IETF Logo Mail Archive

Re: [manet] DLEP-18 Security Considerations

Stan Ratliff <ratliffstan@gmail.com> Sat, 06 February 2016 23:18 UTC

Return-Path: <ratliffstan@gmail.com>
X-Original-To: manet@ietfa.amsl.com
Delivered-To: manet@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63ABB1A700F for <manet@ietfa.amsl.com>; Sat, 6 Feb 2016 15:18:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1VnmQvc4n3eI for <manet@ietfa.amsl.com>; Sat, 6 Feb 2016 15:18:47 -0800 (PST)
Received: from mail-io0-x232.google.com (mail-io0-x232.google.com [IPv6:2607:f8b0:4001:c06::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E5D041A7018 for <manet@ietf.org>; Sat, 6 Feb 2016 15:18:46 -0800 (PST)
Received: by mail-io0-x232.google.com with SMTP id f81so163072972iof.0 for <manet@ietf.org>; Sat, 06 Feb 2016 15:18:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Ne8amiKFbgC+Y5oUmqqGLbj8wqX4xlbrwodXKDuhKXs=; b=0Te0AjOdjSERyTOGUyexgv7rLOkzZ9gxy5B7LNkwgTyG4Bm45XZvSo+lAv+p4DDxqi 0Eg/0BKrD0eOhr1OXLmtgbLYH8ZAaTE7hjdSbZW4Zn086gVXNmrx5Rm3fz1pEDZL1Lzh 4WNChpyFrrwAG7j9fHY2K7ZtI3CUK/Gj/pUm865H8mYZcCRCUqTBVLkDCS4Ta6QVik6B iZfFFya41nJ0KwHE2zmoVAaqJ/fXH+Z9hrT24GjKlmmeam+HF3JC/w+dDvGtH7yr7MtQ yUsT2bMZ6geoETXJ728G5/kPuq7NCChdUuNuLdEbj0CJKsCqpmW5YxclaKrUQ09kYqvD slcQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=Ne8amiKFbgC+Y5oUmqqGLbj8wqX4xlbrwodXKDuhKXs=; b=NGh8KSFl9+R6QjwPo81QIvgkeOkIDuTmAAY/I94W+Dr+l6+hd6SEixlWyCtccZ0BLF 2UAJ3Sjw4gGUP7E5HgyP2wlw5M/Ac/8I5PoHPVQHkdi/O6UQa3qU4XGWkzhfXRYWpQ6R skD3cKZkh7knRloYeCvBgqcPzdEkz/7A1ZEWfQu2n1cRpFUydjocEKb8CrjIiLGAfjZu VPsarog/WSrL5woLZFcNrg9QJTVgFEVOYB/jvIF0PeeJtEN0rfTkDN99AjpAUnRaA5lq Owe/c+M3EEpXbZEvVHI6cfeEQgKCjte6qFcnIPiC116DNQUcs2xwD1rMHspqdAZ64DFL YkZQ==
X-Gm-Message-State: AG10YOTNWXIktixkrtvwg3lATgK7bDvvDjpn8gfOgRPeeOy7lxEsB44eyM/QboEtSKZXvWTWXg64NOS59EosRw==
MIME-Version: 1.0
X-Received: by 10.107.129.89 with SMTP id c86mr22601064iod.102.1454800726322; Sat, 06 Feb 2016 15:18:46 -0800 (PST)
Received: by 10.79.96.1 with HTTP; Sat, 6 Feb 2016 15:18:46 -0800 (PST)
In-Reply-To: <D2DBAA65.10DB40%aretana@cisco.com>
References: <CALtoyo=6zEWqj8kC=JHb1=6sKD+ktCOWmnU+rzbNGhrkAwMfzQ@mail.gmail.com> <D2DBAA65.10DB40%aretana@cisco.com>
Date: Sat, 06 Feb 2016 18:18:46 -0500
Message-ID: <CALtoyonxRb64odA5NAvdUfgCteqn4_s4GRoJZHaU55_4iLvTyQ@mail.gmail.com>
From: Stan Ratliff <ratliffstan@gmail.com>
To: "Alvaro Retana (aretana)" <aretana@cisco.com>
Content-Type: multipart/alternative; boundary="001a113f943c82f49b052b22308f"
Archived-At: <http://mailarchive.ietf.org/arch/msg/manet/IEOS--oRagaD-ZJFNxLl8nnijn0>
Cc: MANET IETF <manet@ietf.org>
Subject: Re: [manet] DLEP-18 Security Considerations
X-BeenThere: manet@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Mobile Ad-hoc Networks <manet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/manet>, <mailto:manet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/manet/>
List-Post: <mailto:manet@ietf.org>
List-Help: <mailto:manet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/manet>, <mailto:manet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Feb 2016 23:18:49 -0000

