RE: [rddp] Security draft issue (4) - IPsec
Black_David@emc.com Sun, 09 May 2004 21:37 UTC
Received: from optimus.ietf.org (www.iesg.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA23145 for <rddp-archive@odin.ietf.org>; Sun, 9 May 2004 17:37:43 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BMvyB-0005wJ-11 for rddp-archive@odin.ietf.org; Sun, 09 May 2004 17:36:23 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i49LaMjU022831 for rddp-archive@odin.ietf.org; Sun, 9 May 2004 17:36:23 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BMvoR-0005S2-Jp for rddp-web-archive@optimus.ietf.org; Sun, 09 May 2004 17:26:19 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA22910 for <rddp-web-archive@ietf.org>; Sun, 9 May 2004 17:26:16 -0400 (EDT)
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BMvoP-000150-9U for rddp-web-archive@ietf.org; Sun, 09 May 2004 17:26:17 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BMvnL-0000kK-00 for rddp-web-archive@ietf.org; Sun, 09 May 2004 17:25:12 -0400
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1BMvmP-0000R4-00 for rddp-web-archive@ietf.org; Sun, 09 May 2004 17:24:13 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BMvlE-00059d-Kv; Sun, 09 May 2004 17:23:00 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1BMvjP-00052E-F4 for rddp@optimus.ietf.org; Sun, 09 May 2004 17:21:07 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id RAA22705 for <rddp@ietf.org>; Sun, 9 May 2004 17:21:04 -0400 (EDT)
From: Black_David@emc.com
Received: from ietf-mx.ietf.org ([132.151.6.1] helo=ietf-mx) by ietf-mx with esmtp (Exim 4.32) id 1BMvjN-0007K0-5Y for rddp@ietf.org; Sun, 09 May 2004 17:21:05 -0400
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1BMviV-00072H-00 for rddp@ietf.org; Sun, 09 May 2004 17:20:11 -0400
Received: from mxic2.corp.emc.com ([128.221.12.9]) by ietf-mx with esmtp (Exim 4.12) id 1BMvhb-0006RP-00 for rddp@ietf.org; Sun, 09 May 2004 17:19:15 -0400
Received: by mxic2.corp.emc.com with Internet Mail Service (5.5.2653.19) id <JDZDW3ZD>; Sun, 9 May 2004 17:18:37 -0400
Message-ID: <B459CE1AFFC52D4688B2A5B842CA35EA7A5996@corpmx14.corp.emc.com>
To: cait@asomi.com
Cc: rddp@ietf.org
Subject: RE: [rddp] Security draft issue (4) - IPsec
Date: Sun, 09 May 2004 17:18:36 -0400
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2653.19)
Content-Type: text/plain
Sender: rddp-admin@ietf.org
Errors-To: rddp-admin@ietf.org
X-BeenThere: rddp@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rddp>, <mailto:rddp-request@ietf.org?subject=unsubscribe>
List-Id: IETF Remote Direct Data Placement (rddp) WG <rddp.ietf.org>
List-Post: <mailto:rddp@ietf.org>
List-Help: <mailto:rddp-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rddp>, <mailto:rddp-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.3 required=5.0 tests=AWL, NO_REAL_NAME autolearn=no version=2.60
Caitlin, > I do not see any RDDP specific vulnerabilities that are relevant > to the use of IPsec. > > A non-RDDP application enables reception of peer messages into > application buffers. Given the nature of non-RDDP LLPs, use > of intermediate system buffering is likely. > > Once received, the Application judges the applicability of > transport layer security to its needs. It may determine that > the transport has provided sufficient authentication of the > remote peer to allow acting upon the received messages without > further validation, or it may decide to apply its own validation. > > So what changes with RDDP? > > Nothing, except that the intermediate system buffering is > far less likely. That *improves* security, not worsens it. > > Whether or not IPsec is in use, the Application already > has full control of which of its buffers are exposed, > to what extent, and for how long. Procedures to precisely > control that exposure are already documented in the security > draft and are not dependent on the use of IPsec or other > transport layer security. I think this misses the point by focusing on data instead of control. The thing that has changed is that RDDP exposes a new functional interface for use over the network, providing more opportunities for abuse by a rogue peer who misuses the interface or an attacker who modifies the headers in transit - the security exposure here involves the headers and the additional functionality they enable. In contrast to other new functionality, the application has no possibility to perform "its own validation" on use of the RDDP placement interface because the application never sees the RDDP headers. > There are also several problems with mandating IPsec > implemenetation. > > First, what is the meaning of the mandate when the RDDP > implementation is cleanly layered over the LLP (or > even when it is integrated with the LLP, but they > are cleanly layered over IP)? > > Surely we are not going to require that an RDDP implementation > refuse to use a valid TCP or IP stack because it lacks > IPsec support. That's correct. If the RFCs that define RDDP require that IPsec be implemented, and an implementation that lacks IPsec nonetheless claims to meet the requirements of the RFCs, that claim is false. How a customer chooses to deal with a vendor who makes false claims is up to the customer. I would not foresee a requirement for RDDP to check for IPsec support. > Secondly, we need to