Re: [secdir] review of draft-ietf-dhc-secure-dhcpv6-04.txt

Stephen Kent <kent@bbn.com> Thu, 23 February 2012 01:32 UTC

Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61D2821E801D for <secdir@ietfa.amsl.com>; Wed, 22 Feb 2012 17:32:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.37
X-Spam-Level:
X-Spam-Status: No, score=-106.37 tagged_above=-999 required=5 tests=[AWL=0.228, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EQieTOQxVdwn for <secdir@ietfa.amsl.com>; Wed, 22 Feb 2012 17:32:16 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id 95A6E21E8013 for <secdir@ietf.org>; Wed, 22 Feb 2012 17:32:16 -0800 (PST)
Received: from dommiel.bbn.com ([192.1.122.15]:55370 helo=[172.20.8.192]) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1S0NXP-000GSf-E6; Wed, 22 Feb 2012 20:32:03 -0500
Mime-Version: 1.0
Message-Id: <p06240802cb6b41feba2f@[172.20.8.192]>
In-Reply-To: <5D36713D8A4E7348A7E10DF7437A4B92188B034F@SZXEML506-MBS.china.huawei.com>
References: <p0624080ccb3e5b4801c7@[128.89.89.66]> <5D36713D8A4E7348A7E10DF7437A4B92188B034F@SZXEML506-MBS.china.huawei.com>
Date: Wed, 22 Feb 2012 20:31:48 -0500
To: Sheng Jiang <jiangsheng@huawei.com>
From: Stephen Kent <kent@bbn.com>
Content-Type: multipart/alternative; boundary="============_-882161773==_ma============"
Cc: "secdir@ietf.org" <secdir@ietf.org>, "shenshuo@cnnic.cn" <shenshuo@cnnic.cn>, "rdroms.ietf@gmail.com" <rdroms.ietf@gmail.com>, "john_brzozowski@cable.comcast.com" <john_brzozowski@cable.comcast.com>, Sheng Jiang <jiangsheng@huawei.com>, "ted.lemon@nominum.com" <ted.lemon@nominum.com>
Subject: Re: [secdir] review of draft-ietf-dhc-secure-dhcpv6-04.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2012 01:32:17 -0000

At 2:33 AM +0000 2/22/12, Sheng Jiang wrote:
>Hi, Stephen,
>
>Thanks for your review. I have integrated them in a new version or 
>make some correspondent improvements. However, I do not agree the 
>below comment and would like to discuss it further.
>
><Stephen> The fact that the signature option can be placed anywhere 
>in the DHCPv6 message strikes me as dangerous. It imposes a 
>requirement on a receiver to treat the protected and unprotected 
>portions of the message differently, for any possible placement of 
>the signature option. This adds complexity to implementations, since 
>the security checking would have to indicate to the rest of message 
>processing which parts of a message were checked and which were not 
>verified. Unless there are DHCHv6 options that may be modified (or 
>added) legitimately when a message traverses a relay, it is not 
>clear why there needs to be a provision to exclude any portions of a 
>DHCPv6 message from  the integrity/authentication check.
>
><Sheng> The charge is not right here. Although the signature option 
>can be placed anywhere, it actually protects ALL DHCPv6 options and 
>payload (except for itself and auth option), see Section 5.2 for how 
>to perform signature. Therefore, there is no unprotected  portion at 
>all. The place of signature option does not mean the portion after 
>it is unprotected.

The text in 5.2 states, when it describes the Sig option:

"It protects all the DHCPv6 header and options before it. Any options 
after the Signature option can be processed, but it should be noticed 
that they are not protected by this Signature option."

This text contradicts what you said above. The text later in 5.2, in 
the discussion of how to compute the sig value, says what you meant 
(sort of), but that contradicts the text cited above.  Also, the text 
describing how to compute the sig is incorrect, since it says:

" The signature constructed by using the sender's private key over 
the following sequence of octets:..."

The private key is used to sign the hash value computed over the 
sequence of octets described in this part of 5.2. Also, allowing the 
sig option  to appear anywhere in the message is, as I indicated 
earlier, a bad idea. Even if the text is corrected to make clear that 
the whole message is protected, it is "cleaner" to put the sig option 
at the end, so that the sender and receiver does not have to skip 
over it in computing the hash value that is to be signed.

Steve