IETF Logo Mail Archive

Re: [RPSEC] Topic 1: Section 3.1 Threat Sources

Yi Yang <yiya@cisco.com> Fri, 14 March 2003 21:40 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA15479 for <rpsec-archive@odin.ietf.org>; Fri, 14 Mar 2003 16:40:16 -0500 (EST)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h2ELtMu12932 for rpsec-archive@odin.ietf.org; Fri, 14 Mar 2003 16:55:22 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h2ELtMO12929 for <rpsec-web-archive@optimus.ietf.org>; Fri, 14 Mar 2003 16:55:22 -0500
Received: from www1.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA15442 for <rpsec-web-archive@ietf.org>; Fri, 14 Mar 2003 16:39:44 -0500 (EST)
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h2ELsTO12812; Fri, 14 Mar 2003 16:54:29 -0500
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h2ELrvO12766 for <rpsec@optimus.ietf.org>; Fri, 14 Mar 2003 16:53:57 -0500
Received: from sj-core-5.cisco.com (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA15395 for <rpsec@ietf.org>; Fri, 14 Mar 2003 16:38:20 -0500 (EST)
Received: from yiya-u10.cisco.com (yiya-u10.cisco.com [64.102.48.79]) by sj-core-5.cisco.com (8.12.6/8.12.6) with ESMTP id h2ELeShs005394; Fri, 14 Mar 2003 13:40:29 -0800 (PST)
Received: from localhost (yiya@localhost) by yiya-u10.cisco.com (8.8.8-Cisco List Logging/CISCO.WS.1.2) with ESMTP id QAA02492; Fri, 14 Mar 2003 16:40:28 -0500 (EST)
X-Authentication-Warning: yiya-u10.cisco.com: yiya owned process doing -bs
Date: Fri, 14 Mar 2003 16:40:28 -0500
From: Yi Yang <yiya@cisco.com>
To: sandy@tislabs.com
cc: rpsec@ietf.org
Subject: Re: [RPSEC] Topic 1: Section 3.1 Threat Sources
In-Reply-To: <200303112234.h2BMYTK26435@raven.gw.tislabs.com>
Message-ID: <Pine.GSO.4.44.0303141616110.1700-100000@yiya-u10.cisco.com>
References: <200303112234.h2BMYTK26435@raven.gw.tislabs.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: rpsec-admin@ietf.org
Errors-To: rpsec-admin@ietf.org
X-BeenThere: rpsec@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=unsubscribe>
List-Id: Routing Protocol Security Requirements <rpsec.ietf.org>
List-Post: <mailto:rpsec@ietf.org>
List-Help: <mailto:rpsec-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/rpsec>, <mailto:rpsec-request@ietf.org?subject=subscribe>

Sandy,

> (2.a) That doesn't apply to some (many?) protocols.
>
> For some protocols, there is no sense of an authorized peer.  For
> OSPF (that is, before the MD5 part got added), OSPF speaks to all
> routers on the local link that answer to the AllSPFRouters multicast
> address.  MANET protocols frequently speak over the broadcast link
> (as mentioned earlier in the draft).  And so forth.

You are right. IMHO, however, this is because in most IGPs, authentication
(such as MD5) is used a mechanism of authorization, instead of
identication. And current implementations just don't care the
identification in most cases.

But in the future, we might also want to care about the identification as
well.

> (2.c) It's misleading, security wise.
>
> When I saw this in the draft, I got to thinking about what makes a
> threat source distinct.  A threat source should be considered
> separately if it has a capability that gives it extra power, if it can
> launch attacks that others cannot, or if there are security
> defenses that work against it and not against others.  Now an
> unauthorized router has the same capabilities and can perform the same
> attacks as a masquerader, but it can be eliminated by doing pure
> address based filtering of some sort where masqueraders cannot.
>
> By that criterion, the unauthorized router is a separate threat source
> only if one considers pure address based filtering as a "security
> defense".
>
> I don't.  In a big way, I don't.  To call such an easily circumvented
> mechanism a security defense makes me extremely uneasy.
>
> I was emboldened to speak up about this by reading the IAS security
> mechanisms draft draft-iab-secmech-02.txt that came out a few weeks
> ago.  Bellovin, Kaufman and Schiller list address-based authentication
> as an "Insecurity Mechanism", along with plaintext passwords (emphasis
> on the "In").  To quote, "Some common security mechanisms are part of
> the problem rather than part of the solution."
>
> I think if we left unauthorized routers as a distinct threat source,
> we'd see claims like ".. and our ACME router's address filtering
> eliminates unauthorized routers, recognized by the IETF as one of the
> biggest threats to routing.."

I agree w/ you using a pure address filtering mechanism is insecure. But I
don't think it is the only mechanism to seperate masqueraders from the
unauthorized. For example, digital signature can be used for
identification while MD5 can be used for authorization.

Yi

_______________________________________________
RPSEC mailing list
RPSEC@ietf.org
https://www1.ietf.org/mailman/listinfo/rpsec

v2.23.0 | Report a Bug | By Email