[proxies] Review of draft-hoeper-proxythreat-01.txt (Part 1)

Bernard Aboba <bernard_aboba@hotmail.com> Wed, 05 November 2008 08:56 UTC

Return-Path: <proxies-bounces@ietf.org>
X-Original-To: proxies-archive@ietf.org
Delivered-To: ietfarch-proxies-archive@core3.amsl.com
Received: from [] (localhost []) by core3.amsl.com (Postfix) with ESMTP id 654A83A692F; Wed, 5 Nov 2008 00:56:46 -0800 (PST)
X-Original-To: proxies@core3.amsl.com
Delivered-To: proxies@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id EE3603A6A10 for <proxies@core3.amsl.com>; Wed, 5 Nov 2008 00:56:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.637
X-Spam-Status: No, score=-1.637 tagged_above=-999 required=5 tests=[AWL=0.961, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id ZAJDo3hvtqhl for <proxies@core3.amsl.com>; Wed, 5 Nov 2008 00:56:43 -0800 (PST)
Received: from blu0-omc2-s36.blu0.hotmail.com (blu0-omc2-s36.blu0.hotmail.com []) by core3.amsl.com (Postfix) with ESMTP id DFD113A68EF for <proxies@ietf.org>; Wed, 5 Nov 2008 00:56:42 -0800 (PST)
Received: from BLU137-W54 ([]) by blu0-omc2-s36.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959); Wed, 5 Nov 2008 00:56:26 -0800
Message-ID: <BLU137-W54E3AB48E6D604B591851E931F0@phx.gbl>
X-Originating-IP: []
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: <katrin.hoeper@nist.gov>, <proxies@ietf.org>
Date: Wed, 5 Nov 2008 00:56:27 -0800
Importance: Normal
In-Reply-To: <>
References: <> <>
MIME-Version: 1.0
X-OriginalArrivalTime: 05 Nov 2008 08:56:26.0930 (UTC) FILETIME=[63034120:01C93F24]
Subject: [proxies] Review of draft-hoeper-proxythreat-01.txt (Part 1)
X-BeenThere: proxies@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discussion list for ad hoc group interested in security and proxies <proxies.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/proxies>, <mailto:proxies-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/proxies>
List-Post: <mailto:proxies@ietf.org>
List-Help: <mailto:proxies-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/proxies>, <mailto:proxies-request@ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1381339774=="
Sender: proxies-bounces@ietf.org
Errors-To: proxies-bounces@ietf.org

Overall comment:  

Discussion of AAA proxy security issues has a long history within the IETF, starting in 1996
with the IESG review of RFC 2607, which spawned the development of RFC 4962, the 
AAA requirements documents, and threat model and security analysis included within RFC 5247. 

As with NAT, AAA proxies became widely entrenched before their implications were
fully understood, and in addition, they offered the solution to a wide range of
real or perceived problems, as discussed in RFC 2607.   

Given this, progress on the proxy problem has experienced some of the same
issues that have been encountered in developing "NATless" infrastructures within
IPv6.  While in theory alternatives are possible, in practice there are many
operational details that would need to be solved before they can be deployed. 

Teasing out all the potential benefits of proxies, and evaluating the extent
to which deployable alternatives are available has proven to be a daunting
task.   For example, the key management issues identified in RFC 2607
have been attacked via a variety of PKI approaches, which themselves
have encountered deployment issues, influencing the perceived practicality
of proposals such as Diameter CMS and Redirect.  

However, at the same time, some of the operational issues with proxies
(such as increased packet loss and latency) have also come to be better
appreciated, motivating new approaches to solutions within organizations
such as EDUROAM.  As a result, it would appear to me that operational
issues, not security, provide both the major impediments to and motivations 
for progress. 

While the focus of this document is threat analysis, it would seem important
to address some of those operational concerns, given their critical influence
on deployment.  Otherwise we risk developing a scism between the 
Security and O&M Areas in addressing these concerns. 

Specific Comments

   The introduction of proxies can change the security model of a
   network as well as of the implemented protocols. As a consequence,
   AAA proxies may introduce new security vulnerabilities. However,
   currently the role of AAA proxies in networks and all their security
   implications are not considered in many existing RFCs and Internet
   drafts. The relationship with RFC 4962 [1] is the most glaring aspect
   of the problem, but the progress of numerous drafts in a number of
   working groups is affected by the so-called "proxy problem".
   Recently, there have been attempts to reconcile the widespread
   deployment of AAA proxies with the security requirements of
   individual Internet protocols or protocol extensions.

The security vulnerabilities introduced by AAA proxies are not "new";
the RFC 2607 security analysis was initially requested by the IESG a 
decade ago.  In order to address the issues raised by the RFC 2607
threat analysis, support for end-to-end security was made a 
requirement for the development of a new AAA protocol. 
RFC 4962 was developed in part to formalize that requirement,
and RFC 5247 was added to the EAP WG charter in order to provide
an analysis of the degree to which existing EAP/AAA implementations
complied with those requirements. 

