Re: [secdir] secdir review of draft-ietf-v6ops-siit-dc-02
Tobias Gondrom <tobias.gondrom@gondrom.org> Sun, 25 October 2015 20:55 UTC
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 382BB1B319B; Sun, 25 Oct 2015 13:55:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -93.363
X-Spam-Level:
X-Spam-Status: No, score=-93.363 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FH_HELO_EQ_D_D_D_D=1.597, HELO_DYNAMIC_IPADDR=1.951, HELO_EQ_DE=0.35, HELO_MISMATCH_DE=1.448, HTML_MESSAGE=0.001, J_CHICKENPOX_72=0.6, NORMAL_HTTP_TO_IP=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_WHITELIST=-100] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QBwe_qt5Zwls; Sun, 25 Oct 2015 13:55:19 -0700 (PDT)
Received: from lvps5-35-241-16.dedicated.hosteurope.de (www.gondrom.org [5.35.241.16]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C87051B319C; Sun, 25 Oct 2015 13:55:18 -0700 (PDT)
Received: from [192.168.178.26] (x590f7e4f.dyn.telefonica.de [89.15.126.79]) by lvps5-35-241-16.dedicated.hosteurope.de (Postfix) with ESMTPSA id 7E7DE62DD5; Sun, 25 Oct 2015 21:55:16 +0100 (CET)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=0E7rXhcyAqaYbDck29YSx+lTHvUzgRC7XbNDNTOwgSJqEoSNntWPEUh/9cOFG+x5CvEv6cHmbSS9FjFNHy7gzskBbj/NoV9UYHcymg3dFaKsS4gxEbCM7KqMMbnDMfZvBk7WvsKrOxJYX5N/YeDNvHYmapzCOi8SBG/n7oxh2Xs=; h=Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:Content-Type;
Message-ID: <562D41B4.7020008@gondrom.org>
Date: Sun, 25 Oct 2015 21:55:16 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: tore@redpill-linpro.com
References: <5603D448.3060701@gondrom.org> <20151007095517.57b606ae@echo.ms.redpill-linpro.com>
In-Reply-To: <20151007095517.57b606ae@echo.ms.redpill-linpro.com>
Content-Type: multipart/alternative; boundary="------------070701040302040600040702"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/4VvXSAf29tOQHY9F1CWYBBwK4Pw>
Cc: draft-ietf-v6ops-siit-dc.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-v6ops-siit-dc-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 25 Oct 2015 20:55:23 -0000
Thank you for your feedback. answers inline. On 07/10/15 09:55, Tore Anderson wrote: > Hello Tobias, and thank you very much for your feedback! > > My comments in-line. > > * Tobias Gondrom <tobias.gondrom@gondrom.org> > >> One main question: Technically this document looks to me more like >> standards and not informational as I think we need to enforce consistent >> behaviour and restrictions to ensure overall consistency. IMO we need to >> spell this out more explicitly. This is a repeating element, I >> encountered in this review across multiple sections of the document (see >> explanations below). > The only standard/protocol used SIIT [RFC6145] plus its EAM extension > [I-D.ietf-v6ops-siit-eam]. That is, if an operator has an > implementation of RFC6145 and I-D.ietf-v6ops-siit-eam, then the > operator can use that implementation to deploy SIIT-DC as described in > I-D.ietf-v6ops-siit-dc. > > No additional protocols, algorithms, or features is used beyond those > already specified in RFC6145 and I-D.ietf-v6ops-siit-eam are required. > This is the reason on why I-D.ietf-v6ops-siit-dc is Informational; it > merely describes one way to deploy the standard protocols defined > elsewhere in the context of a specific use case. > >> COMMENTS: >> 0. starting with a personal comment:in general it is nice to move again >> a step closer to a V6, even though these series of baby transition steps >> are quite small. Whether we need this in addition to other existing 64 >> protocols, I leave to the V6ops WG who has much better insight into this >> one than me. >> >> 1. This document has two strong requirements, that should be expressed >> in 2119 language. >> 1.1. the SIIT algorithm MUST be used. > Ok, how about this (in section 2): > > SIIT-DC Border Relay (BR) > A device or a logical function that performs stateless protocol > translation between IPv4 and IPv6. It MUST do so in accordance with > [RFC6145] and [I-D.ietf-v6ops-siit-eam]. WFM. > >> 1.2. And the security considerations section MUST be followed. > Like so? > > If a Network-Specific Prefix from the provider's own address space is > chosen for the translation prefix, as recommended in Section 4.4, > care MUST be taken [...] WFM. Thanks. > >> 2. Section 7 Security Considerations: >> 2.1. The listed concern is correct. The listed mitigation step may work, >> I would suggest to also add a sentence when you do choose