Re: [ANCP] Privacy issue in draft-ietf-ancp-mc-extensions-12

"Francois Le Faucheur (flefauch)" <flefauch@cisco.com> Mon, 02 December 2013 09:11 UTC

Return-Path: <flefauch@cisco.com>
X-Original-To: ancp@ietfa.amsl.com
Delivered-To: ancp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2107F1AE387 for <ancp@ietfa.amsl.com>; Mon, 2 Dec 2013 01:11:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.502
X-Spam-Level:
X-Spam-Status: No, score=-9.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ydG4kxtaUb9q for <ancp@ietfa.amsl.com>; Mon, 2 Dec 2013 01:11:35 -0800 (PST)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) by ietfa.amsl.com (Postfix) with ESMTP id 806131AE23C for <ancp@ietf.org>; Mon, 2 Dec 2013 01:11:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2161; q=dns/txt; s=iport; t=1385975464; x=1387185064; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=2KRoRsOiJAU6bIwCrt1/ljl/tB0Q97vDlD1aomlIs1I=; b=N3n+vOtC8a2ccp6dxAce6H9pqpK0h1UPZuAAK4vsHEBeoH5DrU14ObMl TzkX6GtQgCE2qTUX01Ivwv9e24I7Fcsb7ycR+Xs1sY5CupGRLG+MFEEm9 k4fkSpp9xjWBwUSYHSgNDyIKLmZY3FD2mx5D2dxvPvxUSTAqdEATd5+Tg w=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhoFAINNnFKtJXG//2dsb2JhbABPCoMHOFO4V4EhFnSCJQEBAQMBAQEBNzQLBQsCAQg2ECEGCyUCBA4Fh28DCQYNt1ENhzQTBIx3gSUQKTMHgyCBEwOWKYFrjFqFOYMpgXE5
X-IronPort-AV: E=Sophos;i="4.93,809,1378857600"; d="scan'208";a="3575705"
Received: from rcdn-core2-4.cisco.com ([173.37.113.191]) by alln-iport-5.cisco.com with ESMTP; 02 Dec 2013 09:11:04 +0000
Received: from xhc-rcd-x07.cisco.com (xhc-rcd-x07.cisco.com [173.37.183.81]) by rcdn-core2-4.cisco.com (8.14.5/8.14.5) with ESMTP id rB29B4e2016683 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 2 Dec 2013 09:11:04 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.250]) by xhc-rcd-x07.cisco.com ([173.37.183.81]) with mapi id 14.03.0123.003; Mon, 2 Dec 2013 03:11:03 -0600
From: "Francois Le Faucheur (flefauch)" <flefauch@cisco.com>
To: Tom Taylor <tom.taylor.stds@gmail.com>
Thread-Topic: [ANCP] Privacy issue in draft-ietf-ancp-mc-extensions-12
Thread-Index: AQHO7tb0SgZ58E8jaUem8VSz3VS2I5pBA78A
Date: Mon, 2 Dec 2013 09:11:02 +0000
Message-ID: <6EE0FD67-10BB-480C-941A-2C7986A91314@cisco.com>
References: <529BA104.2050500@gmail.com>
In-Reply-To: <529BA104.2050500@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.55.161.199]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <A5D714D1EE7C10459B254DC8D3539EBE@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "ancp@ietf.org" <ancp@ietf.org>
Subject: Re: [ANCP] Privacy issue in draft-ietf-ancp-mc-extensions-12
X-BeenThere: ancp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Access Node Control Protocol working group mailing list <ancp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ancp>, <mailto:ancp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ancp/>
List-Post: <mailto:ancp@ietf.org>
List-Help: <mailto:ancp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ancp>, <mailto:ancp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Dec 2013 09:11:43 -0000

Hello Tom,

I think these TLVs bring some value:
The ANCP Multicast Admission Control message supports the "Conditional Access and Admission Control Use Case". When conditional access is to be performed on a per device basis (as opposed to per DSL line basis), the message needs to provide the NAS with a way to identify the device.

In general (and more or less by definition) the NAS has a lot of visibility on each DSL line (certainly for unicast), so I assume the privacy concern is not so much about communicating the info to the NAS but has more to do with the risk of a monitoring attack of the ANCP protocol. Right?

How about an alternative approach where we keep these TLVs in the document and keep them as optional, but add a note that says that:
	* including those TLVs in the message is only useful when the NAS is to perform per-device "Conditional Access and Admission Control"
	* including those TLVs in the message results in an increased privacy concern because it exposes on the wire the corresponding privacy information about which IP/MAC is accessing which multicast channel, which could be exploited by a monitoring attack on the ANCP protocol.
	* these TLVs SHOULD NOT be included when per-device "Conditional Access and Admission Control" by the NAS is not used

Makes sense?

Francois

On 1 Dec 2013, at 21:50, Tom Taylor <tom.taylor.stds@gmail.com>
 wrote:

> In his review of draft-ietf-ancp-mc-extensions-12, our AD pointed out that the optional presence of the Request-Source-IP or Request-Source-MAC TLV in the ANCP Multicast Admission Control message posed privacy issues. Looking through the ANCP requirements in RFC 5851 and TR-101, I could find no requirement that these be reported.
> 
> I proposed that these TLVs be dropped from the message and from the document. I will assume that I have consent for this change if I do not hear arguments against it by the end of Wednesday, December 18.
> 
> Tom Taylor
> _______________________________________________
> ANCP mailing list
> ANCP@ietf.org
> https://www.ietf.org/mailman/listinfo/ancp