IP Configuration Security BOF (icos) Thursday, March 10 at 0900-1130 =============================== CHAIRS: Bernard Aboba Jari Arkko AGENDA: Pleminaries: (5 minutes) - Minute Takers - Bluesheets IP Configuration Security Problem, Bernard Aboba (10 minutes) http://www.drizzle.com/~aboba/IETF62/icos.ppt Why do we care, TBD (10 minutes) EAP and its Applicability, Bernard Aboba (15 minutes) http://www.drizzle.com/~aboba/IETF62/icos.ppt http://www.ietf.org/rfc/rfc3748.txt http://www.ietf.org/internet-drafts/draft-ietf-eap-keying-04.txt Overview of The MIPv6 Bootstrap Problem, James Kempf (15 minutes) http://www.ietf.org/internet-drafts/draft-ietf-mipv6-bootstrap-ps-01.txt http://www.ietf.org/internet-drafts/draft-giaretta-mip6-authorization-eap-02.txt http://www.ietf.org/internet-drafts/draft-chakrabarti-mip6-bmip-00.txt http://www.ietf.org/internet-drafts/draft-ietf-mipv6-ikev2-ipsec-00.txt (more documents in the reading list) Overview of DHCP Security, Mark Stapp/Ralph Droms (15 minutes) http://www.ietf.org/rfc/rfc3118.txt http://www.ietf.org/rfc/rfc3315.txt http://www.ietf.org/internet-drafts/draft-ietf-dhc-v4-threat-analysis-03.txt http://www.ietf.org/internet-drafts/draft-yegin-eap-boot-rfc3118-01.txt http://bgp.potaroo.net/ietf/all-ids/draft-ietf-dhc-auth-sigzero-00.txt http://www.drizzle.com/~aboba/IETF62/draft-stapp-dhc-eap-00.txt (To Be Provided) Overview of Secure Configuration in SEND, Jari Arkko (10 minutes) http://www.ietf.org/internet-drafts/draft-ietf-send-cga-06.txt http://www.ietf.org/internet-drafts/draft-ietf-send-ndopt-06.txt NSIS Secure Configuration Issues, Hannes Tschofenig (5 mins) http://www.tschofenig.com/drafts/draft-tschofenig-nsis-qos-ext-authz-00.txt Overview of Other IP Layer Needs, TBD (5 min) - Mobile IPv4 - PANA - IKEv2 Discussion and Wrapup (25 minutes)here are also some papers available at the web page. DESCRIPTION: Internet layer configuration is defined as the configuration required to support the operation of the Internet layer. This includes IP address configuration, default gateway(s), name server configuration, boot configuration (TFTP, NFS), service location and directory configuration, mobility configuration, and time server configuration (NTP). Configuration is typically performed insecurely today. For example, DHCP is rarely secured due to the need for keys to be set up between clients and servers. In other cases, such as in Mobile IPv6, tools for secure configuration exist and their use is required, but there are deployment barriers. As a result, Internet Area working groups are exploring alternative solutions. These include use of EAP for use for key derivation, and configuration. For example, the DHC WG has considered employment of EAP-derived keys for use with DHCP security, as defined in RFC 3118 and 3315. The MIPv6 WG, in investigating the bootstrapping problem, has considered proposals involving use of IKEv2 with EAP, as well as utilization of link layer EAP exchanges for configuration. The SEND working group defined a certificate-based authorization for routers, where hosts prefer a router that has a certificate traceable to a trusted root configured for the host. SEND also defined zero configuration mechanism for secure IP address configuration, based on Cryptographically Generated Addresses (CGAs). This BOF will provide an overview of Internet layer secure configuration needs, discussing the architectural issues and potential solutions under discussion. The purpose of the BOF is to discuss a common topic that touches several existing Working Groups, and it is not expected that a new working group will be formed as a result. Reading list: [RFC3118] Droms, R. and W. Arbaugh, "Authentication for DHCP Messages", RFC 3118, June 2001. [RFC3315] Droms, R., Ed., Bound, J., Volz,, B., Lemon, T., Perkins, C. and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J. and H. Lefkowetz, "Extensible Authentication Protocol (EAP)", RFC 3748, June 2004. [RFC3736] Droms, R., "Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6", RFC 3736, April 2004. [RFC3756] Nikander, P., Kempf, J. and E. Nordmark, "IPv6 Neighbor Discovery (ND) Trust Models and Threats", RFC 3756, May 2004. [RFC3818] Schryver, V., "IANA Considerations for Point-to-Point Protocol", RFC 3818, June 2004. [ANYCAST] Hagino, J., and K. Ettikan, "An Analysis of IPv6 Anycast", draft-ietf-ipngwg-ipv6-anycast-analysis-02.txt, Internet draft (work in progress), June 2003. [DHCPv4Threat] Hibbs, R., Smith, C., Volz, B., Zohar, M., "Dynamic Host Configuration Protocol for IPv4 (DHCPv4) Threat Analysis", draft-ietf-dhc-v4-threat-analysis-02.txt, Internet draft (work in progress), April 2004. [DHCPv6Threat] Prigent, N., Marchand, J., Dupont, F., Cousin, B., Laurent- Maknavicius, M. and J. Bournelle, "DHCPv6 Threats", draft- prigent-dhcpv6-threats-00.txt, March 2001. [DNSConfv6] Jeong, J. (ed.), "IPv6 Host Configuration of DNS Server Information Approaches", draft-ietf-dnsop-ipv6-dns- configuration-04.txt, Internet draft (work in progress), September 2004. [EAP3118] Yegin, A., Tschofenig, H. and D. Forsberg, "Bootstrapping RFC 3118 Delayed DHCP AUthentication Using EAP-based Network Access Authentication", draft-yegin-eap-boot-rfc3118-00.txt, Internet draft (work in progress), February 2004. [EAPIKE] Tschofenig, H., Kroeselberg, D., Ohba, Y. and F. Bersani, "EAP IKEv2 Method (EAP-IKEv2)", draft-tschofenig-eap-ikev2-05.txt, Internet draft (work in progress), October 2004. [IKEv2] Kaufman, C., (ed.), "Internet Key Exchange (IKEv2) Protocol", draft-ietf-ipsec-ikev2-17.txt, Internet draft (work in progress), September 2004. [IPCPMIPv6] Song, J., Chong, C. and D. Leigh, "MIPv6 IPCP configuration option for PPP IPv6CP", draft-song-pppext-mipv6-ppp- support-01.txt, Internet draft (work in progress), October 2001. [SEND] Arkko, J., Kempf, J., Sommerfeld, B., Zill, B. and P. Nikander, "SEcure Neighbor Discovery (SEND)", draft-ietf-send- ndopt-06.txt, Internet draft (work in progress), January 2005. [SEND-CGA] Aura, T., "Cryptographically Generated Addresses (CGA)", draft-ietf-send-cga-06.txt, Internet draft (work in progress), October 2004. [MIPv6-EAP] Giaretta, G., Guardini, I., Demaria, E., Bournelle, J., and M. Laurent-Maknavicius, "MIPv6 Authorization and Configuration based on EAP", draft-giaretta-mip6-authorization-eap-02.txt, Internet draft (work in progress), October 2004. [MIPv6-IKEv2] Devarapalli, V., "Mobile IPv6 Operation with IKEv2 and the revised IPsec Architecture", draft-ietf-mip6-ikev2-ipsec-00.txt, Internet draft (work in progress), October 2004.