[secdir] secdir review of draft-ietf-mext-rfc3775bis-10
Nicolas Williams <Nicolas.Williams@oracle.com> Tue, 30 November 2010 21:42 UTC
Return-Path: <Nicolas.Williams@oracle.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E72C73A6C30; Tue, 30 Nov 2010 13:42:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.531
X-Spam-Level:
X-Spam-Status: No, score=-6.531 tagged_above=-999 required=5 tests=[AWL=0.067, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oRVBWaRCrIfC; Tue, 30 Nov 2010 13:42:25 -0800 (PST)
Received: from rcsinet10.oracle.com (rcsinet10.oracle.com [148.87.113.121]) by core3.amsl.com (Postfix) with ESMTP id 3FB953A6BB4; Tue, 30 Nov 2010 13:42:25 -0800 (PST)
Received: from rcsinet15.oracle.com (rcsinet15.oracle.com [148.87.113.117]) by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.2) with ESMTP id oAULhQ05025567 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 30 Nov 2010 21:43:27 GMT
Received: from acsmt355.oracle.com (acsmt355.oracle.com [141.146.40.155]) by rcsinet15.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id oAUGD26X030070; Tue, 30 Nov 2010 21:43:25 GMT
Received: from abhmt020.oracle.com by acsmt354.oracle.com with ESMTP id 828577751291153296; Tue, 30 Nov 2010 13:41:36 -0800
Received: from oracle.com (/129.153.128.104) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 30 Nov 2010 13:41:36 -0800
Date: Tue, 30 Nov 2010 15:41:31 -0600
From: Nicolas Williams <Nicolas.Williams@oracle.com>
To: secdir@ietf.org, tim.polk@nist.gov, turners@ieca.com
Message-ID: <20101130214131.GL20162@oracle.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.20 (2010-03-02)
Cc: charliep@computer.org, dbj@cs.rice.edu, iesg@ietf.org, jari.arkko@ericsson.com
Subject: [secdir] secdir review of draft-ietf-mext-rfc3775bis-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Nov 2010 21:42:27 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This is a rather lengthy document. I have begun by reviewing the introductory sections, sections 5 and 6, and the security considerations section. The security considerations section of this I-D is very well written and thorough, and I believe it covers all of the threats and risks of IPv6 mobility support, though little is said about cryptographic aspects of the protocol, nor cryptographic algorithm agility. A more thorough review may follow this one. A few comments: - Bibliographic reference style. I find references with name anchors much easier to use than numeric anchors. For example, "[RFC1234]" versus "[17]", as well as named references for references to documents other than RFCs. I can very quickly decide whether I'm familiar with a given reference or must look it up, and the way I read I-Ds and RFCs I can more quickly lookup an RFC if I don't have to first jump to the references section of the document I'm reading. This is really a personal bias of mine, thus safely ignored. If I were reading HTML renderings of this document I could just click through the references, but even so, it helps to be able to recognize a reference at a glance -- that's hard to do when references are numbered. - Binding of home addresses to mobile node credentials when using IKEv2. The security considerations text suggests that it will or may be common for home addresses to be listed in PKIX certificates as subject alternative names for the purpose of enabling home address authorization checks. I believe that such an authorization approach requires at least additional text to the effect that the certificate issuer must check that home addresses claimed by requestors have not already been handed out to others whose certificates are still live. Given that a database is necessary in order to authorize home addresses, the only question is whether that database should be accessibly only by CAs or also by home agents, and I find no reason why home agents shouldn't have read access to it. Besides, the IPsec model (RFC4301) already requires a DB that can easily be extended to host mobile address authorization information: the SAD. I would prefer text discouraging the use of certificate subject alternative names (or any other certificate extensions) for authorization of home addresses as I suspect that CAs are not really and likely never will be prepared to perform the home address authorization check. - Enrolment/assignment of home address bindings to mobile node credentials. Nothing much is said about automation of enrolment of home address bindings to mobile node credentials. I see that there is work in progress in that space, via CGA (cryptographically-generated addresses). Such work should be referenced in both, the security considerations and future work sections of this I-D. If such work is not in progress, then such work ought to be, though there isn't anything that can be done about that here. A dynamic association protocol seems likely to be quite useful in at least some scenarios. - Hash/MAC algorithm agility. This protocol uses SHA-1 and HMAC-SHA-1 for the return routability tests (whereby a mobile node's correspondent nodes test the mobile node's home and care-of addresses are both routable). Nothing is said about hash agility, nor about the cryptographic properties of SHA-1 that the protocol depends on (collision resistance? first pre-image resistance? 2nd pre-image resistance? pseudo-random number generation?). We (the IETF) still believe that HMAC-SHA-1 is secure, therefore I will ignore that question for now. I believe that the protocol does not depend on collision resistance, since to find collisions an attacker would need to see the inputs to the hash function, and if it could see them then there are other attacks the attacker could mount. I believe the protocol also does not depend on any pre-image resistance... ...I believe the protocol depends only on SHA-1 being a PRG. As such I am not sure that hash agility is at all important. And since it seems to me that hash agility could easily be added in the future (via a "mobile option" in Home Test Init, Care Of Test Init messages and their replies, as well as Binding messages), I think hash algorithm agility is a non-issue for this protocol. However, a few words on the subject in the Security Considerations section may prove useful. - Mobile-to-mobile operation does not appear to be covered. Is it supported? Are there any security considerations that might be special to mobile-to-mobile communications? I believe mobile-to-mobile operation is implicitly supported, and should work well enough. I don't believe there's any special security considerations regarding mobile-to-mobile operation, but maybe I missed something? Nico --
- [secdir] secdir review of draft-ietf-mext-rfc3775… Nicolas Williams