Re: [secdir] secdir review of draft-ietf-mpls-gach-adv-06

Leif Johansson <leifj@sunet.se> Mon, 18 February 2013 15:07 UTC

Return-Path: <leifj@sunet.se>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0C0E21F87AD; Mon, 18 Feb 2013 07:07:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_12=0.6]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yxQqaRTaGaDy; Mon, 18 Feb 2013 07:07:33 -0800 (PST)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by ietfa.amsl.com (Postfix) with ESMTP id 9575B21F875C; Mon, 18 Feb 2013 07:07:32 -0800 (PST)
Received: from [10.33.3.161] ([212.247.15.226]) (authenticated bits=0) by backup-server.nordu.net (8.14.5/8.14.3) with ESMTP id r1IF7NKL024283 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 18 Feb 2013 16:07:26 +0100 (CET)
Message-ID: <512243AB.7000400@sunet.se>
Date: Mon, 18 Feb 2013 16:07:23 +0100
From: Leif Johansson <leifj@sunet.se>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2
MIME-Version: 1.0
To: Dan Frost <danfrost@cisco.com>
References: <512227BF.6050207@sunet.se> <20130218143142.GA26032@cisco.com>
In-Reply-To: <20130218143142.GA26032@cisco.com>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-mpls-gach-adv.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-mpls-gach-adv-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2013 15:07:34 -0000

On 02/18/2013 03:31 PM, Dan Frost wrote:
> Hi Leif,
>
> On Mon, Feb 18, 2013 at 02:08:15PM +0100, Leif Johansson wrote:
>> I have reviewed this document as part of the security directorate's
>> ongoing effort to review all IETF documents being processed by the IESG.
>> These comments were written primarily for the benefit of the security
>> area directors.  Document editors and WG chairs should treat these
>> comments just like any other last call comments.
>>
>> The technology is somewhat outside my area of expertise but I found
>> the document relatively easy to follow anyway.
> Thanks for your review.
>
>> I'm a fan of writing crypto-related algorithms with very little left 
>> for the imagination of the reader. To that end I would strongly suggest 
>> specifying what goes into the GAP message hash even more clearly. 
>>
>> In this case I suspect the intent is that the inner hash is over all 
>> bytes of GAP message except the GAP authentication TLV which is added 
>> to the message _after_ the hash is computed.
> No need to suspect; the current text is explicit.  ;)  It says:
>
>    2.  First Hash
>
>           First, the Authentication Data field is filled with the value
>           Apad.
>
>           Then, a first hash, also known as the inner hash, is computed
>           as follows:
>
>              First-Hash = H(Ko XOR Ipad || (GAP Message))
>
>           Here the GAP Message is the portion of the packet that follows
>           the Associated Channel Header.
>
> The last paragraph specifies that the hash is computed over all bytes of
> the GAP Message that follow the Associated Channel Header.  This
> includes the Authentication TLV, which is not a problem because "First,
> the Authentication Data field is filled with the value Apad."
if you would just add that last sentence it would have been that
much clearer to me at least.
>
>> Conversely the validation phase needs to clearly say what bits of the
>> message are to be included in computing the hash.
> The text states that "When the message is received, the receiver
> computes a hash for it as described below", where "below" is Section 6.3
> (we should probably s/below/Section 6.3/ here).  In other words, the
> transmitter and receiver perform the same computation with the same
> input (modulo the Authentication Data field, which is normalised by the
> computation itself).
So in the verification phase you first fill the Authentication Data
field with Apad? That wasn't clear to me from reading the text.
>
>> Also I would change the timestamp verification step to use normative
>> language, eg: "... the receiver MUST, upon successfully authenticating
>> a message verify that the timestamp field corresponds... The receiver 
>> MUST silently discard a GAP message that fails timestamp verification."
> Well, use of the replay mitigation mechanism is not required, so I'm not
> sure that adding "MUST" language is appropriate.
I guess I'm then questioning the judgement of not making replay
checking a requirement since it seems fairly simple to do.
>
> Cheers,
> -d
>