IETF Logo Mail Archive

Re: [secdir] Secdir review of draft-ietf-hip-rfc5203-bis-09

Julien Laganier <julien.ietf@gmail.com> Sun, 31 January 2016 17:52 UTC

Return-Path: <julien.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7BBF1B2B34; Sun, 31 Jan 2016 09:52:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ymsQGbRoFVBp; Sun, 31 Jan 2016 09:52:15 -0800 (PST)
Received: from mail-oi0-x22e.google.com (mail-oi0-x22e.google.com [IPv6:2607:f8b0:4003:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 14FB31B2B33; Sun, 31 Jan 2016 09:52:15 -0800 (PST)
Received: by mail-oi0-x22e.google.com with SMTP id r14so76265751oie.0; Sun, 31 Jan 2016 09:52:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=F4gnItYRGiw0ximKu+B/iA3ezw4xA5KOYv7Szn3z9A4=; b=O0HV8/4TyN6u/wow2V42u3lrLWRjzJhNNryTPsPu/Xa2IkvSPeTwQE74B0wliWUo0s NAwBWP58LZn4Qa3//8UoF7uo67TYAwzMaPDrBWBsUvVHVtDVSN3B1e05skbRiTerk5xq bJUvSNgn1OGTBao73BnpT76nAoEXjxe1I5JnK/IHS6LCLEsXwxP+HUZ0bmnP65rvKC3Q wV8KBX67U1mtS6TTYB4RxJc7C2TsTvxRjSw5knl8M0fps/ZehKsXp3U5TVGosbNN9MrS S4WpI5ziSdt3EqEh2mbZux1dgutJ0lgHL9u5rHwJ3GvJeN1L8O4O3SF7bR9SVqjkVv+k YKLg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=F4gnItYRGiw0ximKu+B/iA3ezw4xA5KOYv7Szn3z9A4=; b=L37YyOB1rLCuuIkYs83lvBm60ySdn8a22WjaqCU3qiEGCJUuPnhH2FcrDVI3w6duo1 EPO2kHUqg5nct1QqiBXWDXkbT1Ji90CTGztI9UrPolUkepF0uMx4at+sUaQlTH6GLMLD GLpt7GutcewAPtteUlUrdeG4ZoYmubJpn3M+DvW5nruRaUAICVW4HBFZZKOt6rJ+5oEu P9cDR7eP0EFRGQQupEus9QrM4l9JtK5H7MjCyCAWSQwhnXqWZpoBDOYPDGZcuVf583De wwNusNXggtTDMA//LdSuSoqVqArZnHbFgwZef6k9FUNNTVxa+n2wC24gGo9pyxkJvKbj BVpg==
X-Gm-Message-State: AG10YOQyx3n0yadmLEKrsVdUYQJMaUfXJGM6qsrQ+DUB6dUji6K50W0HNijyJAJsp7tK99RlLdk+/c/fE2abSQ==
MIME-Version: 1.0
X-Received: by 10.202.76.193 with SMTP id z184mr12822843oia.92.1454262734515; Sun, 31 Jan 2016 09:52:14 -0800 (PST)
Received: by 10.157.26.28 with HTTP; Sun, 31 Jan 2016 09:52:14 -0800 (PST)
In-Reply-To: <000901d14157$7052a680$50f7f380$@nict.go.jp>
References: <000901d14157$7052a680$50f7f380$@nict.go.jp>
Date: Sun, 31 Jan 2016 09:52:14 -0800
Message-ID: <CAE_dhjshGS19So1b_wuXLV1u7+jqw329LqT7t_OBzZQrGH0EsQ@mail.gmail.com>
From: Julien Laganier <julien.ietf@gmail.com>
To: Takeshi Takahashi <takeshi_takahashi@nict.go.jp>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/e6o5BSQ9VafnnxPszqKIdfpqOcY>
Cc: draft-ietf-hip-rfc5203-bis.all@ietf.org, The IESG <iesg@ietf.org>, hip-chairs@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-hip-rfc5203-bis-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Jan 2016 17:52:17 -0000

[resending with corrected typo in the recipient list. apologies for the noise]

Takahashi san,

Thank you for reviewing the document, and my apologies for the belated
reply. Please find my answers to your comments/questions inlined
below:

On Mon, Dec 28, 2015 at 2:06 AM, Takeshi Takahashi
<takeshi_takahashi@nict.go.jp> wrote:

[...]

> [overall feeling on this draft]
>
> ready, and good to proceed
>
> [overview]
>
> This draft updates RFC 5203 to cope with HIPv2 (RFC 7401).
> RFC 5203 specifies a registration mechanism for HIPv1 (RFC 5201).
> Likewiise, this draft specifies the mechanism for HIPv2.
>
> [questions]
>
> Below are simply clarification questions, and these do not block the further
> process of this document.
> I am not that familiar with HIP, so it would be helpful if you could provide
> me some comments on them to deepen my understanding.
>
> 1. "If the requester has one or more suitable certificates, the host SHOULD
> include them (or just the most suitable one)"(in section 3.3)
>
> I wonder whether it would be better to let the requester send only the most
> suitable certificate.
> The requester may send multiple certificates, but it would be helpful if the
> requester sends only the most suitable certificate, I guess. (It is easy to
> process from the standpoint of the receiver, isn't it?)
> Would you explain why the draft encourages to send multiple certificates
> rather than sending only the most suitable certificate?

