IETF Logo Mail Archive

Re: [TICTOC] Updated draft-ietf-tictoc-security-requirements-07

"Smiley, Russell" <Russell.Smiley@idt.com> Tue, 29 April 2014 15:07 UTC

Return-Path: <Russell.Smiley@idt.com>
X-Original-To: tictoc@ietfa.amsl.com
Delivered-To: tictoc@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 958541A0564 for <tictoc@ietfa.amsl.com>; Tue, 29 Apr 2014 08:07:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.551
X-Spam-Level:
X-Spam-Status: No, score=-2.551 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iTjs1GXzy-I4 for <tictoc@ietfa.amsl.com>; Tue, 29 Apr 2014 08:07:42 -0700 (PDT)
Received: from mxout1.idt.com (mxout1.idt.com [157.165.5.25]) by ietfa.amsl.com (Postfix) with ESMTP id 56D031A04AC for <tictoc@ietf.org>; Tue, 29 Apr 2014 08:07:42 -0700 (PDT)
Received: from mail.idt.com (localhost [127.0.0.1]) by mxout1.idt.com (8.13.1/8.13.1) with ESMTP id s3TF7abl032481; Tue, 29 Apr 2014 08:07:36 -0700
Received: from corpml3.corp.idt.com (corpml3.corp.idt.com [157.165.140.25]) by mail.idt.com (8.13.8/8.13.8) with ESMTP id s3TF7YBt025819; Tue, 29 Apr 2014 08:07:34 -0700 (PDT)
Received: from corpmail2.na.ads.idt.com (corpimss.corp.idt.com [157.165.140.30]) by corpml3.corp.idt.com (8.11.7p1+Sun/8.11.7) with ESMTP id s3TF6g127358; Tue, 29 Apr 2014 08:06:42 -0700 (PDT)
Received: from CORPMAIL1.na.ads.idt.com ([fe80::f9ec:4643:471e:dd33]) by corpmail2.na.ads.idt.com ([fe80::7d1f:86ad:31c6:5aee%17]) with mapi id 14.03.0158.001; Tue, 29 Apr 2014 08:06:41 -0700
From: "Smiley, Russell" <Russell.Smiley@idt.com>
To: Tal Mizrahi <talmi@marvell.com>, "dieter.sibold@ptb.de" <dieter.sibold@ptb.de>
Thread-Topic: [TICTOC] Updated draft-ietf-tictoc-security-requirements-07
Thread-Index: Ac9f2ZBtIMFw8mfpT3WQMEuoNBqdhQDjdYAQABHdjgAAALmx8AACZrbw
Date: Tue, 29 Apr 2014 15:06:40 +0000
Message-ID: <3EB7D1CECF89334E9B5A0D6E60B9518F31909C20@corpmail1.na.ads.idt.com>
References: <74470498B659FA4687F0B0018C19A89C01D4397649E9@IL-MB01.marvell.com> <OF115648C5.E137AD16-ONC1257CC4.0058221F-C1257CC4.005A0A44@ptb.de> <74470498B659FA4687F0B0018C19A89C01D439765370@IL-MB01.marvell.com> <3EB7D1CECF89334E9B5A0D6E60B9518F31909967@corpmail1.na.ads.idt.com> <74470498B659FA4687F0B0018C19A89C01D439765535@IL-MB01.marvell.com>
In-Reply-To: <74470498B659FA4687F0B0018C19A89C01D439765535@IL-MB01.marvell.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.165.140.29]
Content-Type: multipart/alternative; boundary="_000_3EB7D1CECF89334E9B5A0D6E60B9518F31909C20corpmail1naadsi_"
MIME-Version: 1.0
X-TM-AS-MML: disable
X-Scanned-By: MIMEDefang 2.43
Archived-At: http://mailarchive.ietf.org/arch/msg/tictoc/Pjbd9AtFBVfY03Y5i2GNO5hApek
Cc: "tictoc@ietf.org" <tictoc@ietf.org>
Subject: Re: [TICTOC] Updated draft-ietf-tictoc-security-requirements-07
X-BeenThere: tictoc@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Timing over IP Connection and Transfer of Clock BOF <tictoc.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tictoc>, <mailto:tictoc-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tictoc/>
List-Post: <mailto:tictoc@ietf.org>
List-Help: <mailto:tictoc-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tictoc>, <mailto:tictoc-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Apr 2014 15:07:45 -0000

[TM] I will try to phrase Dieter’s claim the way I understand it (Dieter – correct me if I am wrong). The slave can send Delay_Req packets with *something* (a nonce or something else) that is protected by a MAC with a key that only the slave has access to, and thus no other node can forge this MAC. The Delay_Resp message then includes the same *something* with the same MAC, allowing the slave to verify that the Delay_Resp corresponds to an authentic Delay_Req. As Dieter suggests, this prevents spoofing, and the master does not have to verify the master’s identity.

