IETF Logo Mail Archive

Re: [secdir] secdir review of draft-templin-aero-10

Fred Templin <fltemplin@yahoo.com> Mon, 23 April 2012 16:52 UTC

Return-Path: <fltemplin@yahoo.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B2E121F85E5 for <secdir@ietfa.amsl.com>; Mon, 23 Apr 2012 09:52:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.53
X-Spam-Level:
X-Spam-Status: No, score=-1.53 tagged_above=-999 required=5 tests=[AWL=1.068, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q7Kbe89p5nkd for <secdir@ietfa.amsl.com>; Mon, 23 Apr 2012 09:52:44 -0700 (PDT)
Received: from nm39-vm7.bullet.mail.bf1.yahoo.com (nm39-vm7.bullet.mail.bf1.yahoo.com [72.30.239.151]) by ietfa.amsl.com (Postfix) with SMTP id B9FB621F85F9 for <secdir@ietf.org>; Mon, 23 Apr 2012 09:52:39 -0700 (PDT)
Received: from [98.139.212.151] by nm39.bullet.mail.bf1.yahoo.com with NNFMP; 23 Apr 2012 16:52:36 -0000
Received: from [98.139.212.214] by tm8.bullet.mail.bf1.yahoo.com with NNFMP; 23 Apr 2012 16:52:36 -0000
Received: from [127.0.0.1] by omp1023.mail.bf1.yahoo.com with NNFMP; 23 Apr 2012 16:52:36 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 605944.70754.bm@omp1023.mail.bf1.yahoo.com
Received: (qmail 27268 invoked by uid 60001); 23 Apr 2012 16:52:36 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1335199956; bh=V5jPApH5kPbt/6VvhHvjPYUMje4asNCu+/Y2H1J2siQ=; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=krqHKTuuJmZ/B77dHqR4zJGH0QHhPUVIPOl3xIDqDAne2op5ZRel2epRonwKrMW+I3K4xy7iv8M9gBhnV4AMBmfkTCJblaJQdeKIt9QdAUzZLXkuZd3eRIJSq8nhwxzCRBB0CVptIRaqH0nOtoirbMSEe3a2ALz1xbmSECDd13E=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type; b=5++V9Q2zzvFFO7VYUvO+6LGu4NrIf+IEe4uDmkHYhTnaP7xUqU3vmhuEAZa3aeGcEs8kUFcIigWjlZ2qoEId9ZiY7gQL3gcmPv8XnT7DmiB6wY8jkKsJZg6OO6Ki8X4EgJjmnoyLgRyt56qP0l3Fpu3WiIXTk4iNCoc3PT1oNUY=;
X-YMail-OSG: O061kb4VM1lzSjYGLeiYKZfgH3UCVO4LIpiHxgmgysDQkQ9 dTA0._DCTFFXo_vEJAMJUb3oFD9GNO0lCBTGQhwWVgM4uGP1PAQVJyr3gfyU mPUUb5RWVtWpAPAPLoC8p5FiAwX97cMtuUNdJObl8whhc7WL3J.HRP__GU1I hY345a70A43tURlGu58OE0Z3TfWTGVnT.pH3CP8Bz5_csChs6aJXS_bJB55J OdHHvmkXwuhB7HSHSnlw1veDRVvkPwbaDvh15H6K6co2ZF6_DY4HdEPYhTBV QQgPRzsVLqDSDBBPRR6BGcfPieC0MZZ8A_hv4JYPeCKRfUjyV7MiA01OY.90 zVMNac.4hQlMI4K3sCNSTfPqlqa9OQcIhalZSN.JxeOSab0xA3QJB8bLcN_9 61gjP2a6d47YdUjCLGNVG0EKfOnnTFB4K50Pmh44tOEp3Hvxtwk9cqEZ.Kd9 qVGg7zNGVzEiZtVVyV9AC79wC8E9uh76tDNU4yfkDPPdYCb7AcoVJyTB.xh4 g2VGTT03e1hltzl.wyp9YTt2X_k1ucglcnq_JLfMIWxtUgrARzBwY
Received: from [130.76.32.197] by web161604.mail.bf1.yahoo.com via HTTP; Mon, 23 Apr 2012 09:52:36 PDT
X-Mailer: YahooMailWebService/0.8.117.340979
References: <36214B77-821E-47B9-8349-A89D2800E24C@cisco.com>
Message-ID: <1335199956.12137.YahooMailNeo@web161604.mail.bf1.yahoo.com>
Date: Mon, 23 Apr 2012 09:52:36 -0700
From: Fred Templin <fltemplin@yahoo.com>
To: Joe Salowey <jsalowey@cisco.com>, "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>, "draft-templin-aero.all@tools.ietf.org" <draft-templin-aero.all@tools.ietf.org>
In-Reply-To: <36214B77-821E-47B9-8349-A89D2800E24C@cisco.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="397762125-199359350-1335199956=:12137"
X-Mailman-Approved-At: Mon, 23 Apr 2012 09:56:23 -0700
Subject: Re: [secdir] secdir review of draft-templin-aero-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Fred Templin <fltemplin@yahoo.com>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Apr 2012 16:52:46 -0000

