IETF CSI - CGA and SEND Mantenance WG ()

Laganier, Julien | 21 May 2010 19:10

Review of draft-cheneau-csi-send-sig-agility-01

I have reviewed "Signature Algorithm Agility in the Secure Neighbor Discovery Protocol" and have the
following comments. I am not going to comment on the specifics of the protocol extension because I
disagree with the overall approach.

I do not think it's reasonable for an extension to a relatively simple security protocol (SEND) to
introduces 4 different types of hosts, 4 different type of routers, some of which are said to be "hard to
secure" and recommended to avoid, while another who rely on unspecified redirection mechanisms between
CGAs, and some combinations of these hosts and routers leading to undetectable failure modes (at least
from what I understood.)

I think most of the complexity and drawbacks of the proposal stems from the requirement that signature
agile nodes be able to negotiate a common signature algorithm, which I think is unreasonable when the
protocol employs multicast/broadcast (thus reaches multiples nodes which might support different
algorithms) and when the algorithm is somehow "hardcoded" in the CG address used by a node thus adding an
additional level of constraint.

In this situation, the only reasonable chance for ND to operate securely is that most of the nodes on a link
support the same signature algorithm (e.g., ECDSA), other minority nodes falling back to mixed mode.

In light of this, I recommend a simpler approach to be taken based on two simple requirements:

- it shall be possible for a node supporting the signature agility extension to use a public key algorithm
other than RSA for generation/verification of a signature/CGA.

- an ND message sent from a CGA based on a public key algorithm that is not supported by the receiver, and
signed using that same algorithm shall be treated as insecure by the receiver as per RFC3971, i.e., it
shall not be discarded.

--julien

(Continue reading)

Laganier, Julien | 21 May 2010 21:47

Re: Review of draft-cheneau-csi-send-sig-agility-01

Someone pointed out that my previous message (below) listed the "simple requirements" but omitted a
description of a "simpler approach" that I recommended we follow. That was actually intentional -- I
thought a simpler approach would easily be derived from simple requirements. 

FWIW - a strawman that seems to fulfill simpler requirements would be:

- define NewSignature and NewCGA options that include the algorithm in use and are used in place of CGA and
RSA Signature options when the algorithm in use is not RSA. 

- NewSignature and NewCGA options will be ignored by legacy nodes (i.e., conforming to RFC 3971) and thus
messages carrying them will be treated as unsecured by these nodes. 

- specify NewSignature and NewCGA receiver processing such that a node that doesn't support said
algorithm treats the message as unsecured.

--julien

Laganier, Julien wrote:
> 
> I have reviewed "Signature Algorithm Agility in the Secure Neighbor
> Discovery Protocol" and have the following comments. I am not going to
> comment on the specifics of the protocol extension because I disagree
> with the overall approach.
> 
> I do not think it's reasonable for an extension to a relatively simple
> security protocol (SEND) to introduces 4 different types of hosts, 4
> different type of routers, some of which are said to be "hard to
> secure" and recommended to avoid, while another who rely on unspecified
> redirection mechanisms between CGAs, and some combinations of these
> hosts and routers leading to undetectable failure modes (at least from

(Continue reading)

Tony Cheneau | 24 May 2010 15:30

Picon

Re: Review of draft-cheneau-csi-send-sig-agility-01

Hello Julien,

On Fri, 21 May 2010, Laganier, Julien wrote:

[...]
> FWIW - a strawman that seems to fulfill simpler requirements would be:
>
> - define NewSignature and NewCGA options that include the algorithm in use and are used in place of CGA and
RSA Signature options when the algorithm in use is not RSA.
I would need several clarifications on this sentence:
- I do not see why we should define a NewCGA option. RFC 3971 defines a
   CGA Option that carries a CGA PDS (defined in RFC 3972) that is
   agnostic of the Public Key type. As long as the Public Key can be
   formatted as a DER-encoded ASN.1 structure of type
   SubjectPublicKeyInfo, this is not a problem. Did I miss something ? 
- concerning the NewSignature, do you think we should define a new one
   per Signature Algorithm ? So there will be one for RSA (already
   exists), one for ECDSA, as long as there is free value on the "IPv6
   Neighbor Discovery Option Formats" registry. Or do you think there is
   actually some value in our solution that defines an "Universal"
   Signature option that indicates the type of Digital Signature it
   carries.
   Since there is already a reserved field in the RSA Signature Option, I
   would not see why we could not use this field to do just that. Legacy
   nodes will try to process the option and fail when it is not RSA.
   Signature Agility enabled nodes will just do fine. What is you opinion
   on this ?

