[Int-area] Benjamin Kaduk's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Wed, 22 January 2020 00:21 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: int-area@ietf.org
Delivered-To: int-area@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id A576F1200C3; Tue, 21 Jan 2020 16:21:17 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-intarea-provisioning-domains@ietf.org, Erik Kline <ek@loon.com>, intarea-chairs@ietf.org, ek@loon.com, int-area@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.116.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <157965247766.28967.928252459729282133.idtracker@ietfa.amsl.com>
Date: Tue, 21 Jan 2020 16:21:17 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/3liDrk7DNFrMMjEF6le4p0BWCfY>
Subject: [Int-area] Benjamin Kaduk's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Jan 2020 00:21:18 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-intarea-provisioning-domains-10: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-intarea-provisioning-domains/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Alexey basically already noted this in his Comment, but I'll elevate it to a Discuss: the usage of TLS for retrieving PvD Additional Information is not really completely specified -- generally in this sort of case where there's a (provisioning) domain name to authenticate we'd expect to require that the server present a certificate with DNS-ID [RFC6125] that matches the expected name. We could also cite RFC 7525 for TLS best practices and/or make a TLS version recommendation (i.e., 1.3). There seems to be a missing step in the binding of the PvD ID to the actual usage, or rather, we are making stronger statements about authenticity than the technology seems to justify. While we can verify that the TLS certificate used to access the additional information matches with the PvD ID provided, there doesn't seem to be a step to validate that the PvD ID in question is applicable for the current network environment. The prefix match helps some, but (to first order) only for globally-routable prefixes in the absence of NAT. Malicious routers (e.g., coffeeshop wifi) can fairly easily implement NAT66 and circumvent host-side countermeasures; tunneling traffic through to a compromised host actually in the target PvD would allow circumvention of the TLS-server-side countermeasures. I have some suggested rewordings in the Comment section that should bring the claims in line with what is actually provided. (As something of a side note, it seems that the JOSE/signature scheme discussed in the secdir review thread, that does have a tighter binding to the local network with the PvD, could defeat the caching attack discussed there by having the host supply a nonce in the RS and including that in the signed response, but that requires a lot of expensive signatures and has some challenging key-management problems. So it doesn't seem worth pursuing, even though it's attractive to make more use of the network locality.) The IANA Considerations for PvD Option Flags indicates that bits 0 to 15 are managed by IANA, but I think there are only 12 bits available due to the 4-bit Delay field. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Section 3.1 Do we want to give any guidance about what to put for the Sequence Number (and/or Delay) when the H-bit is not set? IIUC they are only relevant for the fetching of additional data. R-flag: (1 bit) 'Router Advertisement' flag stating whether the PvD Option is followed (right after padding to the next 64 bits boundary) by a Router Advertisement message header (see section 4.2 of [RFC4861]). The usage of the inner message header is described in Section 3.4. nit(?): I'd be wary of saying "PvD option is followed", since IIUC the inner RA header and subsequent options are still part of "the PvD option". Section 3.2 In order to provide multiple different PvDs, a router MUST send multiple RAs. If more than one different Implicit PvD is advertised, the RAs MUST be sent from different link-local source addresses. This seems to imply that implicit PvDs can be advertised via the PvD RA, but the only contents specified for the "PvD ID FQDN" field thereof is a DNS-format FQDN, and we don't say how to construct one of those for an implicit PvD. I think the intent is just to say that "RAs sent from different link-local source addresses establish distinct implicit PvDs, in the absence of a PvD Option". Section 3.4 received RA otherwise. If an RA message header is present both within the PvD Option and outside it, as indicated by the R-flag, the header within the PvD Option takes precedence. Why is the R-flag relevant? Similarly, hosts MUST associate all network configuration objects (e.g., default routers, addresses, more specific routes, DNS Recursive Resolvers) with the PvD associated with the RA which last updated the object. For example, addresses that are generated using a received Prefix Information option (PIO) are associated with the PvD of the last received RA which included the given PIO. I'm not sure I'm parsing the first sentence as intended. For any given configuration object, there will be an RA which has most-recently updated that object ("last updated the object"); that RA has some associated PvD, whether via explicit PvD ID option or assignment of implicit PvD. It sounds like this is telling me to associate the object with the aforementioned PvD, so that "last PvD wins" for any given object, but this seems at odds with the idea of having multiple PvDs active at once, with separate configurations. So I'm not sure that the "last updated" phrasing is giving the right impression. While resolving names, executing the default address selection algorithm [RFC6724] or executing the default router selection algorithm when forwarding packets ([RFC4861], [RFC4191] and Is this an exhaustive