Internet DRAFT - draft-barth-homenet-hncp-security-trust
draft-barth-homenet-hncp-security-trust
Homenet Working Group S. Barth
Internet-Draft
Intended status: Standards Track October 14, 2014
Expires: April 17, 2015
HNCP - Security and Trust Management
draft-barth-homenet-hncp-security-trust-01
Abstract
This document describes threats and a security and trust bootstrap
mechanism for the Home Networking Control Protocol (HNCP).
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 17, 2015.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Barth Expires April 17, 2015 [Page 1]
�
Internet-Draft HNCP - Security and Trust Management October 2014
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements language . . . . . . . . . . . . . . . . . . . . 2
3. Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Border Determination . . . . . . . . . . . . . . . . . . . . 3
5. HNCP Payload Security . . . . . . . . . . . . . . . . . . . . 4
5.1. Isolated router-to-router links . . . . . . . . . . . . . 4
5.2. Authentication and Encryption of HNCP-traffic . . . . . . 4
6. Trust Management for Authentication and Encryption . . . . . 4
6.1. Pre-shared secret based trust . . . . . . . . . . . . . . 4
6.2. PKI-based trust . . . . . . . . . . . . . . . . . . . . . 5
6.3. Certificate-based trust consensus . . . . . . . . . . . . 5
6.3.1. Trust Verdicts . . . . . . . . . . . . . . . . . . . 5
6.3.2. Trust Cache . . . . . . . . . . . . . . . . . . . . . 6
6.3.3. Announcement of Verdicts . . . . . . . . . . . . . . 6
6.3.4. Bootstrap Ceremonies . . . . . . . . . . . . . . . . 7
7. Other homenet protocols . . . . . . . . . . . . . . . . . . . 8
8. Security Considerations . . . . . . . . . . . . . . . . . . . 9
8.1. Revocation of Trust . . . . . . . . . . . . . . . . . . . 9
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
10.1. Normative references . . . . . . . . . . . . . . . . . . 10
10.2. Informative references . . . . . . . . . . . . . . . . . 10
Appendix A. Draft source . . . . . . . . . . . . . . . . . . . . 11
Appendix B. Acknowledgements . . . . . . . . . . . . . . . . . . 11
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction
HNCP is designed to make home networks self-configuring, requiring as
little user intervention as possible. However this zero-
configuration goal usually conflicts with security goals and
introduces a number of threats.
This document describes imminent threats and different security and
trust management mechanisms to mitigate them.
2. Requirements language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Barth Expires April 17, 2015 [Page 2]
�
Internet-Draft HNCP - Security and Trust Management October 2014
3. Scope
This draft is based on HNCP as described in [I-D.ietf-homenet-hncp]
and the additional threats it introduces. Many of these already
exist in a similar form in current single-link home networks due to
the usually unauthenticated use of protocols like NDP [RFC4861] or
DHCPv6 [RFC3315]. This document intentionally does not cover these
and other Homenet-related threats not explicitly introduced by HNCP.
HNCP is a generic state synchronization mechanism carrying
information with varying threat potential. This draft will mainly
consider the currently specified payloads:
Network topology information such as homenet routers and their
adjacent links
Address assignment information such as delegated and assigned
prefixes for individual links
Naming and service discovery information such as auto-generated or
customized names for individual links and routers
IGP capabilities and preferences of individual routers
4. Border Determination
In general an HNCP-router determines the internal or external state
on a per-link scale and creates a firewall-perimeter and allows HNCP-
and IGP-traffic based on the individual results. These are provided
by either automatic border discovery or a predefined configuration
indicated by e.g. the link-type, a physically dedicated (labeled)
port or the administrator.
Threats concerning automatic border discovery cannot be mitigated by
encrypting or authenticating HNCP-traffic itself since external
routers do not participate in the protocol and often cannot be
authenticated by other means. These threats include propagation of
forged uplinks in the homenet in order to e.g. redirect traffic
destined to external locations and forged internality by external
routers to e.g. circumvent the perimeter firewall.
