> the PRE could only authenticate the immutable parts of the PRY, i.e. the >> PaC-Information AVP. You would need a full security association between >> PRE and PAA to authenticate different messages in both directions.</RCC> > I'm not sure what "different messages" means. My goal was to ensure > that rogue PAAs could only send PANA messages to the IP and source port > used by a PaC to send PANA messages. > > I'm not concerned about protecting messages to the PAA. It's already > on an open network, and anyone on that network can send any content to > any port. So adding PRE to PAA security is useless. > > i.e. authenticating messages in *both* directions is not the goal of > the token. <RCC>OK, understood, we are talking about the same thing.</RCC> >>> So adding a PRE opens the PaC to attacks from arbitrary sources on a >>> wide-area network, which would seem to be a violation of the PANA >>> assumptions. >> <RCC>That is true. However, I think Alper's point is that an equivalent >> MiTM router on a wider network in the vicinity of the PaC could still be >> the target for a rogue PAA and that the PRE model was really no >> different. So this doesn't necessarily pose an *additional* threat.</RCC> > If the PaC has access to the wider network before it's authenticated, > then there is no need for any PRE-PAA token. > > If the PaC has access to the wider network before it's authenticated, > then I'm not really sure why PANA is being used at all. <RCC> I was considering the case where the PaC has link-local access to a MiTM router which has access to the wider network, not the PaC itself. One of the models we considered prior to the relay was one of simply performing first-hop access to a router that has access to the PAA. But we dismissed this approach for a number of security reasons in favour of the relay approach. Actually, there is one additional consideration - the PRE has to have prior knowledge of the PAA address. It is not stated how this is achieved but is state which is stored in the PRE which means not just any rogue device can masquerade as the PAA as the PRE would check the source address. A rogue PAA would either have to hijack the PRE-PAA address resolution phase or somehow obtain the PAA address and spoof it. </RCC> > Alan DeKok. >
- [secdir] Secdir review of draft-ohba-pana-relay Alan DeKok
- Re: [secdir] Secdir review of draft-ohba-pana-rel… Yoshihiro Ohba
- Re: [secdir] Secdir review of draft-ohba-pana-rel… Alan DeKok
- [secdir] PRE enforcing message validity (was RE: … Alper Yegin
- [secdir] Token (was RE: Secdir review of draft-oh… Alper Yegin
- Re: [secdir] PRE enforcing message validity (was … Alan DeKok
- Re: [secdir] Token (was RE: Secdir review of draf… Alan DeKok
- Re: [secdir] Token (was RE: Secdir review of draf… Alan DeKok
- Re: [secdir] Token (was RE: Secdir review of draf… Robert Cragie
- Re: [secdir] Token (was RE: Secdir review of draf… Robert Cragie
- Re: [secdir] Token (was RE: Secdir review of draf… Alan DeKok
- Re: [secdir] Token (was RE: Secdir review of draf… Alan DeKok
- Re: [secdir] Token (was RE: Secdir review of draf… Robert Cragie
- Re: [secdir] Token (was RE: Secdir review of draf… Robert Cragie
- [secdir] pana-relay security considerations Alper Yegin
- Re: [secdir] pana-relay security considerations Alan DeKok
- Re: [secdir] pana-relay security considerations Alper Yegin
- Re: [secdir] pana-relay security considerations Alan DeKok
- Re: [secdir] pana-relay security considerations Alper Yegin
- Re: [secdir] pana-relay security considerations Alan DeKok
- Re: [secdir] pana-relay security considerations Alan DeKok
- Re: [secdir] pana-relay security considerations Margaret Wasserman
- Re: [secdir] pana-relay security considerations Alper Yegin