Re: [homenet] Please review security considerations of draft-homenet-babel-profile
Hi,

On Thu, Jul 27, 2017 at 03:38:15PM +0200, Philip Homburg wrote:
> The TTL hack is used in ND.

Because ND uses GUAs (which it should have never done in the first place).

> It strikes me as really bad for security to come
> up with a different mechanism to achieve the same result for no other reason
> than that you for some reason didn't like that trick.

Relying on "it must be a link local src and link local dst" sounds much more
sane than "we permit arbitrary packets to reach us from the outside and then
worry about criteria to ignore them afterwards".

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444           USt-IdNr.: DE813185279

___
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet
Re: [homenet] Please review security considerations of draft-homenet-babel-profile
>>> Yeah, the so-called "TTL hack".
>
>> Care to explain why it would not be useful?
>
> At the time I wrote down Babel, I decided that given that we have link-local
> addresses that are securely scoped to a single link, the TTL hack is not
> necessary.

The TTL hack is used in ND. It strikes me as really bad for security to come
up with a different mechanism to achieve the same result for no other reason
than that you for some reason didn't like that trick.
Re: [homenet] Please review security considerations of draft-homenet-babel-profile
> Yeah, the so-called "TTL hack".

Care to explain why it would not be useful?
Re: [homenet] Please review security considerations of draft-homenet-babel-profile
In your letter dated Wed, 26 Jul 2017 20:49:10 +0200 you wrote:
>> Historically, a popular brand of router would forward packets with LL source.
>
> "Historically"? Has this been fixed?

I wanted to give them the benefit of the doubt. Sometimes they do fix a bug
and I didn't want to spend any time figuring out if this one was fixed or not.
Re: [homenet] Please review security considerations of draft-homenet-babel-profile
> A trick used in some places, such as ND, is to require the receiver to check
> that the hop limit is equal to 255. This ensures that the packet has not
> been forwarded by any router (obviously the sender also has to send it with
> a hop limit of 255).

Yeah, the so-called "TTL hack". I considered that for Babel back when it was
being designed, then decided that it is useful in an IPv6 world. Perhaps I
was wrong, but at this stage it would break interoperability with all existing
Babel routers, which is not acceptable.

> Historically, a popular brand of router would forward packets with LL source.

Let's hope none of these historical routers will be used in a Homenet
environment.

-- Juliusz
Re: [homenet] Please review security considerations of draft-homenet-babel-profile
> Nasty comments on list, please, compliments by private mail ;-)

A trick used in some places, such as ND, is to require the receiver to check
that the hop limit is equal to 255. This ensures that the packet has not
been forwarded by any router (obviously the sender also has to send it with
a hop limit of 255).

Historically, a popular brand of router would forward packets with LL source.
So that cannot be considered safe in general.
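The two receive-side checks argued over in this thread, the ND-style "hop limit must still be 255" test described here and the "link-local source and link-local destination" rule Gert Doering prefers, written out as an added Python example (not code from the thread, the draft, or any Babel/HNCP implementation). It parses the fixed IPv6 header itself and runs both checks over constructed sample packets; the packet contents and the choice of Babel's ff02::1:6 group as destination are assumptions made for the example.

```python
"""Receive-side filter for IPv6 routing-control packets: the ND-style
hop-limit check and the link-local scope check. Added example only."""
import ipaddress
import struct

BABEL_GROUP = ipaddress.IPv6Address("ff02::1:6")  # Babel's link-scope multicast group
LINK_LOCAL_MCAST = ipaddress.IPv6Network("ff02::/16")  # link-local-scope multicast

def parse_ipv6_header(pkt: bytes) -> dict:
    """Parse the fixed 40-byte IPv6 header: version, hop limit, src, dst."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, _payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"hop_limit": hop_limit, "next_header": next_header,
            "src": ipaddress.IPv6Address(pkt[8:24]),
            "dst": ipaddress.IPv6Address(pkt[24:40])}

def hop_limit_ok(hdr: dict) -> bool:
    """The 'TTL hack': a hop limit still at 255 proves no router forwarded it."""
    return hdr["hop_limit"] == 255

def scope_ok(hdr: dict) -> bool:
    """Link-local rule: fe80::/10 source, and a link-local unicast or
    link-scope multicast destination. Anything involving a GUA is dropped."""
    dst = hdr["dst"]
    return hdr["src"].is_link_local and (dst.is_link_local or dst in LINK_LOCAL_MCAST)

def accept_control_packet(pkt: bytes, require_hop_limit: bool = True):
    """Return (accepted, reason). The scope check always applies; the hop-limit
    check is optional because, as the thread notes, deployed Babel senders
    do not promise a hop limit of 255."""
    hdr = parse_ipv6_header(pkt)
    if not scope_ok(hdr):
        return False, "src/dst not link-local: %s -> %s" % (hdr["src"], hdr["dst"])
    if require_hop_limit and not hop_limit_ok(hdr):
        return False, "hop limit %d != 255: packet was forwarded" % hdr["hop_limit"]
    return True, "ok"

def build_ipv6(src: str, dst: str, hop_limit: int, payload: bytes = b"") -> bytes:
    """Constructed test packet: IPv6 header (next header 17 = UDP) + payload."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), 17, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

# Constructed samples: an on-link packet, the same packet after one router
# forwarded it (hop limit decremented), and one sent from a global address.
SAMPLES = {
    "on_link": build_ipv6("fe80::1", str(BABEL_GROUP), 255),
    "forwarded": build_ipv6("fe80::1", str(BABEL_GROUP), 254),
    "gua_source": build_ipv6("2001:db8::1", str(BABEL_GROUP), 255),
}
```

Note that the scope check alone still passes the "forwarded" sample, which is exactly the case the thread's "popular brand of router" remark is about; only the hop-limit check catches it.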
Re: [homenet] Please review security considerations of draft-homenet-babel-profile
> ...one might recommend starting with "an upper-layer security protocol"
> such as CMS, COSE, JOSE or some other layer-3 encapsulation.

We're planning to use DTLS for both HNCP and Babel. But the authentication
mechanism is not our main concern. This being Homenet, we need to generate
keys automatically and distribute them securely with little or no user
intervention. This is not trivial to do right, and requires carefully
balancing the tradeoffs between security and usability.

-- Juliusz
Re: [homenet] Please review security considerations of draft-homenet-babel-profile
> On Jul 25, 2017, at 1:27 PM, Juliusz Chroboczek wrote:
>
> Dear all,
>
> All security wizards are kindly requested to carefully read and if
> necessary criticise the following section:
>
> https://tools.ietf.org/html/draft-ietf-homenet-babel-profile-02#section-4

Based on this paragraph...

"If untrusted links are used for transit, which is NOT RECOMMENDED, and
therefore need to carry HNCP and Babel traffic, then HNCP and Babel MUST be
secured using an upper-layer security protocol. While both HNCP and Babel
support cryptographic authentication, at the time of writing no protocol for
autonomous configuration of HNCP and Babel security has been defined."

...one might recommend starting with "an upper-layer security protocol" such
as CMS, COSE, JOSE or some other layer-3 encapsulation.

Mark

> Nasty comments on list, please, compliments by private mail ;-)
>
> Thanks,
>
> -- Juliusz
Re: [homenet] Please review security considerations of draft-homenet-babel-profile
On 25/07/2017 22:58, Stephen Farrell wrote:
> I suggest asking the chairs to hit the "request directorate" review
> (iirc only they can see that button?) for an early secdir review.

Good idea - I've just done this.

Ray
Re: [homenet] Please review security considerations of draft-homenet-babel-profile
> 1) The first sentence seems to not say what to do if a packet comes
> from a 1918 IPv4 address. Even if that's not supposed to happen, it
> could be attempted. What's an implementation supposed to do then?

Both HNCP and Babel use IPv6 for carrying control data. There's no way an
IPv4 packet can be received by them (barring bugs, of course). See also REQ1
in this draft.

> 2) Again I need to read the rest of the draft, but does this mean
> that anyone on that link of the homenet can inject these messages
> without any authentication,

On the trusted link, yes.

> and if so why is that ok?

This draft takes no stand on whether it is okay or not, it merely states the
current security situation. Defining cryptographic authentication mechanisms
for the Homenet stack is out of scope for this draft.

-- Juliusz
Re: [homenet] Please review security considerations of draft-homenet-babel-profile
Hiya,

I suggest asking the chairs to hit the "request directorate" review
(iirc only they can see that button?) for an early secdir review.

For myself, I've not read the draft yet (I will over the next few weeks)
but have two questions while I'm here:

1) The first sentence seems to not say what to do if a packet comes
from a 1918 IPv4 address. Even if that's not supposed to happen, it
could be attempted. What's an implementation supposed to do then?

2) Again I need to read the rest of the draft, but does this mean
that anyone on that link of the homenet can inject these messages
without any authentication, and if so why is that ok? (I'm not asking
for now why doing better is too hard, just why it's ok for any node on
link to be able to play here.)

Cheers,
S.

On 25/07/17 21:27, Juliusz Chroboczek wrote:
> Dear all,
>
> All security wizards are kindly requested to carefully read and if
> necessary criticise the following section:
>
> https://tools.ietf.org/html/draft-ietf-homenet-babel-profile-02#section-4
>
> Nasty comments on list, please, compliments by private mail ;-)
>
> Thanks,
>
> -- Juliusz