(Resending with comments as inline text)

Hello Joe,

Thank you for these comments. Please see below for my proposed
resolutions:

Fred
fltemplin@acm.org



>________________________________
> From: Joe Salowey <jsalowey@cisco.com>
>To: secdir@ietf.org; The IESG <iesg@ietf.org>; draft-templin-aero.all@tools.ietf.org 
>Sent: Sunday, April 22, 2012 3:00 PM
>Subject: secdir review of draft-templin-aero-10
> 
>I have reviewed this document as part of the security directorate's 
>ongoing effort to review all IETF documents being processed by the 
>IESG.  These comments were written primarily for the benefit of the 
>security area directors.  Document editors and WG chairs should treat 
>these comments just like any other last call comments.
>
>I apologize for the delay in getting this review out.  Hopefully it is still useful.  
>
>This first set of comments is primarily for the authors.
>
>1. In section 4.4.4 on Data origin authentication the last paragraph states that only the 3rd of the above conditions is acceptable, do you really mean the 4th?
>
>>>> Begin FLT response
>
>You are correct; this should say the 4th and
can be fixed in the next version.>>> End FLT response
>
>2. In section 4.4.4 there is reference to the packet including a digital signature to authenticate the origin.  What is the signature mechanism?  Is this SEND or something different? I did not see a reference to it.
>
>>>> Begin FLT response
>
>The digital signature mechanism is out of scope for
this document. The text
>could be adjusted to say: “…, AERO nodes may be obliged
to require the
>use of digital signatures applied through means outside the
scope of this
>document.”>>> End FLT response
>
>3. The security considerations do not say much about the consequences of trusting an inappropriate intermediate router, ingress node or egress node. Clearly DOS to the ingress node is a possibility.   Data modification and disclosure can be a goal of an attacker who tries to control the routing.   Are there other issues the reader should be aware of (perhaps other DOS attacks such as amplification attacks).  Anything outside the considerations of RFC4861)?
>
>>>> Begin FLT response
>
>Proposed resolution is to re-write the first paragraph
of Section 6 as follows:
> 
>“AERO link security considerations are the same as for standard
IPv6 Neighbor Discovery
>(RFC4861) except that AERO improves on some aspects. In
particular, AERO is dependent
>on a trust basis between AERO edge nodes and intermediate
routers, where the edge nodes
>must only engage in the AERO mechanism when it is
facilitated by a trusted intermediate
>router.”>>> End FLT response
>
>4. The security consideration section indicates that spoofing protection can be provided by links that provide link layer security mechanisms.    Link Layer security mechanisms may or may not help.   I believe more information is needed here.  L2 mechanisms may not provide adequate protection of upper layer address bindings.  In some cases L2 mechanisms do not provide source origin authentication such as multicast  traffic protected with the group  key in WiFi and group security associations in 802.1AE (MACSEC).
>
>>>> Begin FLT response
>
>Proposed resolution is to re-write the second paragraph
of Section 6 as follows:
>“AERO links must be protected against spoofing attacks in which an attacker
>on the link pretends to be a trusted neighbor.  Links that provide link-layer
>securing mechanisms (e.g., WiFi networks) and links that provide physical
>security (e.g., enterprise network LANs) provide only a fist-line of defense.In some instances, therefore, additional
securing assurances against on-link
>spoofing attacks are required. For example,
if the source can through some
>means digitally sign its messages the
destination can verify the signatures to
>ensure data origin authentication.
Exact mechanisms for digitally signing and
>verifying signatures are outside the
scope of this document.”
>>>> End FLT response
>
>This set of comments is mostly for the area directors:
>
>1. I am mostly concerned about the lack of definition for the digital signature mechanism.  Perhaps this is easily rectified by a reference to an existing specification. Its not clear to me what the specification would be (perhaps SEND??)?  Is something needed in addition? 
>2.  The risks of not securing the proposal are not defined in the security considerations section. I think this would be helpful, but may not be strictly necessary.  There is some mention of Link-Layer security helping in some aspects of this, but its not clear on what characteristics the lower layer security needs to provide. 
>
>Cheers,
>
>Joe
>
>

v2.23.0 | Report a Bug | By Email