[proxies] Review of draft-hoeper-proxythreat-01.txt (Part 1)
Bernard Aboba <bernard_aboba@hotmail.com> Wed, 05 November 2008 08:56 UTC
Return-Path: <proxies-bounces@ietf.org>
X-Original-To: proxies-archive@ietf.org
Delivered-To: ietfarch-proxies-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 654A83A692F; Wed, 5 Nov 2008 00:56:46 -0800 (PST)
X-Original-To: proxies@core3.amsl.com
Delivered-To: proxies@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EE3603A6A10 for <proxies@core3.amsl.com>; Wed, 5 Nov 2008 00:56:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.637
X-Spam-Level:
X-Spam-Status: No, score=-1.637 tagged_above=-999 required=5 tests=[AWL=0.961, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZAJDo3hvtqhl for <proxies@core3.amsl.com>; Wed, 5 Nov 2008 00:56:43 -0800 (PST)
Received: from blu0-omc2-s36.blu0.hotmail.com (blu0-omc2-s36.blu0.hotmail.com [65.55.111.111]) by core3.amsl.com (Postfix) with ESMTP id DFD113A68EF for <proxies@ietf.org>; Wed, 5 Nov 2008 00:56:42 -0800 (PST)
Received: from BLU137-W54 ([65.55.111.72]) by blu0-omc2-s36.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 5 Nov 2008 00:56:26 -0800
Message-ID: <BLU137-W54E3AB48E6D604B591851E931F0@phx.gbl>
X-Originating-IP: [24.16.101.127]
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: katrin.hoeper@nist.gov, proxies@ietf.org
Date: Wed, 05 Nov 2008 00:56:27 -0800
Importance: Normal
In-Reply-To: <7.0.1.0.2.20081104105518.025aa8c8@nist.gov>
References: <7.0.1.0.2.20081104092258.0251aaa0@nist.gov> <7.0.1.0.2.20081104105518.025aa8c8@nist.gov>
MIME-Version: 1.0
X-OriginalArrivalTime: 05 Nov 2008 08:56:26.0930 (UTC) FILETIME=[63034120:01C93F24]
Subject: [proxies] Review of draft-hoeper-proxythreat-01.txt (Part 1)
X-BeenThere: proxies@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion list for ad hoc group interested in security and proxies <proxies.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/proxies>, <mailto:proxies-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/proxies>
List-Post: <mailto:proxies@ietf.org>
List-Help: <mailto:proxies-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/proxies>, <mailto:proxies-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1381339774=="
Sender: proxies-bounces@ietf.org
Errors-To: proxies-bounces@ietf.org
Overall comment: Discussion of AAA proxy security issues has a long history within the IETF, starting in 1996 with the IESG review of RFC 2607, which spawned the development of RFC 4962, the AAA requirements documents, and threat model and security analysis included within RFC 5247. As with NAT, AAA proxies became widely entrenched before their implications were fully understood, and in addition, they offered the solution to a wide range of real or perceived problems, as discussed in RFC 2607. Given this, progress on the proxy problem has experienced some of the same issues that have been encountered in developing "NATless" infrastructures within IPv6. While in theory alternatives are possible, in practice there are many operational details that would need to be solved before they can be deployed. Teasing out all the potential benefits of proxies, and evaluating the extent to which deployable alternatives are available has proven to be a daunting task. For example, the key management issues identified in RFC 2607 have been attacked via a variety of PKI approaches, which themselves have encountered deployment issues, influencing the perceived practicality of proposals such as Diameter CMS and Redirect. However, at the same time, some of the operational issues with proxies (such as increased packet loss and latency) have also come to be better appreciated, motivating new approaches to solutions within organizations such as EDUROAM. As a result, it would appear to me that operational issues, not security, provide both the major impediments to and motivations for progress. While the focus of this document is threat analysis, it would seem important to address some of those operational concerns, given their critical influence on deployment. Otherwise we risk developing a scism between the Security and O&M Areas in addressing these concerns. Specific Comments The introduction of proxies can change the security model of a network as well as of the implemented protocols. As a consequence, AAA proxies may introduce new security vulnerabilities. However, currently the role of AAA proxies in networks and all their security implications are not considered in many existing RFCs and Internet drafts. The relationship with RFC 4962 [1] is the most glaring aspect of the problem, but the progress of numerous drafts in a number of working groups is affected by the so-called "proxy problem". Recently, there have been attempts to reconcile the widespread deployment of AAA proxies with the security requirements of individual Internet protocols or protocol extensions. The security vulnerabilities introduced by AAA proxies are not "new"; the RFC 2607 security analysis was initially requested by the IESG a decade ago. In order to address the issues raised by the RFC 2607 threat analysis, support for end-to-end security was made a requirement for the development of a new AAA protocol. RFC 4962 was developed in part to formalize that requirement, and RFC 5247 was added to the EAP WG charter in order to provide an analysis of the degree to which existing EAP/AAA implementations complied with those requirements. In order to satisfy the requirements that eventually were codified in RFC 4962, the AAA WG developed multiple proposals for end-to-end transport of attributes through proxies; these included CMS, Kerberos, and Redirect proposals. Of these, the AAA WG eventually settled on Diameter Redirect, and this proposal was included within RFC 3588. Given all of this, AAA proxies have long been an