[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[MSEC] Review of draft-ietf-msec-tesla-for-alc-norm-05.txt

To: vincent.roca at inria.fr, aurelien.francillon at inria.fr, faurite at lcpc.fr
Subject: [MSEC] Review of draft-ietf-msec-tesla-for-alc-norm-05.txt
From: Brian Weis <bew at cisco.com>
Date: Thu, 2 Oct 2008 12:24:42 -0700
Authentication-results: sj-dkim-3; header.From=bew at cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: msec at ietf.org
Delivered-to: ietfarch-msec-web-archive at core3.amsl.com
Delivered-to: msec at core3.amsl.com
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; l=5302; t=1222975377; x=1223839377; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=bew at cisco.com; z=From:=20Brian=20Weis=20<bew at cisco.com> |Subject:=20Review=20of=20draft-ietf-msec-tesla-for-alc-nor m-05.txt |Sender:=20; bh=ynnC+cI53e33MfJOf8dm8UGhKXFR1h1j0mzxsgrXGe4=; b=ZrsDoz7ypRSqgpVmSGNEIr4lVCkls1U8t6Pe61t3zKCziJ7MCJzMSlaFlp /osmsqqYtlwgST+7sn5vDXa7+ANlgpCWMN/YEVuyixCMwVO5FIfhsxTmPXHW Wy1GzL3LeH;
List-archive: <http://www.ietf.org/pipermail/msec>
List-help: <mailto:msec-request@ietf.org?subject=help>
List-id: Multicast Security List <msec.ietf.org>
List-post: <mailto:msec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=unsubscribe>
Sender: msec-bounces at ietf.org

Hi Vincent, Aurelien, and Sebastien,

I have reviewed this draft as part of the MSEC WG last call (as aworking group member), and have the following comments. If any ofthem are unclear I would be happy to discuss them.


Thanks,
Brian

General comments
================

1. The terms "weak group authentication tag" and "weak group MAC" maysound a bit pejorative to readers not familiar with group security.Protecting against attackers that are not group members is animportant property. I recommend removing the term "weak".

2. The term "out of the scope" is repeated 11 times, if I countedcorrectly ... including once in the Abstract. I'm not doubting thatthose areas ARE out of scope for the document, but reading thatphrase so often makes the reader wonder if the I-D leaves too MUCHout of scope (and I'd expect this question to arise as the I-Dprogresses to a wider IETF review). It might be a good idea to add ascope section at the beginning of the document to declare once whatis and is not in scope, and then remove as many of those individualstatements as possible.

3. Whether or not NTP is required to support TESLA isn't clear. Someplaces seems to indicate it is required (e.g., the bullets in section1.2.2), however section 2.3.2 gives a range of options for timesynchronization. The bits-on-the-wired description in section 3.4.1seems to require an NTP timestamp, although it isn't clear that thebootstrap information message requires the use of direct timesynchronization. Could you clarify the conditions under which NTP isa requirement?

4. In some text "NTP" is specified, and sometimes "(S)NTP" isspecified. Is it possible to be consistent, or are times when NTPmust be used rather than SNTP?


Specific comments
=================

Section 1. The last paragraph says "This specification does notconsider the packets that may be sent by receivers, for instanceNORM's feedback packets. Adding authentication/integrity to thepackets sent by receivers is out of the scope of this document." Thismakes the reader wonder if there's enough value to applying TESLA toNORM when it can only protect packets in one direction. Can you add ashort rationale explaining why it is OK to declare TESLA reversepackets out of scope? (Note that section 2.1 states "NORM requires abidirectional transport channel", so it seems clear that anyrationale security policy will require securing the back channel byin parallel.)

Section 1.2.1. The next-to-last bullet says "The mechanism by whichthis group key is shared by the group members is out of the scope ofthis document". The distribution of the group key could be related tothe bootstrapping discussion in section 2.2. Instead of saying it isout of scope, perhaps you could say that it SHOULD be distributedduring TELSA bootstrapping and and reference section 2.2.

Section 2.3.2. This section mandates the use of SHA-1, which is aside effect of modeling the signature semantics after RFC 4359.However, since the time that RFC was published there has been anumber of attacks on SHA-1, and the current guidance is that IETFdrafts should specify a SHA-256 hash for signatures. You shouldjustify why a signature over a SHA-1 hash (as opposed to a SHA-256hash) is acceptable, or else change the specification to be a SHA-256hash.

Section 4.2. In step 2, it isn't clear how much processing thereceiver has it receives a compact authentication header and has to"guess" the value of i. What happens if the receiver "guesses" thevalue of i wrong? Can it tell without progressing to the next step(group MAC check)?

Section 6.1. I suggest rewording the second paragraph to somethinglike this: "In order to mitigate these attacks, it is RECOMMENDED touse the Weak Group MAC scheme (Section 3.3.3). No mitigation ispossible if a group member acts as an attacker."

Section 6.2.2. This section should say whether or not the NORMsequence number check happens before the TESLA processing. I suspectit happens before TELSA processing, but If it is afterwards then itshould also be noted that the sequence number check doesn't mitigateTESLA processing on a replayed message.

Section 7. IANA will need to know whether they need to create a newregistry, or whether these are added to an existing. Also, I'msurprised that the document does not describe any ALC and NORMregistry entries for the TELSA messages. Will that be done as part ofALC-specific and NORM-specific I-Ds?


Nits
====

Sections 3.4.5 and 3.4.6 seem to have quote marks that are not 7-bitASCII.

Section 3.3. First bullet: "of a data packets" should be "of datapackets". Also, second bullet: "a digital signatures" should be "adigital signature".

Section 3.3.3. First sentence: "not group member" should be "notgroup members".

Section 6.2.1. Second bullet: "that is not member" should be "that isnot a member". Also, "which requires to" should be "which requires itto".


--
Brian Weis
Router/Switch Security Group, ARTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew at cisco.com

_______________________________________________
MSEC mailing list
MSEC at ietf.org
https://www.ietf.org/mailman/listinfo/msec

Follow-Ups:
- Re: [MSEC] Review of draft-ietf-msec-tesla-for-alc-norm-05.txt
  - From: L.Liang

Prev by Date: Re: [MSEC] Authentication for OSPFv3
Next by Date: [MSEC] Review of draft-ietf-msec-tesla-for-alc-norm-05.txt
Previous by thread: Re: [MSEC] Authentication for OSPFv3
Next by thread: Re: [MSEC] Review of draft-ietf-msec-tesla-for-alc-norm-05.txt
Index(es):
- Date
- Thread