Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-dhc-dhcpv6-failover-protocol-04: (with DISCUSS and COMMENT)

kkinnear <kkinnear@cisco.com> Wed, 01 February 2017 16:28 UTC

Return-Path: <kkinnear@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 796CE1294D6; Wed, 1 Feb 2017 08:28:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.72
X-Spam-Level:
X-Spam-Status: No, score=-17.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id suIAsJFdaFnU; Wed, 1 Feb 2017 08:28:30 -0800 (PST)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6458A1294D2; Wed, 1 Feb 2017 08:28:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7689; q=dns/txt; s=iport; t=1485966510; x=1487176110; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=1qw18UclONluZrxyGd4pptRfJr63C5hOGxMJKyF7Rd8=; b=JIFb0Tf7z9EpeCj5qr54lfR/eB2OWnD15hzjeXBGoaD1RoSMbaI7i8G2 Dvgrr7GSFWGnUsafO4rUGGnVrR+MMmwt4EdM+IfmNJmDGBB2E0zrHUm7q mPiaJOA/mLeiHcfLbtM2wwkhzqy37Lf2GsU83SbZWaGFuVPvo2CXGdyvu o=;
X-IronPort-AV: E=Sophos;i="5.33,320,1477958400"; d="scan'208";a="203286801"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 01 Feb 2017 16:28:29 +0000
Received: from bxb-kkinnear-8814.cisco.com (bxb-kkinnear-8814.cisco.com [10.98.10.245]) (authenticated bits=0) by alln-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id v11GSShD014637 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 1 Feb 2017 16:28:28 GMT
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: kkinnear <kkinnear@cisco.com>
In-Reply-To: <148590541849.5999.8358163403846302600.idtracker@ietfa.amsl.com>
Date: Wed, 1 Feb 2017 11:28:27 -0500
Content-Transfer-Encoding: 7bit
Message-Id: <DB565EB8-D133-4858-9990-39890BA55D4F@cisco.com>
References: <148590541849.5999.8358163403846302600.idtracker@ietfa.amsl.com>
To: Ben Campbell <ben@nostrum.com>
X-Mailer: Apple Mail (2.3124)
X-Authenticated-User: kkinnear@cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/ykLo54kYEp4ccUozwhfnWHd46Nc>
Cc: Bernie Volz <volz@cisco.com>, dhc-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-dhc-dhcpv6-failover-protocol@ietf.org, dhcwg@ietf.org, Kim Kinnear <kkinnear@cisco.com>
Subject: Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-dhc-dhcpv6-failover-protocol-04: (with DISCUSS and COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Feb 2017 16:28:32 -0000

Ben,

Thanks for the review.  My comments are indented below.

> On Jan 31, 2017, at 6:30 PM, Ben Campbell <ben@nostrum.com>; wrote:
> 
> Ben Campbell has entered the following ballot position for
> draft-ietf-dhc-dhcpv6-failover-protocol-04: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-dhc-dhcpv6-failover-protocol/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> I think the security considerations need some elaboration. The draft says
> "When operating in secure mode...", but it doesn't discuss when one might
> want to run in secure more vs non-secure mode. It would be helpful to
> discuss actual threats. You mention TCP DoS attacks, but, for example,
> can an eavesdropper learn sensitive or private information? Is there a
> risk of someone impersonating a partner? Tampering with messages on the
> network?
> 
> There's a mention of using TLS certs for authentication/authorization,
> but I think there's more to be said there. Is there any authentication or
> authorization if you aren't using secure mode? How do you match a TLS
> certificate to the partner name?
> 
> The section opens saying that the security considerations from 3315 and
> 3633 apply, but I doubt either of those contemplated that you would be
> sending DHCP messages over TCP connections between partner servers.

  While I could try to answer your questions directly, it seemed like
  offering an augmented Security Considerations section might be more
  useful.  This takes into account both your comments and Kathleen
  Moriarty's comments as well:


   DHCPv6 failover is an extension of a standard DHCPv6 protocol, so
   all security considerations from [RFC3315], Section 23 and
   [RFC3633], Section 15 related to the server apply.