It is therefore imperative to either secure individual links on the
physical or link-layer or preconfigure the adjacent interfaces of
HNCP-routers to an adequate fixed-category in order to secure the
homenet border. Depending on the security of the external link
eavesdropping, man-in-the-middle and similar attacks on external
traffic can still happen between a homenet border-router and the ISP,
however these cannot be mitigated from inside the homenet.
Barth Expires April 17, 2015 [Page 3]
�
Internet-Draft HNCP - Security and Trust Management October 2014
5. HNCP Payload Security
Once the homenet border has been established there are several ways
to secure HNCP against internal threats like manipulation or
eavesdropping by compromised devices on a link which is enabled for
HNCP-traffic. If left unsecured attackers may cause arbitrary
spoofing or denial of service attacks on HNCP-services such as
address assignment or service discovery. Furthermore they may
manipulate routing or external connection information in order to
perform eavesdropping or man-in-the-middle attacks on outbound
traffic. The following security mechanisms are defined to mitigate
these threats:
5.1. Isolated router-to-router links
Given that links containing HNCP routers can be sufficiently secured
or isolated it is possible to run HNCP in a secure manner without
using any form of authentication or encryption. Detailed interface
categories like "leaf" or "guest" can be used to integrate not fully
trusted devices to various degrees into the homenet by not exposing
them to HNCP and IGP traffic or by using firewall rules to prevent
them from reaching homenet-internal resources.
5.2. Authentication and Encryption of HNCP-traffic
The end-to-end mechanism DTLS [RFC6347] is used to authenticate and
encrypt all HNCP unicast-traffic in order to protect its potentially
sensitive payload. Methods for establishing and managing trust for
this mechanism are described in the following section.
HNCP also uses multicast signaling to announce changes of HNCP
information but will not send any actual payload over this channel.
An attacker may learn hash-values of HNCP-information and may be able
to trigger unicast synchronization attempts between routers on the
local link this way. An HNCP-router should therefore limit its
unicast synchronizations attempts to avoid a multicast-induced
denial-of-service.
6. Trust Management for Authentication and Encryption
6.1. Pre-shared secret based trust
A PSK-based trust model is a simple security management mechanism
that allows an administrator to deploy devices to an existing network
by configuring them with a pre-defined key, similar to the
configuration of an administrator password or WPA-key. Although
limited in nature it is useful to provide a user-friendly security
mechanism for smaller homenets.
Barth Expires April 17, 2015 [Page 4]
�
Internet-Draft HNCP - Security and Trust Management October 2014
6.2. PKI-based trust
A PKI-based trust-model enables more advanced management capabilities
at the cost of increased complexity and bootstrapping effort. It
however allows trust to be managed in a centralized manner and is
therefore useful for larger networks with a need for an authoritative
trust management.
6.3. Certificate-based trust consensus
The certificate-based consensus model is designed to be a compromise
between trust management effort and flexibility. It is based on
X.509-certificates and allows each connected device to give a verdict
on any other certificate and a consensus is found to determine
whether a device using this certificate or any certificate signed by
it is to be trusted.
6.3.1. Trust Verdicts
Trust Verdicts are statements of HNCP-devices about the
trustworthiness of X.509-certificates. There are 5 possible verdicts
in order of ascending priority:
0 Neutral: no verdict exists but the homenet should find one
1 Cached Trust: the last known effective verdict was Configured or
Cached Trust
2 Cached Distrust: the last known effective verdict was Configured
or Cached Distrust
3 Configured Trust: trustworthy based upon an external ceremony or
configuration
4 Configured Distrust: not trustworthy based upon an external
ceremony or configuration
Verdicts are differentiated in 3 groups:
Configured verdicts are used to announce explicit verdicts a
device has based on any external trust bootstrap or predefined
relation a device has formed with a given certificate.
Cached verdicts are used to retain the last known trust state in
case all devices having configured verdicts about a given
certificate have been disconnected or turned off.
Barth Expires April 17, 2015 [Page 5]
�
Internet-Draft HNCP - Security and Trust Management October 2014
The Neutral verdict is used to announce a new device intending to
join the homenet so a final verdict for it can be found.
