Re: [secdir] SecDir review of draft-ietf-6man-dns-options-bis-03
Jari Arkko <jari.arkko@piuha.net> Sat, 26 June 2010 09:36 UTC
Return-Path: <secdir-bounces@mit.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 565633A690D for <secdir@core3.amsl.com>; Sat, 26 Jun 2010 02:36:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.75
X-Spam-Level:
X-Spam-Status: No, score=-2.75 tagged_above=-999 required=5 tests=[AWL=1.249, BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RM0W9Ovy1ErR for <secdir@core3.amsl.com>; Sat, 26 Jun 2010 02:36:19 -0700 (PDT)
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by core3.amsl.com (Postfix) with ESMTP id 6C4C63A68F6 for <secdir@ietf.org>; Sat, 26 Jun 2010 02:36:18 -0700 (PDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o5Q9aOWH017615 for <secdir@ietf.org>; Sat, 26 Jun 2010 05:36:24 -0400
Received: from mailhub-dmz-4.mit.edu (MAILHUB-DMZ-4.MIT.EDU [18.7.62.38]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o5Q9aKHA017601 for <secdir@PCH.mit.edu>; Sat, 26 Jun 2010 05:36:20 -0400
Received: from dmz-mailsec-scanner-5.mit.edu (DMZ-MAILSEC-SCANNER-5.MIT.EDU [18.7.68.34]) by mailhub-dmz-4.mit.edu (8.13.8/8.9.2) with ESMTP id o5Q9aCum003692 for <secdir@mit.edu>; Sat, 26 Jun 2010 05:36:20 -0400
X-AuditID: 12074422-b7b0eae000000a2e-33-4c25ca1347ef
Received: from p130.piuha.net (p130.piuha.net [193.234.218.130]) by dmz-mailsec-scanner-5.mit.edu (Symantec Brightmail Gateway) with SMTP id E6.12.02606.31AC52C4; Sat, 26 Jun 2010 05:36:20 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by p130.piuha.net (Postfix) with ESMTP id 331652CCCF; Sat, 26 Jun 2010 12:36:16 +0300 (EEST)
X-Virus-Scanned: amavisd-new at piuha.net
Received: from p130.piuha.net ([127.0.0.1]) by localhost (p130.piuha.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ODhtqa1NJbbX; Sat, 26 Jun 2010 12:36:15 +0300 (EEST)
Received: from [IPv6:::1] (unknown [IPv6:2001:14b8:400::130]) by p130.piuha.net (Postfix) with ESMTP id 33EC12CC62; Sat, 26 Jun 2010 12:36:09 +0300 (EEST)
Message-ID: <4C25CA06.1080809@piuha.net>
Date: Sat, 26 Jun 2010 12:36:06 +0300
From: Jari Arkko <jari.arkko@piuha.net>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: Vincent Roca <vincent.roca@inrialpes.fr>
References: <4C248D9A.5080508@inrialpes.fr> <5A6980BCAE9E6D438D4D8A05540F6FB70113043B9B@BRM-EXCH-3.corp.brocade.com>
In-Reply-To: <5A6980BCAE9E6D438D4D8A05540F6FB70113043B9B@BRM-EXCH-3.corp.brocade.com>
X-Brightmail-Tracker: AAAAAhTf0JkU4LMb
X-BeenThere: secdir@mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: secdir-bounces@mit.edu
Errors-To: secdir-bounces@mit.edu
Cc: 6man Chairs <6man-chairs@tools.ietf.org>, Jaehoon Jeong <pjeong@brocade.com>, "draft-ietf-6man-dns-options-bis.all@tools.ietf.org" <draft-ietf-6man-dns-options-bis.all@tools.ietf.org>, "secdir@mit.edu" <secdir@mit.edu>, IESG <iesg@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-6man-dns-options-bis-03
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 26 Jun 2010 09:36:45 -0000
Vincent, Thank you for your review! I have some comments on the issues that you raise below as well as some suggested new text: > ** Section 7 "Security considerations" > I don't share all the ideas of the authors. If I understand the point > of view, the authors say that the situation is not worse than before, > without these DNS options. > "...learning DNS information via the RA options cannot be worse than > learning bad router information via the RA options." > > Well, it depends on the security level we consider... > >From the point of view of the ND protocol itself, I agree. But from > the end user point of view, the situation is quite different, since > sending forged packets (for instance) and controlling which DNS server > is trusted by the client opens the way to, for instance, fishing > attacks. This attack enables an attacker to make a client use a > compromised DNS server that behaves perfectly except for one particular > DNS query. If the attacker can send an email to this client, then many > things can happen. This attack could be launched e.g. during next IETF > plenary ;-). The attacker knows the email off all participants, so if > he can control their DNS configuration as well, many things may > happen... IMHO a serious threat is