Hi Jim, It is quite clear for me now the discussion points.I think these go way beyond the actual shim6 work, since you seem to be challenging some fundamental assumptions that we use to start working on shim, namely: - the threat model of mip (in particular time shifted attacks that were the base threat for requiring mip RR and shim HBAs) - the difficulty in deploying a global PKI and issuing client certificates
I very much agree that if we change these assumptions the resulting shim6 design would be very different
OTOH, it was/is my feeling that at the time of the design and even now, there seem to be consensus that these points are valid (in other words, we had lots of discussions here and in multi6, but not many folks challenged these points, you are the first AFAICT)
So, i guess we can discuss these of course, and make a consensus call on these items in the wg
Regards, marcelo El 19/07/2006, a las 22:58, Bound, Jim escribió:
OK I have a lot of work to do for this now but that is cool as SHIM6 is important. day job is in the way at the moment.Here is a bottom line from Jim. I believe if we encrypt everything (not just shim6 and I did not agree with all the mipv6 threats either and let it go and emphatically disagree with RR strategy ) at the IP layer we are going to be 90% secure most of the time world wide. But I do believe after decrypt that multi-layered security is important but I think the threats after IPsec are so reduced that given deployment it is of less concern from Jim's view of the world. I also believe PKI will get figured out and scale if not this year three years from now that it is not right for me to limit protocol views in my head in the IETF because of deployment scenarios I cannot possible know the answer to with axiomatic certainty.Disclaimer: This view does not represent the view of my company, the IPv6 Forum, or any one I work with this solely a Jim view of the world, but I do have some in security world who are expert cryptographers and worry a lot about very important attacks I consult with who do agree with this view.OK back to work we need to hear from you folks in the WG now for sure? Good discussion for sure but probably driving the chairs nuts :--)/jim-----Original Message----- From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es] Sent: Wednesday, July 19, 2006 3:43 PM To: Bound, Jim Cc: Francis Dupont; shim6@psg.com; Pekka Savola; Iljitsch van Beijnum Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006 El 19/07/2006, a las 22:30, Bound, Jim escribió:I dont accept the threats in 4218 so that is a problem right therewe have identified the core issue i think, great!! we have based the design of the shim6 security on the threats identified on RFC4218, so if you don't agree with those, we need to discuss those first and then move on to the security solutions (since they are direct consequence of the threats described there) proabably we should even also consider the threats of MIP described in RFC4225 since RFC4218 is heavily based on this one... But good we are making progress (at least in identifying the disagreement points) regards, marcelobut I will do that but that is more than just a quick response on email and need to go do proper analysis. I will respond towhere wedisagree too later ok. As I said email is not good for menow I keepchanging my location :--). thx /jim-----Original Message----- From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es] Sent: Wednesday, July 19, 2006 3:27 PM To: Bound, Jim Cc: Francis Dupont; shim6@psg.com; Pekka Savola; Iljitschvan BeijnumSubject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006 El 19/07/2006, a las 20:10, Bound, Jim escribió:Global PKI is not required for certificates that can be done with pre-shared keys too or as we are doing with shim6 out-of-band signaling. If any here believe IPsec will not be used end-to-end think again please it will. Ipsec is totally possible andI will notrepeat my mail on enclaves for end-to-end PKI as that is adeploymentand systems integration implementation issue.ok at this point it seems to me that we may start to repeating ourselves, so at least let's try to identify where do we disagree... What i am saying is that: - In order to use IPSec to protect the shim6 protocol (in particular for providing a secure binding between identifier and locators), there are two options: a) we use certificates issued by a global PKI are needed in all shim6 peers or b) we have preshared keys in all shim6 nodes do you disagree with this statement? I assume you do if you disagree could you explain to me how would you protect the shim6 protocol from the threats described in RFC4218? in particular could you explain to me how would you protect from the following attack: Suppose that Alice and Bob work in the same office and that Alice reads the local newspaper web page every morning at www.localpress.com Now, suppose that tomorrow is Alice birthday and since Bob has a crush on Alice, Bob wants to make Alice believe that tomorrow local newspaper headline is "Happy Birthday Alice". In order to do that, Bob's plan is to hijack any future communication that Alice initiates from her machine to Bob's laptop, so Bob can substitute the local newspaper web page by his own fake happy birthday greetings home page. So, in the DNS www.localpress.com has a single IP address IPlp. To launch the attack, the night before, Bob creates a shim6 state in alice machine. In order to do that, Bob initiates the shim6 context establishment exchange. The created context, has IPlp as ULID and it has IPB (i.e. Bob's laptop IP) as preferred locator. In order to keep the context alive, Bob sends periodicpackets (e.g.ping or UDP) to Alice machine. Note that the goal of these packets is just to prevent the shim6 state at Alice machine to be garbage collected, so there is no need to have a actual application receiving those packets above the shim (i.e. these packets can be perfectly discarded once they passed above the shim, and they would still be fulfilling their goal from the attack p.o.v.) The next morning (Alice birthday!!!) Alice arrives to the office and she tries to connect to the local newspaper as everyday. The only difference is that today, there is a shim6 state in Alice machine for IPlp. Alice browser asks the resolver for www.localpress.com. the resolver returns IPlp. The browser initiates a TCP connection with IPlp, but the SYN packet is intercepted by the shim layer (at Alice's machine) and the address is translated to IPB. the result, the communication is redirected to Bob's machine and Alice will be accessing Bob's web server while she thinks that she is reaching the local newspaper web page Bob has managed to steal the local newspaper IP identity from Alice p.o.v. This type of attack cannot be prevented by simply using IPSec, because it is launched before the keys have been exchanged. In order to prevent these attacks, we need additional tools, like global certificates, pre shared keys or crypto identities. reagrds, marcelothanks /jim-----Original Message----- From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es] Sent: Wednesday, July 19, 2006 11:32 AM To: Bound, Jim Cc: Francis Dupont; shim6@psg.com; Pekka Savola; Iljitschvan BeijnumSubject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006 El 19/07/2006, a las 16:55, Bound, Jim escribió:I was assuming the node regardless will use IPsec asrequired. Thusit really is not shime6 concern. But I do not believe noone will notdeploy IPsec because of PKI that is simply not true.i agree with this but the problem is that if you want to use IPSEc to securethe shim,you need to use certificates, if not the security is notacceptable.You need to provide a secure binding between theidentifer and thelocators. IPSec wihtout certificates does not providesthis feature.If you want to use IPSec to secure the shim6 protocol, you need the certificates hence you needthe globalPKI. So in order to evaluate a solution based on IPSec forsecuring theshim6, you need to consider the fact that a global PKIis requiredfor this. Hence, the alternative solution for securing the shim atthis pointwould be IPSec+PKI, agree? regards, marceloIPsec is deployed today with PKI./jim-----Original Message----- From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es] Sent: Wednesday, July 19, 2006 8:04 AM To: Francis Dupont Cc: shim6@psg.com; Bound, Jim; Pekka Savola; Iljitschvan BeijnumSubject: Re: CGA Use with HBA in Shim6 IETF MeetingJuly 10, 2006El 19/07/2006, a las 14:38, Francis Dupont escribió:I can't see where Jim proposed to base the Shim6 securityon IPsec... in message http://ops.ietf.org/lists/shim6/msg01511.html it is stated that: Suggestion is to simply embed ULIDs within the datapayload with newoption and secure all communications at least for nowfor IP layercommuncatiions with IPsec encryption based on locator pair. meaning to use IPSec as an alternative to HBA security(something which is known to require the impossible andeven notdesirable global PKI :-)exactly Regards, marceloRegards Francis.Dupont@point6.net