Re: [saag] Security and Privacy Implications of Numeric Identifiers Employed in Network Protocols (Fwd: New Version Notification for draft-gont-predictable-numeric-ids-00.txt)
Fernando Gont <fgont@si6networks.com> Wed, 02 March 2016 07:05 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 017E21A1C04 for <saag@ietfa.amsl.com>; Tue, 1 Mar 2016 23:05:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.358
X-Spam-Level:
X-Spam-Status: No, score=-0.358 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_06_12=1.543, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5SBqcRr39Ym2 for <saag@ietfa.amsl.com>; Tue, 1 Mar 2016 23:05:24 -0800 (PST)
Received: from fgont.go6lab.si (fgont.go6lab.si [IPv6:2001:67c:27e4::14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CEEA1A1EB7 for <saag@ietf.org>; Tue, 1 Mar 2016 23:05:24 -0800 (PST)
Received: from [192.168.3.107] (unknown [181.165.125.191]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 7AD6080D93; Wed, 2 Mar 2016 08:05:20 +0100 (CET)
To: Joseph Lorenzo Hall <joe@cdt.org>
References: <20160204162945.16956.31282.idtracker@ietfa.amsl.com> <56B38293.6000800@si6networks.com> <CABtrr-Xdah3ugx1QA9OYPDScEAswZ2kKLRnf1e4+RiT3rJMMfw@mail.gmail.com>
From: Fernando Gont <fgont@si6networks.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <56D62BC7.50003@si6networks.com>
Date: Tue, 01 Mar 2016 20:54:47 -0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <CABtrr-Xdah3ugx1QA9OYPDScEAswZ2kKLRnf1e4+RiT3rJMMfw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/blCrERawWXGkqLZ-8WIo_K2dlW0>
Cc: privsec-program@iab.org, Greg Norcie <norcie@cdt.org>, "saag@ietf.org" <saag@ietf.org>, Iván Arce <iarce@fundacionsadosky.org.ar>
Subject: Re: [saag] Security and Privacy Implications of Numeric Identifiers Employed in Network Protocols (Fwd: New Version Notification for draft-gont-predictable-numeric-ids-00.txt)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Mar 2016 07:05:26 -0000
Hi, Joseph! Thanks so much for your feedback! -- Please find my comments in-line.... On 03/01/2016 12:20 PM, Joseph Lorenzo Hall wrote: > Hi, here are some comments from our -- CDT's Joe Hall and Greg Norcie > -- review of this document: > > * General: thanks for taking this on, it's a great resource and > needed, in our opinion. > > * Do you have thoughts where you might go with this next? It seems > like a BCP for "Guidelines on the use of identifiers in protocols" > could be a very good thing. I know the IAB would be engaged as would > folks on this list in ensuring that it resulted in good, flexible > guidance. Yes, that's the intent: a BCP of similar nature to BCP 106/RFC 4086 which should be applied everytime a new numeric identifier is specified in a new protocol. And could b applied to existing protocols were the corresponding spec still allows or suggest the use of numeric identifiers that have negative security/privacy implications. > * There are a number of places in the ID where you state some > assumptions about what the attacker can and cannot know. Maybe I > missed this but are you adopting a specific threat model/attacker > model from another RFC or publication? If so, it would be good to > point to it (I may have missed this). If not, it would be good to add > a paragraph that states you're considering a network attacker with no > local physical or logical access to the device, etc. Yep, we assume that in many places. Will clarify this. > * I was expecting to see at some point a list of common > vulnerabilities or bad design patterns with unique identifiers. E.g., > "predictable identifiers", "predictable offsets in identifier > sequences", This is discussed throughout the document for each algorithm that results in predictable identifiers. For example, Section 7.4.1 (page 15), states: If a global counter is used (such as "next_id" in the example above), a node that learns one protocol identifier can also learn or guess values employed by past and future protocol instances. On the other hand, when the value of increments is known (such as "1" in this case), an attacker can sample two values, and learn the number of identifiers that were generated in-between. The consequences of an attacker learning "values employed by past and future protocol instances" or "the number of identifiers that were generated in-between" varies from one protocol to another. e.g., in the case of TCP ephemeral ports, predicting ephemeral ports would be of help for the attacker to perform e.g. TCP reset attacks, whereas "learning the number of ephemeral pots generated between two outgoing connections" would be an information leakage about the number of outgoing connections established by the victim (which might be of use in certain scenarios). OTOH, Sections 4.1 and 4.2 illustrate how predictable numeric IDs were found to be useful for performing different kinds of attacks. mmm.. were you expecting, in all of the sections that discuss specific algorithms, references/links to how such vulnerable algorithms result in specific vulnerabilities when applied to different protocols? (i.e., kind of a cross-reference), or something else? > "embedding IDs from one context into another" (see: > https://tools.ietf.org/html/draft-huitema-dhc-anonymity-profile ). We didn't cover "embedding IDs from one context into another". In principle, you just shouldn't do this, since this is kind of what we refer to as "Protocol specifications that over-specify their identifiers", in the sense that, when you employ a numeric identifier in a different context, you're implicitly enforcing requirements that you usually don't really need in the new context. -- e.g., using a MAC address to generate a DHCP DUID leaks information that you don't eally need to leak for complying with the corresponding *interoperability* requirements (uniqueness). > I'm > not sure if section 8 lists vulnerabilities or something else (or if > what I'm thinking of are not vulnerabilities). For example, where does > the reuse of an identifier -- like that described across layers in > draft-huitema-dhc-anonymity-profile -- fit in your scheme? As noted above, this one is not explicitly noted -- maybe we could say what I mentioned above ("this results in over-specification of the numeric id") in Section 3 of the document? > * typos: [....] We will fix all of these typos in the next rev of the document (that we plan to submit before the cutoff). Thanks so much! Best regards, -- Fernando Gont SI6 Networks e-mail: fgont@si6networks.com PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- [saag] Security and Privacy Implications of Numer… Fernando Gont
- Re: [saag] Security and Privacy Implications of N… Joseph Lorenzo Hall
- Re: [saag] Security and Privacy Implications of N… Fernando Gont
- Re: [saag] Security and Privacy Implications of N… Joseph Lorenzo Hall
- Re: [saag] Security and Privacy Implications of N… Fernando Gont