Alvaro,


On Sat, Feb 6, 2016 at 5:22 PM, Alvaro Retana (aretana) <aretana@cisco.com>
wrote:

> On 1/18/16, 7:51 PM, "manet on behalf of Stan Ratliff" <
> manet-bounces@ietf.org on behalf of ratliffstan@gmail.com> wrote:
>
> Stan:
>
> Hi!
>
> You'll need references for L2 security.
>

OK. Do you have any in mind?



>
> The main problem I see with the text below is that it is based on
> assumptions — even though you do say that "DLEP is restricted to…a single
> (possibly logical) hop at layer 2", it is based on the deployment
> assumptions.  What happens if it isn't deployed that way?
>

> What about confidentiality of the data?  What about exposing information
> about users (privacy)?  I know that the assumed deployment model makes it
> very hard to look at the data in flight between and the physical and L2
> security may well be enough.  However, what if DLEP is not used as expected?
>

I'm confused. We tried to state the DLEP only works over 1 hop. Reliance on
MAC addresses forces that. If DLEP isn't used as expected, why would anyone
think it would work as expected? Or be secure? A requirement to document
use cases outside the document seems to me like a never-ending task - after
all, "we don't know what we don't know". We could sit & think about
"perverse implementations" almost forever. At the end of the day, if DLEP
is not used as expected, all bets are off.

Having said that, would the addition of text stating "Using DLEP with
multiple network hops between router and modem is out of scope of this
document, and results are unpredictable" serve to address your comment?


Regards,
Stan





>
> IMO, you should describe the expected operating environment (or point to
> the assumptions) and any security mechanisms that should be included there
> (L2, physical assumptions), and explain why confidentiality and privacy are
> not a concern…but then you should also say something like: "if DLEP is used
> in an environment other then the expected one, then xx, yy and zz
> MUST/SHOULD be implemented".   I think that this way we would be covering
> the normal case, but also providing an answer to what if without making
> mandatory mechanisms that may be superfluous.
>
> My 2c.
>
> Alvaro.
>
>
>
> Hello WG,
>
> As requested in the email thread earlier today, here's a snapshot of what
> we currently have in the upcoming DLEP-18 draft wrt security. We've put an
> additional paragraph in the Assumptions section (Sec. 2.1) that says:
>
>    The reliance on MAC addresses by DLEP forces the assumption that
>    participating DLEP peers are on a single segment (either physical or
>    logically, via tunneling protocols) at Layer 2.  DLEP further assumes
>    that security of the implementations (e.g., authentication of
>    stations, encryption of traffic, or both) is dealt with by by
>    utilizing Layer 2 security techniques.
>
>
> Additionally, here is the text in the "Security Considerations":
>
> 12.  Security Considerations
>
>    The potential security concerns when using DLEP are:
>
>    1.  An attacker might pretend to be a DLEP peer, either at DLEP
>        session initialization, or by injection of messages once a
>        session has been established, and/or
>
>    2.  DLEP data items could be altered by an attacker, causing the
>        receiving implementation to inappropriately alter its information
>        base concerning network status.
>
>    Since DLEP is restricted to operation over a single (possibly
>    logical) hop at layer 2, implementations requiring authentication
>    and/or encryption of traffic MUST take steps to secure the Layer 2
>    link.
>
>    To avoid potential denial of service attack, it is RECOMMENDED that
>    implementations using the Peer Discovery mechanism maintain an
>    information base of hosts that persistently fail Session
>    Initialization having provided an acceptable Discovery signal, and
>    ignore Peer Discovery signals from such hosts.
>
>    This specification does not address security of the data plane, as it
>    (the data plane) is not affected, and standard security procedures
>    can be employed.
>
>
> Thoughts? Suggestions?
>
> Regards,
> Stan
>
>

v2.23.0 | Report a Bug | By Email