Re: [savi] Status of draft-ietf-savi-threat-scope
Jean-Michel Combes <jeanmichel.combes@gmail.com> Mon, 20 June 2011 15:26 UTC
Return-Path: <jeanmichel.combes@gmail.com>
X-Original-To: savi@ietfa.amsl.com
Delivered-To: savi@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE03D9E800D for <savi@ietfa.amsl.com>; Mon, 20 Jun 2011 08:26:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.461
X-Spam-Level:
X-Spam-Status: No, score=-103.461 tagged_above=-999 required=5 tests=[AWL=0.138, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0mr5GruFCZmL for <savi@ietfa.amsl.com>; Mon, 20 Jun 2011 08:26:07 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by ietfa.amsl.com (Postfix) with ESMTP id EA4AB9E802D for <savi@ietf.org>; Mon, 20 Jun 2011 08:25:51 -0700 (PDT)
Received: by gya6 with SMTP id 6so1120093gya.31 for <savi@ietf.org>; Mon, 20 Jun 2011 08:25:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=i6LUWjqf2tJ3MSYAfw3XT8P4+xCyuG4d7MCW/SphpZA=; b=VpB6JJR2rMC6nTbCVj1sw/BvV4A949aDVXLXHm3H1FZMg05huw8jkhfEDEw+oLfT4d zPuBWqAxupGWwZVbRZdxl2URRM8E/Ydl8LFCTytflfmAbzAyyYlAP6vCZMMPb9Tox7oX sC2UlmNdzfvBQfdP+qZk7rVe6bQ+Rnscs4s9w=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; b=ejwYeUYpXZpFyjGkubI69KwwALVsa+96QeMfFGsk3dhbxjuOzz7IDJij2LmqElhrI7 nuSTqXzRrr39DvaTLzwcAlZkJoIo4KobPT2C3pxFXMh/PW0B4p/2195PvMGrdDYjPZq0 BFDKNMkVJGuFXPzrBkb4UBgf5yiTcIEWxrtUo=
MIME-Version: 1.0
Received: by 10.151.92.2 with SMTP id u2mr6219272ybl.209.1308583551152; Mon, 20 Jun 2011 08:25:51 -0700 (PDT)
Received: by 10.147.83.20 with HTTP; Mon, 20 Jun 2011 08:25:50 -0700 (PDT)
In-Reply-To: <4DFA7585.4060406@cs.tcd.ie>
References: <20110526184749.21820.68101.idtracker@ietfa.amsl.com> <4DE34147.8070103@piuha.net> <4DE3A604.8080807@joelhalpern.com> <BANLkTiky5iejz2gnL=tgt4u+-52OZ-pQJA@mail.gmail.com> <4DFA7585.4060406@cs.tcd.ie>
Date: Mon, 20 Jun 2011 17:25:50 +0200
Message-ID: <BANLkTing6OAcmmY_W2UuEnb6S8rsrysSUw@mail.gmail.com>
From: Jean-Michel Combes <jeanmichel.combes@gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: SAVI Mailing List <savi@ietf.org>, draft-ietf-savi-threat-scope@tools.ietf.org
Subject: Re: [savi] Status of draft-ietf-savi-threat-scope
X-BeenThere: savi@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <savi.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/savi>, <mailto:savi-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/savi>
List-Post: <mailto:savi@ietf.org>
List-Help: <mailto:savi-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/savi>, <mailto:savi-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jun 2011 15:26:10 -0000
Hi Stephen, 2011/6/16 Stephen Farrell <stephen.farrell@cs.tcd.ie>: > > Hi Jean-Michel, > > Let's see if we can figure the other tricky bit of my discuss > as quickly as the other! OK. > > Although I raised the same issue in my discuss on FCFS, I > think dealing with it on this document is better since I reckon > the same thing is likely to occur with all SAVI docs, so if > we can figure it out independent of FCFS that should be better. Agree. > > So this is about logging. To be clear - I have no problem if > SAVI mechanisms log some information when a spoofing event of > some sort has been prevented/detected, my problem lies in > SAVI logging binding anchor information for the 90-something > percent of cases where there is no spoofing at all. > > I do not think that such ubiquitous logging is in scope > of the WG charter which states that SAVI is about preventing > spoofing and that "Tracking other protocols is not within > the scope of the WG." > > Separately, there is rfc 2804. As far as I know that is the > most relevant IETF consensus position here. And that was > arrived at after an extended and wide ranging debate (one > of the IETF's finer moments IMO, but that's beside the > point). > > Of course that wasn't precisely addressing the same issue, > but I think its close enough. Given the various combinations > of privacy and data retention laws in various jurisdictions, > and the fact that ubiquitous logging would put SAVI into > the ballpark of wiretapping functionality, it seems to me > that the same conclusion should apply when considering whether > SAVI mechanisms ought to log information for every binding > anchor. > > I'm not sure whether or not WG participants considered this > in relation to the logging issue or not. > > I would also suspect that achieving a freshly minted IETF > consensus on this particular point might be as time > consuming as