Re: [OPSEC] review for draft-ietf-opsec-ip-security-01

Andrew Yourtchenko <ayourtch@cisco.com> Tue, 17 February 2009 20:16 UTC

Return-Path: <ayourtch@cisco.com>
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6046D3A6BFD for <opsec@core3.amsl.com>; Tue, 17 Feb 2009 12:16:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mCTWGzJFlBFX for <opsec@core3.amsl.com>; Tue, 17 Feb 2009 12:16:07 -0800 (PST)
Received: from av-tac-bru.cisco.com (odd-brew.cisco.com [144.254.15.119]) by core3.amsl.com (Postfix) with ESMTP id A69853A6882 for <opsec@ietf.org>; Tue, 17 Feb 2009 12:16:06 -0800 (PST)
X-TACSUNS: Virus Scanned
Received: from strange-brew.cisco.com (localhost [127.0.0.1]) by av-tac-bru.cisco.com (8.11.7p3+Sun/8.11.7) with ESMTP id n1HKGG101064; Tue, 17 Feb 2009 21:16:17 +0100 (CET)
Received: from kk-son (dhcp-peg3-vl30-144-254-7-191.cisco.com [144.254.7.191]) by strange-brew.cisco.com (8.11.7p3+Sun/8.11.7) with ESMTP id n1HKGEt04005; Tue, 17 Feb 2009 21:16:16 +0100 (CET)
Date: Tue, 17 Feb 2009 21:17:22 +0100 (CET)
From: Andrew Yourtchenko <ayourtch@cisco.com>
X-X-Sender: ayourtch@zippy.stdio.be
To: Fernando Gont <fernando@gont.com.ar>
In-Reply-To: <20090129201501.C10D83A687E@core3.amsl.com>
Message-ID: <Pine.LNX.4.64.0902131108350.5865@zippy.stdio.be>
References: <20090129201501.C10D83A687E@core3.amsl.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: opsec@ietf.org
Subject: Re: [OPSEC] review for draft-ietf-opsec-ip-security-01
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: ayourtch@cisco.com
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2009 20:16:08 -0000

Hello,

I've gone through the doc, below will go comments, anchored to the layout 
as per http://tools.ietf.org/html/draft-gont-opsec-ip-security-01

First, the references that did not get hyperlinked in the text of the 
document.

It's a bit tedious to enumerate all, something similar to the following 
should list them:

wget -o /dev/null -O - http://tools.ietf.org/html/draft-gont-opsec-ip-security-01 |
     egrep '\[<a name|Normative References' |
     fgrep -B 10000 'Normative References</span'

Now - more specific textual comments. There is a "TODO" in the place of 
IP ID comment - I need a bit more thinking on that topic, meanwhile you 
can consider my points from my first mail as an initial placeholder on 
that item.


[Page 6]:

"If the packet does not pass this check, it should be dropped."

I think this event (as other packet drops) should be reflected in
counter variable(s) somewhere that can be inspected - both from the 
security point of view and from the troubleshooting point of view. The 
same applies to other places where it is recommended to drop the packets.

[Page 7]:

"3.2. IHL (Internet Header Length)
..."

More of a nit - the explicit mention of what is to be done when the check 
fails is missing.

[Page 8]:

"3.3. TOS ..." -> RFC1349 is obsoleted by the RFC2474 (DSCP), so this 
chapter needs a rewrite.

[Page 9]:

"3.4. Total Length..."

The section talks about the corner cases with discrepancy of length value 
in the header and the actual packet length, but does not discuss any 
potential interaction with EMTU_R limitations in case there are any.

9kb limit - the document should have some specific references to the 
stacks that have it. Also, probably the reference to the RFC1122 (at least 
for the terminological definition of the EMTU_R?)

[Page 11]:

"3.5.2. Possible security improvements"

TODO - discussion of a quality of IP ID of being able to provide a 
"fingerprint" of the remote host.

[Page 17]:

"Fingerprinting the physical device from which the packets originate" -

orphan word sequence.


[Page 21]:

reference [Ed3f2002] is a dead link - 
also include http://www.phrack.org/issues.html?issue=60&id=12&mode=txt ?

[Page 24]:

"Enforce a limit on the maximum number of options" - to me this looks a 
bit of a dangerous recommendation in this form, as it would cause 
arbitrary hard limits set by middle devices, resulting in creation of "IP 
Option MTU". (Not that anyone is adding a lot of IP options anyway these 
days, so it is more a theoretical nitpick :-)

[Page 28]:

Discussion of the semantics of the "LSRR.Pointer" - might be also simpler 
(for some?) to say that this is a 1-based index of the starting byte 
which will be used as the first storage byte of the address, in an array 
of length LSRR.Length, starting with LSRR option type as the first element.

[Page 31]:

LSRR, SSRR and RR options - can their restrictions be combined as much as 
possible ? To me they look largely similar, and the repetition is a cause 
for potential mistakes, IMHO.

[Page 41]:

stray "</t>"


[Page 42]:

Man in the middle threat mention for DSCP: is this the only field for 
which the MITM attacks are a concern ?

[Page 51]:

The sequence# check: should here be a reference to the section 3.4.3 of 
rfc2406 as a pointer to what constitutes the "valid sequence#" ?

Step three: should there be more specifics about some randomization for 
the process of dropping ?

Also - this algorithm omits the frequently used NAT-T (essentially IPSEC 
over UDP/4500)

[Page 52]:

"virtually impossible" - I'd replace this with "harder" :) And, as the 
MITM is mentioned for DSCP, I'd not make the task easier for IPSEC 
specifically :) the algorighm which is supposed to protect IPSEC should 
be able to resist the on-path attacker.

"Unfortunately, some TCP/IP stacks, when performing fragmentation,
    send the corresponding fragments in reverse order.  In such cases, at
    the point of flushing the fragment buffer, legitimate fragments will
    receive the same treatment as the possible forged fragments."

Should have a reference to the stacks in question.

[Page 53]:

"Additionally, given that many middle-boxes such as firewalls create
    state according to the contents of the first fragment of a given
    packet, it is best that, in the event an end-system receives
    overlapping fragments, it honors the information contained in the
    fragment that was received first."

received first if there was a box behind the middlebox that has reordered 
the packets afterwards, or if there was no such box ? :-)

If the two received fragments contain conflicting information, we do not 
have enough info to discern which of the two is "correct", IMHO. So, we 
should mark the corresponding packet as "bad", treat the reassembly as 
usual, and then drop it with an auditable event. (not drop immediately in 
order to avoid the DoS where colliding fragments would be dropped and 
cause the accumulation of the remaining fragments till the max reassembly 
timeout occurs).

[Page 54]:

sending with high precedence values: ingress filtering ?

(Also, with the DSCP/ToS duality, worth doublechecking on how does it 
translate to real forwarding devices?)

[Page 55]:

Address resolution: the passage about storing the packets for a long time 
on the router - isn't it something that should be directly discouraged, 
precisely because of its big impact ?

[Page 56]:

"Dropping packets":

should be mentioned that all dropped packets should be *counted* 
somewhere ?


thanks,
andrew