introduced by this document that > needs to be seriously discussed. > I agree that in general the ability to redirect specific traffic instead of all traffic is an interesting attack. However, in this case the specific attack already exists in plain ND. If you want to redirect DNS server traffic to a malicious node, this can be done not just with RA DNS options, but also with ICMP Redirects or unsolicited Neighbor Advertisements. > ** Section 7: > Another point... the authors explain than network devices like > switches can be configured in such a way to disable ND/DHCP from > some ports. That's great and I agree it helps preventing attacks. > However this is limited to wired networks. Nothing is said concerning > ND configurations in wireless networks. The situation is rather > different since any host can issue ND/DHCP traffic as if it were a > legitimate server if I understand correctly. The document MUST > include this kind of discussion. > But this is generic issue with spoofing RAs and I am not sure it is the task of this document to specify the solutions. One solution exists in SEND (RFC 3791). > ** Section 7: > Yet another remark: SEND is listed as one potential solution to > add signatures in ND packets issued from servers. > I don't know SEND at all, so may be my remarks are flawed (but in > that case the text should be at least clarified). > - Shouldn't the use of SEND be RECOMMENDED as a solution to > mitigate attacks? Current document is not clear. > - Does SEND enable an authentication of the sender (the document > only mentions integrity protection)? If there's no sender > authentication, then I agree that the added value of SEND would be > limited. I'd like the authors to clarify this as well. > The details are in RFC 3791 and its companion documents. SEND does enable a host to verify that the sender of an RA is actually a router authorized to act as a router. All this being said I also re-read the Security Considerations section, and was not super happy with it myself. I would suggest the following change: OLD: Also, an attacker could configure a host to send out an RA with a fraudulent RDNSS address, which is presumably an easier avenue of attack than becoming a rogue router and having to process all traffic for the subnet. It is necessary to disable the RA RDNSS option or DNSSL option in both routers and clients administratively to avoid this problem. All of this can be done independently of implementing ND. Therefore, it can be claimed that the RA options for RDNSS and DNSSL has vulnerabilities similar to those existing in unauthenticated DHCPv6. NEW: Also, an attacker could send an RA with a fraudulent RDNSS address, which is presumably an easier avenue of attack than becoming a rogue router and having to process all traffic for the subnet. This attack is similar to Neighbor Discovery attacks that use Redirect or Neighbor Advertisement messages to redirect traffic to individual addresses to malicious parties. In general, the attacks related to RDNS and DNSSL are similar to both Neighbor Discovery attacks and attacks against unauthenticated DHCP, as both can be used for both "wholesale" traffic redirection and more specific attacks. Jari _______________________________________________ secdir mailing list secdir@mit.edu https://mailman.mit.edu/mailman/listinfo/secdir
- [secdir] SecDir review of draft-ietf-6man-dns-opt… Vincent Roca
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Jari Arkko
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Jaehoon Jeong
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Bob Hinden
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Vincent Roca
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Jaehoon Jeong
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Jaehoon Jeong
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Sandra Murphy
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Jaehoon Jeong
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Vincent Roca
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Jaehoon Jeong
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Vincent Roca
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Jaehoon Jeong
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Jaehoon Jeong