list? [RFC8028]), hosts and applications MAY consider only the configuration associated with any non-empty subset of PvDs. For example, a host MAY associate a given process with a specific [...] nit: maybe these should not be separate paragraphs? Section 3.4.1 When a host retrieves stateful assignments using DHCPv6, such assignments MUST be associated with the received PvD which was received with RAs with the M-flag set and including a matching PIO. Is there a reason to use different language here than the previous paragraph (which was "all the explicit and implicit PvDs received on the same interface and [stuff about the RA]")? In cases where an address would be assigned by DHCPv6 and no matching PvD could be found, hosts MAY associate the assigned address with any implicit PvD received on the same interface or to multiple of implicit PvD received on the same interface. This is intended to resolve backward compatibility issues with rare deployments choosing to assign addresses with DHCPv6 while not sending any matching PIO. Wouldn't backwards compatibility be better if we specified "all implicit PvD on the same interface" rather than leaving things in a nondeterministic state? Section 3.4.2 When a PvD-aware host retrieves configuration elements from DHCPv4, the information is associated either with a single Explicit PvD on that interface, or else with all Implicit PvDs on the same interface. This is further specified in the following two paragraphs, right? So maybe "as detailed below" would help the reader. Section 3.4.4 PvD-aware hosts can be provisioned with recursive DNS servers via RA options passed within an Explicit PvD, via RA options associated with an Implicit PvD, via DHCPv6 or DHCPv4, or from some other provisioning mechanism that creates an Implicit PvD (such as a VPN). nit: didn't we say that IPsec VPNs were explicit PvDs? If so, they will not be provisioning recursive DNS servers via RA options, and thus are not covered by any of the items in this listing. In all of these cases, the recursive DNS server addresses SHOULD be associated with the corresponding PvD. Specifically, queries sent to a configured recursive DNS server SHOULD be sent from a local IP address that was provisioned by the PvD via RA or DHCP. Answers nit: are they provisioned "by" the PvD" or "with"/"for" the PvD? PvD-aware applications will be able to select which PvD(s) to use for DNS resolution and connections, which allows them to effectively use multiple Explicit PvDs. In order to support non-PvD-aware applications, however, PvD-aware hosts SHOULD ensure that non-PvD- aware name resolution APIs like "getaddrinfo" only use resolvers from a single PvD for each query. Handling DNS across PvDs is discussed just to check: this SHOULD is only at a per-API-call level, and subsequent calls to getaddrinfo (even with the same arguments) are permitted to use results from different PvDs? I would have naievly expected that the "default PvD" used for such non-PvD-aware applications would be relatively stable over time... Section 4 This JSON object is restricted to the restricted profile of I-JSON, as defined in [RFC7493]. nit: I-JSON is a restricted profile of JSON, but does not itself has a "restricted profile" subset, so I'd suggest just "is restricted to the I-JSON profile". Section 4.1 Note that the DNS name resolution of the PvD ID, the PKI (Public Key Infrastructure) checks as well as the actual query MUST be performed using the considered PvD. In other words, the name resolution, PKI nit(?): I am not sure if these "PKI checks" are supposed to be DNSSEC or the TLS validation. I don't think we previously discussed having separate per-PvD TLS trust anchors, which mostly leads me to assume DNSSEC PKI, but greater clarity in the document would be welcome. If the HTTP status of the answer is greater than or equal to 400 the host MUST abandon and consider that there is no additional PvD information. If the HTTP status of the answer is between 300 and nit: "abandon" is a transitive verb and requires an object. 399, inclusive, it MUST follow the redirection(s). If the HTTP status of the answer is between 200 and 299, inclusive, the host MAY get a file containing a single JSON object. Is redirect-chasing recursive or one-time? I agree with Alissa that this "MAY" is not normatiave. After retrieval of the PvD Additional Information, hosts MUST remember the last Sequence Number value received in the RA including the same PvD ID. Whenever a new RA for the same PvD is received with nit: s/the RA/an RA/ a different Sequence Number value, or whenever the expiry date for the additional information is reached, hosts MUST deprecate the additional information and stop using it until a new JSON object is retrieved. Is this really just "a different Sequence Number value" or do we want "a larger Sequence Number value"? If the former, then it's not really functioning as a *sequence* number, is it? Also, is the "until [...]" clause really needed? Regardless of whether new additional information is retrieved (and validated), *this* additional information is still not being used. nit: if we are going to say "uniformly random" for the [(B-A)/2,B] interval, we should probably also use "uniformly" for the "random time between zero and 2**(Delay * 2) milliseconds". Since the 'Delay' value is directly within the PvD Option rather than the object itself, an operator may perform a push-based update by incrementing the Sequence value while changing the Delay value nit: "Sequence Number" Section 4.2 RA by the network operator. In particular, when a captive portal is present, hosts MUST still be allowed to perform DNS, PKI and HTTP over TLS operations related to the retrieval of the object, even before logging into the captive portal. I assume "DNS" here means "DNS over UDP(/TCP) on port 53 in the traditional, unencrypted, protocol