[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
OK I have a lot of work to do for this now but that is cool as SHIM6 is important. day job is in the way at the moment.
Here is a bottom line from Jim. I believe if we encrypt everything (not just shim6 and I did not agree with all the mipv6 threats either and let it go and emphatically disagree with RR strategy ) at the IP layer we are going to be 90% secure most of the time world wide. But I do believe after decrypt that multi-layered security is important but I think the threats after IPsec are so reduced that given deployment it is of less concern from Jim's view of the world. I also believe PKI will get figured out and scale if not this year three years from now that it is not right for me to limit protocol views in my head in the IETF because of deployment scenarios I cannot possible know the answer to with axiomatic certainty.
Disclaimer: This view does not represent the view of my company, the IPv6 Forum, or any one I work with this solely a Jim view of the world, but I do have some in security world who are expert cryptographers and worry a lot about very important attacks I consult with who do agree with this view.
OK back to work we need to hear from you folks in the WG now for sure? Good discussion for sure but probably driving the chairs nuts :--)
/jim
> -----Original Message-----
> From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
> Sent: Wednesday, July 19, 2006 3:43 PM
> To: Bound, Jim
> Cc: Francis Dupont; shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
> Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
>
>
> El 19/07/2006, a las 22:30, Bound, Jim escribió:
>
> > I dont accept the threats in 4218 so that is a problem right there
>
> we have identified the core issue i think, great!!
>
> we have based the design of the shim6 security on the threats
> identified on RFC4218, so if you don't agree with those, we
> need to discuss those first and then move on to the security
> solutions (since they are direct consequence of the threats
> described there)
>
> proabably we should even also consider the threats of MIP described in
> RFC4225 since RFC4218 is heavily based on this one...
>
>
> But good we are making progress (at least in identifying the
> disagreement points)
>
> regards, marcelo
>
>
> > but I will do that but that is more than just a quick response on
> > email and need to go do proper analysis. I will respond to
> where we
> > disagree too later ok. As I said email is not good for me
> now I keep
> > changing my location :--).
> >
> > thx
> > /jim
> >
> >> -----Original Message-----
> >> From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
> >> Sent: Wednesday, July 19, 2006 3:27 PM
> >> To: Bound, Jim
> >> Cc: Francis Dupont; shim6@psg.com; Pekka Savola; Iljitsch
> van Beijnum
> >> Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
> >>
> >>
> >> El 19/07/2006, a las 20:10, Bound, Jim escribió:
> >>
> >>> Global PKI is not required for certificates that can be done with
> >>> pre-shared keys too or as we are doing with shim6 out-of-band
> >>> signaling. If any here believe IPsec will not be used end-to-end
> >>> think again please it will. Ipsec is totally possible and
> >> I will not
> >>> repeat my mail on enclaves for end-to-end PKI as that is a
> >> deployment
> >>> and systems integration implementation issue.
> >>>
> >>
> >> ok at this point it seems to me that we may start to
> >> repeating ourselves, so at least let's try to identify where
> >> do we disagree...
> >>
> >> What i am saying is that:
> >>
> >> - In order to use IPSec to protect the shim6 protocol (in
> >> particular for providing a secure binding between identifier
> >> and locators), there are two options: a) we use certificates
> >> issued by a global PKI are needed in all shim6 peers or b) we
> >> have preshared keys in all shim6 nodes
> >>
> >> do you disagree with this statement?
> >>
> >> I assume you do
> >>
> >> if you disagree could you explain to me how would you protect
> >> the shim6 protocol from the threats described in RFC4218?
> >>
> >> in particular could you explain to me how would you protect
> >> from the following attack:
> >>
> >> Suppose that Alice and Bob work in the same office and that
> >> Alice reads the local newspaper web page every morning at
> >> www.localpress.com Now, suppose that tomorrow is Alice
> >> birthday and since Bob has a crush on Alice, Bob wants to
> >> make Alice believe that tomorrow local newspaper headline is
> >> "Happy Birthday Alice".
> >>
> >> In order to do that, Bob's plan is to hijack any future
> >> communication that Alice initiates from her machine to Bob's
> >> laptop, so Bob can substitute the local newspaper web page by
> >> his own fake happy birthday greetings home page.
> >>
> >> So, in the DNS www.localpress.com has a single IP address IPlp.
> >>
> >> To launch the attack, the night before, Bob creates a shim6
> >> state in alice machine. In order to do that, Bob initiates
> >> the shim6 context establishment exchange.
> >>
> >> The created context, has IPlp as ULID and it has IPB (i.e.
> >> Bob's laptop
> >> IP) as preferred locator.
> >>
> >> In order to keep the context alive, Bob sends periodic
> packets (e.g.
