[NSIS] ntlp security thoughts
"Hannes Tschofenig" <hannestschofenig@hotmail.com> Sun, 13 July 2003 12:49 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA17921 for <nsis-archive@odin.ietf.org>; Sun, 13 Jul 2003 08:49:29 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19bgHm-0005xV-7g for nsis-archive@odin.ietf.org; Sun, 13 Jul 2003 08:49:02 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h6DCn2Dn022899 for nsis-archive@odin.ietf.org; Sun, 13 Jul 2003 08:49:02 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19bgHl-0005xE-BO; Sun, 13 Jul 2003 08:49:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19bgHB-0005wZ-6V for nsis@optimus.ietf.org; Sun, 13 Jul 2003 08:48:25 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id IAA17853 for <nsis@ietf.org>; Sun, 13 Jul 2003 08:48:22 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19bgH9-0003cm-00 for nsis@ietf.org; Sun, 13 Jul 2003 08:48:23 -0400
Received: from bay8-f54.bay8.hotmail.com ([64.4.27.54] helo=hotmail.com) by ietf-mx with esmtp (Exim 4.12) id 19bgH9-0003c3-00 for nsis@ietf.org; Sun, 13 Jul 2003 08:48:23 -0400
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sun, 13 Jul 2003 05:47:52 -0700
Received: from 81.160.141.224 by by8fd.bay8.hotmail.msn.com with HTTP; Sun, 13 Jul 2003 12:47:51 GMT
X-Originating-IP: [81.160.141.224]
X-Originating-Email: [hannestschofenig@hotmail.com]
From: Hannes Tschofenig <hannestschofenig@hotmail.com>
To: nsis@ietf.org
Date: Sun, 13 Jul 2003 14:47:51 +0200
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format="flowed"
Message-ID: <BAY8-F54hmsmPXAPgIi0000ae17@hotmail.com>
X-OriginalArrivalTime: 13 Jul 2003 12:47:52.0645 (UTC) FILETIME=[F954B750:01C3493C]
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by ietf.org id IAA17854
Subject: [NSIS] ntlp security thoughts
Sender: nsis-admin@ietf.org
Errors-To: nsis-admin@ietf.org
X-BeenThere: nsis@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=unsubscribe>
List-Id: Next Steps in Signaling <nsis.ietf.org>
List-Post: <mailto:nsis@ietf.org>
List-Help: <mailto:nsis-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: quoted-printable
hi all, i have compiled some thoughts on ntlp security. please see below: ciao hannes ---------------------------------------------------------- NTLP Security Considerations ============================ 1. Introduction Based on the discussions at the IETF #56 NSIS working group meeting two new NTLP proposals have been submitted (see [1] and [2]). The architectural two-layer split into an NTLP (a generic transport mechanism) and an NSLP part (the NSLP part contains the application specific signaling payloads). Although this layer split (with regard to security) was already introduced with policy-aware and policy-ignorant nodes in RSVP, the question was raised what type of security should be enforced at which layer. There is conconsus that - at least some authorization decisions should be handled specific for certain applications. - non peer-to-peer security must be handled at the application layer Some members, however, believe that security protection for the signaling messages at the NTLP layer is not necessary. It should be noted that the introduction of the two-layer split might cause that signaling messages traversing n NTLP nodes whereby only m of these nodes (possibly with m<<n) support the required NSLP functionality required. Goal of this document is to describe some threats against the NTLP protocol. The reader should by itself decide whether these threats require countermeasures. Some architectural questions might also influence the decisions - these architectural decisions are, however, not described in this document (TBD: future version). 