
Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006



Hi Jim,

The discussion points are quite clear to me now.

I think these go way beyond the actual shim6 work, since you seem to be challenging some fundamental assumptions that we use to start working on shim, namely:
- the threat model of MIP (in particular time-shifted attacks that were the base threat for requiring MIP RR and shim HBAs)
- the difficulty in deploying a global PKI and issuing client certificates

I very much agree that if we change these assumptions the resulting shim6 design would be very different.

OTOH, it was/is my feeling that at the time of the design and even now, there seems to be consensus that these points are valid (in other words, we had lots of discussions here and in multi6, but not many folks challenged these points; you are the first AFAICT).

So, I guess we can discuss these of course, and make a consensus call on these items in the wg.

Regards, marcelo

On 19/07/2006, at 22:58, Bound, Jim wrote:

OK I have a lot of work to do for this now but that is cool as SHIM6 is important. Day job is in the way at the moment.

Here is a bottom line from Jim. I believe if we encrypt everything (not just shim6 and I did not agree with all the mipv6 threats either and let it go and emphatically disagree with RR strategy) at the IP layer we are going to be 90% secure most of the time worldwide. But I do believe after decrypt that multi-layered security is important but I think the threats after IPsec are so reduced that given deployment it is of less concern from Jim's view of the world. I also believe PKI will get figured out and scale if not this year three years from now that it is not right for me to limit protocol views in my head in the IETF because of deployment scenarios I cannot possibly know the answer to with axiomatic certainty.

Disclaimer: This view does not represent the view of my company, the IPv6 Forum, or anyone I work with; this is solely a Jim view of the world, but I do have some in security world who are expert cryptographers and worry a lot about very important attacks I consult with who do agree with this view.

OK back to work we need to hear from you folks in the WG now for sure? Good discussion for sure but probably driving the chairs nuts :--)

/jim

-----Original Message-----
From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
Sent: Wednesday, July 19, 2006 3:43 PM
To: Bound, Jim
Cc: Francis Dupont; shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006


On 19/07/2006, at 22:30, Bound, Jim wrote:

I don't accept the threats in 4218 so that is a problem right there

we have identified the core issue I think, great!!

we have based the design of the shim6 security on the threats identified on RFC4218, so if you don't agree with those, we need to discuss those first and then move on to the security solutions (since they are direct consequence of the threats described there)

probably we should even also consider the threats of MIP described in RFC4225 since RFC4218 is heavily based on this one...

But good we are making progress (at least in identifying the disagreement points)

regards, marcelo


but I will do that but that is more than just a quick response on email and need to go do proper analysis.  I will respond to where we disagree too later ok.  As I said email is not good for me now I keep changing my location :--).

thx
/jim

-----Original Message-----
From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
Sent: Wednesday, July 19, 2006 3:27 PM
To: Bound, Jim
Cc: Francis Dupont; shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006


On 19/07/2006, at 20:10, Bound, Jim wrote:

Global PKI is not required for certificates that can be done with pre-shared keys too or as we are doing with shim6 out-of-band signaling.  If any here believe IPsec will not be used end-to-end think again please it will.  IPsec is totally possible and I will not repeat my mail on enclaves for end-to-end PKI as that is a deployment and systems integration implementation issue.


ok at this point it seems to me that we may start repeating ourselves, so at least let's try to identify where we disagree...

What I am saying is that:

- In order to use IPSec to protect the shim6 protocol (in particular for providing a secure binding between identifier and locators), there are two options: a) certificates issued by a global PKI are needed in all shim6 peers or b) we have preshared keys in all shim6 nodes

do you disagree with this statement?

I assume you do

if you disagree could you explain to me how would you protect
the shim6 protocol from the threats described in RFC4218?

in particular could you explain to me how would you protect
from the following attack:

Suppose that Alice and Bob work in the same office and that
Alice reads the local newspaper web page every morning at
www.localpress.com. Now, suppose that tomorrow is Alice's
birthday and since Bob has a crush on Alice, Bob wants to
make Alice believe that tomorrow's local newspaper headline is
"Happy Birthday Alice".

In order to do that, Bob's plan is to hijack any future
communication that Alice initiates from her machine to Bob's
laptop, so Bob can substitute the local newspaper web page by
his own fake happy birthday greetings home page.

So, in the DNS www.localpress.com has a single IP address IPlp.

To launch the attack, the night before, Bob creates a shim6 state in Alice's machine. In order to do that, Bob initiates the shim6 context establishment exchange.

The created context has IPlp as ULID and it has IPB (i.e. Bob's laptop IP) as preferred locator.

In order to keep the context alive, Bob sends periodic packets (e.g. ping or UDP) to Alice's machine. Note that the goal of these packets is just to prevent the shim6 state at Alice's machine from being garbage collected, so there is no need to have an actual application receiving those packets above the shim (i.e. these packets can be perfectly discarded once they passed above the shim, and they would still be fulfilling their goal from the attack p.o.v.)

The next morning (Alice's birthday!!!) Alice arrives at the office and she tries to connect to the local newspaper as every day. The only difference is that today, there is a shim6 state in Alice's machine for IPlp.
Alice's browser asks the resolver for www.localpress.com. The resolver returns IPlp. The browser initiates a TCP connection with IPlp, but the SYN packet is intercepted by the shim layer (at Alice's machine) and the address is translated to IPB. As a result, the communication is redirected to Bob's machine and Alice will be accessing Bob's web server while she thinks that she is reaching the local newspaper web page.

Bob has managed to steal the local newspaper IP identity from Alice's p.o.v.

This type of attack cannot be prevented by simply using
IPSec, because it is launched before the keys have been exchanged.

In order to prevent these attacks, we need additional tools,
like global certificates, pre shared keys or crypto identities.

regards, marcelo





thanks
/jim

-----Original Message-----
From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
Sent: Wednesday, July 19, 2006 11:32 AM
To: Bound, Jim
Cc: Francis Dupont; shim6@psg.com; Pekka Savola; Iljitsch van Beijnum
Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006


On 19/07/2006, at 16:55, Bound, Jim wrote:

I was assuming the node regardless will use IPsec as required.  Thus it really is not shim6 concern.  But I do not believe no one will not deploy IPsec because of PKI that is simply not true.

i agree with this


but the problem is that if you want to use IPSec to secure the shim, you need to use certificates, if not the security is not acceptable.

You need to provide a secure binding between the identifier and the locators. IPSec without certificates does not provide this feature. If you want to use IPSec to secure the shim6 protocol, you need the certificates hence you need the global PKI.

So in order to evaluate a solution based on IPSec for securing the shim6, you need to consider the fact that a global PKI is required for this.

Hence, the alternative solution for securing the shim at this point would be IPSec+PKI, agree?

regards, marcelo



  IPsec is deployed today with PKI.



/jim

-----Original Message-----
From: marcelo bagnulo braun [mailto:marcelo@it.uc3m.es]
Sent: Wednesday, July 19, 2006 8:04 AM
To: Francis Dupont
Cc: shim6@psg.com; Bound, Jim; Pekka Savola; Iljitsch van Beijnum
Subject: Re: CGA Use with HBA in Shim6 IETF Meeting July 10, 2006


On 19/07/2006, at 14:38, Francis Dupont wrote:

I can't see where Jim proposed to base the Shim6 security on IPsec...

in message http://ops.ietf.org/lists/shim6/msg01511.html

it is stated that:

Suggestion is to simply embed ULIDs within the data payload with new option and secure all communications at least for now for IP layer communications with IPsec encryption based on locator pair.

meaning to use IPSec as an alternative to HBA security

(something which is known to require the impossible and even not desirable global PKI :-)


exactly

Regards, marcelo


Regards

Francis.Dupont@point6.net
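
The redirection scenario quoted in this thread succeeds because nothing ties the ULID IPlp to the locator IPB when the context is created. The following is an added example, not part of any message in the thread and not the shim6 specification's algorithm: a simplified model of the hash-based-address check a receiver could run before installing context state. The hash layout, the function names, the context table and all addresses are assumptions made for illustration (real HBAs hash a CGA parameter data structure and reserve some bits).

```python
import hashlib
import ipaddress

def _prefix64(prefix):
    """Return the 8-byte /64 prefix of an IPv6 network string."""
    return ipaddress.IPv6Network(prefix).network_address.packed[:8]

def hba_address(prefix, modifier, prefix_set):
    """Simplified HBA (assumed layout): interface ID = first 64 bits of
    SHA-1(modifier | this prefix | every prefix in the set)."""
    data = modifier + _prefix64(prefix) + b"".join(_prefix64(p) for p in prefix_set)
    return ipaddress.IPv6Address(_prefix64(prefix) + hashlib.sha1(data).digest()[:8])

def locator_bound_to_ulid(ulid, locator, modifier, prefix_set):
    """Receiver check: ULID and locator must both regenerate from the
    parameters the peer presented."""
    generated = {hba_address(p, modifier, prefix_set) for p in prefix_set}
    return (ipaddress.IPv6Address(ulid) in generated
            and ipaddress.IPv6Address(locator) in generated)

def install_context(table, ulid, locator, modifier, prefix_set):
    """Hypothetical context table: refuse state whose binding does not verify."""
    if not locator_bound_to_ulid(ulid, locator, modifier, prefix_set):
        return False
    table[ipaddress.IPv6Address(ulid)] = ipaddress.IPv6Address(locator)
    return True

# Constructed sample data: documentation prefixes and fixed modifiers.
LP_PREFIXES = ["2001:db8:a::/64", "2001:db8:b::/64"]   # multihomed newspaper site
LP_MODIFIER = bytes.fromhex("00112233445566778899aabbccddeeff")
IPLP = hba_address(LP_PREFIXES[0], LP_MODIFIER, LP_PREFIXES)      # ULID found in DNS
IPLP_ALT = hba_address(LP_PREFIXES[1], LP_MODIFIER, LP_PREFIXES)  # its second locator

BOB_PREFIXES = ["2001:db8:a::/64", "2001:db8:ffff::/64"]
BOB_MODIFIER = bytes(16)
IPB = hba_address(BOB_PREFIXES[1], BOB_MODIFIER, BOB_PREFIXES)    # Bob's own address

def run_scenarios():
    """Return (legit, replayed_params, bobs_params, final_table)."""
    table = {}
    legit = install_context(table, IPLP, IPLP_ALT, LP_MODIFIER, LP_PREFIXES)
    replay = install_context(table, IPLP, IPB, LP_MODIFIER, LP_PREFIXES)
    forged = install_context(table, IPLP, IPB, BOB_MODIFIER, BOB_PREFIXES)
    return legit, replay, forged, table

if __name__ == "__main__":
    print(run_scenarios())
```

Replaying the newspaper's public parameters fails because IPB is not in the generated set, and presenting Bob's own parameters fails because they do not regenerate IPlp.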