IETF Logo Mail Archive

Re: [dhcwg] Secdir last call review of draft-ietf-dhc-dhcpv6-yang-23

Vincent Roca <vincent.roca@inria.fr> Wed, 17 November 2021 13:38 UTC

Return-Path: <vincent.roca@inria.fr>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAF473A0CEB; Wed, 17 Nov 2021 05:38:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wD2OugLFP5vf; Wed, 17 Nov 2021 05:38:22 -0800 (PST)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CAAF3A0CE2; Wed, 17 Nov 2021 05:38:20 -0800 (PST)
IronPort-Data: A9a23:Q/Lj/6gcKz7hUp/9/jbU/PcQX1619BIKZh0ujC45NGQNrF6WrkUOy2ZLWD2COayNY2f8KY10Od+3pxwA7cCEyIJnSgs+/3w8FHgiRejtVY3IdB+oV8+xBpSeFxw/t512huEtnanYd1eEzvuWGuWn/SYUOZ2gHOKmUbedY38pHmeIdQ964f5ds79g6mJXqYjha++9kYuaT/z3YDdJ6RYsWo4nw/7rRCdUgRjHkGhwUmrSyhx8lAS2e3E9VPrzLEwqRpfyatE88uWSH44vwFwll1418SvBCvv9+lr6WlYPXqbZOQmDjGYQUrC6hhUqSi4ai/dncqNNOAEN23PVwbidy/0U3XC0YRkoOKbBnvhbSR5TGgl/O7dH8fnJOxBTtOTPlhebLSu1qxlpJARsVWECwc52CGdA/OYCJSolYRWTwemxxdqTUO5nj+wxLczhJopZu3d6zDifA+xOaYvOSKnL//dZ0Ss+wMdUEp72a8oSdjVHbRncbVtIIFh/IJ4klem0w3jybzMdpFKe4KY36HDNkklg2b7idtPRfvSLSNlb2EGCqQru+23iHlQRPdib4TuI7nzqgfXA9R4X8qp6+KaQ6ONumFCIgG0VEhwfUUO2ur+3kCaDtxtkAxR80kITQWIarSRHluXAYiA=
IronPort-HdrOrdr: A9a23:XN2GM6Cg6tEGwtPlHel155DYdb4zR+YMi2TDtnoBNCC9F/byqynAppUmPGDP+VAssR0b9exoe5PwOE80jKQFmrX5ZI3SJjUO21HYUL2Kj7GD/9SIIUSXnNK1s50OT0EUMrDN5DZB4/oTnWGDYq4dKQ28gcKVbZu39QYLcegTUdAC0+6PMHf+LqTefngiOaYE
X-IronPort-AV: E=Sophos;i="5.87,241,1631570400"; d="scan'208,217";a="4125681"
Received: from vulpes.inrialpes.fr (HELO smtpclient.apple) ([194.199.28.46]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Nov 2021 14:38:18 +0100
From: Vincent Roca <vincent.roca@inria.fr>
Message-Id: <66A97B88-777B-43D5-A0B2-02ACB8297378@inria.fr>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4EE8E56C-ED42-40E2-8ADE-2FC714D08993"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Wed, 17 Nov 2021 14:38:17 +0100
In-Reply-To: <83B0FF38-8180-4B5D-AE41-48E8AB7DA4A6@gmx.com>
Cc: Vincent Roca <vincent.roca@inria.fr>, secdir@ietf.org, dhcwg <dhcwg@ietf.org>, draft-ietf-dhc-dhcpv6-yang.all@ietf.org, last-call@ietf.org
To: ianfarrer@gmx.com
References: <163713848820.18649.9224727643938761782@ietfa.amsl.com> <83B0FF38-8180-4B5D-AE41-48E8AB7DA4A6@gmx.com>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/QTq2bScekt-hIOyT7T7pBu--LZI>
Subject: Re: [dhcwg] Secdir last call review of draft-ietf-dhc-dhcpv6-yang-23
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Dynamic Host Configuration <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Nov 2021 13:38:28 -0000

Thank you for your quick answer Ian.


> Hi Vincent,
> 
> Many thanks for your review. Please see inline below.
> 
> Cheers,
> Ian
> 
>> On 17. Nov 2021, at 09:41, Vincent Roca via Datatracker <noreply@ietf.org <mailto:noreply@ietf.org>> wrote:
>> 
>> Reviewer: Vincent Roca
>> Review result: Not Ready
>> 
>> Hello,
>> 
>> I have reviewed this document as part of the security directorate’s ongoing
>> effort to review all IETF documents being processed by the IESG. These
>> comments were written primarily for the benefit of the security area
>> directors.  Document editors and WG chairs should treat these comments just
>> like any other last call comments.
>> 
>> Summary: Not Ready
>> 
>> The Security Considerations section is globally well written, with links to
>> appropriate documents. However, a few clarifications would be welcome IMHO.
>> 
>> It is said: "An attacker who is able to access the DHCPv6 server" (resp. relay).
>> It's not just a matter of accessing the server (resp. relay).
>> As I understand it's more a matter of taking the control of the server (resp.
>> relay), which is different. Please clarify.
> 
> [if - I propose:
> 
> Old:
> An attacker who is able to access the DHCPv6 server can undertake
>    various attacks, such as:
> 
> New:
> An attacker with read/write access the DHCPv6 server can undertake
>    various attacks, such as:
> 
> Same change for the relay text."
> ]

VR: yes, I now understand what you meant. 