In order to satisfy the requirements that eventually were codified
in RFC 4962, the AAA WG developed multiple proposals for
end-to-end transport of attributes through proxies; these included
CMS, Kerberos, and Redirect proposals.  Of these, the AAA WG eventually
settled on Diameter Redirect, and this proposal was included within
RFC 3588.  

Given all of this, AAA proxies have long been an area of focus within
the IETF, encompassing many man-years of work which have resulted in
more than a hundred pages of RFCs and Internet-Drafts relating to the
issue as well as many, many discussions and postings on the subject. 

Therefore to say that the implications are "not considered" seems
odd, given the amount of time that has been spent on this. 

   Doubts exist whether current security claims stated in RFCs and
   Internet Drafts are still valid for implementations with proxies.

"Doubts" is perhaps too weak a word -- RFC 5247 shows that many
of the fundamental security requirements can no longer be met
where proxies are present. 

   Hence, providers of networks with proxies that rely on such security
   claims may have unknowingly introduced new vulnerabilities to their
   systems that have not been covered in the respective protocol
   specifications. For the same reasons, users of such systems may be
   unknowingly exposed to attacks.

Not sure that the term "unknowing" is appropriate here.  Given the 
volume of work, it would be quite hard for providers to plead ignorance.
Rather, the issue is more likely to be the difficulty of operating
and managing a network that addresses the problems. 

   Concluding, the proxy problem may affect existing and future
   implementations of Internet protocols whose specifications neglected
   proxies in their security considerations. If security issues
   introduced by proxies are not identified and addressed, future
   protocol specifications will suffer from the same problems.

Proxies have become a fundamental aspect of the architecture of a
number of IETF protocols, including SMTP, SIP and AAA.  In each
case, implementers and deployers of those protocols are painfully
aware of the problems that they cause.  Also, in each case a number
of proposals have been made (such as domain certificates) to address
operational issues.  So I don't think you can say that proxies
have been neglected in the security considerations.

Section 1.1

   This document solely identifies security-related issues introduced by
   AAA proxies and their severity but neither provides solutions to
   address these problems nor discusses non-security related issues
   (such as routing, performance, etc.). Furthermore, this document does
   not consider AAA proxies that are configured to solely serve as a re-
   direct (as supported by Diameter), because such proxies do not need
   to gain access to attributes and/or keying material.

As noted earlier, operational issues have proven to be a very difficult
challenge.  If you ignore these, I think you will miss the crux of the

Section 2

  Unlike some other network entities that simply forward packets in the
   network, AAA proxies are designed to have additional capabilities and
   properties such that the AAA protocols executed through AAA proxies
   may have the following features:

   o  AAA proxies are able to modify and/or delete AAA attributes

   o  AAA proxies share pairwise AAA keys with the AAA server and/or
      other AAA proxies;

   o  AAA proxies and NAS cannot be distinguished by AAA server;

   o  AAA proxies and AAA server cannot be distinguished by NAS;

   o  AAA proxy chains cannot be distinguished from single proxies by
      neither NAS nor AAA server.

Each of the above statements are not always true:

a.  The Diameter CMS, Redirect  and Kerberos proposals limited the 
ability of AAA proxies to modify attributes.  

b. Security schemes such as Diameter or RADSEC do not rely on 
pairwise AAA keys, but are based on certificates. 

c. Properly configured AAA servers *can* distinguish between AAA clients. 

d. Properly configured NASes *can* distinguish between AAA servers and proxies.

e. Some proposals *do* support distinguishing of proxy chains from single proxies
(e.g. RADIUS/Kerberos, Route Record functionality). 

Section 3

3. Related Work

   [Editor's note: what other references should be mentioned here?]

I'd look at RFC 5247, which discusses the EAP security model and the
effects of proxies (and AAA mis-configuration) in some detail.   There
are also the Diameter CMS and RADIUS/Kerberos proposals, the AAA
Requirements Documents, and discussions of proxy security and deployment

Section 4.1

   In enterprise networks or other local networks with a single
   administrative domain, AAA proxies are used to enable easy and
   scalable network access in large networks.

Given the prevalence of enterprise customer arrangements with 
access wholesalers and aggregators, many enterprise deployments
do in fact support inter-domain usage.  However, in those
deployments it's probably accurate to say that the enterprise
trusts the wholesaler/aggregator infrastructure. 

   Hierarchical proxy routing can
   further simplify key management, as has been pointed out in RFC 2607.

The Terena/EDUROAM experience is probably worth pointing out here, since
they are both using certificates (rather than symmetric keys), as well
as encountering issues with latency (leading to the desire for reduced
chain length).  

Proxies mailing list