   The use of TCP introduces some additional concerns.  Attacks that
   attempt to exhaust the DHCP server's available TCP connection
   resources can compromise the ability of legitimate partners to
   receive service.  Malicious requestors who succeed in establishing
   connections but who then send invalid messages, partial messages,
   or no messages at all can also exhaust a server's pool of available
   connections.

   DHCPv6 failover can operate in secure or insecure mode.  Secure
   mode (using TLS) would be indicated when the TCP connection between
   failover partners is open to external monitoring or interception.
   Insecure mode should only be used when the TCP connection between
   failover partners remains within set of protected systems.  Details
   of such protections are beyond the scope of this document.

   The threats created by using failover directly mirror those from
   using DHCPv6 itself: information leakage through monitoring, and
   disruption of address assignment and configuration.  Monitoring the
   failover TCP connection provides no additional data beyond that
   available from monitoring the interactions between DHCPv6 clients
   and the DHCPv6 server.  Likewise, manipulating the data flow
   between failover servers provides no additional opportunities to
   disrupt address assignment and configuration beyond that provided
   by acting as a counterfeit DHCP server.  Protection from both
   threats is easier than with basic DHCPv6, as only a single TCP
   connection needs to be protected.  Either use secure mode to
   protect that TCP connection or ensure that it can only exist with a
   set of protected systems.

   When operating in secure mode, TLS [RFC5246] is used to secure the
   connection.  The recommendations in [RFC7525] SHOULD be followed
   when negotiating a TLS connection.

   Servers SHOULD offer configuration parameters to limit the sources
   of incoming connections through validation and use of the digital
   certificates presented to create a TLS connection.  They SHOULD
   also limit the number of accepted connections and limit the period
   of time during which an idle connection will be left open.

   Authentication for DHCPv6 messages [RFC3315] MUST NOT be used to
   attempt to secure transmission of the messages described in this
   document.  If authentication is desired, secure mode using TLS
   SHOULD be employed as described in Sections 8.2 and 9.1 of
   [RFC7653]


> 
> 
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> - 6.1.3: I'm confused by the procedure for checking
> OPTION_F_PROTOCOL_VERSION in the CONNECTREPLY message. The secondary
> already checked that it supported the version in the CONNECT message; why
> does the primary need to check it again? Is it expected that the
> secondary might choose to send a different version in the CONNECTREPLY
> than it received in CONNECT? Is it possible that the partners use
> different protocol versions at the same time?
> 
> 

  The intent here is that each server tells the other server what
  protocol version that it will be sending, and also has the
  opportunity to accept or reject the version that that other server
  is sending.  As noted in Section 5.5.14, there is a major/minor
  component to the protocol version.  Each server is expected to have
  a range of acceptable major (and, possibly, minor) versions on
  reception.  So, each server gets to see what the other server will
  be sending and accept or reject the connection based on that
  information.  The secondary accepts or rejects that primary's
  version, and the primary gets to do the same with the secondary.

  So, yes, they might send different versions to each other.  Future
  revisions of this document will define interoperability requirements
  when new versions are created, the details can't be known at this
  point.  We just want to create a way to at least communicate the
  information from the outset.

  I will add this Section 6.1.1 (for the primary sending CONNECT):

   o  OPTION_F_PROTOCOL_VERSION containing the protocol version
      that the primary server will use when sending failover messages.

  and this to Section 6.1.2 (for the secondary sending CONNECTREPLY):

   o  OPTION_F_PROTOCOL_VERSION containing the protocol version being
      used by the secondary server when sending failover messages.

  and this to Section 6.1.3 (primary receiving the CONNECTREPLY):

   o  OPTION_F_PROTOCOL_VERSION - The primary server decides if the
      protocol version in use by the secondary server is supported by
      the primary server.  If it is not, send a DISCONNECT message and
      drop the connection.  If it is supported, continue processing.
      It is possible that the primary and secondary server will each
      be sending different version of the protocol to the other
      server.  The extent to which this is supported will be in part
      defined by as yet unknown differences in the protocols that the
      versions represent, and in part by the capabilities of the two
      implementations involved in the failover relationship.

Again, thanks for the review.

Kim