>> Then, the current text only mentions "denial of services" among the possible
>> consequences. DoS are rapidly identified and fixed, and anyway, an attacker
>> having full control on the DHCP server has other options to launch a DoS. I'd
>> be more concerned by subtle attacks that could be used to exfiltrate sensitive
>> information (maybe by redirecting to a rogue server?), or to create excessive
>> traffic (maybe by changing the valid-lifetime?), or to create subtle
>> dysfunctions (e.g., assigning the same IP to different clients), etc.
> 
> [if - The subtle attacks are properties of the DHCPv6 protocol and the elements which provide it,
> rather than specifically associated with NETCONF/YANG or other methods by which those elements are configured
> and managed. The text currently has:
> 
> "Security considerations related to DHCPv6 are discussed in [RFC8415].”
> 
> Do you think this covers it?]

VR: if I follow your logic and if I correctly understand, DoS attacks are already discussed
in RFC 8415 and could be removed from this document since there’s nothing specific to YANG.
My point is to highlight that risks are not limited to DoS, unlike what is currently suggested. 

Maybe:

Old:
   *  Various attacks based on re-configuring the contents of DHCPv6
      options.  For example, changing the address of a the DNS server
      supplied in a DHCP option to point to a rogue server.

New:
   *  Various attacks based on re-configuring the contents of DHCPv6
      options, leading to several types of security or privacy threats.  
      For example, changing the address of a the DNS server
      supplied in a DHCP option to point to a rogue server.


>> Another example: an attacker may gather information about clients, network
>> topology and network devices (e.g., by looking at the OUI part of the MAC
>> address). Such information can be highly helpful when preparing an orchestrated
>> attack towards a target company. If this is simplified by the YANG based
>> configuration in some way (I think so but you have a better understanding than
>> me), then it's worth mentioning.
> 
> [if - The current Security Considerations text contains the following:
> 
> "   Some of the readable data nodes in this YANG module may be considered
>    sensitive or vulnerable in some network environments.  Therefore, it
>    is important to control read access (e.g., only permitting get, get-
>    config, or notifications) to these data nodes.  These subtrees and
>    data nodes can be misused to track the activity of a host:
> 
>    *  Information the server holds about clients with active leases:
>       (dhc6-srv/allocation-ranges/allocation-range/address-pools/
>       address-pool/active-leases)
> 
>    *  Information the relay holds about clients with active leases:
>       (dhc6-rly/relay-if/prefix-delegation/)
> 
> MAC address/Client DUIDs and other client state information is held as part of these sub-trees.
> 
> RFC7824 specfically covers DHCPv6 Privacy Considerations in some detail, so I can add
> The following text:
> 
> “[RFC7824] covers privacy considerations for DHCPv6 and is applicable here."
> ]

VR: indeed, RFC 7824 is a key reference and must be referenced by your document.
	Thanks for adding it.


>> To summarize, I have the feeling the current text could better illustrate some
>> of the consequences of attacks, beyond DoS attacks.
>> 
>> Minor comments:
>> 
>> - Section 5: remove "a" or "the" in:
>>        "changing the address of a the DNS server"
> 
> [if - done]
> 
>> 
>> - Section 5: "re-configuring messages" is ambiguous.
>>        I think "forwarding messages to a rogue server after modifying the
>>        'server-address'" (I think this is what is meant) would be more
>>        appropriate.
> 
> [if - I’ve changed to the following:
> 
> Modifying the relay's "destination-address" to send               
>           messages to a rogue DHCPv6 server. 
> ]

VR: yes.

> 
>> - intro:
>>        "...which is applicable device's interfaces."
>>        May be: "applicable to ..."
> 
> [if - done]
> 
>> 
>> - intro, 1st paragraph:
>>        You should choose to either expand both NETCONF and RESTCONF acronyms,
>>        or none of them.
> 
> [if - AFAIK, RESTCONF does not have an expanded acronym (there isn’t one given in RFC8040)
> The RFC Editor’s list of acronyms (https://www.rfc-editor.org/materials/abbrev.expansion.txt <https://www.rfc-editor.org/materials/abbrev.expansion.txt>) has the following:
> 
> NETCONF    - Network Configuration Protocol (NETCONF) 
> RESTCONF   - No Expansion 
> ]

VR: okay, forget what I said, I was not aware.

Cheers,

   Vincent

v2.23.0 | Report a Bug | By Email