The current effective trust verdict for any certificate is defined as
the one with the highest priority from all verdicts announced for
said certificate at the time. A device MUST be trusted for
participating in the homenet if and only if the current effective
verdict for its own certificate or any one in its certificate
hierarchy is (Cached or Configured) Trust and none of the
certificates in its hierarchy have an effective verdict of (Cached or
Configured) Distrust. In case a device has a configured verdict
which is different from the current effective verdict for a
certificate the current effective verdict takes precedence in
deciding trustworthiness however the device still retains its
configured verdict in its configuration.
6.3.2. Trust Cache
Each device maintains a trust cache containing the current effective
trust verdicts for all certificates currently announced in the
homenet. This cache is used as a backup of the last known state in
case there is no device announcing an configured verdict for a known
certificate. It SHOULD be saved to a non-volatile memory at
reasonable time intervals to survive a reboot or power outage.
Every time a device (re)joins the homenet or detects the change of an
effective trust verdict for any certificate it will synchronize its
cache and store the new effective verdict overwriting any previously
cached verdicts. Configured verdicts are stored in the cache as
their respective cached counterparts, Neutral verdicts are never
stored.
6.3.3. Announcement of Verdicts
A device always announces any configured trust verdicts it has
established by itself. It also announces cached trust verdicts it
has stored in its trust cache if one of the following conditions
applies:
The stored verdict is Cached Trust and the current effective
verdict is Neutral or does not exist.
The stored verdict is Cached Distrust and the current effective
verdict is Cached Trust.
A device rechecks these conditions whenever it detects changes of
announced trust verdicts anywhere in the network.
Barth Expires April 17, 2015 [Page 6]
�
Internet-Draft HNCP - Security and Trust Management October 2014
Upon encountering a device with a hierarchy of certificates for which
there is no effective verdict a router announces Neutral verdicts for
all certificates found in the hierarchy until an effective verdict
different from Neutral can be found for any of the certificates or a
reasonable amount of time (10 minutes is suggested) with no reaction
and no further connection attempts has passed. Such verdicts SHOULD
also be limited in rate and number to prevent denial-of-service
attacks.
Trust verdicts are announced using Trust-Verdict TLVs:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type: Trust-Verdict (20) | Length: 41-104 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Verdict | (reserved) |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| |
| |
| SHA-256 Fingerprint |
| |
| |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Common Name |
Verdict represents the numerical index of the verdict.
(reserved) is reserved for future additions and MUST be set to 0
when creating TLVs and ignored when parsing them.
SHA-256 [RFC6234] Fingerprint contains the fingerprint of the
certificate.
Common Name contains the variable-length (1-64 bytes) common name
of the certificate.
6.3.4. Bootstrap Ceremonies
The following methods are defined to establish trust relationships
between HNCP-routers and router certificates. Trust establishment is
a two-way process in which the existing homenet must trust the newly
added device and the newly added device must trust at least one of
its neighboring routers. It is therefore necessary that both the
newly added device and an already trusted device perform such a
Barth Expires April 17, 2015 [Page 7]
�
Internet-Draft HNCP - Security and Trust Management October 2014
ceremony to successfully introduce a device into a homenet. In all
cases an administrator MUST be provided with external means to
identify the device belonging to a certificate based on its
fingerprint and a meaningful common name.
6.3.4.1. Trust by Identification
A device implementing certificate-based trust MUST provide an
interface to retrieve the current set of effective trust verdicts,
fingerprints and names of all certificates currently known and set
configured trust verdicts to be announced. Alternatively it MAY
provide a companion HNCP-device or application with these
capabilities with which it has a pre-established trust relationship.
6.3.4.2. Preconfigured Trust
A device MAY be preconfigured to trust a certain set of device or CA
certificates. However such trust relationships MUST NOT result in
unwanted or unrelated trust for devices not intended to be run inside
the same network (e.g. all other devices of that manufacturer).
6.3.4.3. Trust on Button Press
A device MAY provide a physical or virtual interface to put one or
more of its internal network interfaces temporarily into a mode in
which it trusts the certificate of the first HNCP-device it can
successfully establish a connection with.
