[secdir] secdir review of draft-ietf-behave-turn-ipv6-09
Richard Barnes <rbarnes@bbn.com> Mon, 29 March 2010 21:44 UTC
Return-Path: <rbarnes@bbn.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 45A343A6998; Mon, 29 Mar 2010 14:44:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.159
X-Spam-Level: *
X-Spam-Status: No, score=1.159 tagged_above=-999 required=5 tests=[AWL=0.028, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zz0i76oX8tqz; Mon, 29 Mar 2010 14:44:58 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by core3.amsl.com (Postfix) with ESMTP id 2902C3A698E; Mon, 29 Mar 2010 14:44:58 -0700 (PDT)
Received: from [128.89.254.172] (port=51407 helo=[192.168.1.46]) by smtp.bbn.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1NwMlx-000Cft-Ho; Mon, 29 Mar 2010 17:45:26 -0400
Message-Id: <188D3671-05E9-40A2-9498-24BAE91B269E@bbn.com>
From: Richard Barnes <rbarnes@bbn.com>
To: secdir@ietf.org, iesg@ietf.org, draft-ietf-behave-turn-ipv6@tools.ietf.org
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Mon, 29 Mar 2010 17:45:24 -0400
X-Mailer: Apple Mail (2.936)
Subject: [secdir] secdir review of draft-ietf-behave-turn-ipv6-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Mar 2010 21:44:59 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document defines an extension to the TURN protocol, a relay protocol for NAT traversal, that allows endpoints to request that the TURN server allocate them an IPv4 or IPv6 address (the protocol currently supports only IPv4). On important feature of this extension is that it allows a TURN server to act as a relay in all four combinations of protocols (4-4, 4-6, 6-4, 6-6), depending on which protocol the TURN request is carried in and which address family is requested. As the Security Considerations correctly note, TURN with this extension is basically equivalent to TURN without it, with the exception that certain routing loop attacks inherent to TURN could be easier with this mechanism. My only significant concern that is not addressed in the document is how this mechanism relates to the routing loop attacks introduced by other forms of v4/v6 translation and tunneling, e.g., as discussed in this paper: <http://www.usenix.org/events/woot09/tech/full_papers/nakibly.pdf> It's not immediately obvious to me that extending TURN in this way makes these (currently non-TURN-related) attacks viable, but I would encourage the authors to consider the issue and add some text to the document explaining how the attacks do or do not apply here. A few specific comments follow. --Richard Comments on draft-ietf-behave-turn-ipv6 S.3, Paragraph "Assuming the request..." The server doesn't "assume" that the request is authenticated. Suggest rephrasing as "After the request has been successfully authenticated, ..." S4.1.1 Why not just make this option one byte long? If you're already anticipating a usage for the reserved space, you should just specify it. S4.2, First paragraph As above, suggest rephrasing as "Once a server has verified that the request is authenticated and has not been tampered with, ..." S4.3 Why is this a SHOULD NOT and not a MUST NOT? What's the exceptional case? Section 9, First para It seems overly broad to say that "an IPv4-only client having access to ... this specifictation is now able to access the IPv6 Internet". The client can't just send/receive traffic with any node, right? Explain the restrictions in place here. Section 9, Might some of the Teredo / 6to4 loop attacks apply as well? If not, why not? -- Spoof 4-to-6 allocate request from relay's v4 address -- Spoof authorization relay's v6 address -- Spoof packet from either of relay's addresses If there is some risk here, you might consider saying something like "Server MUST NOT allocate 6to4 or Teredo addresses or accept them as peers"?
- [secdir] secdir review of draft-ietf-behave-turn-… Richard Barnes
- Re: [secdir] secdir review of draft-ietf-behave-t… Simon Perreault
- Re: [secdir] secdir review of draft-ietf-behave-t… Richard L. Barnes
- Re: [secdir] secdir review of draft-ietf-behave-t… Simon Perreault
- [secdir] secdir review of draft-ietf-isis-ieee-aq… Richard L. Barnes