>
> - NewSignature and NewCGA options will be ignored by legacy nodes (i.e., conforming to RFC 3971) and thus

(Continue reading)

Laganier, Julien | 24 May 2010 19:22

Re: Review of draft-cheneau-csi-send-sig-agility-01

Tony Cheneau wrote:
> 
> Hello Julien,
> 
> 
> On Fri, 21 May 2010, Laganier, Julien wrote:
> 
> [...]
> > FWIW - a strawman that seems to fulfill simpler requirements would
> > be:
> >
> > - define NewSignature and NewCGA options that include the algorithm
> > in use and are used in place of CGA and RSA Signature options when the
> > algorithm in use is not RSA.
>
> I would need several clarifications on this sentence:
> - I do not see why we should define a NewCGA option. RFC 3971 defines a
>    CGA Option that carries a CGA PDS (defined in RFC 3972) that is
>    agnostic of the Public Key type. As long as the Public Key can be
>    formatted as a DER-encoded ASN.1 structure of type
>    SubjectPublicKeyInfo, this is not a problem. Did I miss something ?

If the public key algorithm in use is signaled elsewhere (e.g. via an algorithm field in the NewSignature
option) then it seems that current CGA option would be enough.

> - concerning the NewSignature, do you think we should define a new one
>    per Signature Algorithm ? 

No. We should define a NewSignature option with a field encoding the signature algorithm. (Seems that's
what you call "Universal" as below.)

(Continue reading)

Tony Cheneau | 24 May 2010 15:27

Picon

Re: Review of draft-cheneau-csi-send-sig-agility-01

Hello Julien,

Thank you for reviewing our document.

Comments below:

On Fri, 21 May 2010, Laganier, Julien wrote:

> I have reviewed "Signature Algorithm Agility in the Secure Neighbor Discovery Protocol" and have the
following comments. I am not going to comment on the specifics of the protocol extension because I
disagree with the overall approach.
OK.

> I do not think it's reasonable for an extension to a relatively simple security protocol (SEND) to
introduces 4 different types of hosts, 4 different type of routers, some of which are said to be "hard to
secure" and recommended to avoid, while another who rely on unspecified redirection mechanisms between
CGAs, and some combinations of these hosts and routers leading to undetectable failure modes (at least
from what I understood.)
It appears, from your comment and Jean-Michel's review that this part of
the document (section 2.1.1 and 2.1.2) is currently quite confusing.
Section 2.1.1 is about what we might expect the nodes to do. Not about
what we actually do here in this document. It is just a classification
work so we can state what can be done, with some drawbacks, and what we
actually propose here in this document (H1, H2, R1, R2 and R4 type nodes).
I am currently reworking these sections so, hopefully, the text will be
less confusing in the future.

> I think most of the complexity and drawbacks of the proposal stems from the requirement that signature
agile nodes be able to negotiate a common signature algorithm, which I think is unreasonable when the
protocol employs multicast/broadcast (thus reaches multiples nodes which might support different

(Continue reading)

Laganier, Julien | 24 May 2010 19:14

Re: Review of draft-cheneau-csi-send-sig-agility-01

Hello Tony,

[ cutting through ] 

Tony Cheneau wrote:
> 
> Hello Julien,
> 
> Thank you for reviewing our document.
> 
> Comments below:
> 
> On Fri, 21 May 2010, Laganier, Julien wrote:
> 
> > [...]
> 
> > - an ND message sent from a CGA based on a public key algorithm that
> > is not supported by the receiver, and signed using that same algorithm
> > shall be treated as insecure by the receiver as per RFC3971, i.e., it
> > shall not be discarded.
>
> I do not see why I should threat a message as insecure if I can verify
> the signature it is protected with. 

If you can verify the signature you support the algorithm. If you cannot verify the signature you do not
support the algorithm. This is orthogonal to your choice of algorithm to generate a CGA.

--julien

Return

Return to gmane.ietf.csi.

Project Web Page

IETF CSI - CGA and SEND Mantenance WG ()

Search Archive

Language

Change language

Options

Current view: Threads only / Showing only 20 lines / Not hiding cited text.
Change to All messages, whole messages, or hide cited text.

Post a message
NNTP Newsgroup
Classic Gmane web interface
XML

XML

RSS Feed
List Information

About Gmane