| ICOS BOF -- IP Configuration Security | <– Date –> <– Thread –> |
From: Jari Arkko (jari.arkko piuha.net)
|
|
| Date: Thu, 17 Feb 2005 08:02:01 -0500 (EST) | |
For your information: we intend to arrange a BoF in the next IETF about the secure configuration needs at IP layer. Some of the proposals in this space relate to EAP usage, so participation from this group would be highly desirable. Mailing list has also been set up; see below for a link to subscribe yourself.
IP Configuration Security BoF
Chairs: Bernard Aboba <aboba [at] internaut.com> Jari Arkko <jari.arkko [at] piuha.net>
Area Directors: Thomas Narten <narten [at] us.ibm.com> Margaret Wasserman <margaret [at] thingmagic.com>
Mailing list: https://www.machshav.com/mailman/listinfo.cgi/icos
This BoF will provide an overview of secure Internet layer configuration needs, discussing the architectural issues, areas of applicability and potential solutions under discussion in different areas of the IETF. The purpose of the BoF is to discuss a common topic that touches several existing Working Groups, and it is not expected that a new working group will be formed as a result. The BoF will also not replace ongoing process in existing WGs, though it is hoped that the discussion gives additional insights to the participants to deal with these issues.
The need for this BoF has came up in the context of expanding EAP usage, including the use of EAP for configuration in different IETF WGs. However, the BoF will discuss this issue from a general point of view, as the issue is not related to just a single protocol. Examples of specific issues in IP layer protocols are brought forward, however, as are examples of solutions in order make it easier to understand the concrete implications of the issues.
Internet layer configuration is defined as the configuration required to support the operation at the Internet layer. This includes IP address configuration, default gateway(s), name server configuration, boot configuration (TFTP, NFS), service location and directory configuration, mobility configuration, and time server configuration (NTP).
Configuration is typically performed insecurely today. For example, DHCP is rarely secured for a variety of reasons, even though a security mechanism has been defined in RFC 3118. In other cases, such as in Mobile IPv6, the use of security tools is mandatory in the protocols, but there are deployment barriers.
As a result, Internet Area working groups are exploring alternative solutions. These include use of EAP for use for key derivation, and configuration. For example, the DHC WG has considered employment of EAP-derived keys for use with DHCP security, as defined in RFC 3118 and 3315. The MIPv6 WG, in investigating the bootstrapping problem, has considered proposals involving use of IKEv2 with EAP, as well as utilization of link layer EAP exchanges for configuration.
IPv6 uses Router Advertisements for address autoconfiguration; however, a mechanism is needed to secure them. The SEND working group defined a zero-configuration mechanism for secure IP address configuration, based on Cryptographically Generated Addresses (CGAs). It also defined a certificate-based authorization for routers, where hosts can use a router that has a certificate traceable to a trusted root configured for the host.
All these configuration tasks have delay constraints, because they typically need to be performed before a node that just moved can resume communications.
Reading list:
[RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP
Messages", RFC 3118, June 2001.[RFC3315] Droms, R., Ed., Bound, J., Volz,, B., Lemon, T.,
Perkins, C. and M. Carney, "Dynamic Host
Configuration Protocol for IPv6 (DHCPv6)", RFC
3315, July 2003.[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J.
and H. Lefkowetz, "Extensible Authentication Protocol
(EAP)", RFC 3748, June 2004.[RFC3736] Droms, R., "Stateless Dynamic Host Configuration
Protocol (DHCP) Service for IPv6", RFC 3736,
April 2004.[RFC3756] Nikander, P., Kempf, J. and E. Nordmark, "IPv6 Neighbor
Discovery (ND) Trust Models and Threats",
RFC 3756, May 2004.[RFC3818] Schryver, V., "IANA Considerations for Point-to-Point
Protocol", RFC 3818, June 2004.[ANYCAST] Hagino, J., and K. Ettikan, "An Analysis of IPv6 Anycast",
draft-ietf-ipngwg-ipv6-anycast-analysis-02.txt,
Internet draft (work in progress), June 2003.[DHCPv4Threat]
Hibbs, R., Smith, C., Volz, B., Zohar, M., "Dynamic Host
Configuration Protocol for IPv4 (DHCPv4) Threat Analysis",
draft-ietf-dhc-v4-threat-analysis-02.txt, Internet draft
(work in progress), April 2004.[DHCPv6Threat]
Prigent, N., Marchand, J., Dupont, F., Cousin, B., Laurent-
Maknavicius, M. and J. Bournelle, "DHCPv6 Threats", draft-
prigent-dhcpv6-threats-00.txt, March 2001.[DNSConfv6]
Jeong, J. (ed.), "IPv6 Host Configuration of DNS Server
Information Approaches", draft-ietf-dnsop-ipv6-dns-
configuration-04.txt, Internet draft (work in progress),
September 2004.[EAP3118] Yegin, A., Tschofenig, H. and D. Forsberg, "Bootstrapping RFC
3118 Delayed DHCP AUthentication Using EAP-based Network
Access Authentication", draft-yegin-eap-boot-rfc3118-01.txt,
Internet draft (work in progress), January 2005.[EAPIKE] Tschofenig, H., Kroeselberg, D., Ohba, Y. and F. Bersani, "EAP
IKEv2 Method (EAP-IKEv2)", draft-tschofenig-eap-ikev2-05.txt,
Internet draft (work in progress), October 2004.[IKEv2] Kaufman, C., (ed.), "Internet Key Exchange (IKEv2) Protocol",
draft-ietf-ipsec-ikev2-17.txt, Internet draft (work in
progress), September 2004.[IPCPMIPv6]
Song, J., Chong, C. and D. Leigh, "MIPv6 IPCP configuration
option for PPP IPv6CP", draft-song-pppext-mipv6-ppp-
support-01.txt, Internet draft (work in progress), October
2001.[SEND] Arkko, J., Kempf, J., Sommerfeld, B., Zill, B. and P.
