Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-dhc-dhcpv6-failover-protocol-04: (with DISCUSS and COMMENT)
kkinnear <kkinnear@cisco.com> Wed, 01 February 2017 16:28 UTC
Return-Path: <kkinnear@cisco.com>
X-Original-To: dhcwg@ietfa.amsl.com
Delivered-To: dhcwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 796CE1294D6; Wed, 1 Feb 2017 08:28:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.72
X-Spam-Level:
X-Spam-Status: No, score=-17.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-3.199, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id suIAsJFdaFnU; Wed, 1 Feb 2017 08:28:30 -0800 (PST)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6458A1294D2; Wed, 1 Feb 2017 08:28:30 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7689; q=dns/txt; s=iport; t=1485966510; x=1487176110; h=mime-version:subject:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=1qw18UclONluZrxyGd4pptRfJr63C5hOGxMJKyF7Rd8=; b=JIFb0Tf7z9EpeCj5qr54lfR/eB2OWnD15hzjeXBGoaD1RoSMbaI7i8G2 Dvgrr7GSFWGnUsafO4rUGGnVrR+MMmwt4EdM+IfmNJmDGBB2E0zrHUm7q mPiaJOA/mLeiHcfLbtM2wwkhzqy37Lf2GsU83SbZWaGFuVPvo2CXGdyvu o=;
X-IronPort-AV: E=Sophos;i="5.33,320,1477958400"; d="scan'208";a="203286801"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by rcdn-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 01 Feb 2017 16:28:29 +0000
Received: from bxb-kkinnear-8814.cisco.com (bxb-kkinnear-8814.cisco.com [10.98.10.245]) (authenticated bits=0) by alln-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id v11GSShD014637 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 1 Feb 2017 16:28:28 GMT
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: kkinnear <kkinnear@cisco.com>
In-Reply-To: <148590541849.5999.8358163403846302600.idtracker@ietfa.amsl.com>
Date: Wed, 01 Feb 2017 11:28:27 -0500
Content-Transfer-Encoding: 7bit
Message-Id: <DB565EB8-D133-4858-9990-39890BA55D4F@cisco.com>
References: <148590541849.5999.8358163403846302600.idtracker@ietfa.amsl.com>
To: Ben Campbell <ben@nostrum.com>
X-Mailer: Apple Mail (2.3124)
X-Authenticated-User: kkinnear@cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/ykLo54kYEp4ccUozwhfnWHd46Nc>
Cc: Bernie Volz <volz@cisco.com>, dhc-chairs@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-dhc-dhcpv6-failover-protocol@ietf.org, dhcwg@ietf.org, Kim Kinnear <kkinnear@cisco.com>
Subject: Re: [dhcwg] Ben Campbell's Discuss on draft-ietf-dhc-dhcpv6-failover-protocol-04: (with DISCUSS and COMMENT)
X-BeenThere: dhcwg@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: <dhcwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dhcwg/>
List-Post: <mailto:dhcwg@ietf.org>
List-Help: <mailto:dhcwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dhcwg>, <mailto:dhcwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Feb 2017 16:28:32 -0000
Ben, Thanks for the review. My comments are indented below. > On Jan 31, 2017, at 6:30 PM, Ben Campbell <ben@nostrum.com> wrote: > > Ben Campbell has entered the following ballot position for > draft-ietf-dhc-dhcpv6-failover-protocol-04: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-dhc-dhcpv6-failover-protocol/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > I think the security considerations need some elaboration. The draft says > "When operating in secure mode...", but it doesn't discuss when one might > want to run in secure more vs non-secure mode. It would be helpful to > discuss actual threats. You mention TCP DoS attacks, but, for example, > can an eavesdropper learn sensitive or private information? Is there a > risk of someone impersonating a partner? Tampering with messages on the > network? > > There's a mention of using TLS certs for authentication/authorization, > but I think there's more to be said there. Is there any authentication or > authorization if you aren't using secure mode? How do you match a TLS > certificate to the partner name? > > The section opens saying that the security considerations from 3315 and > 3633 apply, but I doubt either of those contemplated that you would be > sending DHCP messages over TCP connections between partner servers. While I could try to answer your questions directly, it seemed like offering an augmented Security Considerations section might be more useful. This takes into account both your comments and Kathleen Moriarty's comments as well: DHCPv6 failover is an extension of a standard DHCPv6 protocol, so all security considerations from [RFC3315], Section 23 and [RFC3633], Section 15 related to the server apply. The use of TCP introduces some additional concerns. Attacks that attempt to exhaust the DHCP server's available TCP connection resources can compromise the ability of legitimate