this distinct >> translation prefix, you also must configure your FW/GW at the edge to >> enforce the integrity of that naming scheme (e.g. by dropping packets >> from that prefix if not coming from a IPv4) to make sure there is no >> ambiguity or spoofing. We must avoid a blend of translated and >> untranslated addresses in the same prefix if you use the prefix as a >> marker. > I disagree with this. RFC6052 makes a distinction between > "IPv4-converted" IPv6 addresses (which occur in packets that were > originally IPv4 packets) and "IPv4-translatable" IPv6 addresses (which > are normal unicast addreses that happen to follow the address format > specified in RFC6052). > > If I understand you correctly, what you propose here would be > essentially mean forbidding the use of IPv4-translatable IPv6 > addresses. In my opinion, I-D.ietf-v6ops-siit-dc is not the right place > for such an undertaking, that would require updates to RFC6052 and > RFC6145 (and probably others). ACK. It was a suggestion. I still think that there is a potential security risk coming from that, but I leave this to the WG to decide. > >> 2.2. I am not sure you covered all the security concerns in this section. >> 2.2.1. e.g. we might want to expand more on the risk that the DC does by >> design not see that we translate this down to V4 at the edge and thereby >> loose some of the capabilities of V6 beyond the edge. Therefore the DC >> may assume a fully V6 conformant client, which is not the case. This may >> lead to the need of further filtering or protection mechanisms at the edge. > I am having difficulty understanding exactly what the possibly security > concern you have here is, and how it would need to be mitigated. > > Keep in mind that one can perform IPv4-to-IPv6 translation anywhere on > the Internet. In other words, any IPv6 packet received by any node is > possibly translated from IPv4. So if there truly is a security concern > here, it would apply to any deployment of IPv6 (except isolated > networks not connected to the Internet). > > If you'd like a demo of the above, by the way, you can visit > http://87.238.60.1/. This traffic is routed to one of my SIIT-DC BRs > located in Norway or Sweden, and afterwards forwarded as IPv6 to the > site "www.whatismyipv6.com" in the USA (I have no affiliation with this > site and it's not in my network). This means that if the > www.whatismyipv6.com web site incorrectly "assumes [your connection is > from] a fully V6 conformat client", and this assumption somehow causes > a security concern, then that security concern would have much wider > ramifications than being of interest only to operators who are > deploying SIIT-DC and thus are likely to read I-D.ietf-v6ops-siit-dc. > It would also apply to RFC6146, as you can use Stateful NAT64 to > accomplish the same thing as I use SIIT-DC. > >> 2.2.2. the authors should expand more on architecture requirements not >> to put two of these translators in sequence (see possibly conflicts with > This is exactly the subject being discussed in > I-D.ietf-v6ops-siit-dc-2xlat, which is referred to numerous times. Noted. > >> 2.2.3. the authors should expand more on restrictions of putting this in >> a mixed environment with NAT64 > To the best of my knowledge, there exist no such restrictions, beyond > the fact that you'd need to use differing RFC6052 prefixes. This fact is > mentioned in section 4.4. > >> 3. section "4.4. Choice of Translation Prefix" >> - states: "Either a Network-Specific Prefix (NSP) from the provider's >> own IPv6 address space or the IANA-allocated Well-Known Prefix >> 64:ff9b::/96 (WKP) may be used." >> I think this needs to be a MUST instead of the "may". > Could you elaborate on why? From a technical point of view, the WKP > works just as well as any NSP, and if the operator really wants to use > it (in spite of the stated disadvantages), I do not see that I have any > justification for denying that outright. > > Note that RFC6052 also discusses the use of a WKP vs an NSP at length in > section 3.3; while it advises the use of an NSP, it does not make it a > MUST. I fail to see a rationale for making I-D.ietf-v6ops-siit-dc be > more restrictive. One of my concerns is to avoid the case where addresses from none of the two would be used and potential risks arising from that. I am also not sure why we should leave this open as a "may" instead of locking this down with a "MUST". However, my knowledge