Hi,
I think this is doing very good progress. Still i am not sure i fully
undersntad how this approach would work in the different cases.
Some comments below...
1. Introduction
Cryptographically Generated Addresses (CGA) [RFC3972] have been
designed primarily for securing Neighbor Discovery [RFC3971].
I wouldn't state it this way. they were designed by the send wg, but
their use for mobility was proposed in the same timeframe and they are
also used for multihoming... so i would suggest to rephrase this.
At the
time when they were specified, CGAs allowed only one signing
algorithm, namely RSA.
They still only allow a single PK algorithm
I am not sure i like the signing algorithm phrasing... i mean you need
botht he PK algorithm and the hash algorithm to produce a signature,
right? so it is not clear which one you are referring to
I would suggest dropping both these initial sentences...
It is well known that the RSA
signature generation and verification is computationally expensive.
I guess this sentence in the abstract doesn't make much sense.... i mean
compared to what? for what type of devices?
The usage scenarios associated with neighbor discovery have recently
been extended to include environments with mobile or nomadic nodes.
Many of these nodes have limited battery power and computing
resources. Therefore, heavy public key signing algorithms like RSA
are not feasible to support on such constrained nodes. Fortunately,
more lightweight yet secure signing algorithms do exist and have been
standardized, e.g. Elliptic Curve based algorithms.
this paragraph makes more sense to me (i would still change the signing
algorithm for pk algorithm though, in all the document i mean)
I would suggest dropping all the first paragraph and start directly with
this one
The aim of this memo is to outline options for allowing public key
signing algorithm agility for nodes configured to perform secure
neighbor discovery operations when attaching to a new link.
why is this restricted to the operation on a new link? i mean, i guess
this also applies to the operations that a node performs after it has
been attached to the link for a long time...
2.1.1. Classification of SEND nodes
At the time of this writing, there are no known large-scale or even
small-scale deployments of [RFC3971]-compatible devices. However, in
the interest of caution, we assume that there exist nodes that
support only the RSA algorithm and that are configured to perform
secure neighbor discovery when attaching to a new link.
same comment here.... they also do send operations when they have been
long time attached to the link, rephrase
Type H4 host:
A host that supports multiple signature algorithms and has
multiple CGAs, each of which is associated with a single key of
one supported algorithm. For simplicity, we do not consider hosts
that have multiple CGAs, one or more of which are generated from
multiple public keys.
A node MUST select and settle on one CGA when building a trust
relationship with another device via SeND (more below).
It is not obvious to me what this last sentence means...
Type R1 router:
A router that only supports one type of signature algorithm and
has a CGA and Certificate with a public key of this algorithm.
Such routers are expected to be commonplace, as compliance with
[RFC3971] suffices for them.
Not sure what you mean by this last sentence
I mean, current routers will be more restrcited than this, since they
will use only RSA, right?
Type R3 router:
A router that supports multiple types of signature algorithms and
has multiple CGAs and Certificates with public key of several
different algorithm types.
This type of router can sign and verify signatures of multiple
types. Such routers may not be attractive to build and deploy due
to increased requirements on its resources. Moreover using
multiple CGAs (with no bindings) may make that router appear as
having multiple identities.
Type R4 router:
A router that supports multiple types of signature algorithms and
has one CGA composed of multiple Publics Keys and multiple
certificates containing each a Public Key.
why did you switched router 3 and router 4 with respect to host3 and
host 4? this is confusing. I think you should switch them so router 4 is
the one with multiple CGAs
moreover, it is weird that you leave the host with multiple CGAs out of
the analysis but you keep a router with multiple CGAs as part of the
analysis... or you don't? If you don't consider routers with multiple
CGAs with
an additional comment on router r3
It may make sense to have one of such routers, i guess, if a given
interface is expected to handle one type of devices and a different
interface a different type of devices. For instnace a wireless interface
may want to use ECC while a wired interface may want to use RSA for
backward compatibility. Even can be the case for the same interface. So
while i may agree that for a host this configuration doesn't seem
attractive, maybe for a router it is...
2.1.2. Principal Scenarios
Based on the discussion above, a SEND agility solution should at
least properly deal with the communication between devices of type
H1, H2, H3, R1 and R2.
I am not sure why do you think R4 is not relevant...I mean, having a
router with multiple PK seems a good transition approach to me...
