[Mipshop] Re: AD review of draft-ietf-mipshop-handover-key

To: James Kempf <kempf at docomolabs-usa.com>
Subject: [Mipshop] Re: AD review of draft-ietf-mipshop-handover-key
From: Jari Arkko <jari.arkko at piuha.net>
Date: Mon, 29 Oct 2007 18:48:49 +0200
Cc: Mipshop <mipshop at ietf.org>, draft-ietf-mipshop-handover-key at tools.ietf.org
In-reply-to: <01e801c81a4a$29352530$576115ac@dcml.docomolabsusa.com>
List-help: <mailto:mipshop-request@ietf.org?subject=help>
List-id: mipshop.ietf.org
List-post: <mailto:mipshop@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/mipshop>, <mailto:mipshop-request@ietf.org?subject=unsubscribe>
References: <47260A0A.8030005@piuha.net> <01e801c81a4a$29352530$576115ac@dcml.docomolabsusa.com>
User-agent: Thunderbird 1.5.0.14pre (X11/20071022)

James,

>> The MN can reuse the key pair on different
>> access routers but MUST NOT use the key pair for
>> any other encryption or for signature operation.
>
> I hope this does not imply that the same key pair could not be
> used for SEND. Essentially, this would mean that SEND and
> FMIP are incompatible. OTOH, I see no reason why this should
> apply to anything involving the CGA address itself. Suggested
> rewrite:
>
> The MN can reuse the key pair on different
> access routers but MUST NOT use the key pair for
> any encryption or signature beyond operations
> involving the given CGA address (such as Neighbor
> Advertisements for the given address, secured
> with SEND).
>
> jak>> The handover key encryption key should not be used for any
> authentication operation including SEND. A separate key was introduced
> for encrypting because RSA has a vulnerability if the same key is used
> for both encryption and authentication. I can modify it to:
>
> jak>> The MN can reuse the key pair on different
> access routers for encrypting a handover key
> but MUST NOT use the key pair for
> any other encryption or signature operations, especially
> for authentication with SEND.

This is very problematic. If I understand this correctly, it means that
the MN can pick a key pair and address and defend them in the
RtPrSol, but is unable to do so for regular ND operations on the
link. And you need to use ND operations on the link. Also, at
the same time any use of the given care of address with CGA
based techniques (SHIM6, RFC 4866) becomes impossible.

Did I get this correctly? If yes, I think we need to do something
about it.

Is the RSA vulnerability an issue for the key in question? What
if there was key pair P that was used to derive the care of address,
and to certify key pair Q. Both P and Q were included in RtPrSol,
and only Q would be used for encryption in RtPrAdv? But I'm
just thinking aloud here...

> In which format? Can you specify this more explicitly?
>
> jak>> I'll look into this. Do you have any preferences about the format?

No. I don't remember if RFC 4866 had something similar, you may
want to copy from there if it did.

Jari



_______________________________________________
Mipshop mailing list
Mipshop at ietf.org
https://www1.ietf.org/mailman/listinfo/mipshop

Follow-Ups:
- [Mipshop] Re: AD review of draft-ietf-mipshop-handover-key
  - From: James Kempf

References:
- [Mipshop] AD review of draft-ietf-mipshop-handover-key
  - From: Jari Arkko
- [Mipshop] Re: AD review of draft-ietf-mipshop-handover-key
  - From: James Kempf

Prev by Date: [Mipshop] Re: AD review of draft-ietf-mipshop-handover-key
Next by Date: [Mipshop] Re: AD review of draft-ietf-mipshop-handover-key
Previous by thread: [Mipshop] Re: AD review of draft-ietf-mipshop-handover-key
Next by thread: [Mipshop] Re: AD review of draft-ietf-mipshop-handover-key
Index(es):
- Date
- Thread

[Mipshop] Re: AD review of draft-ietf-mipshop-handover-key

Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.