Re: [secdir] Sector review of draft-ietf-alto-deployments-15

Sebastian Kiesel <ietf-alto@skiesel.de> Tue, 21 June 2016 21:54 UTC

Return-Path: <sebi@gw01.ehlo.wurstkaes.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60CB512DE46 for <secdir@ietfa.amsl.com>; Tue, 21 Jun 2016 14:54:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.325
X-Spam-Level:
X-Spam-Status: No, score=-3.325 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RP_MATCHES_RCVD=-1.426] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 383EM-LFr-Fs for <secdir@ietfa.amsl.com>; Tue, 21 Jun 2016 14:54:34 -0700 (PDT)
Received: from gw01.ehlo.wurstkaes.de (gw01.ehlo.wurstkaes.de [IPv6:2a02:a00:e000:116::41]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F67012DA49 for <secdir@ietf.org>; Tue, 21 Jun 2016 14:54:33 -0700 (PDT)
Received: from sebi by gw01.ehlo.wurstkaes.de with local (Exim 4.80) (envelope-from <sebi@gw01.ehlo.wurstkaes.de>) id 1bFTcq-0001OC-5z; Tue, 21 Jun 2016 23:54:28 +0200
Date: Tue, 21 Jun 2016 23:54:28 +0200
From: Sebastian Kiesel <ietf-alto@skiesel.de>
To: "Klaas Wierenga (kwiereng)" <kwiereng@cisco.com>
Message-ID: <20160621215428.GA3915@gw01.ehlo.wurstkaes.de>
References: <etPan.5767e90e.4c847566.f16f@KWIERENG-M-H01C>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <etPan.5767e90e.4c847566.f16f@KWIERENG-M-H01C>
Accept-Languages: en, de
Organization: my personal mail account
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1s88K-LXgHVGHfmnHFpgDLxYmiY>
Cc: draft-ietf-alto-deployments.all@tools.ietf.org, secdir@ietf.org
Subject: Re: [secdir] Sector review of draft-ietf-alto-deployments-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jun 2016 21:54:36 -0000

Hi Klaas,

thanks for the review and your comments. Please see below

On Mon, Jun 20, 2016 at 01:01:04PM +0000, Klaas Wierenga (kwiereng) wrote:
> Hi,
> 
>  have reviewed this document as part of the security directorate's
>  ongoing effort to review all IETF documents being processed by the
>  IESG. These comments were written primarily for the benefit of the
>  security area directors. Document editors and WG chairs should treat
>  these comments just like any other last call comments.
> 
> This document describes use cases when deploying ALTO (Application
> Layer Traffic Optimization). It provides guidance for using and
> deploying ALTO services.
> 
> The document reads well and is as far as I can tell pretty exhaustive
> (if anything the emphasis seems slightly on P2P rather than CDN, but
> that seems justified by the number of different P2P deployments as
> opposed to CDN).  I particularly like the extensive coverage of
> privacy and security issues throughout the document, this was clearly
> not bolted on late in the process. I have only a few comments and
> therefore believe the document is:
> 
> ready with nits
> 
> - A number of the comments throughout the document pertain to privacy,
> I think the document would have benefited from a separate privacy
> considerations paragraph, in addition to the security considerations.

Could you please have a look at Section 5.2 of RFC 6708.  Does the
discussion there address your comment? If so, we could add another
direct reference to that section at a suitable place in our document.
If not, what is still missing?

> - Not directly security related (apart from DoS), but I wonder in how
> far it is a risk that clients have a relatively static view of the
> world (3.4.4), i.e. it is assumed that the network characteristics
> don???t change rapidly. To use an analogy, is there a risk that when
> there is some holdup on the highway, that all cars will take the sand
> path for some extended period of time, thus clogging the sand path? If
> this is covered in other documents I apologise, but in the reviewed
> document that appears to be a risk.

First, to stick with the analogy with cars, the baseline ALTO scenario
is not so much about whether to drive on the highway vs. on a sand path
to get to a specific destination.  It's more like wisely choosing the
destination, e.g.: 
I want to buy a specific product and I know that it is available at
identical price and quality in chain stores in X street and Y street,
respecively.  Where should I drive to get the product?  The ALTO answer
would be something like: To get from your home to X street you will have
to drive 5 km through a residential area with 30 km/h speed limit, while
to Y street it is 8 km on a freeway with 120 km/h speed limit, but it is
usually badly congested during rush hour.  
Obviously, this answer would not allow you to drive constantly at this
speed without looking for the actual traffic conditions.  

In other words, leaving the analogy: ALTO is not a replacement for TCP
or similar mechanisms; see AR-14 in RFC 6708 and the second part of 
Sec. 3.2.4. of our document, starting with "All the above listed rating
criteria are subject to the remarks below: ..." on page 27.
Section 7.4, "Preference of a single peer" points out the DoS risk.


Does this make sense or did I miss some point?


> - There is text around validation of the clients (7.3 ALTO server
> access), but to my surprise there is no wording to authentication of
> the server. As a client operator I would expect to be able to validate
> the server, after all the server is telling me where to go for the
> resources I need. The text explains what the risk of injecting wrong
> information is (7.4), but the authenticity of the server itself is not
> discussed. A simple server authentication seems to go a long way in
> preventing rogue ALTO servers.

ALTO servers and clients MUST implement https (see Sec. 8.3.5. 
of RFC 7285).

However, in some (P2P) scenarios, there is very limited trust
between the participants of the application overlay and the
ALTO server operator(s).  So verifying the server identity by
means of the TLS cert may not be enough to answer the question
whether this information source is trustworthy. This section
intends to extend the guidance given in section 15.2. of RFC 7285.



Thanks,
Sebastian