is not as deep as yours on this, so I leave this to you and your WG. >> Also I do not like >> the ambiguity of prefixes here. We need to make it clear that this >> translastion MUST be consistent across all edges to the DC. > Section 3 states: > > Any number of BRs may exist simultaneously in the IDC's network > infrastructure, as long as they all configured with the same > Translation Prefix and an identical EAM Table. > > Is this somehow unclear? If so, could you propose an improved text? > >> 4. section 4.5. routing considerations: >> - do we need to specify that all alternate BRs must use the same >> algorithm and all MUST be able to support SIIT-DC? > There exists only one definition of "BR" in the document: > > SIIT-DC Border Relay (BR) > A device or a logical function that performs stateless protocol > translation between IPv4 and IPv6 in accordance with [RFC6145] and > [I-D.ietf-v6ops-siit-eam]. > > It would appear to me, therefore, that the document already makes the > statement you propose. That is, it is impossible for an alternate BR to > use another translation algorithm, because if it did so, it would by > definition no longer be a BR. That might be the case. It might not have been clear to me during the review. Therefore my question. Please consider this only as a suggestion or question for your decision. >> 5. section 4.6: >> we say "This should be understood to include all servers," >> I am not sure this is only a "should". From a lingual perspective it >> might be meaning that it "it should be understood that it requires..." >> but as the word "required" is not used, it is a bit unclear to me, >> whether that is also understood by the author/WG for this protocol. > Ack. How about this? > > [..] the BRs must be located somewhere between the IPv4 Internet > and the application delivery stack - which includes all servers, > load balancers, firewalls, intrusion detection systems, and similar > devices that are processing traffic to a greater extent than merely > forwarding it. WFM. Thank you. > >> 6. section 4.8.: >> we use "To facilitate reliable delivery of such ICMPv6 errors n SIIT-DC >> operator SHOULD implement the recommendations in [RFC6791] in the BRs." >> Is there a security consideration on the impact what happens if RFC6791 >> is not followed and ICMPv6 errors are dropped? What would be the >> security implications of loosing not transmitting these messages? > That is a question for RFC6791, which states the following: > > 6. Security Considerations > > This document recommends the generation of IPv4 ICMP messages from > IPv6 ICMP messages. These messages would otherwise have been > discarded. New considerations are not expected to result from this > change. As with a number of ICMP messages, a spoofed source address > may result in replies arriving at hosts that did not expect them > using the facility of the translator. > >> 7. section 4.9. "MTU and Fragmentation": >> it is good that we spell out the series of key differences between IPv4 >> and IPv6 relating to packet sizes and fragmentation that one needs to >> consider when deploying SIIT-DC. I am not sure a "should" is sufficient >> here. > Ack, will change to "must". Thank you. > >> Furthermore, it would be good to consider whether we need to >> specify and mandate the specific behaviour when encountering these >> limitations to avoid inconsistent behaviour from the BR if these >> parameters are encountered and this might be exploited as an attack vector. > True, but on the other hand if such attack vectors exists it is > extremely likely that these are not specific to SIIT-DC, but in SIIT > [RFC6145] itself and in quite possibly other derivative protocols such > as Stateful NAT64 [RFC6145], MAP-T [RFC7599], and likely others. > > As I mentioned earlier, please keep in mind that SIIT-DC is just > description of how one can go about deploy SIIT [RFC6145] in a > particular environment; it does not specify any new protocols or > algorithms. If there are inherent security problems inherent in the > protocols used by SIIT-DC, then the right place to deal with or > document those problems is in the specifications of those protocols, > not in a use-case document such as I-D.ietf-v6ops-siit-dc. > > Tore Thank you for your reply and considerations. Best regards, Tobias
- [secdir] secdir review of draft-ietf-v6ops-siit-d… Tobias Gondrom
- Re: [secdir] secdir review of draft-ietf-v6ops-si… Tobias Gondrom