of STD 13"? It may be prudent to be clear about the expectations here. Routers SHOULD increment the PVD Option Sequence Number by one whenever a new PvD Additional Information object is available and should be retrieved by hosts. If the value exceeds what can be stored in the Sequence Number field, it SHOULD wrap back to zero. Why are these just "SHOULD"? The server providing the JSON files SHOULD also check whether the client address is part of the prefixes listed into the additional information and SHOULD return a 403 response code if there is no match. (I assume that the "SHOULD" is to allow for exceptions when NAT-shaped things are in use.) nit: "is part of" is perhaps a bit odd Section 4.3 [perhaps update the example "expires" value to something slightly more current, both here and in 4.3.1?] | noInternet | No Internet, set | Boolean | true | | | when the PvD is | | | | | restricted. | | | nit: "set to 'true'"; setting it to "false" does not provide such an indication :) In addition to Alissa's Discuss point, "MUST create sub-dictionaries, [...] with a key of the format 'vendor-*'" is in conflict with "URN namespace SHOULD be used rather than the 'vendor-*' format". Section 4.4 When a host retrieves the PvD Additional Information, it MUST verify that the TLS server certificate is valid for the performed request (e.g., that the Subject Alternative Name is equal to the PvD ID expressed as an FQDN). This authentication creates a secure binding between the information provided by the trusted Router Advertisement, What makes an RA "trusted"? and the HTTPS server. However, this does not mean the Advertising Router and the PvD server belong to the same entity. Can you give me an example of when they would not be part of the same entity? I can only partially see how that would happen. I see there's some discussion of client IPv4 addresses here, but note that the "prefixes" entry in the additional information is specifically limited to IPv6 prefixes. Does the prefix check just not work at all for IPv4, or we know that NAT44 is too prevalent for it to be worth trying, or ...? Section 5 Do you want to also mention that some fields (e.g., Sequence Number) are only listed when relevant, and/or provide default values for the examples when they are not explicitly listed? Section 5.2 In the above example, non-PvD-aware hosts will only use the first RA sent from their default router and using the 2001:db8:cafe::/64 prefix. PvD-aware hosts will autonomously configure addresses from nit(?): I can't decide whether "from" or "for" is intended in "from their default router". both PIOs, but will only use the source address in 2001:db8:f00d::/64 to communicate past the first hop router since only the router sending the second RA will be used as default router; similarly, they will use the DNS server 2001:db8:f00d::53 when communicating with this address. nit: I'm not sure I understand what "communicating with this address" is intended to mean (it would make more sense to me as "communicating from this adddress"). Section 5.3 * RA Header: router lifetime = 1600 (PvD-aware hosts will use this router as a default router), implicit length = 2 just to check my understanding: this is only "use as a default router" within the scope of this PvD (and will use the other RA's data as default router for the other PvD)? I'd perhaps consider adding "for this PvD", though it's far from clear that such clarification in the text is needed. Section 6 This RA Option can include other RA Options; we should probably note that the security considerations of the included options continue to apply. When RAs have to be split to avoid exceeding the link MTU, there is perhaps some scope for selective packet blocking to influence host behavior (by denying them some of the PvD-specific configuration), though of course such attacks are pretty challenging on a local network/link. Attacks to block attempts to retrieve the additional information are more likely succeed, though the scope is perhaps limited since all that stuff is supposed to be optional. We can't really limit what vendors will do with it, though, so we should probably treat it as having some significant risk of DoS. Expiration times are represented as absolute times, so the usual considerations about accurate time and clock skew apply. This specification does not improve the Neighbor Discovery Protocol security model, but extends the purely link-local trust relationship between the host and the default routers with HTTP over TLS communications which servers are authenticated as rightful owners of the FQDN received within the trusted PvD ID RA option. I think I need some more persuasion to believe that the routers are actually "authenticated as rightful owners of the FQDN received" as claimed here. In light of the following paragraph in the text, perhaps we should say something more like "validates that the owner of the FQDN authorizes its use with the prefix advertised by the router" and "in combination with implicit trust in the local router (if present), this gives the host some level of assurance that the PvD is authorized for use in this environment. However, when the local router cannot be trusted, no such guarantee is available." Users cannot be assumed to be able to meaningfully differentiate between "safe" and "unsafe" networks. This is a known attack surface that is present whether or not PvDs are in use, and hence cannot be addressed by this document. However, a host that correctly implements the multiple PvD architecture ([RFC7556]) using the mechanism described in this document will be less susceptible to such attacks than a host that does not by being able to check for the various misconfigurations described in this document. I think this is only true for certain definitions of "safe" and would like to learn more about what definition