Nikander, "SEcure Neighbor Discovery (SEND)", draft-ietf-send-
ndopt-06.txt, Internet draft (work in progress), January 2005.[SEND-CGA]
Aura, T., "Cryptographically Generated Addresses (CGA)",
draft-ietf-send-cga-06.txt, Internet draft (work in progress),
October 2004.[MIPv6-BOOT]
A. Patel, "Problem Statement for bootstrapping
Mobile IPv6, draft-ietf-mip6-bootstrap-ps-01.txt,
Internet draft (work in progress), October 2004.[MIPv6-IKEv2]
Devarapalli, V., "Mobile IPv6 Operation with IKEv2 and the
revised IPsec Architecture", draft-ietf-mip6-ikev2-ipsec-00.txt,
Internet draft (work in progress), October 2004.[MIPv6-EAP]
Giaretta, G., Guardini, I., Demaria, E., Bournelle, J., and
M. Laurent-Maknavicius, "MIPv6 Authorization and Configuration
based on EAP", draft-giaretta-mip6-authorization-eap-02.txt,
Internet draft (work in progress), October 2004.[MIPv6-AAA]
Yegin, A., "AAA Mobile IPv6 Application Framework",
draft-yegin-mip6-aaa-fwk-00.txt, Internet draft (work
in progress), August 2004.[MIPv6-BOOT2]
J. Kempf, E. Nordmark, S. Chakrabarti, "Bootstrapping Mobile
IPv6", draft-chakrabarti-mip6-bmip-00.txt, Internet draft
(work in progress), December 2004.----
IP Configuration Security BOF Agenda
Time and Date: Monday, March 7, 2005, 1530-1730 (Tentative - have asked to be moved to Wed-Thu!)
Preliminaries: (5 minutes) - Minute Takers - Bluesheets
IP Configuration Security Problem, Bernard Aboba (10 minutes) http://www.drizzle.com/~aboba/IETF62/icos.ppt
Why do we care, TBD (10 minutes)
Credential Reuse, TBD (10 minutes)
EAP and its Applicability, Bernard Aboba (15 minutes) http://www.drizzle.com/~aboba/IETF62/icos.ppt (To Be Provided) http://www.ietf.org/rfc/rfc3748.txt http://www.ietf.org/internet-drafts/draft-ietf-eap-keying-04.txt
Overview of The MIPv6 Bootstrap Problem, James Kempf (20 minutes) http://www.ietf.org/internet-drafts/draft-ietf-mipv6-bootstrap-ps-01.txt http://www.ietf.org/internet-drafts/draft-giaretta-mipv6-authorization-eap-02.txt http://www.ietf.org/internet-drafts/draft-chakrabarti-mip6-bmip-00.txt http://www.ietf.org/internet-drafts/draft-ietf-mipv6-ikev2-ipsec-00.txt (more documents in the reading list)
Overview of DHCP Security, Mark Stapp/Ralph Droms (20 minutes) http://www.ietf.org/rfc/rfc3118.txt http://www.ietf.org/rfc/rfc3315.txt http://www.ietf.org/internet-drafts/draft-ietf-dhc-v4-threat-analysis-03.txt http://www.ietf.org/internet-drafts/draft-yegin-eap-boot-rfc3118-01.txt http://bgp.potaroo.net/ietf/all-ids/draft-ietf-dhc-auth-sigzero-00.txt http://www.drizzle.com/~aboba/IETF62/draft-stapp-dhc-eap-00.txt (To Be Provided)
Overview of Secure Configuration in SEND, Jari Arkko (10 minutes) http://www.ietf.org/internet-drafts/draft-ietf-send-cga-06.txt http://www.ietf.org/internet-drafts/draft-ietf-send-ndopt-06.txt
Overview of Other IP Layer Needs, TBD (5 min) - Mobile IPv4 - PANA - IKEv2
Discussion and Wrapup (20 minutes)
- (no other messages in thread)
Results generated by Tiger Technologies using MHonArc.