the raven process. (Might not be a bad thing > though to get an IETF consensus on that if we really > needed to do it.) > > So I think that given that the charter and rfc 2804 have > IETF consensus that would trump even a quite strong WG > consensus on this topic. Hence my discuss. > What can be done in the different SAVI documents, is to restrict logging only when an incident has been detected (i.e. use of an IP address not allowed on a binding anchor). Would it be fine for you? > (As an aside, if some spoofing can still occur for any > combination of SAVI mechanisms such ubiquitous logging makes > me even more nervous - that'd be like a wiretap technology > that sometimes records the wrong call or something.) > > A few more minor points below. > > On 08/06/11 19:21, Jean-Michel Combes wrote: >> Hi, >> >> 2011/5/30 Joel M. Halpern <jmh@joelhalpern.com>: >> >> [snip] >> >>> >>> 2) As you have been copied on, Stephen and I have been discussing the >>> question of the references to logging, and the fact that it is likely to be >>> used, and its utility is strengthened by the use of SAVI. This has been >>> assumed to be significant by the working group. The charter however agrees >>> with Stephen. Before I can make a change of that scope, it needs WG >>> concurrence, as judged by the chair. >> >> (1) From a previous discussion on the ML (cf. >> http://www.ietf.org/mail-archive/web/savi/current/msg01573.html), it >> seems that logging is something expected by people wanting to deploy >> SAVI, what I must admit I understand when we know that most of the >> security tools have such a feature. > > So that's a thread with Joel, you and another person contributing. > Joel now seems to agree that logging like this is problematic > given the WG charter and you're calling the consensus, so I guess > that's not quite an overwhelmingly strong WG consensus:-) > No one did object granted, and there may be a lot of silent > agreement, but I'm just going on the archive. > Yes, this was a silent agreement. >> (2) From the Threats document: "A second class of benefit is related >> to the traceability described above. When a security incident is >> detected, either within a site, or externally (and traced to the site) >> it can be critical to determine what the actual source of the incident >> was.". This is the only occurrence I saw about a trigger that should >> initiate a logging. > > Traceability implies a lot to me. It has serious privacy consequences. > See above. > >> (3) From BCP 38: "Network administrators should log information on >> packets which are dropped. This then provides a basis for monitoring >> any suspicious activity.". So, IMHO, the Threats document only >> provides the same type of advice. > > If SAVI only mandates logging related to spoofs then that'd be > ok and consistent with BCP38. Are you arguing that logging everything > is what BCP 38 calls for? > No no: from my point of view, BCP 38 only recommends to log when incidents occur. Cheers. JMC. >> >> So, regarding the Threats documents, I must admit I don't see what is the issue. >> >>> >>> It is the chair's task, as shepherd, to take these questions to the WG. I >>> will try to get the other comments dealt with. >> >> During the discussion on the ML about this topic there was no concern >> about logging references, so, from my point of view, there is already >> a WG consensus. > > But not, I think, IETF consensus. > > Cheers, > S. > >> >> Best regards. >> >> JMC. >> >>> >>> I am not sure whether Ralph's request for "more details" is arelaly a >>> discuss, or a suggestion to ask him for and consider more text. I am >>> certainly willing to talk with him about it. But I would need to temper any >>> such evaluation with the fact that folks asked us to CUT substantial >>> portions of text in the last review. >>> I have held off on that discussion because I wanted resolution on the other >>> issues. I will contact Ralph this week. It was only on Sunday that I >>> reached an understanding of what Stephen was asking for in point 2 above. >>> >>> Yours, >>> Joel >>> >>> On 5/30/2011 3:03 AM, Jari Arkko wrote: >>>> >>>> This draft was in IESG review last week. Please see below for the >>>> comments that were raised. I would like the authors to correct these >>>> issues and/or respond to the Discuss holders, as appropriate. There are >>>> many detailed things, but the key takeaways that I took from my IESG >>>> colleagues were the following: >>>> >>>> * Changes