6.3.4.4. Trust on First Use
A device which is not associated with any other homenet-router MAY
trust the certificate of the first HNCP-device it can successfully
establish a connection with. This method MUST NOT be used when the
device has already associated with any other HNCP-router.
7. Other homenet protocols
An IGP is usually run alongside HNCP in a homenet therefore the
individual security aspects of the respective protocols must be
considered. It can however be summarized that current candidate
protocols (namely Babel, OSPFv3, RIP and IS-IS) provide - to a
certain extent - similar security mechanisms. All mentioned
protocols do not support encryption and only support authentication
based on pre-shared keys natively. This influences the effectiveness
of any encryption-based security mechanism deployed by HNCP as
homenet routing information is usually not confidential.
Barth Expires April 17, 2015 [Page 8]
�
Internet-Draft HNCP - Security and Trust Management October 2014
As a PSK is required to authenticate IGP-traffic and potential other
protocols, HNCP is used to create and manage it. The key length is
defined to be 32 Bytes to be reasonably secure. The following rules
determine how a key is managed and used:
If no Managed-PSK-TLV is currently being announced, an HNCP-router
creates one with a random key and adds it to its node-data.
In case multiple routers announce such a TLV at the same time, all
but the one with the highest router-ID stop advertising it and
adopt the remaining one.
The router currently advertising the Managed-PSK-TLV must generate
and advertise a new random one whenever the HNCP security
mechanism stops trusting one or more trusted devices - i.e. HNCP
is secured with a PSK itself and it was changed or a certificate
has changed from trusted to distrusted.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type: Managed-PSK (21) | Length: 36 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
| |
| |
| Random PSK |
| |
| |
| |
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
PSKs for individual protocols are derived from the random PSK through
the use of HMAC-SHA256 [RFC6234] with a pre-defined per-protocol
HMAC-key in ASCII-format. The following HMAC-keys are currently
defined to derive PSKs for the respective protocols:
"ROUTING": to be used for IGPs. If a Random PSK exists then the
derived PSK MUST be used to secure the chosen IGP.
8. Security Considerations
8.1. Revocation of Trust
Revoking trust in a protocol intended for bootstrapping is non-
trivial, since neither an accurate clock nor network connectivity to
Barth Expires April 17, 2015 [Page 9]
�
Internet-Draft HNCP - Security and Trust Management October 2014
retrieve authenticated revocation information can be assumed in all
situations.
The Certificate-based trust consensus mechanism defined in this
document allows for a consenting revocation, however in case of a
compromised device the trust cache may be poisoned before the actual
revocation happens allowing the distrusted device to rejoin the
network using a different identity. Stopping such an attack might
require physical intervention and flushing of the trust caches.
However such an attack is often times more easily detectable than
threats discussed earlier in this document such as a silent
manipulation of routing information and related man-in-the-middle
attacks.
9. IANA Considerations
IANA should add HNCP TLV types with the following contents:
20: Trust-Verdict
21: Managed-PSK
10. References
10.1. Normative references
[I-D.ietf-homenet-hncp]
Stenberg, M. and S. Barth, "Home Networking Control
Protocol", draft-ietf-homenet-hncp-01 (work in progress),
June 2014.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, January 2012.
10.2. Informative references
[RFC6234] Eastlake, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234, May 2011.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
and M. Carney, "Dynamic Host Configuration Protocol for
IPv6 (DHCPv6)", RFC 3315, July 2003.
Barth Expires April 17, 2015 [Page 10]
�
Internet-Draft HNCP - Security and Trust Management October 2014
[RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
"Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
September 2007.
Appendix A. Draft source
As usual, this draft is available at https://github.com/fingon/ietf-
drafts/ in source format (with nice Makefile too). Feel free to send
comments and/or pull requests if and when you have changes to it!
Appendix B. Acknowledgements
Thanks to Markus Stenberg, Pierre Pfister and Mark Baugher for their
contributions to the draft and Xavier Bonnetain for ideas on a web of
trust and PSK-management in I-D.bonnetain-hncp-security-00.
Author's Address
Steven Barth
Email: cyrus@openwrt.org
Barth Expires April 17, 2015 [Page 11]
