Hello,

I've gone through draft-ietf-csi-proxy-send-00 and I have some comments.

You state in section 5:
   The Secure Proxy ND becomes part of the trusted infrastructure just
   like a SEND router.  The Secure Proxy ND is granted a certificate
   that specifies the range of addresses for which it is allowed to
   perform proxying of SEND messages.  Hosts can use the same process to
   discover the certification path between a proxy and one of the host's
   trust anchors as the one defined for routers in Section 6 of SEND
   specification [RFC3971].

As far as I understand, once you authorize a node to act as a Proxy with
a certificate, if the proxy gets corrupted, it can update the Neighbor
Cache values of all the nodes on the link. Am I right?

If so, maybe you should add a statement in the Security Considerations
indicating that, as specified, the protocol is prone to Good Router Gone
Bad attacks.

I think these attacks should be mitigated by using a Token generated by
the proxied node and sent to a proxy to authorize it to actually "proxy"
the address. This token will be carried in every proxied message
(modified by the proxy). It will prove to the receiver that the proxied
node authorized the proxy to act as such.

The Token itself looks like this:
- CGA parameter structure of the proxied node
- a timestamp that authorizes the proxy to act as such for a
  predetermined duration
- a signature over the proxied node's CGA address, the proxy address
  (which must also be a CGA) and the timestamp. This signature is
  performed using the proxied node's private key (known only to the
  proxied node).

The token, verifiable by the receiver, will prove that the proxy is
still authorized to do the proxying job for the node.

What do you think of this? Does that sound feasible?

Regards,
        Tony Cheneau
_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext
