Re: [v6ops] [EXTERNAL] Re: Improving ND security

Vasilenko Eduard <vasilenko.eduard@huawei.com> Wed, 05 August 2020 13:35 UTC

From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
To: "Pascal Thubert (pthubert)" <pthubert@cisco.com>, Fernando Gont <fernando@gont.com.ar>
CC: 6man <ipv6@ietf.org>, v6ops list <v6ops@ietf.org>
Date: Wed, 5 Aug 2020 13:35:03 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/v6ops/yw3ICh-JPvg5Q03dz9rwFCehvIU>

Therefore, you have decided not to make recommendations.
A smart vendor would do clever things.
A stupid one would miss the point.
And both implementations would be fully compliant with the standard. Just the result would be very different.
I see.
Ed/

From: Pascal Thubert (pthubert) [mailto:pthubert@cisco.com]
Sent: 5 August 2020, 15:20
To: Vasilenko Eduard <vasilenko.eduard@huawei.com>; Fernando Gont <fernando@gont.com.ar>
Cc: 6man <ipv6@ietf.org>; v6ops list <v6ops@ietf.org>
Subject: RE: [v6ops] [EXTERNAL] Re: Improving ND security

> I could guess that your https://datatracker.ietf.org/doc/draft-ietf-6lo-ap-nd
> Has 1 additional advantage that you did not mention in the draft: it does not need PKI.

This is correct, Eduard

> You did not mention anywhere in the draft that Public/Private key pair is locally generated, and should not be registered anywhere.

We make no assumption how the key pair is obtained but it is perfectly fine to generate it locally as you point out. It is also perfectly acceptable to provision it in one or more nodes, if you want to use it for anycast. In that case you also need to provision a modifier.

Anycast operations are globally underspecified. To make them work in the context of RFC 8505, one needs to synchronize the TIDs so the registrations are all accepted.

Note: There’s a lot more state to synchronize than this if you want to implement redundant routers so it does not change the world. The synchronization mechanism and the synchronized data are usually proprietary. This is one of the basic things you have to consider when writing code in a router.

Keep safe;

Pascal

From: Vasilenko Eduard <vasilenko.eduard@huawei.com>
Sent: Wednesday, 5 August 2020 11:13
To: Pascal Thubert (pthubert) <pthubert@cisco.com>; Fernando Gont <fernando@gont.com.ar>
Cc: 6man <ipv6@ietf.org>; v6ops list <v6ops@ietf.org>
Subject: RE: [v6ops] [EXTERNAL] Re: Improving ND security

Pascal,
I could guess that your https://datatracker.ietf.org/doc/draft-ietf-6lo-ap-nd
Has 1 additional advantage that you did not mention in the draft: it does not need PKI.
You did not mention anywhere in the draft that Public/Private key pair is locally generated, and should not be registered anywhere.

I guess this from looking at your claim: “first come first serve”.
Then ND record expiration is possible only on a timer. It is not suitable for a few cases.
How would you share one IPv6 between N hosts? Use cases: (1) Permanent (anycast) or (2) fast dynamic (VRRP-like redundancy, active/standby)
Where is the procedure to manually extract the private key from one host and feed it to the other host (in a redundant pair)?
Redundant hosts probably belong to something important – they should have protection against IP address hijacking as the 1st priority.
Looks like you have missed it.
Eduard

From: Vasilenko Eduard
Sent: 5 August 2020, 11:32
To: 'Pascal Thubert (pthubert)' <pthubert=40cisco.com@dmarc.ietf.org>; Fernando Gont <fernando@gont.com.ar>
Cc: 6man <ipv6@ietf.org>; v6ops list <v6ops@ietf.org>
Subject: RE: [v6ops] [EXTERNAL] Re: Improving ND security

Hi Pascal,
I believe that you are misleading the audience a little on SeND.

Yes, they did something terrible: they have invented their own crypto algorithm for Interface ID generation.
It is something like HMAC: based on “proof of work”. It is some sort of signature, but weak and expensive (a lot of computations). Yet it could be simple: complexity is regulated by 3 special bits.
A good security rule has been broken: never ever develop your own crypto algorithm! One should have very good reasons to do it. Even more, never develop a crypto protocol. Remember how many vulnerabilities have been found in SSL or TLS on the protocol level.
When I was reading about this requirement that bits should be 0, it reminded me of blockchain ☺ Was Satoshi Nakamoto behind this version 0 of blockchain?

HMAC-like is a big computational burden for any processor. It is really a “killing application” for IoT. Literally “killing”.

I was not able to understand why it was done for SeND. Why was it not acceptable to generate the Interface ID in the typical way?
Why, in principle, do we need “Cryptographically Generated Addresses”?!?

I was really laughing when I read this justification in SeND: “second signature algorithm is only necessary as a recovery mechanism, in case a flaw is found in RSA”

But what if a flaw were found in the 2nd mechanism – maybe a 3rd mechanism would be needed? Why is the 2nd mechanism (CGA) so miserable from a cryptographic point of view (low protection, high computation)?

After this jumping around a proprietary HMAC (in the IID), the normal RSA private key is used over the whole packet – it is real protection. Look at the very small section 6 of RFC 3972 (CGA).
Pascal, protection is strong, but real assurance is given from RSA, not from this simplified HMAC that everybody would probably keep at the minimal level of complexity (as you said).

IMHO: the CGA part of SeND should be just discarded as redundant. It is exactly what Pascal did in his draft that he is promoting here.

I agree that SeND has seen dinosaurs. Zero chances that it would be accepted by the market.

Eduard

From: ipv6 [mailto:ipv6-bounces@ietf.org] On Behalf Of Pascal Thubert (pthubert)
Sent: 5 August 2020, 8:35
To: Fernando Gont <fernando@gont.com.ar>
Cc: 6man <ipv6@ietf.org>; v6ops list <v6ops@ietf.org>
Subject: Re: [v6ops] [EXTERNAL] Re: Improving ND security

I agree that a valuable ND security should not only protect address ownership but also provide SAVI, which SeND does not.

SeND has to protect distributed stateless address claim so they decided to embed the proof of ownership in the address. This limits the size of the security proof to 64 bits which is far from sufficient. So CGA added those 3 bits that optionally make the computational cost more cumbersome. Nobody uses that so the protection is low. Very powerful devices could potentially do that but smaller devices will be left with little protection and hardship to form new addresses.

In a stateful architecture the proof of ownership can be separated from the address and made bigger. It is stored in the infrastructure together with the address on the first come. The same proof can be used for multiple addresses (and obfuscated with rehashing) so it does not affect privacy addressing.

https://datatracker.ietf.org/doc/draft-ietf-6lo-ap-nd/ is sitting in the RFC Editor queue and soon on the shelf. It does all the above. SAVI. Proof of ownership. But it only works for addresses that are registered through RFC 8505, which makes ND proactive/stateful.
All the best,

Pascal

On 5 August 2020 at 01:41, Fernando Gont <fernando@gont.com.ar> wrote:
Hi, Fred,

On 3/8/20 16:55, Templin (US), Fred L wrote:
[....]

That is fine; we can accommodate CGAs in OMNI, cumbersome as they are.
I have this on my TODO list for after the adoption call.

Why "cumbersome"?
I realize the addresses are cryptographically-generated, which implies a security property
which is good. But, they would not be the primary link-local addresses that neighbor
nodes will know each other by - the CGAs will be found in the IPv6 ND message source
and destination addresses, while the primary addresses will be carried in an additional
IPv6 encapsulation header and would be the addresses that the NCEs are indexed by.

Not sure what you mean...

So, all the CGAs really are is placeholders in the IPv6 header to run security checks over.
They need not even be checked for uniqueness on the link, because it is the primary
addresses and not the CGAs which need to be maintained as unique.

The point of CGAs is that in order for you to ND-answer for PREFIX:IID, you need to have the key identified by "IID". So, assuming /64s, you'd need to be lucky to, given a CGA (PREFIX:IID), generate a key-pair where the public key is identified by "IID".

But then, RFC4380 offers a “poor-man’s” alternative to SEND/CGA. It
places a message authentication code in the encapsulation headers of IPv6 ND messages so
that the messages can pass a rudimentary authentication check.

You mean the Teredo spec? If so, I don't think it includes any sort of
poor-man's SEND-CGA.

It provides for message authentication,

But what's special about SEND/CGAs is that they tie the address to a key...
OK, that sounds good. So, we like that property but AFAICT that is about all the
CGA is good for in my application.

The thing is that, while in theory you could *theoretically* extend the use of CGAs as a spoofing mitigation, in the context of SEND CGAs are just employed for mitigating ND attacks... and that's kind of a lot of effort for mitigating something that we have learned to live_with/mitigate in IPv4 in simpler ways.

i.e., I find SEND smart... but, in the bigger picture, not very compelling to deploy.


[...]
The usage we have for OMNI is that of an Internet-based Client sending an
authenticated, encapsulated, unicast RS message to an Internet-based Server
which then must authenticate the message.

Depends on what you mean by "authenticated". CGAs prove that the node that sends the packet is the owner of the address. Not more than that.

That's different than authenticating the client.

Similarly, you could authenticate the client, but that wouldn't mean that a client is the owner of a given address.


So someone with
security experience please help me out here – is RFC4380 authentication an acceptably
secure  replacement for SEND/CGA that might be easier to work with and less
cumbersome?

Nope. The point of CGAs is that they allow you to prove address
ownership. There's nothing in RFC4380 that provides the same or similar
functionality.

Why do we have to prove address ownership

Well, that's one of the goals of SEND/CGAs. :-)


and use a whacky address format like CGA?

The *address format* is not really whacky. At the end of the day, it's a
random number, with the specific property that it's part of the hash of
a public key.

looking at a CGA, you probably wouldn't be able to tell CGA from RFC7217.
[...]
I think if you look inside the IPv6 ND message and find a CG option you can
infer that the address in the IPv6 header is a CGA.

Yep... but CGA != CGA option.

Thanks,
--
Fernando Gont
e-mail: fernando@gont.com.ar || fgont@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
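
The address-to-key binding and the 3 "Sec" bits discussed in this thread can be seen in a sketch of RFC 3972 CGA generation and verification. This is an added example, not code from any of the thread's participants or from a SEND implementation; the prefix and the "public keys" are constructed placeholder bytes, and the modifier starts at 0 instead of a random value so the run is reproducible.

```python
import hashlib
import ipaddress

# Constructed sample values. The "keys" are placeholder bytes standing in for
# the DER-encoded SubjectPublicKeyInfo that RFC 3972 hashes.
PREFIX = ipaddress.IPv6Address("2001:db8:0:1::").packed[:8]
OWNER_KEY = b"constructed-public-key-owner"
OTHER_KEY = b"constructed-public-key-other"
IID_MASK = bytes([0x1C]) + b"\xff" * 7   # ignore Sec bits (0-2) and u/g bits (6-7)

def _sha1(*parts):
    return hashlib.sha1(b"".join(parts)).digest()

def cga_generate(prefix, pubkey, sec, modifier=0):
    """RFC 3972 section 4: return (address, modifier, number of Hash2 attempts)."""
    tries = 0
    while True:
        tries += 1
        mod = modifier.to_bytes(16, "big")
        hash2 = _sha1(mod, bytes(9), pubkey)[:14]      # leftmost 112 bits
        if hash2[:2 * sec] == bytes(2 * sec):          # 16*Sec leading zero bits
            break
        modifier = (modifier + 1) % (1 << 128)
    iid = bytearray(_sha1(mod, prefix, b"\x00", pubkey)[:8])  # Hash1, collision count 0
    iid[0] = (iid[0] & 0x1C) | (sec << 5)              # write Sec, clear u and g bits
    return ipaddress.IPv6Address(prefix + bytes(iid)), mod, tries

def cga_verify(addr, mod, pubkey, collision_count=0):
    """RFC 3972 section 5 hash checks; SEND also requires an RSA signature."""
    raw = ipaddress.IPv6Address(addr).packed
    prefix, iid = raw[:8], raw[8:]
    if collision_count not in (0, 1, 2):
        return False
    hash1 = _sha1(mod, prefix, bytes([collision_count]), pubkey)[:8]
    if any((h ^ i) & m for h, i, m in zip(hash1, iid, IID_MASK)):
        return False                                   # key does not match the IID
    sec = iid[0] >> 5
    hash2 = _sha1(mod, bytes(9), pubkey)[:14]
    return hash2[:2 * sec] == bytes(2 * sec)

if __name__ == "__main__":
    for sec in (0, 1):
        addr, mod, tries = cga_generate(PREFIX, OWNER_KEY, sec)
        print(sec, addr, tries, cga_verify(addr, mod, OWNER_KEY),
              cga_verify(addr, mod, OTHER_KEY))
```

With Sec=0 the first modifier is accepted; each increment of Sec adds 16 required zero bits to Hash2, which is the generation cost the thread calls a burden for small devices.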