> >> ping or UDP) to Alice machine. Note that the goal of these
> >> packets is just to prevent the shim6 state at Alice machine
> >> to be garbage collected, so there is no need to have a actual
> >> application receiving those packets above the shim (i.e.
> >> these packets can be perfectly discarded once they passed
> >> above the shim, and they would still be fulfilling their goal
> >> from the attack p.o.v.)
> >>
> >> The next morning (Alice birthday!!!) Alice arrives to the
> >> office and she tries to connect to the local newspaper as
> >> everyday. The only difference is that today, there is a shim6
> >> state in Alice machine for IPlp.
> >> Alice browser asks the resolver for www.localpress.com. the
> >> resolver returns IPlp. The browser initiates a TCP connection
> >> with IPlp, but the SYN packet is intercepted by the shim
> >> layer (at Alice's machine) and the address is translated to
> >> IPB. the result, the communication is redirected to Bob's
> >> machine and Alice will be accessing Bob's web server while
> >> she thinks that she is reaching the local newspaper web page
> >>
> >> Bob has managed to steal the local newspaper IP identity from
> >> Alice p.o.v.
> >>
> >> This type of attack cannot be prevented by simply using
> >> IPSec, because it is launched before the keys have been exchanged.
> >>
> >> In order to prevent these attacks, we need additional tools,
> >> like global certificates, pre shared keys or crypto identities.
> >>
> >> reagrds, marcelo
> >>
> >>
> >>
> >>
> >>
> >>> thanks
> >>> /jim
> >>>
> >>>> -----Original Message-----
> >>>> From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
> >>>> Sent: Wednesday, July 19, 2006 11:32 AM
> >>>> To: Bound, Jim
> >>>> Cc: Francis Dupont; shim6@psg.com; Pekka Savola; Iljitsch
> >> van Beijnum
> >>>> Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006
> >>>>
> >>>>
> >>>> El 19/07/2006, a las 16:55, Bound, Jim escribió:
> >>>>
> >>>>> I was assuming the node regardless will use IPsec as
> >>>> required. Thus
> >>>>> it really is not shime6 concern. But I do not believe no
> >>>> one will not
> >>>>> deploy IPsec because of PKI that is simply not true.
> >>>>
> >>>> i agree with this
> >>>>
> >>>>
> >>>> but the problem is that if you want to use IPSEc to secure
> >> the shim,
> >>>> you need to use certificates, if not the security is not
> >> acceptable.
> >>>>
> >>>> You need to provide a secure binding between the
> identifer and the
> >>>> locators. IPSec wihtout certificates does not provides
> >> this feature.
> >>>> If you want to use IPSec to secure the
> >>>> shim6 protocol, you need the certificates hence you need
> >> the global
> >>>> PKI.
> >>>>
> >>>> So in order to evaluate a solution based on IPSec for
> securing the
> >>>> shim6, you need to consider the fact that a global PKI
> is required
> >>>> for this.
> >>>>
> >>>> Hence, the alternative solution for securing the shim at
> >> this point
> >>>> would be IPSec+PKI, agree?
> >>>>
> >>>> regards, marcelo
> >>>>
> >>>>
> >>>>
> >>>>> IPsec is deployed today with PKI.
> >>>>>
> >>>>
> >>>>
> >>>>> /jim
> >>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
> >>>>>> Sent: Wednesday, July 19, 2006 8:04 AM
> >>>>>> To: Francis Dupont
> >>>>>> Cc: shim6@psg.com; Bound, Jim; Pekka Savola; Iljitsch
> van Beijnum
> >>>>>> Subject: Re: CGA Use with HBA in Shim6 IETF Meeting
> July 10, 2006
> >>>>>>
> >>>>>>
> >>>>>> El 19/07/2006, a las 14:38, Francis Dupont escribió:
> >>>>>>
> >>>>>>> I can't see where Jim proposed to base the Shim6 security
> >>>>>> on IPsec...
> >>>>>>
> >>>>>> in message http://ops.ietf.org/lists/shim6/msg01511.html
> >>>>>>
> >>>>>> it is stated that:
> >>>>>>
> >>>>>> Suggestion is to simply embed ULIDs within the data
> >>>> payload with new
> >>>>>> option and secure all communications at least for now
> >> for IP layer
> >>>>>> communcatiions with IPsec encryption based on locator pair.
> >>>>>>
> >>>>>> meaning to use IPSec as an alternative to HBA security
> >>>>>>
> >>>>>>> (something which is known to require the impossible and
> >> even not
> >>>>>>> desirable global PKI :-)
> >>>>>>>
> >>>>>>
> >>>>>> exactly
> >>>>>>
> >>>>>> Regards, marcelo
> >>>>>>
> >>>>>>
> >>>>>>> Regards
> >>>>>>>
> >>>>>>> Francis.Dupont@point6.net
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>
> >>
> >
>
>