[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[MSEC] Review of draft-ietf-msec-tesla-for-alc-norm-05.txt

To: msec at ietf.org
Subject: [MSEC] Review of draft-ietf-msec-tesla-for-alc-norm-05.txt
From: Ramu Panayappan <pramu at cmu.edu>
Date: Thu, 2 Oct 2008 18:32:45 -0400
Delivered-to: ietfarch-msec-web-archive at core3.amsl.com
Delivered-to: msec at core3.amsl.com
List-archive: <http://www.ietf.org/pipermail/msec>
List-help: <mailto:msec-request@ietf.org?subject=help>
List-id: Multicast Security List <msec.ietf.org>
List-post: <mailto:msec@ietf.org>
List-subscribe: <https://www.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www.ietf.org/mailman/listinfo/msec>, <mailto:msec-request@ietf.org?subject=unsubscribe>
Sender: msec-bounces at ietf.org

Hi,

Brian had asked the security group at CMU, to have a quick look at thedraft to check if there are any issues with the way TESLA is being used.

At the outset, there are no apparent issues with the way it has beenused. However, I have a few comments (see below) in form of questions/suggestions to ascertain that my conclusions are correct. A couple ofnits are also noted. Feel free to ignore those.


Thanks
Ramu


--------------


2.3.2 (Nit)

Use of GPS as secure time source is a issue almost always as GPStimings signals can be spoofed easily. Methods like "dead reckoning"may be used to circumvent spurious GPS signals to certain extent. Itmay be worthwhile to add a "caution" of not using this method forsynchronization.


3.3.1 (Nit)

What is the F' function? (probably some reference to later sectionmight help)


3.3.2 (Assumption)

Bootstrap Message signing: Assumes that the receiver obtains theverifying key corresponding to the signing key K of the sender by somemeans. May be add this as a pre-requisite for receiver side in Section4.


3.3.3 (Question & suggestion)

What is the reasoning behind including the digital signature (e.g.,of a bootstrap message) and the MAC fields (e.g., of an authenticationtag) while computing the Weak group MAC Tag. Since this is just apreliminary check the group MAC tag can be computed devoid of it andthus helping the sender to parallize the computations of group MAC tagand computing authentication tags on the packet.

(As a side note given that groups change dynamically and the groupkeys are rekeyed periodically it might be a implementation hurdle toalways tag the correct group MAC tag. This might require acceptinggroup MAC based on older group keys too. May be it is worth cautioningthis and cite it as "out of scope").



6. Security Considerations: (Suggestion)

In addition to the correct calculation of D-t the choice of timeintervals is critical for TESLA to function correctly. It should benoted that (d * time interval) should b greater than the propagationdelay to reach from sender to receiver. (Not sure whether this isalready taken care of by the nuances of the existing protocols).



6.1 DoS (Suggestion)

In addition to those mentioned,

DoS is possible by bombarding with spurious bootstrap packets orbombarding with synchronization packets. Recommendations for these mayalso be helpful.


6.2.2 Impact of replay attacks on NORM (Question)

Does the sequence number check happen before the TELSA processing?




_______________________________________________
MSEC mailing list
MSEC at ietf.org
https://www.ietf.org/mailman/listinfo/msec

Prev by Date: [MSEC] Review of draft-ietf-msec-tesla-for-alc-norm-05.txt
Next by Date: Re: [MSEC] Authentication for OSPFv3
Previous by thread: Re: [MSEC] Review of draft-ietf-msec-tesla-for-alc-norm-05.txt
Next by thread: [MSEC] [Fwd: New Version Notification for draft-ietf-msec-tesla-for-alc-norm-06]
Index(es):
- Date
- Thread