Re: [secdir] secdir review of draft-templin-aero-10
Fred Templin <fltemplin@yahoo.com> Tue, 24 April 2012 18:14 UTC
Return-Path: <fltemplin@yahoo.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35C1E21F87C1 for <secdir@ietfa.amsl.com>; Tue, 24 Apr 2012 11:14:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.064
X-Spam-Level:
X-Spam-Status: No, score=-2.064 tagged_above=-999 required=5 tests=[AWL=0.534, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QzQ6tQuxGBQX for <secdir@ietfa.amsl.com>; Tue, 24 Apr 2012 11:14:38 -0700 (PDT)
Received: from nm30.bullet.mail.bf1.yahoo.com (nm30.bullet.mail.bf1.yahoo.com [98.139.212.189]) by ietfa.amsl.com (Postfix) with SMTP id C533D21F87AB for <secdir@ietf.org>; Tue, 24 Apr 2012 11:14:37 -0700 (PDT)
Received: from [98.139.212.152] by nm30.bullet.mail.bf1.yahoo.com with NNFMP; 24 Apr 2012 18:14:37 -0000
Received: from [98.139.215.250] by tm9.bullet.mail.bf1.yahoo.com with NNFMP; 24 Apr 2012 18:14:37 -0000
Received: from [127.0.0.1] by omp1063.mail.bf1.yahoo.com with NNFMP; 24 Apr 2012 18:14:37 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 125389.52475.bm@omp1063.mail.bf1.yahoo.com
Received: (qmail 48257 invoked by uid 60001); 24 Apr 2012 18:14:36 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1335291276; bh=haN4SOq4VUp+W0RM3R9z7dkOK4bvl5nliwqV7SxJtn0=; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=bHVM0AJ3AxtsvPAEnXRZB8q20Om+bnv3iwur8tzX9U/0iTmBrJFssaM19A7kgOpgEWwLf4bTS/uEttjWoHedZpOBzHl04wl8bpDnD7naZHGTOcV+wG7BXI+HjhVpan0msglAg4gNYOGsahNyJuSH1PUBc4r1v+/hRvNI5uSE3d0=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=AAjv9izJNy/YVquka59iee48xAdE4oHEuZ2tRYXpjVxTqInAL7g0KKT0LveSDXl0XDWuw2If5Z7bTuIbeMqkkNJcmbknX4FgnJbjRMalSoVXD8/Idp1AezcJJoPayL4/F8UjxTE4/EyxTw1hVzCnepj/blFOQZ2h3ux1GHCF904=;
X-YMail-OSG: CPIhuK4VM1nwp0AarbAYjacPeNc1pJ734rd1l6AAHVXRaSc QIugsl6SkEBcss9Nt3nHGgsgNJk_dPUbakD73fD.CNM9ohEm397YruJEladc f2ybup3W8o8LdRCGxnxgZy1FAVre5IRHo7GXBo5nG2jMSEUL5Ra2t40WZa.O sC_RWzkG9Ab8_4GxA_N1lbHYmqn6iq3S3923Fy01ZCJxemBKiYDrzwEFTLex m2T7oYz7uiZD1ggDKArxLvIBCPZVjDDgKEDi7n0OWxGmvB0WqdwMTZNeMCVu DVDUZtveGyvzpuLvBnWT38wcG8Us44ct7S1TiMuis9gIh7SRJcmcBgtlwHXF .T99q0lDq65elGgKQO1SDKEdy5edH2SyNaYPRT1HR5pKx0eFtjd28dPj0uV5 QGjhgs58S3ji6lU64BFCZmHfW2vsqnsHX2fNFgIiGW29VR_IS1io0hgpR79K 61nqrgMJzLlJtAeOjO4s5kjyeoGGGaUBgKlmPSgb2t1ZTVcE-
Received: from [130.76.32.212] by web161603.mail.bf1.yahoo.com via HTTP; Tue, 24 Apr 2012 11:14:36 PDT
X-Mailer: YahooMailWebService/0.8.117.340979
References: <36214B77-821E-47B9-8349-A89D2800E24C@cisco.com> <1335199956.12137.YahooMailNeo@web161604.mail.bf1.yahoo.com> <94CFA5A8-1D03-4BA2-993E-073B523538D7@cisco.com>
Message-ID: <1335291276.47915.YahooMailNeo@web161603.mail.bf1.yahoo.com>
Date: Tue, 24 Apr 2012 11:14:36 -0700
From: Fred Templin <fltemplin@yahoo.com>
To: Joe Salowey <jsalowey@cisco.com>
In-Reply-To: <94CFA5A8-1D03-4BA2-993E-073B523538D7@cisco.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="-2012143828-1748022034-1335291276=:47915"
X-Mailman-Approved-At: Tue, 24 Apr 2012 13:57:40 -0700
Cc: "draft-templin-aero.all@tools.ietf.org" <draft-templin-aero.all@tools.ietf.org>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-templin-aero-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Fred Templin <fltemplin@yahoo.com>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Apr 2012 18:14:39 -0000
Hello Joe, Thank you for your comments. To your question on specifying a digital signing mechanism, would the concern be addressed if I were to say something like: "e.g., using IPsec AH, etc." ? Fred fltemplin@acm.org ----- Original Message ----- > From: Joe Salowey <jsalowey@cisco.com> > To: Fred Templin <fltemplin@yahoo.com> > Cc: "secdir@ietf.org" <secdir@ietf.org>; The IESG <iesg@ietf.org>; "draft-templin-aero.all@tools.ietf.org" <draft-templin-aero.all@tools.ietf.org> > Sent: Tuesday, April 24, 2012 10:47 AM > Subject: Re: secdir review of draft-templin-aero-10 > >T hanks for the quick response, comments inline: > On Apr 23, 2012, at 9:52 AM, Fred Templin wrote: > >> (Resending with comments as inline text) >> >> Hello Joe, >> >> Thank you for these comments. Please see below for my proposed >> resolutions: >> >> Fred >> fltemplin@acm.org >> >> From: Joe Salowey <jsalowey@cisco.com> >> To: secdir@ietf.org; The IESG <iesg@ietf.org>; > draft-templin-aero.all@tools.ietf.org >> Sent: Sunday, April 22, 2012 3:00 PM >> Subject: secdir review of draft-templin-aero-10 >> >> I have reviewed this document as part of the security directorate's >> ongoing effort to review all IETF documents being processed by the >> IESG. These comments were written primarily for the benefit of the >> security area directors. Document editors and WG chairs should treat >> these comments just like any other last call comments. >> >> I apologize for the delay in getting this review out. Hopefully it is > still useful. >> >> This first set of comments is primarily for the authors. >> >> 1. In section 4.4.4 on Data origin authentication