recognize that authentication and > privacy can be fully achieved in many IP networks without > any support for IPsec in the host through physical security, > managed switches and in-network IPsec devices. In fact there > are strong arguments why network implemented security is > superior to host implemented security. > > Further, many RDDP deployments will be in precisely these > sort of controlled environments. That is why an IPsec requirement would be "MUST implement" not "MUST use" - so that IPsec would be available outside such controlled environments without its usage being mandated in such controlled environments. > Lastly, requiring RDDP vendors to implement IPsec will > in merely force mediocre implementations to be integrated > and pre-empt the use of superior IPsec implemetnations that > are not integrated. I'll take not of your view that mediocre IPsec implementations will result from an IPsec implementation requirement, but I don't understand your "pre-empt" point, unless you were mistakenly assuming a "MUST use" requirement for IPsec. Thanks, --David > -----Original Message----- > From: Caitlin Bestler [mailto:cait@asomi.com] > Sent: Sunday, May 09, 2004 4:08 AM > To: Black_David@emc.com > Cc: cait@asomi.com; rddp@ietf.org > Subject: RE: [rddp] Security draft issue (4) - IPsec > > > > Black_David@emc.com said: > > Caitlin, > > > >> Until IPsec is mandatory-to-implement for IP hosts I see no > >> justification for making it mandatory for RDDP endpoints. And > >> of course if it were mandatory-to-implement for IP Hosts, RDDP > >> would not have to implement it. > > > > IPsec is mandatory-to-implement for IPv6 hosts, FWIW. The IESG > > will not approve standards-track RFCs that lack mandatory-to- > > implement security measures, although it's possible to reference > > measures that already exist elsewhere in the environment. > > > > If RDDP introduced no new risks above and beyond TCP or SCTP > > over IPv4, then falling back to the security requirements of > > those underlying protocols might be acceptable - I don't > > believe this to be the case, though (i.e., there are new > > RDDP-specific security risks). > > > > Thanks, > > --David > > I do not see any RDDP specific vulnerabilities that are relevant > to the use of IPsec. > > A non-RDDP application enables reception of peer messages into > application buffers. Given the nature of non-RDDP LLPs, use > of intermediate system buffering is likely. > > Once received, the Application judges the applicability of > transport layer security to its needs. It may determine that > the transport has provided sufficient authentication of the > remote peer to allow acting upon the received messages without > further validation, or it may decide to apply its own validation. > > So what changes with RDDP? > > Nothing, except that the intermediate system buffering is > far less likely. That *improves* security, not worsens it. > > Whether or not IPsec is in use, the Application already > has full control of which of its buffers are exposed, > to what extent, and for how long. Procedures to precisely > control that exposure are already documented in the security > draft and are not dependent on the use of IPsec or other > transport layer security. > > > There are also several problems with mandating IPsec > implemenetation. > > First, what is the meaning of the mandate when the RDDP > implementation is cleanly layered over the LLP (or > even when it is integrated with the LLP, but they > are cleanly layered over IP)? > > Surely we are not going to require that an RDDP implementation > refuse to use a valid TCP or IP stack because it lacks > IPsec support. > > Secondly, we need to recognize that authentication and > privacy can be fully achieved in many IP networks without > any support for IPsec in the host through physical security, > managed switches and in-network IPsec devices. In fact there > are strong arguments why network implemented security is > superior to host implemented security. > > Further, many RDDP deployments will be in precisely these > sort of controlled environments. > > Lastly, requiring RDDP vendors to implement IPsec will > in merely force mediocre implementations to be integrated > and pre-empt the use of superior IPsec implemetnations that > are not integrated. > > For all of these reasons, I strongly believe that RDDP should > remain oblivious to LLP provided security, and merely use > whatever is there. > > > > -- > Caitlin Bestler > http://asomi.com/ > _______________________________________________ rddp mailing list rddp@ietf.org https://www1.ietf.org/mailman/listinfo/rddp
- [rddp] Security draft issue (4) - IPsec Black_David
- Re: [rddp] Security draft issue (4) - IPsec Caitlin Bestler
- Re: [rddp] Security draft issue (4) - IPsec Caitlin Bestler
- RE: [rddp] Security draft issue (4) - IPsec Black_David
- RE: [rddp] Security draft issue (4) - IPsec Caitlin Bestler
- RE: [rddp] Security draft issue (4) - IPsec Caitlin Bestler
- RE: [rddp] Security draft issue (4) - IPsec Black_David
- RE: [rddp] Security draft issue (4) - IPsec Caitlin Bestler
- RE: [rddp] Security draft issue (4) - IPsec Black_David
- RE: [rddp] Security draft issue (4) - IPsec Caitlin Bestler
- RE: [rddp] Security draft issue (4) - IPsec Black_David
- RE: [rddp] Security draft issue (4) - IPsec Caitlin Bestler