Re: [manet] DLEP-18 Security Considerations

Stan Ratliff <ratliffstan@gmail.com> Sun, 07 February 2016 16:33 UTC

Return-Path: <ratliffstan@gmail.com>
X-Original-To: manet@ietfa.amsl.com
Delivered-To: manet@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68DA21A1AFC for <manet@ietfa.amsl.com>; Sun, 7 Feb 2016 08:33:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lp0wa6w5JU_E for <manet@ietfa.amsl.com>; Sun, 7 Feb 2016 08:33:09 -0800 (PST)
Received: from mail-io0-x22e.google.com (mail-io0-x22e.google.com [IPv6:2607:f8b0:4001:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32C0C1A8A80 for <manet@ietf.org>; Sun, 7 Feb 2016 08:33:09 -0800 (PST)
Received: by mail-io0-x22e.google.com with SMTP id g73so174503294ioe.3 for <manet@ietf.org>; Sun, 07 Feb 2016 08:33:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=We7CKeojqItswhNlMatlKjwkQfg1PJDzdthwnI24Rj4=; b=cOsBbwS+ZOXRkU1ad9PVA+VJweg6sMVlcqGM4TDzGTw0f4yRxJ9AtDSHDPtJ/nENDc LR18/DiOFuPkE/gvaRPLgvUpYCF8a/WptRzjbrv9SYZkOOC5txqsRyPqAMwPuOj3Pbrc k+lxNWfH7UW2qQ2hPAY0gTdnYv6NyCRmW61CdhMyKCzCSnIG9D1mpZ7oHULJ+tyTB3l8 G6eODXx/WJ3zA0G157nINn4jQz9nqT6S9ePEIzllE48mNAefdEHT0sXUKh01fNDue+Sd MbQmihiIp79UBmDM73L0yAHct3FKwwecGQtbdX/tIhgS7UKIRgCSJegNml0OGLgm7Fet aktg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=We7CKeojqItswhNlMatlKjwkQfg1PJDzdthwnI24Rj4=; b=V8GQkOyARvgmC6ErqLDOfP7QQF+MRZ9J66B1XqSw3+JK6Q/vuZJkQVTThi1DPVFMPe tBPCOLre2ihqKX2GtnFgz01RiFBlMHELGO8jn+7sb1/jhTtfGa0In7d3w7ZE6uypP1ae 4D3l30Nt1IHIlgDL86ERvFl96dkAPCKAtrQXi6/0b2j1+BXtHKI6bl8kb2wJR15EgJxq YYFDX0stU3yEDYmVzlC+MXWcQN2/Y98C/toeoRQ7HT89DgQaDM2Rf27OInPwH5hxhaKL NGviJSn7wdguWLtpDC6BioQVa4cOlE4tAnsriwmR1XEjVT433pUAa0N7Xm2s4TRDfwpB O+PQ==
X-Gm-Message-State: AG10YOT5ZqNbf1UIyUz0hTOMrxMHxA422i/4gFZ29haCQGw4516InlAj/m0UYEAu7PsivvPGUD7wtsaBmkP2Zw==
MIME-Version: 1.0
X-Received: by 10.107.3.229 with SMTP id e98mr26781158ioi.182.1454862788405; Sun, 07 Feb 2016 08:33:08 -0800 (PST)
Received: by 10.79.96.1 with HTTP; Sun, 7 Feb 2016 08:33:08 -0800 (PST)
In-Reply-To: <152bc392e10.2818.9b4188e636579690ba6c69f2c8a0f1fd@labn.net>
References: <CALtoyo=6zEWqj8kC=JHb1=6sKD+ktCOWmnU+rzbNGhrkAwMfzQ@mail.gmail.com> <D2DBAA65.10DB40%aretana@cisco.com> <CAGnRvur=CMe7YwudtYJmbO_fOPh2n3Vch5z1AkzawFe1gULgjQ@mail.gmail.com> <CA+-pDCfPghT=v=CPdNa8vNXPCiJmC1FMK3NwS-vf890irOkLJg@mail.gmail.com> <152bc392e10.2818.9b4188e636579690ba6c69f2c8a0f1fd@labn.net>
Date: Sun, 7 Feb 2016 11:33:08 -0500
Message-ID: <CALtoyokKUHxjONQvigB6eMcRC4n6Xf34soTY9RvOzPmGCVZAvQ@mail.gmail.com>
From: Stan Ratliff <ratliffstan@gmail.com>
To: Lou Berger <lberger@labn.net>
Content-Type: multipart/alternative; boundary=001a113f97beb332b4052b30a3e2
Archived-At: <http://mailarchive.ietf.org/arch/msg/manet/-tsnTSwkRXtlY3Ng9Dva12GH808>
Cc: MANET IETF <manet@ietf.org>
Subject: Re: [manet] DLEP-18 Security Considerations
X-BeenThere: manet@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Mobile Ad-hoc Networks <manet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/manet>, <mailto:manet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/manet/>
List-Post: <mailto:manet@ietf.org>
List-Help: <mailto:manet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/manet>, <mailto:manet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Feb 2016 16:33:12 -0000