the last paragraph states > that only the 3rd of the above conditions is acceptable, do you really mean the > 4th? >> >> >>> Begin FLT response >> You are correct; this should say the 4th and can be fixed in the next > version. >> >>> End FLT response >> > > [Joe] OK > >> 2. In section 4.4.4 there is reference to the packet including a digital > signature to authenticate the origin. What is the signature mechanism? Is this > SEND or something different? I did not see a reference to it. >> >> >>> Begin FLT response >> The digital signature mechanism is out of scope for this document. The text >> could be adjusted to say: “…, AERO nodes may be obliged to require the >> use of digital signatures applied through means outside the scope of this >> document.” >> >>> End FLT response >> > > [Joe] I was hoping that something would be specified for interoperability, I > think there are many cases where you would have to resort to a signing > mechanism, however it may be the case that AERO may be deployed where spoofing > of messages is not a concern (perhaps this should be the recommendation until a > signing mechanism is specified). The ADs can decide if this is an issue or not. > >> 3. The security considerations do not say much about the consequences of > trusting an inappropriate intermediate router, ingress node or egress node. > Clearly DOS to the ingress node is a possibility. Data modification and > disclosure can be a goal of an attacker who tries to control the routing. Are > there other issues the reader should be aware of (perhaps other DOS attacks such > as amplification attacks). Anything outside the considerations of RFC4861)? >> >> >>> Begin FLT response >> Proposed resolution is to re-write the first paragraph of Section 6 as > follows: >> >> “AERO link security considerations are the same as for standard IPv6 > Neighbor Discovery >> (RFC4861) except that AERO improves on some aspects. In particular, AERO is > dependent >> on a trust basis between AERO edge nodes and intermediate routers, where > the edge nodes >> must only engage in the AERO mechanism when it is facilitated by a trusted > intermediate >> router.” >> >>> End FLT response >> > > [Joe] OK thanks. > >> 4. The security consideration section indicates that spoofing protection > can be provided by links that provide link layer security mechanisms. Link > Layer security mechanisms may or may not help. I believe more information is > needed here. L2 mechanisms may not provide adequate protection of upper layer > address bindings. In some cases L2 mechanisms do not provide source origin > authentication such as multicast traffic protected with the group key in WiFi > and group security associations in 802.1AE (MACSEC). >> >> >>> Begin FLT response >> Proposed resolution is to re-write the second paragraph of Section 6 as > follows: >> “AERO links must be protected against spoofing attacks in which an attacker >> on the link pretends to be a trusted neighbor. Links that provide > link-layer >> securing mechanisms (e.g., WiFi networks) and links that provide physical >> security (e.g., enterprise network LANs) provide only a fist-line of > defense. >> In some instances, therefore, additional securing assurances against > on-link >> spoofing attacks are required. For example, if the source can through some >> means digitally sign its messages the destination can verify the signatures > to >> ensure data origin authentication. Exact mechanisms for digitally signing > and >> verifying signatures are outside the scope of this document.” >> >>> End FLT response >> > [Joe] Thanks. (same comment on the specification of the signing mechanism as > above). > >> This set of comments is mostly for the area directors: >> >> 1. I am mostly concerned about the lack of definition for the digital > signature mechanism. Perhaps this is easily rectified by a reference to an > existing specification. Its not clear to me what the specification would be > (perhaps SEND??)? Is something needed in addition? >> 2. The risks of not securing the proposal are not defined in the security > considerations section. I think this would be helpful, but may not be strictly > necessary. There is some mention of Link-Layer security helping in some aspects > of this, but its not clear on what characteristics the lower layer security > needs to provide. >> >> Cheers, >> >> Joe >> >
- [secdir] secdir review of draft-templin-aero-10 Joe Salowey
- Re: [secdir] secdir review of draft-templin-aero-… Fred Templin
- Re: [secdir] secdir review of draft-templin-aero-… Fred Templin
- Re: [secdir] secdir review of draft-templin-aero-… Joe Salowey
- Re: [secdir] secdir review of draft-templin-aero-… Fred Templin
- Re: [secdir] secdir review of draft-templin-aero-… Joe Salowey
- Re: [secdir] secdir review of draft-templin-aero-… Sean Turner
- Re: [secdir] secdir review of draft-templin-aero-… Fred L. Templin
- Re: [secdir] secdir review of draft-templin-aero-… Fred L. Templin