[dhcwg] Secdir last call review of draft-ietf-dhc-dhcpv6-yang-23

Vincent Roca via Datatracker <noreply@ietf.org> Wed, 17 November 2021 08:41 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: dhcwg@ietf.org
Delivered-To: dhcwg@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 400D13A0AF3; Wed, 17 Nov 2021 00:41:28 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Vincent Roca via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: dhcwg@ietf.org, draft-ietf-dhc-dhcpv6-yang.all@ietf.org, last-call@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 7.39.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <163713848820.18649.9224727643938761782@ietfa.amsl.com>
Reply-To: Vincent Roca <vincent.roca@inria.fr>
Date: Wed, 17 Nov 2021 00:41:28 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/DQynlQNbJz9W4P_B6XS40IS9GYA>
Subject: [dhcwg] Secdir last call review of draft-ietf-dhc-dhcpv6-yang-23
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Nov 2021 08:41:28 -0000

Reviewer: Vincent Roca
Review result: Not Ready


I have reviewed this document as part of the security directorate’s ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

Summary: Not Ready

The Security Considerations section is globally well written, with links to
appropriate documents. However, a few clarifications would be welcome IMHO.

It is said: "An attacker who is able to access the DHCPv6 server" (resp. relay).
It's not just a matter of accessing the server (resp. relay).
As I understand it's more a matter of taking the control of the server (resp.
relay), which is different. Please clarify.

Then, the current text only mentions "denial of services" among the possible
consequences. DoS are rapidly identified and fixed, and anyway, an attacker
having full control on the DHCP server has other options to launch a DoS. I'd
be more concerned by subtle attacks that could be used to exfiltrate sensitive
information (maybe by redirecting to a rogue server?), or to create excessive
traffic (maybe by changing the valid-lifetime?), or to create subtle
dysfunctions (e.g., assigning the same IP to different clients), etc.

Another example: an attacker may gather information about clients, network
topology and network devices (e.g., by looking at the OUI part of the MAC
address). Such information can be highly helpful when preparing an orchestrated
attack towards a target company. If this is simplified by the YANG based
configuration in some way (I think so but you have a better understanding than
me), then it's worth mentioning.

To summarize, I have the feeling the current text could better illustrate some
of the consequences of attacks, beyond DoS attacks.

Minor comments:

- Section 5: remove "a" or "the" in:
        "changing the address of a the DNS server"

- Section 5: "re-configuring messages" is ambiguous.
        I think "forwarding messages to a rogue server after modifying the
        'server-address'" (I think this is what is meant) would be more

- intro:
        "...which is applicable device's interfaces."
        May be: "applicable to ..."

- intro, 1st paragraph:
        You should choose to either expand both NETCONF and RESTCONF acronyms,
        or none of them.