2. Protocol Vulnerabilities Analysing the protocol proposal [1] and [2] the following protocol vulnerabilities are apparent: - Force NTLP node todo more processing Some protocol fields (such as epoch or MESSAGE_ID in [1]) allow an adversary to force an NTLP node todo more processing. Additionally it might be able to interfear with the conguestion control procedure. Furthermore it might be possible to force other entities to cause some additional actions or signaling message exchanges. - Flooding An adversary might benefit from flooding an NTLP node with messages which must be stored (e.g. due to fragmentation handling) before detecting the correctness of signaling messages. It was also noticed that a large number of small NTLP messages might require a large amount of CPU processing since the processing of Router Alert messages is highly inefficient (additional CPU processing due to the context switching). - Terminate signaling Unprotected error messages allow an adversary to delete NTLP state (and possibly NSLP state) when returned unprotected. - Combined discovery and signaling message delivery Combining discovery together with signaling message delivery prevents usage of security mechanisms (even at the NSLP layer). Furthermore it does not allow summary refreshes to be used in the expected way since the summary refresh assumes knowledge about the recepient. - Create NTLP state An RSVP path-alike message allows an adversary to create NTLP state at a number of NSIS nodes along the path. This might be seen as an amplification attack. - Modification to the HOP address When an RSVP path-alike signaling message is intercepted by an NTLP node the HOP address is stored in the NTLP state table. This allows an adversary to change routing of NTLP (and therefore NSLP messages). This might either lead to messages routed to unreachable IP addresses or to other NSIS nodes or to the adversary itself. - Modification of the refresh period An adversary changing the refresh period is able to control the rate at which refresh messages are expected. Together with bogus state creation messages this might allow an adversary to store state much longer resulting in a more effective DoS attack. Reducing the refresh interval causes NTLP nodes to expect refresh messages at a higher rate. This might cause state timeouts due to the absence of refresh messages. - Teardown NTLP state The NTLP protocol defines different operations on the NTLP state. One of this operation allows to delete NTLP state information. An adversary can issue a teardown message in both direction. A RSVP path-alike teardown message might restrict the location of the adversary whereas the RSVP resv-alike teardown message can be initiated from any location to any NTLP node along the path. The implications of deleted NTLP has implications for NSLPs (e.g. reverse routing is not possible if reverse routing information is not present). - Session Ownership Including the session identifier into the NTLP might be exploited by an adversary as described in [3]. - Flow ID modification It was mentioned that the inclusion of the flow identifier in the NTLP allows NAT aware NTLPs to perform address translation independent of the NSLP. It needs to be verified whether the inclusion of the flow identifier for the purpose of network address translation helps in all cases. As an other alternative it is necessary to enable NATs to understand all NSLP protocols. In any case if a flow identifier is included in the NTLP (unprotected) then an adversary is able to modify the flow identifier to e.g. make QoS reservations inefficient, exploit if for other purposes (e.g. theft of service), for DoS attacks etc. The same implications can be considered in case of NAT/firewall signaling. 3. Summary As a summary it is possible to add, modify and delete any state information available. This might cause NSLP signaling to become ineffective or to abort. Various denial of service attacks are possible. 4. References [1] M. Shore: "The NSIS Transport Layer Protocol (NTLP)", <draft-shore-ntlp-00.txt>, (work in progress), May 2003. [2] H. Schulzrinne: "GIMPS: General Internet Messaging Protocol for Signaling" <draft-schulzrinne-nsis-ntlp-00.txt>, (work in progress), June 2003. [3] H. Tschofenig, et al.: "Security Implications of the Session Identifier", <draft-tschofenig-nsis-sid-00.txt>, (work in progress), May 2003. _________________________________________________________________ MSN Hotmail - Absolut kostenfrei! Der weltweit größte E-Mail-Anbieter im Netz: http://www.msn.de/hotmail _______________________________________________ nsis mailing list nsis@ietf.org https://www1.ietf.org/mailman/listinfo/nsis
- [NSIS] ntlp security thoughts Hannes Tschofenig
- Re: [NSIS] ntlp security thoughts Henning Schulzrinne
- Re: [NSIS] ntlp security thoughts Hannes Tschofenig
- Re: [NSIS] ntlp security thoughts Henning Schulzrinne
- Re: [NSIS] ntlp security thoughts Hannes Tschofenig
- Re: [NSIS] ntlp security thoughts Henning Schulzrinne