partners to receive service. Malicious requestors who succeed in establishing connections but who then send invalid messages, partial messages, or no messages at all can also exhaust a server's pool of available connections. DHCPv6 failover can operate in secure or insecure mode. Secure mode (using TLS) would be indicated when the TCP connection between failover partners is open to external monitoring or interception. Insecure mode should only be used when the TCP connection between failover partners remains within set of protected systems. Details of such protections are beyond the scope of this document. The threats created by using failover directly mirror those from using DHCPv6 itself: information leakage through monitoring, and disruption of address assignment and configuration. Monitoring the failover TCP connection provides no additional data beyond that available from monitoring the interactions between DHCPv6 clients and the DHCPv6 server. Likewise, manipulating the data flow between failover servers provides no additional opportunities to disrupt address assignment and configuration beyond that provided by acting as a counterfeit DHCP server. Protection from both threats is easier than with basic DHCPv6, as only a single TCP connection needs to be protected. Either use secure mode to protect that TCP connection or ensure that it can only exist with a set of protected systems. When operating in secure mode, TLS [RFC5246] is used to secure the connection. The recommendations in [RFC7525] SHOULD be followed when negotiating a TLS connection. Servers SHOULD offer configuration parameters to limit the sources of incoming connections through validation and use of the digital certificates presented to create a TLS connection. They SHOULD also limit the number of accepted connections and limit the period of time during which an idle connection will be left open. Authentication for DHCPv6 messages [RFC3315] MUST NOT be used to attempt to secure transmission of the messages described in this document. If authentication is desired, secure mode using TLS SHOULD be employed as described in Sections 8.2 and 9.1 of [RFC7653] > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > - 6.1.3: I'm confused by the procedure for checking > OPTION_F_PROTOCOL_VERSION in the CONNECTREPLY message. The secondary > already checked that it supported the version in the CONNECT message; why > does the primary need to check it again? Is it expected that the > secondary might choose to send a different version in the CONNECTREPLY > than it received in CONNECT? Is it possible that the partners use > different protocol versions at the same time? > > The intent here is that each server tells the other server what protocol version that it will be sending, and also has the opportunity to accept or reject the version that that other server is sending. As noted in Section 5.5.14, there is a major/minor component to the protocol version. Each server is expected to have a range of acceptable major (and, possibly, minor) versions on reception. So, each server gets to see what the other server will be sending and accept or reject the connection based on that information. The secondary accepts or rejects that primary's version, and the primary gets to do the same with the secondary. So, yes, they might send different versions to each other. Future revisions of this document will define interoperability requirements when new versions are created, the details can't be known at this point. We just want to create a way to at least communicate the information from the outset. I will add this Section 6.1.1 (for the primary sending CONNECT): o OPTION_F_PROTOCOL_VERSION containing the protocol version that the primary server will use when sending failover messages. and this to Section 6.1.2 (for the secondary sending CONNECTREPLY): o OPTION_F_PROTOCOL_VERSION containing the protocol version being used by the secondary server when sending failover messages. and this to Section 6.1.3 (primary receiving the CONNECTREPLY): o OPTION_F_PROTOCOL_VERSION - The primary server decides if the protocol version in use by the secondary server is supported by the primary server. If it is not, send a DISCONNECT message and drop the connection. If it is supported, continue processing. It is possible that the primary and secondary server will each be sending different version of the protocol to the other server. The extent to which this is supported will be in part defined by as yet unknown differences in the protocols that the versions represent, and in part by the capabilities of the two implementations involved in the failover relationship. Again, thanks for the review. Kim