area of focus within the IETF, encompassing many man-years of work which have resulted in more than a hundred pages of RFCs and Internet-Drafts relating to the issue as well as many, many discussions and postings on the subject. Therefore to say that the implications are "not considered" seems odd, given the amount of time that has been spent on this. Doubts exist whether current security claims stated in RFCs and Internet Drafts are still valid for implementations with proxies. "Doubts" is perhaps too weak a word -- RFC 5247 shows that many of the fundamental security requirements can no longer be met where proxies are present. Hence, providers of networks with proxies that rely on such security claims may have unknowingly introduced new vulnerabilities to their systems that have not been covered in the respective protocol specifications. For the same reasons, users of such systems may be unknowingly exposed to attacks. Not sure that the term "unknowing" is appropriate here. Given the volume of work, it would be quite hard for providers to plead ignorance. Rather, the issue is more likely to be the difficulty of operating and managing a network that addresses the problems. Concluding, the proxy problem may affect existing and future implementations of Internet protocols whose specifications neglected proxies in their security considerations. If security issues introduced by proxies are not identified and addressed, future protocol specifications will suffer from the same problems. Proxies have become a fundamental aspect of the architecture of a number of IETF protocols, including SMTP, SIP and AAA. In each case, implementers and deployers of those protocols are painfully aware of the problems that they cause. Also, in each case a number of proposals have been made (such as domain certificates) to address operational issues. So I don't think you can say that proxies have been neglected in the security considerations. Section 1.1 This document solely identifies security-related issues introduced by AAA proxies and their severity but neither provides solutions to address these problems nor discusses non-security related issues (such as routing, performance, etc.). Furthermore, this document does not consider AAA proxies that are configured to solely serve as a re- direct (as supported by Diameter), because such proxies do not need to gain access to attributes and/or keying material. As noted earlier, operational issues have proven to be a very difficult challenge. If you ignore these, I think you will miss the crux of the problem. Section 2 Unlike some other network entities that simply forward packets in the network, AAA proxies are designed to have additional capabilities and properties such that the AAA protocols executed through AAA proxies may have the following features: o AAA proxies are able to modify and/or delete AAA attributes o AAA proxies share pairwise AAA keys with the AAA server and/or other AAA proxies; o AAA proxies and NAS cannot be distinguished by AAA server; o AAA proxies and AAA server cannot be distinguished by NAS; o AAA proxy chains cannot be distinguished from single proxies by neither NAS nor AAA server. Each of the above statements are not always true: a. The Diameter CMS, Redirect and Kerberos proposals limited the ability of AAA proxies to modify attributes. b. Security schemes such as Diameter or RADSEC do not rely on pairwise AAA keys, but are based on certificates. c. Properly configured AAA servers *can* distinguish between AAA clients. d. Properly configured NASes *can* distinguish between AAA servers and proxies. e. Some proposals *do* support distinguishing of proxy chains from single proxies (e.g. RADIUS/Kerberos, Route Record functionality). Section 3 3. Related Work [Editor's note: what other references should be mentioned here?] I'd look at RFC 5247, which discusses the EAP security model and the effects of proxies (and AAA mis-configuration) in some detail. There are also the Diameter CMS and RADIUS/Kerberos proposals, the AAA Requirements Documents, and discussions of proxy security and deployment in the RADIUS, AAA, RADEXT, DIME and SIP WGs. Section 4.1 In enterprise networks or other local networks with a single administrative domain, AAA proxies are used to enable easy and scalable network access in large networks. Given the prevalence of enterprise customer arrangements with access wholesalers and aggregators, many enterprise deployments do in fact support inter-domain usage. However, in those deployments it's probably accurate to say that the enterprise trusts the wholesaler/aggregator infrastructure. Hierarchical proxy routing can further simplify key management, as has been pointed out in RFC 2607. The Terena/EDUROAM experience is probably worth pointing out here, since they are both using certificates (rather than symmetric keys), as well as encountering issues with latency (leading to the desire for reduced chain length).
_______________________________________________ Proxies mailing list Proxies@ietf.org https://www.ietf.org/mailman/listinfo/proxies
- [proxies] New draft: draft-hoeper-proxythreat-01.… Katrin Hoeper
- Re: [proxies] New draft: draft-hoeper-proxythreat… Katrin Hoeper
- [proxies] Review of draft-hoeper-proxythreat-01.t… Bernard Aboba
- Re: [proxies] Review of draft-hoeper-proxythreat-… Stefan Winter
- Re: [proxies] Review of draft-hoeper-proxythreat-… Katrin Hoeper
- Re: [proxies] Review of draft-hoeper-proxythreat-… Klaas Wierenga
- Re: [proxies] Review of draft-hoeper-proxythreat-… Bernard Aboba
- Re: [proxies] Review of draft-hoeper-proxythreat-… Klaas Wierenga
- Re: [proxies] Review of draft-hoeper-proxythreat-… Bernard Aboba
- Re: [proxies] Review of draft-hoeper-proxythreat-… Alan DeKok
- [proxies] next steps for draft-hoeper-proxythreat… Klaas Wierenga