Hello Marcelo,
Thanks for your review.
Comments inline:
On Sun, 15 Mar 2009, marcelo bagnulo braun wrote:
I think this is doing very good progress. Still i am not sure i fully
undersntad how this approach would work in the different cases.
Some comments below...
1. Introduction
Cryptographically Generated Addresses (CGA) [RFC3972] have been
designed primarily for securing Neighbor Discovery [RFC3971].
I wouldn't state it this way. they were designed by the send wg, but their
use for mobility was proposed in the same timeframe and they are also used
for multihoming... so i would suggest to rephrase this.
At the
time when they were specified, CGAs allowed only one signing
algorithm, namely RSA.
They still only allow a single PK algorithm
I am not sure i like the signing algorithm phrasing... i mean you need botht
he PK algorithm and the hash algorithm to produce a signature, right? so it
is not clear which one you are referring to
NIST refers to these algorithms we are writing about as "digital signature
algorithms" (see FIPS 186-2). The digital signature algorithm includes a hash
algorithm. So we will replace "signing" by "digital signature" to be correct.
I would suggest dropping both these initial sentences...
It is well known that the RSA
signature generation and verification is computationally expensive.
I guess this sentence in the abstract doesn't make much sense.... i mean
compared to what? for what type of devices?
The usage scenarios associated with neighbor discovery have recently
been extended to include environments with mobile or nomadic nodes.
Many of these nodes have limited battery power and computing
resources. Therefore, heavy public key signing algorithms like RSA
are not feasible to support on such constrained nodes. Fortunately,
more lightweight yet secure signing algorithms do exist and have been
standardized, e.g. Elliptic Curve based algorithms.
this paragraph makes more sense to me (i would still change the signing
algorithm for pk algorithm though, in all the document i mean)
I would suggest dropping all the first paragraph and start directly with this
one
We will rephrase it in the next version of the draft.
The aim of this memo is to outline options for allowing public key
signing algorithm agility for nodes configured to perform secure
neighbor discovery operations when attaching to a new link.
why is this restricted to the operation on a new link? i mean, i guess this
also applies to the operations that a node performs after it has been
attached to the link for a long time...
This is only a poor phrasing. Will remove the "attach ..." part as it is
only confusing.
[...]
Type H4 host:
A host that supports multiple signature algorithms and has
multiple CGAs, each of which is associated with a single key of
one supported algorithm. For simplicity, we do not consider hosts
that have multiple CGAs, one or more of which are generated from
multiple public keys.
A node MUST select and settle on one CGA when building a trust
relationship with another device via SeND (more below).
It is not obvious to me what this last sentence means...
We will rephrase it. Basically, it means that the node having multiple
separate single PK CGAs, another node may start a ND process with a CGA based
on a signature algorithm it can't verify, while the very same node possess a
CGA with a signature algorithm which can be verified. The issue is that H4
nodes will try to bind multiples CGAs to the same owner node, which is not
feasible when some of the Digital Signature Algorithm associated with CGAs can
not be verified.
Type R1 router:
A router that only supports one type of signature algorithm and
has a CGA and Certificate with a public key of this algorithm.
Such routers are expected to be commonplace, as compliance with
[RFC3971] suffices for them.
Not sure what you mean by this last sentence
I mean, current routers will be more restrcited than this, since they will
use only RSA, right?
We meant, that RFC3971 nodes only handle one type of PK per CGA and per
certificate. They fit in R1 category. Then, they are more likely to be
deployed that other type of nodes described in this draft. Hence, they
are expected to be "commonplace". That said, we will rephrase it (as it
is not really important for the reader), but RFC3971 nodes definitely
fit in R1 category.
Type R3 router:
A router that supports multiple types of signature algorithms and
has multiple CGAs and Certificates with public key of several
different algorithm types.
This type of router can sign and verify signatures of multiple
types. Such routers may not be attractive to build and deploy due
to increased requirements on its resources. Moreover using
multiple CGAs (with no bindings) may make that router appear as
having multiple identities.
