[proxies] Review of draft-hoeper-proxythreat-01.txt (Part 1)
Bernard Aboba <bernard_aboba@hotmail.com> Wed, 05 November 2008 08:56 UTC
Return-Path: <proxies-bounces@ietf.org>
X-Original-To: proxies-archive@ietf.org
Delivered-To: ietfarch-proxies-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 654A83A692F; Wed, 5 Nov 2008 00:56:46 -0800 (PST)
X-Original-To: proxies@core3.amsl.com
Delivered-To: proxies@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EE3603A6A10 for <proxies@core3.amsl.com>; Wed, 5 Nov 2008 00:56:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.637
X-Spam-Level:
X-Spam-Status: No, score=-1.637 tagged_above=-999 required=5 tests=[AWL=0.961, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZAJDo3hvtqhl for <proxies@core3.amsl.com>; Wed, 5 Nov 2008 00:56:43 -0800 (PST)
Received: from blu0-omc2-s36.blu0.hotmail.com (blu0-omc2-s36.blu0.hotmail.com [65.55.111.111]) by core3.amsl.com (Postfix) with ESMTP id DFD113A68EF for <proxies@ietf.org>; Wed, 5 Nov 2008 00:56:42 -0800 (PST)
Received: from BLU137-W54 ([65.55.111.72]) by blu0-omc2-s36.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 5 Nov 2008 00:56:26 -0800
Message-ID: <BLU137-W54E3AB48E6D604B591851E931F0@phx.gbl>
X-Originating-IP: [24.16.101.127]
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: katrin.hoeper@nist.gov, proxies@ietf.org
Date: Wed, 05 Nov 2008 00:56:27 -0800
Importance: Normal
In-Reply-To: <7.0.1.0.2.20081104105518.025aa8c8@nist.gov>
References: <7.0.1.0.2.20081104092258.0251aaa0@nist.gov> <7.0.1.0.2.20081104105518.025aa8c8@nist.gov>
MIME-Version: 1.0
X-OriginalArrivalTime: 05 Nov 2008 08:56:26.0930 (UTC) FILETIME=[63034120:01C93F24]
Subject: [proxies] Review of draft-hoeper-proxythreat-01.txt (Part 1)
X-BeenThere: proxies@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion list for ad hoc group interested in security and proxies <proxies.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/proxies>, <mailto:proxies-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/proxies>
List-Post: <mailto:proxies@ietf.org>
List-Help: <mailto:proxies-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/proxies>, <mailto:proxies-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1381339774=="
Sender: proxies-bounces@ietf.org
Errors-To: proxies-bounces@ietf.org
Overall comment:
Discussion of AAA proxy security issues has a long history within the IETF, starting in 1996
with the IESG review of RFC 2607, which spawned the development of RFC 4962, the
AAA requirements documents, and threat model and security analysis included within RFC 5247.
As with NAT, AAA proxies became widely entrenched before their implications were
fully understood, and in addition, they offered the solution to a wide range of
real or perceived problems, as discussed in RFC 2607.
Given this, progress on the proxy problem has experienced some of the same
issues that have been encountered in developing "NATless" infrastructures within
IPv6. While in theory alternatives are possible, in practice there are many
operational details that would need to be solved before they can be deployed.
Teasing out all the potential benefits of proxies, and evaluating the extent
to which deployable alternatives are available has proven to be a daunting
task. For example, the key management issues identified in RFC 2607
have been attacked via a variety of PKI approaches, which themselves
have encountered deployment issues, influencing the perceived practicality
of proposals such as Diameter CMS and Redirect.
However, at the same time, some of the operational issues with proxies
(such as increased packet loss and latency) have also come to be better
appreciated, motivating new approaches to solutions within organizations
such as EDUROAM. As a result, it would appear to me that operational
issues, not security, provide both the major impediments to and motivations
for progress.
While the focus of this document is threat analysis, it would seem important
to address some of those operational concerns, given their critical influence
on deployment. Otherwise we risk developing a scism between the
Security and O&M Areas in addressing these concerns.
Specific Comments
The introduction of proxies can change the security model of a
network as well as of the implemented protocols. As a consequence,
AAA proxies may introduce new security vulnerabilities. However,
currently the role of AAA proxies in networks and all their security
implications are not considered in many existing RFCs and Internet
drafts. The relationship with RFC 4962 [1] is the most glaring aspect
of the problem, but the progress of numerous drafts in a number of
working groups is affected by the so-called "proxy problem".
Recently, there have been attempts to reconcile the widespread
deployment of AAA proxies with the security requirements of
individual Internet protocols or protocol extensions.
The security vulnerabilities introduced by AAA proxies are not "new";
the RFC 2607 security analysis was initially requested by the IESG a
decade ago. In order to address the issues raised by the RFC 2607
threat analysis, support for end-to-end security was made a
requirement for the development of a new AAA protocol.
RFC 4962 was developed in part to formalize that requirement,
and RFC 5247 was added to the EAP WG charter in order to provide
an analysis of the degree to which existing EAP/AAA implementations
complied with those requirements.
In order to satisfy the requirements that eventually were codified
in RFC 4962, the AAA WG developed multiple proposals for
end-to-end transport of attributes through proxies; these included
CMS, Kerberos, and Redirect proposals. Of these, the AAA WG eventually
settled on Diameter Redirect, and this proposal was included within
RFC 3588.
Given all of this, AAA proxies have long been an area of focus within
the IETF, encompassing many man-years of work which have resulted in
more than a hundred pages of RFCs and Internet-Drafts relating to the
issue as well as many, many discussions and postings on the subject.
Therefore to say that the implications are "not considered" seems
odd, given the amount of time that has been spent on this.
Doubts exist whether current security claims stated in RFCs and
Internet Drafts are still valid for implementations with proxies.
"Doubts" is perhaps too weak a word -- RFC 5247 shows that many
of the fundamental security requirements can no longer be met
where proxies are present.
Hence, providers of networks with proxies that rely on such security
claims may have unknowingly introduced new vulnerabilities to their
systems that have not been covered in the respective protocol
specifications. For the same reasons, users of such systems may be
unknowingly exposed to attacks.
Not sure that the term "unknowing" is appropriate here. Given the
volume of work, it would be quite hard for providers to plead ignorance.
Rather, the issue is more likely to be the difficulty of operating
and managing a network that addresses the problems.
Concluding, the proxy problem may affect existing and future
implementations of Internet protocols whose specifications neglected
proxies in their security considerations. If security issues
introduced by proxies are not identified and addressed, future
protocol specifications will suffer from the same problems.
Proxies have become a fundamental aspect of the architecture of a
number of IETF protocols, including SMTP, SIP and AAA. In each
case, implementers and deployers of those protocols are painfully
aware of the problems that they cause. Also, in each case a number
of proposals have been made (such as domain certificates) to address
operational issues. So I don't think you can say that proxies
have been neglected in the security considerations.
Section 1.1
This document solely identifies security-related issues introduced by
AAA proxies and their severity but neither provides solutions to
address these problems nor discusses non-security related issues
(such as routing, performance, etc.). Furthermore, this document does
not consider AAA proxies that are configured to solely serve as a re-
direct (as supported by Diameter), because such proxies do not need
to gain access to attributes and/or keying material.
As noted earlier, operational issues have proven to be a very difficult
challenge. If you ignore these, I think you will miss the crux of the
problem.
Section 2
Unlike some other network entities that simply forward packets in the
network, AAA proxies are designed to have additional capabilities and
properties such that the AAA protocols executed through AAA proxies
may have the following features:
o AAA proxies are able to modify and/or delete AAA attributes
o AAA proxies share pairwise AAA keys with the AAA server and/or
other AAA proxies;
o AAA proxies and NAS cannot be distinguished by AAA server;
o AAA proxies and AAA server cannot be distinguished by NAS;
o AAA proxy chains cannot be distinguished from single proxies by
neither NAS nor AAA server.
Each of the above statements are not always true:
a. The Diameter CMS, Redirect and Kerberos proposals limited the
ability of AAA proxies to modify attributes.
b. Security schemes such as Diameter or RADSEC do not rely on
pairwise AAA keys, but are based on certificates.
c. Properly configured AAA servers *can* distinguish between AAA clients.
d. Properly configured NASes *can* distinguish between AAA servers and proxies.
e. Some proposals *do* support distinguishing of proxy chains from single proxies
(e.g. RADIUS/Kerberos, Route Record functionality).
Section 3
3. Related Work
[Editor's note: what other references should be mentioned here?]
I'd look at RFC 5247, which discusses the EAP security model and the
effects of proxies (and AAA mis-configuration) in some detail. There
are also the Diameter CMS and RADIUS/Kerberos proposals, the AAA
Requirements Documents, and discussions of proxy security and deployment
in the RADIUS, AAA, RADEXT, DIME and SIP WGs.
Section 4.1
In enterprise networks or other local networks with a single
administrative domain, AAA proxies are used to enable easy and
scalable network access in large networks.
Given the prevalence of enterprise customer arrangements with
access wholesalers and aggregators, many enterprise deployments
do in fact support inter-domain usage. However, in those
deployments it's probably accurate to say that the enterprise
trusts the wholesaler/aggregator infrastructure.
Hierarchical proxy routing can
further simplify key management, as has been pointed out in RFC 2607.
The Terena/EDUROAM experience is probably worth pointing out here, since
they are both using certificates (rather than symmetric keys), as well
as encountering issues with latency (leading to the desire for reduced
chain length).
_______________________________________________ Proxies mailing list Proxies@ietf.org https://www.ietf.org/mailman/listinfo/proxies
- [proxies] New draft: draft-hoeper-proxythreat-01.… Katrin Hoeper
- Re: [proxies] New draft: draft-hoeper-proxythreat… Katrin Hoeper
- [proxies] Review of draft-hoeper-proxythreat-01.t… Bernard Aboba
- Re: [proxies] Review of draft-hoeper-proxythreat-… Stefan Winter
- Re: [proxies] Review of draft-hoeper-proxythreat-… Katrin Hoeper
- Re: [proxies] Review of draft-hoeper-proxythreat-… Klaas Wierenga
- Re: [proxies] Review of draft-hoeper-proxythreat-… Bernard Aboba
- Re: [proxies] Review of draft-hoeper-proxythreat-… Klaas Wierenga
- Re: [proxies] Review of draft-hoeper-proxythreat-… Bernard Aboba
- Re: [proxies] Review of draft-hoeper-proxythreat-… Alan DeKok
- [proxies] next steps for draft-hoeper-proxythreat… Klaas Wierenga