Ok. To prevent spoofing of the downlink channel, presumably in Delay_Resp the master also includes its own MAC *m-something* as well as returning the slaves *s-something* ?

I agree with your separation of the two requirements.


From: Tal Mizrahi [mailto:talmi@marvell.com]
Sent: Tuesday, April 29, 2014 9:56 AM
To: Smiley, Russell; dieter.sibold@ptb.de
Cc: tictoc@ietf.org
Subject: RE: [TICTOC] Updated draft-ietf-tictoc-security-requirements-07

Hi Russell,

Please see inline, marked [TM].

Thanks,
Tal.

From: Smiley, Russell [mailto:Russell.Smiley@idt.com]
Sent: Tuesday, April 29, 2014 4:47 PM
To: Tal Mizrahi; dieter.sibold@ptb.de<mailto:dieter.sibold@ptb.de>
Cc: tictoc@ietf.org<mailto:tictoc@ietf.org>
Subject: RE: [TICTOC] Updated draft-ietf-tictoc-security-requirements-07

Tal,

Let me restate your separation of the requirements in the hope that I have understood correctly:


1.       Master authenticates slaves as a necessary component of authorizing slaves for access to the master services.
[TM] Yes

2.       Master authenticates slaves in order to uniquely identify slaves to prevent spoofing attacks.
[TM] Not exactly. The general way to phrase this is spoofing prevention. Dieter argued (and I agree) that slave spoofing can be prevented even if the master does not authenticate the identity of the slave.

If I understand correctly you want to make requirement (1) a MAY and (2) a MUST, with the understanding that the implementation of the authentication mechanism in (1) and (2) may be different.
[TM] Right.

I believe that Dieter suggests that a nonce would be adequate to satisfy (2). I am not confident of this assertion; a nonce is normally used to prevent a replay attack, so unless there is something about the implementation of a nonce that I have misunderstood I do not see how a nonce could prevent spoofing/MITM. Perhaps further explanation would be helpful?
[TM] I will try to phrase Dieter’s claim the way I understand it (Dieter – correct me if I am wrong). The slave can send Delay_Req packets with *something* (a nonce or something else) that is protected by a MAC with a key that only the slave has access to, and thus no other node can forge this MAC. The Delay_Resp message then includes the same *something* with the same MAC, allowing the slave to verify that the Delay_Resp corresponds to an authentic Delay_Req. As Dieter suggests, this prevents spoofing, and the master does not have to verify the master’s identity.

In the case of a public master that Dieter is concerned about, I believe the authentication of slaves in (2) to prevent spoofing can be satisfied using a key exchange system such as in TLS; the keys are generated and exchanged per session within the context of a secure handshaking mechanism. Thus there is no/minimal prior knowledge needed to establish secure communications between master and slave.

Russell.


From: TICTOC [mailto:tictoc-bounces@ietf.org] On Behalf Of Tal Mizrahi
Sent: Tuesday, April 29, 2014 1:04 AM
To: dieter.sibold@ptb.de<mailto:dieter.sibold@ptb.de>
Cc: tictoc@ietf.org<mailto:tictoc@ietf.org>
Subject: Re: [TICTOC] Updated draft-ietf-tictoc-security-requirements-07

Hi,

Dieter, thanks for the comments.
After some further offline discussion with Dieter, I understand the concern: in section 5.1.3 WRT authentication we actually implied two different requirements: (i) master authenticates the identity of the slave, and (ii) slave spoofing prevention.  As Dieter explains, (ii) can be satisfied even when (i) is not satisfied.

My suggestion is as follows:
Add a new subsection, “5.x Spoofing Prevention”, that requires a mechanism that prevents (i) master (server) spoofing. (ii) slave (client) spoofing, and (iii) TC spoofing (in PTP).
This new section will be a MUST.
We can then change 5.1.3 and 5.1.4 back to MAY.

Please let me know if there are further comments.

