[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Shim6 proxies

To: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: Re: Shim6 proxies
From: Erik Nordmark <erik.nordmark@sun.com>
Date: Wed, 14 Jun 2006 07:24:53 -0700
Cc: marcelo bagnulo braun <marcelo@it.uc3m.es>, shim6-wg <shim6@psg.com>
In-reply-to: <36E51BBA-18F9-4823-8EEF-FE75112F5BC4@muada.com>
References: <Pine.LNX.4.58.0603271434050.29315@sleibrand-ibm.acs.internap.com> <be3431f1f15b52f98dc22e4edeba3aa2@it.uc3m.es> <Pine.LNX.4.58.0603301131490.15884@sleibrand-ibm.acs.internap.com> <4444313C.7010204@sun.com> <BC7898C5-DAE1-47B0-B125-C811E8F39F23@muada.com> <06b0b71eb68c13e16a6e71e587ce0c32@it.uc3m.es> <36E51BBA-18F9-4823-8EEF-FE75112F5BC4@muada.com>
User-agent: Thunderbird 1.5 (X11/20060113)

Iljitsch van Beijnum wrote:

Unless I'm mistaken, if you go to an HTTPS website, what happens is thatyour browser gets a certificate from the server that proves that theholder of the certificate has a certain identity, such aswww.example.com. The browser checks whether the server has the privatekey for the certificate by sending it a challenge and checks if theidentity in question matches the URL, which, I imagine, requires someDNS lookups.
shim6 security could work much the same way by tying a certificate to aULID, either with or without the intermediate step of an FQDN. Such acertificate allows a host to prove that it holds a certain identity,irrespective of the address it's actually using. Once you know whoyou're talking with you can mostly believe them when they say what theirlocators are, you just need to send a packet to those locators to makesure the same host is present there to avoid the possibility of someonedumping shim6 traffic on an unrelated third party.
As for the PKI, yes, you need some kind of infrastructure, but it'salready there so I don't see the problem, especially for enterprises andcontent hosters. Most home users don't have a certificate, but they canstill use HBA. (Note that in the above scenario only one side (usuallythe server) needs a certificate.)

I can see this working, but it can't securely recover a context after afailure failure! This is because there is no trusted relationshipbetween the certificate for the server and the alternate locators of theserver. (And I have only thought about end-to-end use of this - notproxy use - so I don't know if that would add some further complications.)

The host (which doesn't have a cert) uses HBA. Looks up www.example.comand gets some IP addresses. The shim6 layer on the host is told the FQDNfor the peer.

During the shim6 context establishment TLS is used, which verifies theserver's cert. If the server needs to use a different locator it can useTLS to tell the client the new locator; the shim6 layer needs to verifythat the same cert is used for the locator update as was used for thecontext establishment.

But that happens if the client looses the context and the server needsto send it some data? One would have to fall back on essentially returnroutability, since the client's shim doesn't remember the FQDN of theserver any more (perhaps the application remembers the FQDN but thatdoesn't help unless we redo all the socket APIs from scratch).

The worst case is when the client has lost the context and the serverneeds to contact the client but using a locator that is different thanits ULID; in this case even return routability can't be used.Thus it would allow the server to say "my FQDN is www.foo.com and thisis my cert, and even though I'm using locator X, I also have ULID=Y -trust me".

You could argue that the bulk of these problems occur when the "server"needs to contact the "client" and that this case isn't important. But ifwe'd want to add this, I think "server" is really "host that has a cert"thus we'd want this security scheme to work independently of theapplication layer roles (server vs. client) of the host that has thecertificate.

So I don't see how the certificate helps, unless there is a global PKIwhich can assertively state the IP addresses of the holder of thecertificate (and have this somehow be updated when the site/hostrenumbers). Without this, all we seem to get is something analogous toanonymous diffie-hellman, and that doesn't help prevent time-shiftedredirection attacks.

I think one can try to do things using DNS forward+reverse lookups forverification of relationships between ULIDs and locators. The old NOIDdraft explored this space. But my personal conclusion was that such anapproach would be expensive, since to be reasonably secure, the hostswould have to do forward+reverse lookup (or reverse+forward) even beforeestablishing the shim context. There was also the issue that NOIDassumed that all communicating parties had correct forward+reverse DNSentries.

But it might make sense to look at the possibility of using DNSverification for one end and HBA for the other.

   Erik

Follow-Ups:
- Re: Shim6 proxies
  - From: Paul Jakma <paul@clubi.ie>
- Re: Shim6 proxies
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

References:
- Shim6 proxies
  - From: Scott Leibrand <sleibrand@internap.com>
- Re: Shim6 proxies
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: Shim6 proxies
  - From: Scott Leibrand <sleibrand@internap.com>
- Re: Shim6 proxies
  - From: Erik Nordmark <erik.nordmark@sun.com>
- Re: Shim6 proxies
  - From: Iljitsch van Beijnum <iljitsch@muada.com>
- Re: Shim6 proxies
  - From: marcelo bagnulo braun <marcelo@it.uc3m.es>
- Re: Shim6 proxies
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: Re: I-D ACTION:draft-ietf-shim6-applicability-01.txt
Next by Date: Re: Shim6 proxies
Previous by thread: Re: Shim6 proxies
Next by thread: Re: Shim6 proxies
Index(es):
- Date
- Thread