As the draft currently states, the suitability of certificates is
likely to be application-specific, i.e., dependent on the specific
service for which the requester seeks registration -- "How the
suitability is determined and how the certificates are obtained is out
of scope for this document."

For example there may not be a strict ordering of certificates w.r.t.
suitability to register, i.e., given two certificates A and B, there
isn't necessarily one that is more suitable than the other.

For example, a requester for a service may have certificates issued by
two ISPs, such as a fixed wireline broadband ISP, and a mobile service
provider. These may have brokered roaming agreements with various
other parties to optimize topological closeness of the service
registrar w.r.t. the requester's current access network. If the
requester always include both certificates in its requests, this would
avoid having to specify and implement complex certificate selection
logic on the requester.

> 2. "it SHOULD send the registration request without the CERT parameter to
> test whether the registrar accepts the request based on the host's
> identity." (in Section 3.3)
>
> In this situation, if a malicious party knows the identity of the reqester,
> the party can get the access right.
> Is the identity protected so that no malicious party can get it?

The Host Identity is the public component of a public-private key
pair, and since completion of the HIP exchange's mutual peer
authentication requires knowledge of the private component of the key
pair, an attacker knowing the public component would not be able to be
granted any service registration based on that knowledge.

> 3. "Other documents will define specific values for registration types. See
> Section 7 for more information" (Section 4.3)
>
> I looked at Section 7 to understaind the types and values of Reg Type, but I
> guess the section does not define any on them.
> Are the types and values completely the same as the ones defined by RFC
> 5203?

The registration types are defined by the documents defining the
service for which registration is being sought, and recorded in the
relevant IANA registry. This document does not change the list of
services currently being registered with IANA:

<http://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-11>

> 4. "Insufficient resource" and "Invalid certificate" (in the table in
> Section 7)
> When a requester sends requests without sending CERT parameters, the
> requester expects to be authenticated based on its identity.
> But sometimes it fails.
> In this case, which of the failor type will be used? "Insufficient
> resources"? or "Invalid certificate"? or none of them?

As the draft currently states:

   If the requester was not in the allowed list and the registrar
   requires the requester to authenticate, the registrar MUST check
   whether the packet also contains a CERT parameter.  If the packet
   does not contain a CERT parameter, the registrar MUST reject the
   registrations requiring authentication with Failure Type 0
   (Registration requires additional credentials).

"Registration requires additional credentials" is allocated in the
relevant IANA registry:

<http://www.iana.org/assignments/hip-parameters/hip-parameters.xhtml#hip-parameters-13>

Thanks again for the review. With best regards,

--julien

On Mon, Dec 28, 2015 at 2:06 AM, Takeshi Takahashi
<takeshi_takahashi@nict.go.jp> wrote:
> Hello,
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security area
> directors.
> Document editors and WG chairs should treat these comments just like any
> other last call comments.
>
> [overall feeling on this draft]
>
> ready, and good to proceed
>
> [overview]
>
> This draft updates RFC 5203 to cope with HIPv2 (RFC 7401).
> RFC 5203 specifies a registration mechanism for HIPv1 (RFC 5201).
> Likewiise, this draft specifies the mechanism for HIPv2.
>
> [questions]
>
> Below are simply clarification questions, and these do not block the further
> process of this document.
> I am not that familiar with HIP, so it would be helpful if you could provide
> me some comments on them to deepen my understanding.
>
> 1. "If the requester has one or more suitable certificates, the host SHOULD
> include them (or just the most suitable one)"(in section 3.3)
>
> I wonder whether it would be better to let the requester send only the most
> suitable certificate.
> The requester may send multiple certificates, but it would be helpful if the
> requester sends only the most suitable certificate, I guess. (It is easy to
> process from the standpoint of the receiver, isn't it?)
> Would you explain why the draft encourages to send multiple certificates
> rather than sending only the most suitable certificate?
>
> 2. "it SHOULD send the registration request without the CERT parameter to
> test whether the registrar accepts the request based on the host's
> identity." (in Section 3.3)
>
> In this situation, if a malicious party knows the identity of the reqester,
> the party can get the access right.
> Is the identity protected so that no malicious party can get it?
>
> 3. "Other documents will define specific values for registration types. See
> Section 7 for more information" (Section 4.3)
>
> I looked at Section 7 to understaind the types and values of Reg Type, but I
> guess the section does not define any on them.
> Are the types and values completely the same as the ones defined by RFC
> 5203?
>
> 4. "Insufficient resource" and "Invalid certificate" (in the table in
> Section 7)
> When a requester sends requests without sending CERT parameters, the
> requester expects to be authenticated based on its identity.
> But sometimes it fails.
> In this case, which of the failor type will be used? "Insufficient
> resources"? or "Invalid certificate"? or none of them?
>
> Thank you for your kind contributions.
> Take
>
>
>
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

v2.23.0 | Report a Bug | By Email