[NSIS] [Fwd: secdir review of draft-ietf-nsis-nslp-natfw-13.txt]
Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 11 December 2006 09:22 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GthN0-0006Cq-1B; Mon, 11 Dec 2006 04:22:46 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GthMy-0006Cg-Da for nsis@ietf.org; Mon, 11 Dec 2006 04:22:44 -0500
Received: from mailgw4.ericsson.se ([193.180.251.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GthMr-000795-6X for nsis@ietf.org; Mon, 11 Dec 2006 04:22:44 -0500
Received: from esealmw126.eemea.ericsson.se (unknown [153.88.254.123]) by mailgw4.ericsson.se (Symantec Mail Security) with ESMTP id 3EC835DA; Mon, 11 Dec 2006 10:22:32 +0100 (CET)
Received: from esealmw126.eemea.ericsson.se ([153.88.254.174]) by esealmw126.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830); Mon, 11 Dec 2006 10:22:32 +0100
Received: from [147.214.30.247] ([147.214.30.247]) by esealmw126.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830); Mon, 11 Dec 2006 10:22:31 +0100
Message-ID: <457D2357.3060503@ericsson.com>
Date: Mon, 11 Dec 2006 10:22:31 +0100
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: NSIS <nsis@ietf.org>
Content-Type: multipart/mixed; boundary="------------040102040406090503050904"
X-OriginalArrivalTime: 11 Dec 2006 09:22:31.0698 (UTC) FILETIME=[E297A720:01C71D05]
X-Brightmail-Tracker: AAAAAA==
X-Spam-Score: 0.4 (/)
X-Scan-Signature: 9f79b8e383fd3af2b1b5b1d0910f6094
Cc: meadows@itd.nrl.navy.mil
Subject: [NSIS] [Fwd: secdir review of draft-ietf-nsis-nslp-natfw-13.txt]
X-BeenThere: nsis@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Next Steps in Signaling <nsis.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:nsis@ietf.org>
List-Help: <mailto:nsis-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=subscribe>
Errors-To: nsis-bounces@ietf.org
Hi NSIS Many thanks to Catherine Meadows (CC) who has done the Security Directorate review attached. It was done on my and the WG chairs request through the security ADs to help check the security details of the document. It contains the normal boilerplate for document that are in IESG review, but as you know this document isn't in that step yet. I hope this can help improve the document. Cheers Magnus Westerlund IETF Transport Area Director & TSVWG Chair ---------------------------------------------------------------------- Multimedia Technologies, Ericsson Research EAB/TVA/A ---------------------------------------------------------------------- Ericsson AB | Phone +46 8 4048287 Torshamsgatan 23 | Fax +46 8 7575550 S-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com ----------------------------------------------------------------------
--- Begin Message ---
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.
This ID describes a protocol by which hosts may signal along the path
used
for transport of data packets the information necessary to configure
NATs and firewalls
according to the needs of the
application data flows. Not surprisingly, the use of this protocol
by unauthorized
hosts could cause major security problems. The security
considerations considerations section of this document describes the
problems in detail,
and outlines recommendations for solutions. These are to have
security mechanisms providing data origin authentication, replay
protection, integrity protection, and optional confidentiality
protection. According to this document, uch security
mechanisms can be provided for neighboring nodes
by using a mutually authenticated
transport layer secured connection and by relying on authorization by
the
neighboring NATFW NSLP entities, as well as randomly generated (that is,
unpredictable) session IDs.
For non-neighboring nodes (presumably, this means nodes that do not
share
a security association) some sort of authorization is still
necessary. The document
discusses the possibility of using authorization tokens for this, and
also provides
some recommendations for protecting them (e.g. protection against
tampering
and confidentiality to protect against replay). The document does not
go into detail about this, apparently because the usage of
authorization tokens
in NPLS is covered in another document (referenced in this ID).
This security strategy looks plausible, but I found the justification
for it very hard to follow. It starts with a number of possible
attacks that an unauthorized host could perform using NSLP. Almost
all of these attacks can be prevented by providing authorization (the
exceptions are one or two denial of service attacks), and
recommendations for authorizations are accordingly provided.
However, there
are two cases in which such recommendations are lacking. In one of
these
(5.2.3, data sender behind a firewall), no reason is given for the
lack of a recommendation. In the other (5.8, misuse of unreleased
sessions), it is claimed
that this will be addressed by the NATFW NSLP. This last confused me;
isn't that the protocol that this document describes?
The list of attacks appears to have grown up over a period of time as
the document went through its various iterations. In its current
form, the list is not very helpful, especially as the end of the
security considerations section, in which the actual recommendations
are made do not reference them explicitly. Instead, there
are somewhat vague comments such as
Almost all security threats at the
NATFW NSLP layer can be prevented by using a mutually authenticated
Transport Layer secured connection and by relying on
authorization by
the neighboring NATFW NSLP entities.
It would have been helpful for the reader to know what is meant by
"almost all"
without having to go back through the entire list of attacks.
I would suggest that the authors provide a tightened up, condensed
account of the
security threats against NSLP. There is no need to try to have an
exhaustive list
of attacks; indeed such a list will be of limited use since one can
never be certain that all the possibilities can be exhaustive.
Instead, it would be more helpful to described classes of threats,
with some illustrative examples.
In the final section, where the recommendations for security
mechanisms are
made, you need to be explicit about the types of threats that are
addressed.
In particular, some characterization of the types of threats that
are and are not addressed by authentication and authorization of
neighboring nodes needs to be provided,
I am wondering if it would not be a good idea to have a separate ID
describing the security mechanisms that need to be used by this
protocol.
The WG already seems to be halfway there, since they are already working
on an ID for authentication tokens.
Catherine Meadows
Head, Formal Methods Section
Center for High Assurance Computer Systems
Code 5540
Naval Research Laboratory
Washington, DC 20375
phone: +1-202-767-3490
fax: +1-202-404-7942
--- End Message ---
_______________________________________________ nsis mailing list nsis@ietf.org https://www1.ietf.org/mailman/listinfo/nsis
- [NSIS] [Fwd: secdir review of draft-ietf-nsis-nsl… Magnus Westerlund
- [NSIS] Pending issue secdir review of draft-ietf-… Martin Stiemerling
- RE: [NSIS] Pending issue secdir review ofdraft-ie… john.loughney
- Re: [NSIS] Pending issue secdir review ofdraft-ie… Martin Stiemerling
- Re: [NSIS] Pending issue secdir review ofdraft-ie… Ali Fessi