the authors had in mind when writing this. Section 7 Whenever we introduce new identifier (types), the question of privacy considerations arises with respect to tracking of the identified entity or related entities, among other things. The PvD itself here is not really "trackable", so we seem to be concerned only with tracking of devices that connect to /use a given PvD. I'll try to walk through the workflow to confirm that there's not more that needs to be said here: Generally, a host is going to mostly just be receiving the PvD ID value, and not broadcasting it in much outgoing traffic. It would perhaps get some configuration about PvD IDs in some area (though configured PvD IDs seems more likeoy on routers than hosts), and receives PvD IDs via RA options, and uses the PvD ID to correlate/associate information across RAs, potentially across networks and mobility events. The only time I see the PvD ID being sent outbound from a PvD-aware host is in the query to the PvD's well-known URI for additional information, and we say that the DNS resolution used to look up that name must be from the same configuration that claims to use that PvD. This is done with the intent that there's no additional information leakage, as we're essentially just echoing back the PvD ID to the same administrative entity that gave it to us. For honest routers it clearly should work fine, but what happens if we have dishonest routers? A dishonest router could send an RA claiming a different/bogus PvD ID, and an honest host as specified here would then go ahead and make the DNS+HTTPS query for additional information, which is still just echoing back the value that was sent, to who sent it. There would only be some additional information leakage if the host was configured to be selective about which PvDs to fetch additional information for, so that the attacker could check whether a given PvD ID was on the whitelist or not. I think, though, that even if a host does have a whitelist of PvD IDs it will use, there's still no harm from always fetching the additional information and just discarding it for non-whitelisted PvDs -- that lets such a host blend into the genera population of PvD-aware hosts without directly revealing that it has a whitelist or the contents thereof. (Its subsequent network traffic might still give some implicit signal, though that's perhaps less conclusive.) I don't have a great sense of how (un)likely host-leve PvD whitelists are to be seen in practice, and thus whether it's worth putting the above advice/analysis (just the "to blend in, always fetch even if you ignore" part) into the document. Given that we do mention FQDN/IP-prefix whitelists, I'm leaning towards including this aspect as well. (The above analysis changes some if a host is going to be caching any PvD-specific information across mobility events within the same PvD, but I don't see much to indicate that such long-term caching would occur.) default router, this property can't be ensured. Therefore, hosts willing to retrieve the PvD Additional Information before using it without leaking identity information, SHOULD make use of an IPv6 nit: this is either tautological or not saying what it's intended to, since it's impossible to use the information without having first retrieved it... Privacy Address and SHOULD NOT include any privacy sensitive data, such as User Agent header or HTTP cookie, while performing the HTTP over TLS query. ...so perhaps rephrasing akin to "To minimize the leakage of identity information while retrieving PvD Additional Information, hosts SHOULD [...]" is in order. From a user privacy perspective, retrieving the PvD Additional Information is not different from establishing a first connection to a remote server, or even performing a single DNS lookup. For example, most operating systems already perform early queries to well known web sites, such as http://captive.example.com/hotspot- detect.html, in order to detect the presence of a captive portal. I understand the desire to only use names/numbers designated as "for example use" in RFCs, but this seems like a case where it might be worth making an exception. Network operators SHOULD restrict access to PvD Additional Information to only expose it to hosts that are connected to the local network, especially if the Additional Information would provide information about local network configuration to attackers. This can (It seems that even the existence of a vendor-* subobject might be considered "sensitive" in this fashion.) Section 8.2 Is there any additional guidance we wish to give to the Experts? Section 8.3 document (as specified in Figure 1). Future assignments require Standards Action [RFC8126], via a Standards Track RFC document. nit: please drop the "via a Standards Track RFC document" clause; it's basically redundant with Standards Action and I'm not sure why there's a specific need to disallow BCP documents from allocating such codepoints. Section 8.4 Interoperability considerations: This document specifies format of conforming messages and the interpretation thereof. nit: "the format" Applications that use this media type: This media type is intended to be used by network advertising additional Provisioning Domain information, and clients looking up such information. nit: "networks" plural Section 10.1 I'm not sure whether RFCs 2131, 3646, and 8106 need to be Normative. Section 10.2 On the other hand, RFC 2818 does seem like it needs to be Normative (and 7556 as was already mentioned).
- [Int-area] Benjamin Kaduk's Discuss on draft-ietf… Benjamin Kaduk via Datatracker
- Re: [Int-area] Benjamin Kaduk's Discuss on draft-… Benjamin Kaduk
- Re: [Int-area] Benjamin Kaduk's Discuss on draft-… Benjamin Kaduk
- Re: [Int-area] Benjamin Kaduk's Discuss on draft-… Tommy Pauly
- Re: [Int-area] Benjamin Kaduk's Discuss on draft-… Tommy Pauly