Re: [v6ops] [EXTERNAL] Re: Improving ND security

"Templin (US), Fred L" <Fred.L.Templin@boeing.com> Mon, 03 August 2020 19:56 UTC

Return-Path: <Fred.L.Templin@boeing.com>
X-Original-To: v6ops@ietfa.amsl.com
Delivered-To: v6ops@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3EC53A10E0; Mon, 3 Aug 2020 12:56:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.2
X-Spam-Level:
X-Spam-Status: No, score=-0.2 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=boeing.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B440-o5tucAo; Mon, 3 Aug 2020 12:56:07 -0700 (PDT)
Received: from clt-mbsout-01.mbs.boeing.net (clt-mbsout-01.mbs.boeing.net [130.76.144.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39F863A10DF; Mon, 3 Aug 2020 12:56:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by clt-mbsout-01.mbs.boeing.net (8.15.2/8.15.2/DOWNSTREAM_MBSOUT) with SMTP id 073Ju27F001848; Mon, 3 Aug 2020 15:56:04 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=boeing.com; s=boeing-s1912; t=1596484564; bh=NTn2uRHs7o1a5RnGEQ5dwuotx1TGVZxjjomztNIA5cY=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=Ad3I/7dVBBjD0nbDZ1yzHInIR0IrKVGLO0kBo0HPzPdU+N9NhBU6xysyyXMLSNuWe 2Zt7eor0JBgeoI6q2jHAHUTlPOCgtzJ4rJbFs4M/muwHyTx1MSybchIIX/lTm3gwCp wW9Ymx/R06ag3LgdU93FTNoe4w8VH+0L4u+J8GgiDr3Zfmo1itrg0S8rtke96OHiuD ubPfZurQ+9UpolvBsHiYJvOSIxkEYwJU8CG9HrW9UDALvg69iUtZJ4lIQxIvyOXD7x 7ycb1xrf9MA+Gi3ue8L++EYupYtXVABOj+fyQFuIGFUMNuNfP2bnk7vSm2f2zHuUkO spZWr2Bz7VB2w==
Received: from XCH16-07-09.nos.boeing.com (xch16-07-09.nos.boeing.com [144.115.66.111]) by clt-mbsout-01.mbs.boeing.net (8.15.2/8.15.2/8.15.2/UPSTREAM_MBSOUT) with ESMTPS id 073Jtn78031867 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=OK); Mon, 3 Aug 2020 15:55:49 -0400
Received: from XCH16-07-10.nos.boeing.com (144.115.66.112) by XCH16-07-09.nos.boeing.com (144.115.66.111) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1979.3; Mon, 3 Aug 2020 12:55:48 -0700
Received: from XCH16-07-10.nos.boeing.com ([fe80::1522:f068:5766:53b5]) by XCH16-07-10.nos.boeing.com ([fe80::1522:f068:5766:53b5%2]) with mapi id 15.01.1979.003; Mon, 3 Aug 2020 12:55:48 -0700
From: "Templin (US), Fred L" <Fred.L.Templin@boeing.com>
To: Fernando Gont <fernando@gont.com.ar>, "Pascal Thubert (pthubert)" <pthubert@cisco.com>
CC: v6ops list <v6ops@ietf.org>, 6man <ipv6@ietf.org>
Thread-Topic: [v6ops] [EXTERNAL] Re: Improving ND security
Thread-Index: AdZnYGykJNK1kk2zSneWe05yLDtm6gAO/XoAAA6T6+D//9BAgIAAcUNg//yt9vCABzh8AIAAbPyQ///Bg4CAAGxUwA==
Date: Mon, 3 Aug 2020 19:55:47 +0000
Message-ID: <da17a88b1886451796e45331a2fd75d4@boeing.com>
References: <d5c245f216c3409f826f8132e532a882@boeing.com> <860E06E2-2650-4AAE-AD33-D4D12B0290DC@fugue.com> <b66ce3d9c75d4a39b5336dcdf9929411@boeing.com> <0DDEBA6C-3933-40FC-BB9C-33FA59DC9D76@cisco.com> <4907a159683346789bef5c495f03f95d@boeing.com> <b5043a5446914cb5b12ed76401359c7e@boeing.com> <3978163f-8815-1bd4-0fda-d84df9cbe684@gont.com.ar> <6b0d6c0a790b46c893b0ff3051599fb4@boeing.com> <85d89256-a495-d779-2c7c-2573bfae36c5@gont.com.ar>
In-Reply-To: <85d89256-a495-d779-2c7c-2573bfae36c5@gont.com.ar>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [137.137.12.6]
x-tm-snts-smtp: 6BB4A154522EF7C36A5ED9A512ED8A920B9F421BFB65F56EFB48A59A744B565D2000:8
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-TM-AS-GCONF: 00
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/Lr-ywd8JKOlBoYWBgN9cjfIBstI>
Subject: Re: [v6ops] [EXTERNAL] Re: Improving ND security
X-BeenThere: v6ops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <v6ops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/v6ops>, <mailto:v6ops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/v6ops/>
List-Post: <mailto:v6ops@ietf.org>
List-Help: <mailto:v6ops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/v6ops>, <mailto:v6ops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Aug 2020 19:56:10 -0000

