Re: [Dime] FW: SECDIR review of draft-ietf-dime-nat-control-07
"Frank Brockners (fbrockne)" <fbrockne@cisco.com> Thu, 30 June 2011 10:09 UTC
Return-Path: <fbrockne@cisco.com>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCDF521F86A6 for <dime@ietfa.amsl.com>; Thu, 30 Jun 2011 03:09:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id so4bHFhreILJ for <dime@ietfa.amsl.com>; Thu, 30 Jun 2011 03:09:22 -0700 (PDT)
Received: from ams-iport-2.cisco.com (ams-iport-2.cisco.com [144.254.224.141]) by ietfa.amsl.com (Postfix) with ESMTP id 5CE6121F859F for <dime@ietf.org>; Thu, 30 Jun 2011 03:09:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=fbrockne@cisco.com; l=5290; q=dns/txt; s=iport; t=1309428561; x=1310638161; h=mime-version:content-transfer-encoding:subject:date: message-id:from:to; bh=TKhxfO4C7jxVNjJZ/FvzhrFddiXkGlsybvnbrNFLZnE=; b=mBCO8V9RGVT7QOn3DeNh6ZqP6ZMVXX2QnGu9Z4qfPlr7wV626MUF/IV4 7qeoVguQSTeWsGWTt49BLTLqum2vOYhrMu57G+FS2Z+8v+XtQ4itwKAHH McAgUCRsWQ38BgQ/ZkqYJXBDf3JdpPu26NhtqKsOS4v3OAh3BsNr6Byd0 Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvkAAGxKDE6Q/khM/2dsb2JhbABFDZgkjy93qXKeFYMggxEEly6LMQ
X-IronPort-AV: E=Sophos;i="4.65,449,1304294400"; d="scan'208";a="39991068"
Received: from ams-core-3.cisco.com ([144.254.72.76]) by ams-iport-2.cisco.com with ESMTP; 30 Jun 2011 10:09:20 +0000
Received: from xbh-ams-101.cisco.com (xbh-ams-101.cisco.com [144.254.74.71]) by ams-core-3.cisco.com (8.14.3/8.14.3) with ESMTP id p5UA9KZC014991; Thu, 30 Jun 2011 10:09:20 GMT
Received: from xmb-ams-106.cisco.com ([144.254.74.81]) by xbh-ams-101.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 30 Jun 2011 12:09:20 +0200
X-Mimeole: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 30 Jun 2011 12:09:18 +0200
Message-ID: <0D212BD466921646B58854FB79092CEC061BB655@XMB-AMS-106.cisco.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Dime] FW: SECDIR review of draft-ietf-dime-nat-control-07
Thread-Index: AcveXoAI4/NYzV6BSlyRghF9Op12ZQAG6YMwAABq4TAWJF9PgA==
From: "Frank Brockners (fbrockne)" <fbrockne@cisco.com>
To: dime@ietf.org, mlepinsk@bbn.com
X-OriginalArrivalTime: 30 Jun 2011 10:09:20.0472 (UTC) FILETIME=[C74D0D80:01CC370D]
Subject: Re: [Dime] FW: SECDIR review of draft-ietf-dime-nat-control-07
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jun 2011 10:09:23 -0000
FYI. I've just posted a revision (draft-ietf-dime-nat-control-08), which now includes an extended security section - closely following Matt's comments (Matt, thanks again for the very detailed comments). Regards, Frank > > -----Original Message----- > > From: dime-bounces@ietf.org [mailto:dime-bounces@ietf.org] On Behalf > Of > > Romascanu, Dan (Dan) > > Sent: Wednesday, March 09, 2011 5:51 PM > > To: dime@ietf.org > > Subject: [Dime] FW: SECDIR review of draft-ietf-dime-nat-control-07 > > > > > > > > > > -----Original Message----- > > From: Matt Lepinski [mailto:mlepinsk@bbn.com] > > Sent: Wednesday, March 09, 2011 3:33 PM > > To: draft-ietf-dime-nat-control.all@tools.ietf.org; iesg@ietf.org; > > secdir@ietf.org > > Subject: SECDIR review of draft-ietf-dime-nat-control-07 > > > > I have reviewed this document as part of the security directorate's > > ongoing effort to review all IETF documents being processed by the > > IESG. > > These comments were written primarily for the benefit of the security > > area directors. Document editors and WG chairs should treat these > > comments just like any other last call comments. > > > > This document defines a Diameter application whereby a Diameter NAT > > Control Application (DNCA) server (either a AAA server or a Network > > Access Server) can control a DNCA client (either a NAT or NAPT > device). > > For example, the DNCA server can determine the number of port > bindings > > available to a given host, cause the allocation of particular NAT > > bindings, define