[secdir] Secdir review of draft-ietf-mext-mip6-tls-03
Tobias Gondrom <tobias.gondrom@gondrom.org> Wed, 29 February 2012 19:04 UTC
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FFF121F86DF for <secdir@ietfa.amsl.com>; Wed, 29 Feb 2012 11:04:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.777
X-Spam-Level:
X-Spam-Status: No, score=-96.777 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aeECwHQckfuj for <secdir@ietfa.amsl.com>; Wed, 29 Feb 2012 11:04:04 -0800 (PST)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (www.gondrom.org [83.169.7.107]) by ietfa.amsl.com (Postfix) with ESMTP id C1DF821F86F2 for <secdir@ietf.org>; Wed, 29 Feb 2012 11:04:03 -0800 (PST)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=ns4MUAUdEAD42e0uSFvxVjjqfzm9su7MkSXD/cJg+Yro/0/i4oc+8ufrbXJrNH73/jA26h550IPc5QRu+aH1yh04RqrIpssH+C6m8pLi4pnKCGrcSsOblgQQWIfKcp9H; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:Subject:Content-Type;
Received: (qmail 11713 invoked from network); 29 Feb 2012 20:03:40 +0100
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.68?) (94.194.102.93) by www.gondrom.org with (DHE-RSA-AES256-SHA encrypted) SMTP; 29 Feb 2012 20:03:40 +0100
Message-ID: <4F4E768B.7030302@gondrom.org>
Date: Wed, 29 Feb 2012 19:03:39 +0000
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
MIME-Version: 1.0
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-mext-mip6-tls.all@tools.ietf.org
Content-Type: multipart/alternative; boundary="------------090206010604060406010402"
Subject: [secdir] Secdir review of draft-ietf-mext-mip6-tls-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Feb 2012 19:04:05 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This draft of the MEXT WG is experimental and aims at using Transport Layer Security-based Mobile IPv6 Security Framework for Mobile Node to Home Agent Communication instead of IPSEC. In general this can be feasible and the security considerations section is relatively extensive,however a number of issues come to mind, which can be grouped in four areas: 1. TLS: - risk of TLS downgrading (via renegotiation) - risk of TLS stripping (by a MitM) 2. trust and server certificates - as we saw in websec there are a number of risks with the handling/provisoning of certs through CAs. In this case the server landscape could be much better controlled by the operator, this may be easier here, but still the question remains: - as this uses certs for authentication, do we have to look at compromised certs / how to update trust-anchors in mobile nodes? - do we need to look into cert pinning to sustain trust relationships? 3. Cipher Suites (5.6.5. and following): the listed cipher suites seem limited and potentially not sufficiently secure and agile. - why are you not including AES-256 and SHA-2 (512bit)? - furthermore due to the list of ciphers it seems the spec is lacking algorithm agility, it might be apropriate to use a registry or even better refer to an existing registry for cipher suites? 4. Misc: - and on a personal note maybe a stupid question: why do you MUST set the sequence number to 0 at the start? Does this reduction in the range of expected sequence number values possibly open channels for attack, like increase the risk of an attacker guessing sequence numbers in the stream? In general I feel the draft could use the improvements in the above four areas, but as it is experimental, it may be sufficient. Best regards, Tobias
- [secdir] Secdir review of draft-ietf-mext-mip6-tl… Tobias Gondrom