Hi Fernando,

> -----Original Message-----
> From: Fernando Gont [mailto:fernando@gont.com.ar]
> Sent: Monday, August 03, 2020 11:53 AM
> To: Templin (US), Fred L <Fred.L.Templin@boeing.com>om>; Pascal Thubert (pthubert) <pthubert@cisco.com>
> Cc: v6ops list <v6ops@ietf.org>rg>; 6man <ipv6@ietf.org>
> Subject: Re: [v6ops] [EXTERNAL] Re: Improving ND security
> 
> This message was sent from outside of Boeing. Please do not click links or open attachments unless you recognize the sender and
> know that the content is safe.
> Hi, Fred,
> 
> On 3/8/20 13:45, Templin (US), Fred L wrote:
> [....]
> >> This message was sent from outside of Boeing. Please do not click links or open attachments unless you recognize the sender and
> >> know that the content is safe.
> >> On 3/8/20 11:22, Templin (US), Fred L wrote:
> >>> Here’s another think about SEND. RFC3971 SEND says that it works in
> >>> conjunction with Cryptographically Generated addresses (CGA) per RFC3972. But, CGAs are
> >>> cumbersome to work with as the source and destination addresses of IPv6 packets,
> >>> and SEND hints that it can be used without CGA but does not tell how to do so.
> >>
> >> Of the top of my head, CGAs are a core part of send.
> >
> > That is fine; we can accommodate CGAs in OMNI, cumbersome as they are.
> > I have this on my TODO list for after the adoption call.
> 
> Why "cumbersome"?



I realize the addresses are cryptographically-generated, which implies a security property
which is good. But, they would not be the primary link-local addresses that neighbor
nodes will know each other by - the CGAs will be found in the IPv6 ND message source
and destination addresses, while the primary addresses will be carried in an additional
IPv6 encapsulation header and would be the addresses that the NCEs are indexed by.
So, all the CGAs really are is placeholders in the IPv6 header to run security checks over.
They need not even be checked for uniqueness on the link, because it is the primary
addresses and not the CGAs which need to be maintained as unique.



> >>> But then, RFC4380 offers a “poor-man’s” alternative to SEND/CGA. It
> >>> places a message authentication code in the encapsulation headers of IPv6 ND messages so
> >>> that the messages can pass a rudimentary authentication check.
> >>
> >> You mean the Teredo spec? If so, I don't think it includes any sort of
> >> poor-man's SEND-CGA.
> >
> > It provides for message authentication,
> 
> But what's special about SEND/CGAs is that they tie the address to a key...



OK, that sounds good. So, we like that property but AFAICT that is about all the
CGA is good for in my application.




> > and it is widely-deployed which suggests
> > to me that the vendors who support it believe it is secure.
> 
> I'm sure others probably know better, but... I think Teredo is mostly MS
> + Miredo. (when it comes to implementation)
> 
> And Re: deployment, IIRC Teredo has been phased out.
> 
> 
> 
> > So, if it is secure enough for RFC4380, then shouldn't it also be secure enough for OMNI?
> 
> I believe Auth in Teredo is a totally different thing from SEND/CGAs.
> 
> Regarding OMIN, I Haven read the draft/spec, yet...
 


The usage we have for OMNI is that of an Internet-based Client sending an
authenticated, encapsulated, unicast RS message to an Internet-based Server
which then must authenticate the message. (The "link" in this case is the
Internet itself.) The encapsulation format is based on RFC4380 encapsulation
but with a different UDP port number than specified for RFC4380. A second
level of encapsulation is also added per RFC2473. The CGA of the Client is
in the IPv6 ND source address, "All-Routers" is in the IPv6 ND destination
address, the OMNI ULA of the Client is in the RFC2473 source address, and
either the OMNI ULA of the Server or Subnet Router Anycast is in the
RFC2473 destination address. The outer UDP/IP header has the Internet
source address of the Client and the Internet destination address of the
Server. That is a lot of addresses to carry around in a single packet, but if
we must use CGAs then we do what we have to do.

In the reverse direction, the Server must also include its CGA as the source
of the RA message, the CGA of the Client as the destination address, and
with the RFC2473 header having the Server's OMNI ULA as the source and
the OMNI ULA of the Client as the destination. The UDP/IP header has the
Internet addresses as before. Again, lots of addresses to juggle around due
to the need to include CGAs. 



> >>> So someone with
> >>> security experience please help me out here – is RFC4380 authentication an acceptably
> >>> secure  replacement for SEND/CGA that might be easier to work with and less
> >>> cumbersome?
> >>
> >> Nope. Tee point of CGAs is that they allow you to prove address
> >> ownership. There's nothing in RFC4380 that provides the same or similar
> >> functionality.
> >
> > Why do we have to prove address ownership
> 
> Well, that's one of the goals of SEND/CGAs. :-)
> 
> 
> > and use a whacky address format like CGA?
> 
> The *address format* is not really whacky. At the end of the day, it's a
> random number, with the specific property that it's part of the hash of
> a public key.
> 
> looking at a CGA, you probably wouldn't be able to tell CGA from RFC7217.




I think if you look inside the IPv6 ND message and find a CG option you can
infer that the address in the IPv6 header is a CGA.



> > There is nothing in the OMNI spec that needs or wants CGAs in any fashion
> > unless they are absolutely required for security. Isn't it enough to prove message
> > authentication using the mechanisms of RFC4380 without having to accommodate
> > the excess baggage of CGAs??
> 
> Both are different things.
> 
> One thing is to authenticate the contents of a message. And a different
> one is to be able to tell that one specific host is "authorized" to use
> one specific address...



The only reason I am hesitant is that it just seems that the usage of CGAs
envisioned for OMNI is just as a cryptographically-generated "bag of bits".
They are not used as indexes into the neighbor cache. They are not
examined by routers, bridges or switches, etc. They are simply payload
bits carried in a special place known as the IPv6 source and destination
address. Is that good enough?

Thanks - Fred




> --
> Fernando Gont
> e-mail: fernando@gont.com.ar || fgont@si6networks.com
> PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
> 
>