agreed after Gen-ART discussion need to be incorporated in a >>>> new version of the document (Russ' Discuss) >>>> >>>> * Many of the issues around precise definitions and additional >>>> information brought up by Ralph's Discuss seemed correct. Please ensure >>>> that you adopt these in a new version as well. >>>> >>>> * I think you need to fix many of the details pointed to in Stephen's >>>> Discuss, and explain that this document is not the one that will >>>> describe what the residual threats are after SAVI is implemented. (That >>>> would be the job of the individual SAVI mechanism documents). >>>> >>>> Jari >>>> >>>>> >>>>> Dan Romascanu >>>>> >>>>> *Comment (2011-05-25)* >>>>> >>>>> I find the document comprehensive but I share DBH's observation that >>>>> it's a >>>>> little too verbose and could use some fixes in the details. >>>>> >>>>> Beyond what he found I have a few more observations. None is critical >>>>> for this >>>>> informational document, but cleaning up all these text unclarities in >>>>> a new >>>>> version would be recommended; >>>>> >>>>> 1. In the Glossary section >>>>> >>>>> NNI Router: Network to Network Interface Router. This router >>>>> interface faces a similar system operated by another ISP or other >>>>> large network. >>>>> >>>>> I think that the definition should read something like 'A router with >>>>> interfaces >>>>> facing a similar system ...' >>>>> >>>>> 2. Section 4.2.3.3 >>>>> >>>>> IEEE 802.1x is an authentication protocol that permits a network to >>>>> determine the identity of a system seeking to join it and apply >>>>> authorization rules to permit or deny the action. In and of >>>>> themselves, such tools confirm only that the user is authorized to >>>>> use the network, but do not enforce what IP address the user is >>>>> allowed to use. It is worth noting that elements of 802.1x may well >>>>> be useful as binding anchors for SAVI solutions. >>>>> >>>>> This is quite confusing. IEEE 802.1X is a port (in the sense of bridge >>>>> or layer >>>>> 2 switch) access control standard that controls the joining of devices >>>>> to a >>>>> layer 2 bridged network. The term 'tools' is not in place and there is >>>>> nothing >>>>> about the 'user' in the protocol itself but about the device - the >>>>> standard uses >>>>> the term 'supplicant' which is rather the device or the piece of software >>>>> running on the device that presents credentials to an authenticator. >>>>> >>>>> 3. In section 5.2 'hosts connected to switch ports that may have one >>>>> or more IP >>>>> addresses' is probably rather 'hosts that may have one or more IP >>>>> addresses >>>>> connected to (layer 2) switch ports' >>>>> >>>>> >>>>> David Harrington >>>>> >>>>> *Comment (2011-05-23)* >>>>> >>>>> I found this document to be very informative about the problem space. >>>>> I think >>>>> this document could have been far more effective if the text didn't >>>>> meander >>>>> around the points it was trying to make; it could habve been far more >>>>> succinct. >>>>> Here are some suggestions that I think could improve the document. >>>>> >>>>> 1) I find the following ambiguous, "the operational staff needs to be >>>>> able to >>>>> track from the IP address sourcing the attack to the particular >>>>> machine within >>>>> the enterprise that is the source. " I think the intention is that >>>>> "the IP >>>>> address sourcing the attack" means the spoofed address, and "that is >>>>> the source" >>>>> means the actual sending machine, but I'm not sure. This can be read >>>>> as "the >>>>> staff needs to track from the source to the source." >>>>> 2) This sentence doesn't >>>>> parse properly, "This both that the information be useable ..." I >>>>> think the >>>>> sentence is missing "means" or "requires" or something. >>>>> 3) The glossary should >>>>> include references to the defining documents. >>>>> 4) "or order to disrupt" -> "in >>>>> order to disrupt" >>>>> 5) 3.1.3 doesn't describe what a poison attack is. It also >>>>> refers to "the same kinds of poisonings as above", but above never >>>>> spoke of >>>>> poisoning attacks. >>>>> 6) the following seems a bit perverted logic - a malware >>>>> attack is important because it is a justification for SAVI? >>>>> "This attack is >>>>> important both in terms of an attack vector that SAVI may help >>>>> prevent, and also >>>>> as a problem which SAVI can help track back to find infected systems. " >>>>> Shouldn't you be arguing that savi is important for preventing these >>>>> types of >>>>> attacks? 7) section 3.2.2 "Another example of sighted attack" - this >>>>> is the >>>>> first mention of "sighted attack". Please use consistent terminology. >>>>> 8) in >>>>> section 3.2.2, "The use of spoofed addresses, while not necessary for >>>>> this, can >>>>> often provide additional information, and helps mask the traceability >>>>> of the >>>>> activity." would seem to be the conclusion of the paragraph, but this >>>>> precedes >>>>> the discussion of what the attack is. >>>>> 9) in scetion 4, "the first requirement" >>>>> isn't followed by any further requirements. and is this section going to >>>>> describe the requirements or the solutions? >>>>> 10) "The IP source address is >>>>> appropriate for the lower layer address (they both identify the same >>>>> system)". >>>>> I find "is appropriate" too ambiguous, although the following >>>>> parethetical text >>>>> explains it. I suggest this would be better written as "the IP source >>>>> address >>>>> and the lower layer address both identify the same system." >>>>> 11) "The IP source >>>>> address is appropriate for the device at the layer 2 switch port" I >>>>> find "is >>>>> appropriate" too ambiguous. " (the address was assigned to a, and >>>>> perhaps the, >>>>> system that uses that port) " doesn't parse appropriately. I think >>>>> this bullet >>>>> needs a better description. >>>>> 12) section 4.1.1 "Port identification prevents >>>>> transmission of malicious datagrams" Is thistrue? or is port >>>>> identification one >>>>> method that can be used to help prevent transmission? 13) 4.1.3 "An >>>>> obvious >>>>> special case of the discussion is with an ISP PE router, " - what >>>>> discussion? >>>>> This section seems based on speculation about possible solutions, >>>>> including >>>>> contract negotiations. I think this would be much better if it >>>>> actually focused >>>>> on technical solutions for validating addresses for ISP edge routers. >>>>> 14) 4.1.4 >>>>> again discusses business agreements between two conpanies. Please >>>>> focus on >>>>> ***technical*** solutions at this topological location. >>>>> 15) 4.1.4 "However, when >>>>> it can be shown that spoofed addresses are present, the procedure can be >>>>> applied. " what procedure? >>>>> 16) 4.2.5 is entitled residual attacks, but there is >>>>> no discussion of residual attacks in the paragraph. The hand-waving >>>>> contained in >>>>> the paragraph doesn't seem worth documenting. >>>>> 17) why is 4.2.5, "residual >>>>> attacks", included in section 4 "Current anti-spoofing solutions"? >>>>> 18) 5.2.6 >>>>> what does "proper member" mean? where is this defined? >>>>> 19) 5.2.7 - doesn't this >>>>> sum up the whole section 5? since it includes anything not covered in >>>>> 5.1 or >>>>> 5.2, shouldn't this be 5.3? >>>>> 20) is 5.3 about topological challenges? it seems to >>>>> meander on about additioonal capabilites, rather than discussing the >>>>> topological >>>>> challenge to SAVI. >>>>> >>>>> >>>>> Peter Saint-Andre >>>>> >>>>> *Comment (2011-05-23)* >>>>> >>>>> Please expand "DoS" on first use and add an informational reference to >>>>> RFC 4732. >>>>> >>>>> >>>>> Russ Housley >>>>> >>>>> *Discuss (2011-05-24)* >>>>> >>>>> The Gen-ART Review by David Black on 12-May-2011 lead to a discussion >>>>> with one of the authors. At the end of the discussion, several >>>>> changes to the document were agreed. However, those changes have >>>>> not been made. >>>>> >>>>> >>>>> Stewart Bryant >>>>> >>>>> *Comment (2011-05-23)* >>>>> >>>>> A useful document which I enjoyed reading >>>>> >>>>> >>>>> Wesley Eddy >>>>> >>>>> *Comment (2011-05-24)* >>>>> >>>>> The document looks good, I just have a few comments that the authors >>>>> might think >>>>> about: >>>>> >>>>> Section 3.1.7 is titled "other blind spoofing attacks" but talks about >>>>> non-blind >>>>> attacks just as much. The example given of a host on-link with routers >>>>> is non- >>>>> blind, for instance. However, seciton 3.2 is where non-blind attacks are >>>>> supposed to be discussed, so this part of 3.1.7 seems rather odd. >>>>> >>>>> >>>>> Why isn't the relationship to SeND discussed in this document? >>>>> >>>>> >>>>> VPN gateways have similar considerations as the Mobile IP HA in >>>>> sectino 5.2.6, >>>>> but VPN gateways don't appear to be discussed in 5.2. >>>>> >>>>> >>>>> Ralph Droms >>>>> >>>>> *Discuss (2011-05-25)* >>>>> >>>>> I will raise a meta-discussion issue before listing several specific >>>>> Discuss points. This issue may be just the suppressed pedantic >>>>> ex-professor side of my personality expressing itself. My issue is >>>>> that the contents of this document are useful and not incorrect. >>>>> However, in my opinion the document would be more useful, especially >>>>> to someone who reads this document without a lot of background in the >>>>> type of threats described, with some additional detail. I could be >>>>> persuaded that I am being overly pedantic, in which case I will clear >>>>> my Discuss and move my points to Comments. I will be happy to send >>>>> text if the authors would find it helpful. >>>>> >>>>> 1. In section 1: >>>>> >>>>> At the IP Network Layer, or Internet Layer, there is typically no >>>>> required transactional state when communicating with other hosts on >>>>> the network. Hosts generating packets for transmission have the >>>>> opportunity to spoof (forge) the source address of packets which they >>>>> transmit. >>>>> >>>>> I think this paragraph needs more detail to connect the first sentence >>>>> with the last sentence. >>>>> >>>>> 2. Next paragraph: >>>>> >>>>> Source address verification is necessary in order to detect and >>>>> reject spoofed packets and contribute to the overall security of IP >>>>> networks. In particular, source address verification techniques >>>>> enable detection and rejection of spoofed packets, and also >>>>> implicitly provide some assurances that the source address in an IP >>>>> packet is legitimately assigned to the system that generated the >>>>> packet. >>>>> >>>>> "Source address verification" can be used or is necessary? You >>>>> haven't told us what source address verification is, yet. The second >>>>> sentence in this paragraph doesn't seem to add any new information. >>>>> What would be more helpful would be a sentence or two foreshadowing >>>>> the details in section 3. Why are packets with spoofed addresses >>>>> dangerous? >>>>> >>>>> 3. The attacks in section 3 fall, roughly, into two buckets: those that >>>>> require spoofed source addresses and those that can use spoofed >>>>> addresses to obfuscate the source of the attack. SAVI can eliminate >>>>> the former but only deter, through threat of discovering the >>>>> perpetrator, the latter. The difference is important to someone using >>>>> this document to learn about how SAVI contributes to security in a >>>>> network. Otherwise, a network administrator might expect to eliminate >>>>> all of the listed attacks with SAVI. >>>>> >>>>> An improvement would be to explain the two types of attacks and >>>>> indicate the type of the attacks in section 3. >>>>> >>>>> 4. I found the second sentence of the first paragraph of section 4 >>>>> very hard to parse and not entirely consistent with the title of the >>>>> section. While most of the solutions in section 4 have to do with the >>>>> network topology, the first bullet: >>>>> >>>>> o The IP source address is appropriate for the lower layer address >>>>> (they both identify the same system) >>>>> >>>>> has nothing to do with network topology. >>>>> >>>>> The second bullet: >>>>> >>>>> o The IP source address is appropriate for the device at the layer 2 >>>>> switch port (the address was assigned to a, and perhaps the, >>>>> system that uses that port) >>>>> >>>>> does use network topology, but seems specific to wired networks; in >>>>> fact, later in section 4, wireless networks are mentioned as using >>>>> different techniques. Might be better to write: >>>>> >>>>> o The IP source address is explicitly identified as appropriate >>>>> for the physical topology; for example, the source address >>>>> is appropriate for the layer 2 switch port through which the >>>>> datagram was received >>>>> >>>>> 5. Section 4.1.1 changes in mid-section from checking the IP address >>>>> against the Link Layer address to checking the IP address against the >>>>> physical attachment point. Is Link Layer address checking ever >>>>> implemented on switches or is it always IP address checking versus the >>>>> physical attachment point? >>>>> 6. I suggest augmenting section 4.1.3 with a mention of IPv6 prefix >>>>> checking, where the PE can be populated with the customer prefix >>>>> through monitoring DHCPv6 prefix delegation. >>>>> >>>>> Also, the enterprise case can be augmented with prefix filtering based >>>>> on the prefixes known by the ISP to be assigned to the customer. >>>>> >>>>> 7. Sections 4.1.5 either needs more detail or pointers to references >>>>> where more detail is available. In its current form, it has little >>>>> or no content. The interesting parts of DOCSIS are the authentication >>>>> and trust model, in which the ISP can control and trust the cable >>>>> modem. >>>>> >>>>> 8. Section 4.1.6 has more detail than section 4.1.5, but assumes some >>>>> experience with DSL deployments and architectures. Both of these >>>>> sections would benefit from some explanation of the accountability >>>>> model in which packets can be traced to an accountable entity, >>>>> regardless of the specific address or prefix in the source address of >>>>> a packet. >>>>> >>>>> 9. Section 4.2.3.2 might benefit from just a little more detail, or a >>>>> pointer to more detail: >>>>> >>>>> switch uses IP address to port binding >>>>> switch enforces restrictions that DHCP server traffic is only >>>>> accepted from "upstream" >>>>> switch monitors DHCP traffic to glean address-port bindings >>>>> >>>>> This technique works for both IPv4 and IPv6. >>>>> >>>>> And, the discussion of SLAAC brings up the issue of authenticated SAVI >>>>> versus "ad hoc" SAVI. In the case of DHCP based SAVI, the switch can >>>>> have authoritative information about the address/port binding, because >>>>> it came from a reliable source (DHCP server). SLAAC-based SAVI can >>>>> only identify claimed addresses, where the hose may not be authorized >>>>> to use the claimed address. >>>>> >>>>> 10. Are the techniques mentioned in 4.2.4 really SAVI? >>>>> >>>>> 11. What is a "residual attack" and how does the text in section 4.2.5 >>>>> describe a residual attack? >>>>> >>>>> *Comment (2011-05-25)* >>>>> >>>>> 1. Add DoS (yeah, I know DoS is pretty widely used already), "binding >>>>> anchor" (and use "binding anchor" through the document), MITM, LAND, >>>>> smurf attack, uRPF to section 2. Some of these also have first-use >>>>> expansion, which might be OK ... this suggestion is just a Comment. >>>>> >>>>> 2. Suggestion: it would be more useful to incorporate any issues >>>>> specific to IPv6 in the body of the document. >>>>> >>>>> 3. First sentence of section 4: >>>>> >>>>> The first requirement is to eliminate datagrams with spoofed IP >>>>> addresses from the Internet. >>>>> >>>>> First requirement for what? I thought this document was exactly about >>>>> "eliminat[ing] datagrams with spoofed IP addresses from the Internet." >>>>> I suggest dropping the sentence. >>>>> >>>>> 4. At the end of section 4, the bullet list calls out "enterprise CPE >>>>> Router" explicitly. Aren't residential CPE routers also a big >>>>> opportunity? How are they different from enterprise CPE routers. In >>>>> fact, perhaps "CPE" is not the best term? How about "Enterprise edge >>>>> router" and add "subscriber home router"? >>>>> >>>>> 5. At the end of section 1, have the strength of your convictions: >>>>> >>>>> This document provides [...], and discusses [...]. >>>>> >>>>> 6. For consistency, in sections 3.2.1 and 4.1.1 >>>>> s/MAC address/Layer 2 address/ >>>>> 7. Is "source address verification" equivalent to "Source Address >>>>> Validation Improvement (SAVI)"? If so, for consistency use one phrase >>>>> or acronym throughout. >>>>> >>>>> >>>>> Stephen Farrell >>>>> >>>>> *Discuss (2011-05-26)* >>>>> >>>>> (1) What's the difference between "validation" (abstract) and >>>>> "verification" (overview, 3rd para) as used here? If there is >>>>> none, then just use one. If this is a difference, then where are >>>>> these defined? I think in either case, some definition is needed. >>>>> >>>>> (2) I expected this document to also analyse source-address >>>>> spoofing threats after SAVI mechanisms are deployed. If some simple >>>>> form(s) of source address spoofing will work regardless of which >>>>> SAVI mechanism(s) are in place then one would have to wonder if >>>>> SAVI is worth deploying or not. If this is not the right document >>>>> to cover that then what is? The fact that the SAVI mechanisms will >>>>> each be in separate documents would seem to mean that this question >>>>> won't otherwise be answered by the WG, and I think we do need an >>>>> answer somewhere. (The security considerations of the SAVI >>>>> framework is currently one paragraph so that's not the place, at >>>>> least not now.) Its probably worth noting that this issue is behind >>>>> a number of cases below where I ask for evidence to justify what >>>>> appear to be overly broad claims made. >>>>> >>>>> (3) What is the evidence that "Source address verification is >>>>> necessary in order to detect and reject spoofed packets"? I'm >>>>> asking why this is "necessary"as opposed to sufficient (if it is >>>>> sufficient - see (2) above). >>>>> >>>>> (2) This presumably needs some form of qualification if not all >>>>> packets with spoofed source addresses can be spotted: "source >>>>> address verification techniques enable detection and rejection of >>>>> spoofed packets." I'm not sure if "some spoofed packets" would be a >>>>> good thing to say there but it does seem to be the case - a better >>>>> qualification (or a forward reference to where that is described) >>>>> would represent truth-in-advertising. >>>>> (3) Where in the charter is "local traceability" in scope? The >>>>> charter does say that "tracking other protocols is not in scope" so >>>>> local traceability needs to be defined as something limited >>>>> to/scoped to spoofed source addresses. >>>>> >>>>> (4) "For example, when an enterprise receives a report of an attack >>>>> originating within that enterprise, the operational staff needs to >>>>> be able to track from the IP address sourcing the attack to the >>>>> particular machine within the enterprise that is the source." I >>>>> don't think that's true in general - "needs" is wrong since there >>>>> can be other ways to find a zombie. >>>>> >>>>> (5) Spoofing is defined to cover both IP and MAC address spoofing. >>>>> SAVI does not address the latter I believe (right?). If so, then I >>>>> think you need to separate these as otherwise confusion between >>>>> them might lead to incorrect conclusions being stated. Spoofing is >>>>> also defined as "forging" but that is not defined and could be >>>>> considered to be synonymous with "spoofing" here which would make >>>>> this a circular definition. I think the definition of spoofing >>>>> needs to be more precise basically. >>>>> >>>>> (6) 3.1: " The result is that they have no access to legitimate >>>>> source and target systems." I think that's wrong - are you trying >>>>> to say that "The attacker in this case should have no legitimate >>>>> access to source and target systems." >>>>> (7) Does the ARP example in 3.2.1 really involve a spoofed IP >>>>> source? If not, then you should note that its not in scope for >>>>> SAVI. If it is, then say why its in scope. >>>>> >>>>> (8) I'd be interested in knowing if SAVI can help with 3.2.2 - if >>>>> not then saying so would be right. If so, then saying when SAVI >>>>> might help would be good. >>>>> >>>>> (9) If "The first requirement is to eliminate datagrams with >>>>> spoofed IP addresses from the Internet." then SAVI would seem to be >>>>> facing an impossible problem. The "can eliminate such datagrams" >>>>> part also seems overstated - where's the evidence that that's true? >>>>> s/eliminate/reduce/ would seem to be more correct. >>>>> (10) Saying that "Internet devices can...confirm...that the IP >>>>> address is appropriate for the lower layer address" is not true of >>>>> all "Internet devices" only for some near the source, so that's >>>>> also overstated and needs to be qualified. (It is later to be fair >>>>> but the statement itself is wrong.) >>>>> >>>>> (11) I don't know the answer here, so this is just a question - >>>>> what is the likelihood the uRPF check works well? (I didn't find >>>>> the string uRPF in RFC 3704, so I'm not sure, but I didn't really >>>>> read 3704;-) I guess the real question is whether a failure in uRPF >>>>> might break anything for a non-spoofing host and whether a spoofing >>>>> host could make it so that uRPF checks allow the packet with a >>>>> spoofed address through (from e.g. the same subnet, or for certain >>>>> guessable source addresses). I ask (in part) since 4.2.2 says that >>>>> uRPF is a crude mechanism. >>>>> >>>>> (12) I'm not sure whether 4.1.3 and 4.1.4 are in or out of scope >>>>> for SAVI. Can you make that clear? >>>>> >>>>> (13) What does "unforgeable" mean in 4.2.3? Perhaps you need to >>>>> define that term as well? It may be that the meaning differs for >>>>> e.g. MAC addresses and other credentials (noting that passwords can >>>>> be guessed or shared of course). >>>>> (14) In 4.2.3 where is the evidence that "a large portion of the >>>>> ...threat space...can be marginalized" - I think that needs some >>>>> qualification. >>>>> >>>>> (15) 4.2.3.2 says that DHCP and sniffing "can...auotmatically >>>>> provide sufficient binding information" - is there evidence for >>>>> that somewhere? Be good to reference it. >>>>> >>>>> (16) 802.1X determines the identity of a user, not a system I >>>>> think. >>>>> >>>>> (17) I think 4.2.5 needs to better characterise the "residual >>>>> threat" (not "residual attack") - for each of the various forms of >>>>> SAVI. I had hoped this document would say what spoofing >>>>> possibilities remain. Providing just one example doesn't seem >>>>> sufficient. >>>>> >>>>> (18) Section 6 (at least) should also recognise that there are >>>>> privacy considerations that apply and that more-or-less directly >>>>> run counter to the ability to trace the source of problems. >>>>> >>>>> (19) Section 8 should note that circumstantial evidence linking a >>>>> person to an IP address can be dangerous for the person. There have >>>>> been cases where such tracking has mis-identified people >>>>> responsible for some act. (I don't have a reference to hand sorry.) >>>>> >>>>> (20) If no set of deployed SAVI instances can prevent all spoofing >>>>> from a given network then an attacker could probe the network to >>>>> find out what spoofing works from where they are at, and then use >>>>> that. Success in spoofing would then likely have more consequences >>>>> for an innocent spoofed party. This would be a new threat caused by >>>>> SAVI itself. >>>>> >>>>> (21) If binding anchors are personally identifying or stable over >>>>> time or location then recording those creates new threats for tracking >>>>> the user or host associated with the binding anchor. That needs to be >>>>> noted. >>>>> >>>>> *Comment (2011-05-26)* >>>>> >>>>> (1) 2nd para of overview says that there is "typically no required >>>>> transactional state when communicating with other hosts on the >>>>> network." I think it'd be good to say why that's the case, via a >>>>> reference to something. (Not sure what reference is best exactly.) >>>>> >>>>> (2) What is a "better Internet participant"? It sounds like a scary >>>>> thing. >>>>> >>>>> (3) s/This both that the information be useable/This requires both >>>>> that the information be useable/ >>>>> >>>>> (4) I expected to see some CVE references in section 3 but didn't >>>>> see any. I'd encourage adding some of those for each of the threats >>>>> covered since that should help motivate the work and would >>>>> demonstrate that there are real threats to mitigate. (E.g. a quick >>>>> search on "CVE spoofed source" throws up a bunch.) To take one >>>>> example, 3.1.4 could do with such a reference. >>>>> >>>>> (5) Expand "LAND" >>>>> >>>>> (6) The DNS attack described around the top of page 9 isn't >>>>> relevant to SAVI, right? Maybe the smurf attack is enough there. >>>>> >>>>> (7) Do 3.1.6 and 3.1.7 really fit in 3.1? >>>>> (8) Do *all* CMTS employ DOCSIS? 4.1.5 says that they do. >>>>> >>>>> (9) Even IPsec doesn't unquestionably verify source address if >>>>> load-balancing is in place with private key sharing. >>>> >>>> _______________________________________________ >>>> savi mailing list >>>> savi@ietf.org >>>> https://www.ietf.org/mailman/listinfo/savi >>>> >>> _______________________________________________ >>> savi mailing list >>> savi@ietf.org >>> https://www.ietf.org/mailman/listinfo/savi >>> >> _______________________________________________ >> savi mailing list >> savi@ietf.org >> https://www.ietf.org/mailman/listinfo/savi >> >
- [savi] Status of draft-ietf-savi-threat-scope Jari Arkko
- Re: [savi] Status of draft-ietf-savi-threat-scope Joel M. Halpern
- Re: [savi] Status of draft-ietf-savi-threat-scope Jari Arkko
- Re: [savi] Status of draft-ietf-savi-threat-scope Jean-Michel Combes
- Re: [savi] Status of draft-ietf-savi-threat-scope Jean-Michel Combes
- Re: [savi] Status of draft-ietf-savi-threat-scope Stephen Farrell
- Re: [savi] Status of draft-ietf-savi-threat-scope Jean-Michel Combes
- Re: [savi] Status of draft-ietf-savi-threat-scope Stephen Farrell
- Re: [savi] Status of draft-ietf-savi-threat-scope Jean-Michel Combes
- Re: [savi] Status of draft-ietf-savi-threat-scope Stephen Farrell
- Re: [savi] Status of draft-ietf-savi-threat-scope Stephen Farrell
- Re: [savi] Status of draft-ietf-savi-threat-scope Jean-Michel Combes
- Re: [savi] Status of draft-ietf-savi-threat-scope Stephen Farrell
- Re: [savi] Status of draft-ietf-savi-threat-scope Jean-Michel Combes
- Re: [savi] Status of draft-ietf-savi-threat-scope Stephen Farrell