All,

I think the critical point here is Alvaro's comment:

> The main problem I see with the text below is that it is based on
> assumptions — even though you do say that "DLEP is restricted to…a single
> (possibly logical) hop at layer 2", it is based on the deployment
> assumptions.  What happens if it isn't deployed that way?

It's NOT an "assumption". We've mis-lableld it as an assumption. It's
actually a requirement.
Henning's response to the above text is correct:

"It will not work because the user traffic will not reach the
destination. DLEP is the model of a "external radio" which acts as a
bridge (as in "layer-2 bridge") between the connection to the router
and the radio network."

Anyone attempting multi-hop deployment will immediately bump into the issue
of a router issuing packets with a Destination MAC address that's not on
the local segment. Traffic won't pass. As Henning states, it simply won't
work.

I believe we need to move the following text from "Assumptions" to
"Requirements":

   DLEP assumes that the MAC address for delivering data traffic is the
   MAC address used by DLEP to identify the destination.  No
   manipulation or substitution is performed; the MAC address supplied
   in all destination messages is used as the OSI Layer 2 Destination
   MAC address.  DLEP also assumes that MAC addresses are unique within
   the context of a router-modem session.

   The reliance on MAC addresses by DLEP forces the assumption that
   participating DLEP peers are on a single segment (either physical or
   logically, via tunneling protocols) at Layer 2.


We also need to take the TLS flag out of the IPv4 and IPv6 Connection Point
data items (a clear "miss" on our part). I believe this addresses the
concern, in that 1-hop deployment is no longer an "assumption".

Regards,
Stan



On Sun, Feb 7, 2016 at 9:53 AM, Lou Berger <lberger@labn.net>; wrote:

> Justin,
>
> Two minor suggestions:
>
> s/ link-local addresses/a directly attached IP sub-subnet/
>
> And at then end of  b
>
> Such implementations MAY [or SHOULD] support MACsec, IEEE 802.1AE and
> 802.1X.
>
> Lou
>
> On February 7, 2016 7:58:37 AM Justin Dean <bebemaster@gmail.com>; wrote:
>
>> How about the following update?  Taken from bits of Hennings' explanation
>> here and Ran's proposed text from quite a while back.  Please note the
>> difference in deployment and implement, and the resulting what actually
>> gets used in real deployments....
>>
>> The potential security concerns when using DLEP are:
>>
>> 1.  An attacker might pretend to be a DLEP peer, either at DLEP
>>     session initialization, or by injection of messages once a
>>     session has been established, and/or
>>
>> 2.  DLEP data items could be altered by an attacker, causing the
>>     receiving implementation to inappropriately alter its information
>>     base concerning network status.
>>
>>    DLEP is restricted to operation over a single (possibly
>>    logical) hop at layer 2; Deployments other than single-hop are
>>    not permitted and outside the scope of this specification.
>>    Deployments requiring authentication and/or encryption of traffic
>>    MUST take steps to secure the Layer 2 link.
>>
>> All DLEP Implementations either:
>>
>> (a) MUST implement Transport Layer Security (TLS)' [RFC-5246]
>> so TLS is available for use when deployment dictate or
>> (b) MUST restrict the valid IP (both IPv4 and IPv6) unicast
>> addresses for use with DLEP to link-local addresses.
>>
>>    To avoid potential denial of service attack, it is RECOMMENDED that
>>    implementations using the Peer Discovery mechanism maintain an
>>    information base of hosts that persistently fail Session
>>    Initialization having provided an acceptable Discovery signal, and
>>    ignore Peer Discovery signals from such hosts.
>>
>>    This specification does not effect security of the data plane;
>>    standard security procedures can be employed for the data plane.
>>
>> On Sun, Feb 7, 2016 at 6:54 AM, Henning Rogge <hrogge@gmail.com>; wrote:
>>
>>> On Sat, Feb 6, 2016 at 11:22 PM, Alvaro Retana (aretana)
>>> <aretana@cisco.com>; wrote:
>>> > On 1/18/16, 7:51 PM, "manet on behalf of Stan Ratliff"
>>> > <manet-bounces@ietf.org on behalf of ratliffstan@gmail.com>; wrote:
>>> >
>>> > Stan:
>>> >
>>> > Hi!
>>> >
>>> > You'll need references for L2 security.
>>> >
>>> > The main problem I see with the text below is that it is based on
>>> > assumptions — even though you do say that "DLEP is restricted to…a
>>> single
>>> > (possibly logical) hop at layer 2", it is based on the deployment
>>> > assumptions.  What happens if it isn't deployed that way?
>>>
>>> It will not work because the user traffic will not reach the
>>> destination. DLEP is the model of a "external radio" which acts as a
>>> bridge (as in "layer-2 bridge") between the connection to the router
>>> and the radio network.
>>>
>>> If you are more than 1 IP-hop away you will not get the user traffic.
>>>
>>> > What about confidentiality of the data?  What about exposing
>>> information
>>> > about users (privacy)?
>>>
>>> if you have one IP-hop between radio and router linklayer/MAC security
>>> takes care of this. If not you are outside the specification of the
>>> protocol and do something strange to the traffic anyways... so it
>>> should not be DLEP's problem.
>>>
>>> >  I know that the assumed deployment model makes it
>>> > very hard to look at the data in flight between and the physical and L2
>>> > security may well be enough.  However, what if DLEP is not used as
>>> expected?
>>>
>>> If you break the basic assumptions of the protocol, you should not
>>> expect its security considerations to be secure in your situation.
>>>
>>> > IMO, you should describe the expected operating environment (or point
>>> to the
>>> > assumptions) and any security mechanisms that should be included there
>>> (L2,
>>> > physical assumptions), and explain why confidentiality and privacy are
>>> not a
>>> > concern…
>>>
>>> http://tools.ietf.org/html/draft-ietf-manet-dlep-18#section-2.1
>>>
>>> > but then you should also say something like: "if DLEP is used in an
>>> > environment other then the expected one, then xx, yy and zz
>>> MUST/SHOULD be
>>> > implemented".   I think that this way we would be covering the normal
>>> case,
>>> > but also providing an answer to what if without making mandatory
>>> mechanisms
>>> > that may be superfluous.
>>>
>>> There is no guarantee that xx/yy/zz will give you any kind of security
>>> in an unspecified environment.
>>>
>>> Henning Rogge
>>>
>>> _______________________________________________
>>> manet mailing list
>>> manet@ietf.org
>>> https://www.ietf.org/mailman/listinfo/manet
>>>
>>
>> _______________________________________________
>> manet mailing list
>> manet@ietf.org
>> https://www.ietf.org/mailman/listinfo/manet
>>
>>
> _______________________________________________
> manet mailing list
> manet@ietf.org
> https://www.ietf.org/mailman/listinfo/manet
>
>