Type R4 router:
A router that supports multiple types of signature algorithms and
has one CGA composed of multiple Publics Keys and multiple
certificates containing each a Public Key.
why did you switched router 3 and router 4 with respect to host3 and host 4?
this is confusing. I think you should switch them so router 4 is the one with
multiple CGAs
True. We will switch them back in the next version of the draft.
moreover, it is weird that you leave the host with multiple CGAs out of the
analysis but you keep a router with multiple CGAs as part of the analysis...
or you don't? If you don't consider routers with multiple CGAs with
We are not considering the multi-CGA hosts, as they complicate the situation
too much for this stage of the draft. Will either remove the multi-CGA router
description or add a similar one for hosts, but it will be irrelevant for the
rest of the draft anyway.
I'd say that the multiple CGA routers don't have the same identity problem as
host may have with multiple CGA as their identity(ies) is related to their
certificate(s).
an additional comment on router r3
It may make sense to have one of such routers, i guess, if a given interface
is expected to handle one type of devices and a different interface a
different type of devices. For instnace a wireless interface may want to use
ECC while a wired interface may want to use RSA for backward compatibility.
Even can be the case for the same interface. So while i may agree that for a
host this configuration doesn't seem attractive, maybe for a router it is...
Indeed.
2.1.2. Principal Scenarios
Based on the discussion above, a SEND agility solution should at
least properly deal with the communication between devices of type
H1, H2, H3, R1 and R2.
I am not sure why do you think R4 is not relevant...I mean, having a router
with multiple PK seems a good transition approach to me...
R4 is a subset of R3 capabilities. That's why we ruled out R4 to focus
on R3. Also, note the wording, we said "at least", meaning that R4 could be
used. We will add it in the next versions.
An H1 or R1 node interacting with an H2 or R2 node: i.e., a node
supporting only RSA (for example, an old non-agility node which
only supports RFC3971) and a node supporting both RSA and ECDSA
(or other new algorithms). These two nodes must be able to
perform secure neighbor discovery.
What do you mean they must be able to preform SEND? I mean, i find hard to
see how the node H1 will be able to validate a NADV msg from H2 using a
different pk algorithm. I think you need to be much more precise with what
you mean here
The "must" we wrote should be a "may" (it will be corrected). There are cases
when this is possible, and other cases when the ND operation will only be
successful at one of the nodes, the one able to verify the signature. These
cases we have shown in the slides that we prepared for the WG meeting.
A node of any type (H1, H2, H3, R1, R2, R3 or R4) interacting with
another node, their algorithms differ but there is a 3rd party
willing/able to help: this is an optional solution applicable to
the previous scenario, where two nodes that support SEND but do
not have any signature algorithms in common can talk through a
third party (router). In this case they should be able to perform
facilitated secure neighbor discovery.
I am not sure what you have in mind for this,,, hopefully it will be clearer
later on but certainly seems to be drifting from the SEND model to me...
This is basically a reference to the router-as-a-notary part. This is drifting
from the model, indeed. However, router would need a certificate to be trusted
as notaries (the same way as they currently need a certificate to be trusted
to advertise a prefix), no extra material needed. This will also relax
requirement on the hosts, which is the whole purpose of the draft.
An H2, H3 or R2 node interacting with another H2, H3, or R2 node:
e.g., two nodes that support at least two signature algorithms in
common (one of which is likely preferred over the other), will be
able to perform secure neighbor discovery with any of the two
algorithms.
what about the scenario where they have one algorithm in common? wouldn't
this be a common case as well?
Indeed, we will simplify this point. The idea is that when two nodes share two
algorithms in common, they may have a "preferred one" (e.g. one that uses less
power, etc.).
in 3. Supported Signature Algorithm Option
it became apparetnt o me that you were actually talking about a crypto suite
to support both pk algorithm and hash algorithm agility. I think is the way
to go, but the document is very opaque about this. This should be made clear
way earlier and a referecne tot he ahs threat analysis in needed, in order to
motivate the hash agility.
Will do.
Signature Algorithm
A one-octet long field indicating a signature algorithm that is
supported by the node, this support implies at least ability to
verify signatures of this PK algorithm.