the external address pool used for by the NAT > device, > > or generate reports used for accounting purposes. > > > > The principle security concern is that an unauthorized (or > > unauthenticated) DNCA server could effect a denial of service of > attack > > on any or all hosts using a NAT/NAPT device in several ways. (E.g., > an > > unauthorized server could exhaust resources in the NAPT device, set > > maximum bindings to zero for all hosts, provide a set of external > > addresses that are in use elsewhere in the network, etc.) An > additional > > concern is that an unauthenticated DNCA client could provide > incorrect > > reporting data to the DNCA server to prevent correct accounting > within > > the system. Therefore, the NAT control application requires mutual > > authentication, authorization of the DNCA server, and integrity > > protection of the Diameter messages in the DNCA interaction. > > Additionally, the application may require confidentiality depending > on > > the deployment scenario and, particularly, how authorization is > > accomplished. > > > > The Security Considerations section of the document claims that > > security > > considerations are essentially the same as in the Diameter QoS (RFC > > 5866). I agree with the authors that the security concerns for > Diameter > > NAT Control are very similar to the security concerns for Diameter > QoS, > > but I think the additional layer of indirection is not helpful to the > > reader. (In particular, the NAT Control Application has no > dependencies > > on the Diameter QoS document. Therefore it is reasonable to believe > > that > > an implementer of Diameter NAT Control may not be familiar with the > > Diameter QoS document.) I would recommend that the authors add > > additional text explaining why mutual authentication, server > > authorization, and message integrity are required (copying a bit of > > text > > from RFC 5866 may be appropriate). Then I would recommend that the > > authors cite the Diameter specification (RFC 3588) for a discussion > of > > how IPsec or TLS can be used to obtain these security properties. (To > > me, this seems preferable to sending a reader to RFC 5866 for > > discussion > > of required security properties, which in turn sends the reader to > RFC > > 3588 for an information on the use of IPsec or TLS to achieve these > > properties.) > > > > Finally, the end of the security considerations section claims that > > "Authorization between DNCA Agent and > > DNCA Manager is beyond the scope of this document". I understand > > that the authors do not want to mandate a particular mechanism for > > making an authorization decision. That being said, providing some > > guidance as to how a DNCA client would determine if a DNCA server > were > > authorized to issue NAT control commands. I imagine in practice that > > the > > way authorization is accomplished is that the NAT/NAPT device stores > a > > local authorization policy. (E.g., the device stores a list of server > > identities that authorized, and then once the server has been > > authenticated its identity can be checked against the list). At the > > very > > least having text analogous to first paragraph of RFC 5866 Section 11 > > would be helpful (RFC 5866 says the device making the authorization > > decision needs to have sufficient information to make this decision > and > > then provides examples of where this information would come from.) > > > > - Matt Lepinski > > > > > > > > _______________________________________________ > > DiME mailing list > > DiME@ietf.org > > https://www.ietf.org/mailman/listinfo/dime
- [Dime] FW: SECDIR review of draft-ietf-dime-nat-c… Jouni Korhonen
- [Dime] FW: SECDIR review of draft-ietf-dime-nat-c… Romascanu, Dan (Dan)
- Re: [Dime] FW: SECDIR review of draft-ietf-dime-n… Frank Brockners (fbrockne)