Thanks,
Tal.

From: dieter.sibold@ptb.de<mailto:dieter.sibold@ptb.de> [mailto:dieter.sibold@ptb.de]
Sent: Thursday, April 24, 2014 7:23 PM
To: Tal Mizrahi
Cc: tictoc@ietf.org<mailto:tictoc@ietf.org>
Subject: Re: [TICTOC] Updated draft-ietf-tictoc-security-requirements-07

Hello Tal,

I have one comment regarding Sec. 5.1.3.

This section requires that the master MUST authenticate each client. I think that this requirement should be a MAY! In the case of a public time service there is no need for the master to authenticate its slaves. The spoofing attack described in the second example of 3.2.2 can be mitigated by other means such as the introduction of a nonce in a time request or delay_req message.

I agree that in the case of authorization of the slave authentication is also necessary.


Greetings
Dieter






----------------------------------
Physikalisch-Technische Bundesanstalt
Dr. Dieter Sibold
Q.42 - Serversysteme und Datenhaltung
QM-Verantwortlicher der Stelle IT-Infrastruktur
Bundesallee 100
D-38116 Braunschweig
Tel: +49-531-592-84 20
E-Mail: dieter.sibold@ptb.de<mailto:dieter.sibold@ptb.de>



Von:        Tal Mizrahi <talmi@marvell.com<mailto:talmi@marvell.com>>
An:        "odonoghue@isoc.org<mailto:odonoghue@isoc.org>" <odonoghue@isoc.org<mailto:odonoghue@isoc.org>>, "Yaakov Stein (yaakov_s@rad.com<mailto:yaakov_s@rad.com>)" <yaakov_s@rad.com<mailto:yaakov_s@rad.com>>, "tictoc@ietf.org<mailto:tictoc@ietf.org>" <tictoc@ietf.org<mailto:tictoc@ietf.org>>
Kopie:        "Shawn M Emery \(shawn.emery@oracle.com\<mailto:shawn.emery@oracle.com\>)" <shawn.emery@oracle.com<mailto:shawn.emery@oracle.com>>
Datum:        23.04.2014 14:40
Betreff:        [TICTOC] Updated draft-ietf-tictoc-security-requirements-07
Gesendet von:        "TICTOC" <tictoc-bounces@ietf.org<mailto:tictoc-bounces@ietf.org>>
________________________________



Hi,

I have posted an updated draft.
http://tools.ietf.org/html/draft-ietf-tictoc-security-requirements-07


The most notable changes in this draft:
1.       I updated the draft to address comments from Shawn, the appointed secdir reviewer:
http://www.ietf.org/mail-archive/web/secdir/current/msg04315.html
2.       I updated the draft to address comments from Russell Smiley:
http://www.ietf.org/mail-archive/web/tictoc/current/msg01387.html
This includes:
- In section 5.1.3 and 5.1.4 we decoupled the authentication and authorization requirements. The authentication requirement level was changed to ‘MUST’ following the good observation made by Russell: “Absence of authentication of slaves may enable MITM attacks delaying delay_req packets and thereby distorting the delay_req packet arrival times and subsequent departure of delay_resp. The resulting asymmetry could distort the subsequent slave clock offset calculations.”
- The authorization requirement remains ‘MAY’ for sections 5.1.3 and 5.1.4.
3.       The requirement level of section 5.8 was changed to ‘MUST’. The background is the insight that MITM attacks (sections 3.2.5, 3.2.6) have the same impact and level of difficulty to implement as manipulation attacks (section 3.2.1). Hence, a similar requirement level is called for in the two cases.
Section 5.8 also clarifies that: “While the security mechanism should support the ability to detect delay attacks, it is noted that in some networks it is not possible to provide the redundancy needed for such a detection mechanism.”
4.       Section 5.2: merged the two sub-requirements to a single requirement for integrity protection. The previous phrasing called for hop-by-hop integrity protection as a MUST and end-to-end as a SHOULD, but some of the feedback we received was that in some scenarios or network topologies an end-to-end may provide a higher level of security. The current phrasing just presents the tradeoff between peer-to-peer and end-to-end.

Please let me know if there are any comments.

Thanks,
Tal.
 _______________________________________________
TICTOC mailing list
TICTOC@ietf.org<mailto:TICTOC@ietf.org>
https://www.ietf.org/mailman/listinfo/tictoc

v2.23.0 | Report a Bug | By Email