Re: [secdir] SecDir review of draft-ietf-dhc-dhcpv4-bulk-leasequery-05
Yaron Sheffer <yaronf.ietf@gmail.com> Thu, 16 February 2012 15:49 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C69221F85C4; Thu, 16 Feb 2012 07:49:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.999
X-Spam-Level:
X-Spam-Status: No, score=-102.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_101=0.6, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jF2KLG4UAEBH; Thu, 16 Feb 2012 07:49:58 -0800 (PST)
Received: from mail-ee0-f44.google.com (mail-ee0-f44.google.com [74.125.83.44]) by ietfa.amsl.com (Postfix) with ESMTP id ACC6421F85D5; Thu, 16 Feb 2012 07:49:57 -0800 (PST)
Received: by eekc41 with SMTP id c41so869170eek.31 for <multiple recipients>; Thu, 16 Feb 2012 07:49:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=hvJLTc89Jj65TTfuZE/WRBq4F4szj2fiKZASuzujRiY=; b=gxLYUl0Y/WUxIz3LZv2cJPADpf3DyjWog1nGRCepxlApjVfA9m9BZ8BbViKxScsVbl MsmYp36HJjSqZfuuT1g38ip0Xx7Tzwq5Y5y7DUvZbnW2UA/zhvZqHJsmJIpIZ3+Rf7QK UOZbdW7q+BH26YUlRMMb2GlOPi5+kVax2kZzE=
Received: by 10.112.84.1 with SMTP id u1mr1147029lby.35.1329407396652; Thu, 16 Feb 2012 07:49:56 -0800 (PST)
Received: from [192.168.7.200] (89-139-10-131.bb.netvision.net.il. [89.139.10.131]) by mx.google.com with ESMTPS id od2sm6354258lab.11.2012.02.16.07.49.54 (version=SSLv3 cipher=OTHER); Thu, 16 Feb 2012 07:49:55 -0800 (PST)
Message-ID: <4F3D25A0.1060302@gmail.com>
Date: Thu, 16 Feb 2012 17:49:52 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20111229 Thunderbird/9.0
MIME-Version: 1.0
To: Kim Kinnear <kkinnear@cisco.com>
References: <4F3405D0.7010603@gmail.com> <BEBB1035-2865-44AA-A3D8-D3F35C7FAB68@cisco.com>
In-Reply-To: <BEBB1035-2865-44AA-A3D8-D3F35C7FAB68@cisco.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-dhc-dhcpv4-bulk-leasequery.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] SecDir review of draft-ietf-dhc-dhcpv4-bulk-leasequery-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2012 15:49:59 -0000
Hi Kim, thanks for the new text. Yes, it does mitigate my concerns. Regards, Yaron On 02/16/2012 05:40 PM, Kim Kinnear wrote: > > Yaron, > > > On Feb 9, 2012, at 12:43 PM, Yaron Sheffer wrote: > >> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. >> >> The document defines a protocol extension that allows infrastructure components in DSL/cable networks to query a master DHCP server for its static and/or dynamic bindings, to allow them to quickly recovery after reboot. >> >> Summary >> >> In my opinion, a major security issue is not covered sufficiently. >> >> Details >> >> I have not reviewed the protocol itself in depth. However I believe that it suffers from the "recursive security considerations" syndrome, where the current draft depends on RFC 4388 (6 years old) for its security, which in turn refers to RFC 3118 (11 years old) for parts of its security. IMHO the relevant threats for a bulk DHCP query are very different from those that RFC 3118 considered for generic DHCP. > > For what it is worth, the security section for this draft > is taken essentially verbatim from RFC 5460, DHCPv6 Bulk > Leasequery. But I assume that we must be raising the bar > here, since that was 3 years ago. >> >> I worry most about the privacy implications: if I am a subscriber in Smalltown, pop. 10,000, I may be sharing a single DHCP server with the entire population. If any subscriber can issue a bulk query for the whole town once every hour, and thereby map any IP address to a MAC address, this has a serious effect on subscribers' privacy. > >> >> This is what the current draft says about access control: >> >> Servers MAY restrict Bulk Leasequery connections and DHCPBULKLEASEQUERY messages to certain requestors. Connections not from permitted requestors SHOULD be closed immediately, to avoid server connection resource exhaustion. Servers MAY restrict some requestors to certain query types. Servers MAY reply to queries that are not permitted with the DHCPLEASEQUERYDONE message with a status-code option status of NotAllowed, or MAY simply close the connection. >> >> This IMHO is way too weak, specifically the first MAY. The Security Considerations refer to RFC 4388 for "restriction to trusted requestors", but I couldn't find any relevant language there either, other than a reference to RFC 3118. > > The theory behind all of this is that you should not > allow TCP connections to the DHCPv4 ports from any > devices or programs that are not part of your > infrastructure. > > In almost all cases, the actual DHCP server isn't > involved in the configuration of these restrictions, but > rather these restrictions are imposed by network elements > at a deeper level of the network than the DHCPv4 server > (which is, after all, most usually an application running > on a standard operating system). > > Of course, that doesn't mean that we shouldn't give > people guidance as to what is important to restrict and > what isn't. > > It seems a bit ... unenforceable .. to say that DHCPv4 > servers which implement the Bulk Leasequery capability > MUST be installed in environments where it is possible to > configure access to the Bulk Leasequery capability only > to trusted network components.d But I'll give it a > try, below. > > I can certainly uplift the paragraph above on access > control to SHOULD (and replicate it in the Security > section), like this: >> >> Servers SHOULD restrict Bulk Leasequery connections and >> DHCPBULKLEASEQUERY messages to certain requestors, either >> through explicit configuration of the Server itself or by >> employing external network elements to provide such >> restrictions. In particular, the typical DHCPv4 client SHOULD >> NOT be allowed to receive a response to a Bulk Leasequery >> request, and some technique MUST exist to allow prevention of >> such access in any environment where Bulk Leasequery is >> deployed. >> >> Connections not from permitted requestors SHOULD be >> closed immediately, to avoid server connection resource >> exhaustion or alternatively, simply not be allowed to reach >> the server at all. Servers SHOULD have the capability to >> restrict certain requestors to certain query types. Servers >> MAY reply to queries that are not permitted with the >> DHCPLEASEQUERYDONE message with a status-code option status >> of NotAllowed, or MAY simply close the connection. > > Would this change sufficiently mitigate your concerns > regarding this draft? > > Regards -- Kim > >> >> >> Thanks, >> Yaron >> >
- [secdir] SecDir review of draft-ietf-dhc-dhcpv4-b… Yaron Sheffer
- Re: [secdir] SecDir review of draft-ietf-dhc-dhcp… Bernie Volz (volz)
- Re: [secdir] SecDir review of draft-ietf-dhc-dhcp… Kim Kinnear
- Re: [secdir] SecDir review of draft-ietf-dhc-dhcp… Yaron Sheffer