An H1 or R1 node interacting with an H2 or R2 node: i.e., a node
supporting only RSA (for example, an old non-agility node which
only supports RFC3971) and a node supporting both RSA and ECDSA
(or other new algorithms). These two nodes must be able to
perform secure neighbor discovery.
What do you mean they must be able to preform SEND? I mean, i find hard
to see how the node H1 will be able to validate a NADV msg from H2 using
a different pk algorithm. I think you need to be much more precise with
what you mean here
A node of any type (H1, H2, H3, R1, R2, R3 or R4) interacting with
another node, their algorithms differ but there is a 3rd party
willing/able to help: this is an optional solution applicable to
the previous scenario, where two nodes that support SEND but do
not have any signature algorithms in common can talk through a
third party (router). In this case they should be able to perform
facilitated secure neighbor discovery.
I am not sure what you have in mind for this,,, hopefully it will be
clearer later on but certainly seems to be drifting from the SEND model
to me...
An H2, H3 or R2 node interacting with another H2, H3, or R2 node:
e.g., two nodes that support at least two signature algorithms in
common (one of which is likely preferred over the other), will be
able to perform secure neighbor discovery with any of the two
algorithms.
what about the scenario where they have one algorithm in common?
wouldn't this be a common case as well?
in 3. Supported Signature Algorithm Option
it became apparetnt o me that you were actually talking about a crypto
suite to support both pk algorithm and hash algorithm agility. I think
is the way to go, but the document is very opaque about this. This
should be made clear way earlier and a referecne tot he ahs threat
analysis in needed, in order to motivate the hash agility.
Signature Algorithm
A one-octet long field indicating a signature algorithm that is
supported by the node, this support implies at least ability to
verify signatures of this PK algorithm.
The first leftmost bit, bit 0, if set to 0, indicates that the
emitter is able to perform signature checks only (i.e. no
signature generation with this type on signature algorithm). If
this bit is set to 1, it indicates that the emitter has a public
key of this type and can generate signatures. Bit 1 and 2 are
reserved. Bit 3 to 7 are named Signature Type Identifier subfield
and encode the signature algorithm identifier. This signature
algorithm identifier binds a Public Key algorithm with an hash
algorithm. Default values for the Signature Type Identifier
subfield defined in this document are:
* Value 1 is RSA/SHA-256
* Value 2 is ECDSA/SHA-256
* Value 0 is reserved for future use.
I am not sure i understand how this works.
You will include one byte per PK alorithm supported?
and within it you will specify the hash algorithm supported?
This is not clear to me...
5. Basic negotiation
5.1. Overview
Two nodes sharing a common Signing Algorithm must be able to securely
communicate. Below is an example of such a message flow.
Node A Node B
NS
{CGA option,
RSA Signature option.
Supported-Signature-Algo option
(RSA, ECC, R=0)} -------->
NA
{CGA option,
ECC Signature option
Supported-Signature-Algo option
<-------- (ECC, R=1)}
NA
{CGA option,
ECC Signature option.
Supported-Signature-Algo option
(RSA, ECC, R=0)} -------->
IPv6 traffic <-------> IPv6 traffic
Basic Negotiation- Case 1
Two questions:
why does the node B sends the R set, when there was nothing to validate
in the NS msg?
Second, why does the node A sends a NA as a reply to a NA msg? i don't
think this is the normal ND behaviour, right?
I think we need to understand how we want this to behave in the
different scenarios you have described above. I think it is great that
you describe this for these two cases, but i think more thorough
analysis of how the different type of hosts, routers and the different
ND msgs work is needed.
I mean, i would like to understnad how every different host type
interacts with every other host type and router type for every different
ND msg exchange. I know this is a lot of work, but unless we understnad
this, we wont be able to see if this works properly
6. Router-as-a-notary function
This optional functionality enhances backward compatibility by
introducing a new entity. Here, the entity named "notary" serves to
certify the authenticity of a node's message. This improves
communication when two nodes have a disjoint set of supported
Signature Algorithm types and still require secure neighbor
discovery.
I really not sure if we want to go this path...
8. IANA Considerations
This document requests IANA to allocate types for the two new notary
ICMP messages.
I understnad you are creating a registry for the signature algorithms
used, so this belongs to the iana considerations section.
_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext
