[secdir] secdir review of draft-ietf-behave-turn-ipv6-09

Richard Barnes <rbarnes@bbn.com> Mon, 29 March 2010 21:44 UTC

Return-Path: <rbarnes@bbn.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 45A343A6998; Mon, 29 Mar 2010 14:44:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.159
X-Spam-Level: *
X-Spam-Status: No, score=1.159 tagged_above=-999 required=5 tests=[AWL=0.028, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zz0i76oX8tqz; Mon, 29 Mar 2010 14:44:58 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by core3.amsl.com (Postfix) with ESMTP id 2902C3A698E; Mon, 29 Mar 2010 14:44:58 -0700 (PDT)
Received: from [128.89.254.172] (port=51407 helo=[192.168.1.46]) by smtp.bbn.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1NwMlx-000Cft-Ho; Mon, 29 Mar 2010 17:45:26 -0400
Message-Id: <188D3671-05E9-40A2-9498-24BAE91B269E@bbn.com>
From: Richard Barnes <rbarnes@bbn.com>
To: secdir@ietf.org, iesg@ietf.org, draft-ietf-behave-turn-ipv6@tools.ietf.org
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Mon, 29 Mar 2010 17:45:24 -0400
X-Mailer: Apple Mail (2.936)
Subject: [secdir] secdir review of draft-ietf-behave-turn-ipv6-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Mar 2010 21:44:59 -0000

I have reviewed this document as part of the security directorate's  
ongoing effort to review all IETF documents being processed by the  
IESG.  These comments were written primarily for the benefit of the  
security area directors.  Document editors and WG chairs should treat  
these comments just like any other last call comments.

This document defines an extension to the TURN protocol, a relay  
protocol for NAT traversal, that allows endpoints to request that the  
TURN server allocate them an IPv4 or IPv6 address (the protocol  
currently supports only IPv4).  On important feature of this extension  
is that it allows a TURN server to act as a relay in all four  
combinations of protocols (4-4, 4-6, 6-4, 6-6), depending on which  
protocol the TURN request is carried in and which address family is  
requested.

As the Security Considerations correctly note, TURN with this  
extension is basically equivalent to TURN without it, with the  
exception that certain routing loop attacks inherent to TURN could be  
easier with this mechanism.  My only significant concern that is not  
addressed in the document is how this mechanism relates to the routing  
loop attacks introduced by other forms of v4/v6 translation and  
tunneling, e.g., as discussed in this paper:
<http://www.usenix.org/events/woot09/tech/full_papers/nakibly.pdf>
It's not immediately obvious to me that extending TURN in this way  
makes these (currently non-TURN-related) attacks viable, but I would  
encourage the authors to consider the issue and add some text to the  
document explaining how the attacks do or do not apply here.

A few specific comments follow.

--Richard

Comments on draft-ietf-behave-turn-ipv6

S.3, Paragraph "Assuming the request..."
The server doesn't "assume" that the request is authenticated.   
Suggest rephrasing as "After the request has been successfully  
authenticated, ..."

S4.1.1
Why not just make this option one byte long?  If you're already  
anticipating a usage for the reserved space, you should just specify it.

S4.2, First paragraph
As above, suggest rephrasing as "Once a server has verified that the  
request is authenticated and has not been tampered with, ..."

S4.3
Why is this a SHOULD NOT and not a MUST NOT?  What's the exceptional  
case?

Section 9, First para
It seems overly broad to say that "an IPv4-only client having access  
to ... this specifictation is now able to access the IPv6 Internet".   
The client can't just send/receive traffic with any node, right?   
Explain the restrictions in place here.

Section 9,
Might some of the Teredo / 6to4 loop attacks apply as well?  If not,  
why not?
-- Spoof 4-to-6 allocate request from relay's v4 address
-- Spoof authorization relay's v6 address
-- Spoof packet from either of relay's addresses
If there is some risk here, you might consider saying something like  
"Server MUST NOT allocate 6to4 or Teredo addresses or accept them as  
peers"?