The first leftmost bit, bit 0, if set to 0, indicates that the
emitter is able to perform signature checks only (i.e. no
signature generation with this type on signature algorithm). If
this bit is set to 1, it indicates that the emitter has a public
key of this type and can generate signatures. Bit 1 and 2 are
reserved. Bit 3 to 7 are named Signature Type Identifier subfield
and encode the signature algorithm identifier. This signature
algorithm identifier binds a Public Key algorithm with an hash
algorithm. Default values for the Signature Type Identifier
subfield defined in this document are:
* Value 1 is RSA/SHA-256
* Value 2 is ECDSA/SHA-256
* Value 0 is reserved for future use.
I am not sure i understand how this works.
You will include one byte per PK alorithm supported?
Yes.
and within it you will specify the hash algorithm supported?
Yes. According to NIST, a "digital signature algorithm" includes the
definition of a message digest. Here, we specify PK algorithm + Hash algorithm
to perform the digital signature. We could have chosen to separate both,
saying that we support ECC, RSA in one side and SHA-1, SHA-256 on the other
side. But it may not be desirable to authorize ECC/SHA-1 while you may allow
ECC/SHA-256 and RSA/SHA-1 (just an example).
5. Basic negotiation
5.1. Overview
Two nodes sharing a common Signing Algorithm must be able to securely
communicate. Below is an example of such a message flow.
Node A Node B
NS
{CGA option,
RSA Signature option.
Supported-Signature-Algo option
(RSA, ECC, R=0)} -------->
NA
{CGA option,
ECC Signature option
Supported-Signature-Algo option
<-------- (ECC, R=1)}
NA
{CGA option,
ECC Signature option.
Supported-Signature-Algo option
(RSA, ECC, R=0)} -------->
IPv6 traffic <-------> IPv6 traffic
Basic Negotiation- Case 1
Two questions:
why does the node B sends the R set, when there was nothing to validate in
the NS msg?
Picture didn't showed it, but we supposed that the A's NS message contained
the Source Link-Layer Address Option (that needs to be protected in order to
update the Neighbor Cache). Here, B basically indicates to A that he wasn't
able to check his signature, so he won't update this cache. Hence A sending
it's Link-Layer address in a other message.
Second, why does the node A sends a NA as a reply to a NA msg? i don't think
this is the normal ND behaviour, right?
I am not sure in this special context. When A receives the B's NA message with
the SSA option indicating that its last message couldn't be verified, A still
have to make B node learn it's Link-Layer Address. I don't think we are still
in the "classic" ND or even in SEND as both party are supposed to understand
each other.
I think we need to understand how we want this to behave in the different
scenarios you have described above. I think it is great that you describe
this for these two cases, but i think more thorough analysis of how the
different type of hosts, routers and the different ND msgs work is needed.
I mean, i would like to understnad how every different host type interacts
with every other host type and router type for every different ND msg
exchange. I know this is a lot of work, but unless we understnad this, we
wont be able to see if this works properly
We are aware of this "lack". But in the interest of getting the main idea
out, we chose to leave out an exhaustive list of H* to H* interactions. We
will add a more thorough analysis in the next versions when H*, R* nodes will
be completely defined.
6. Router-as-a-notary function
This optional functionality enhances backward compatibility by
introducing a new entity. Here, the entity named "notary" serves to
certify the authenticity of a node's message. This improves
communication when two nodes have a disjoint set of supported
Signature Algorithm types and still require secure neighbor
discovery.
I really not sure if we want to go this path...
I don't know if many people will agree here, but this (optional)
mechanism will help in transitional effort (current and future ones,
when moving to a main Signature Algorithm/Public Key to another one) and
also in heterogeneous networks. I think it's worth developing the idea a
bit in the next versions and see if we reach a consensus among the WG.
8. IANA Considerations
This document requests IANA to allocate types for the two new notary
ICMP messages.
I understnad you are creating a registry for the signature algorithms used,
so this belongs to the iana considerations section.
Will do.
Thanks for your comments.
Regards,
Tony Cheneau
_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext
