Re: [secdir] SecDir review of draft-ietf-dhc-dhcpv4-bulk-leasequery-05
Kim Kinnear <kkinnear@cisco.com> Thu, 16 February 2012 15:40 UTC
Return-Path: <kkinnear@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7F97121F87FC; Thu, 16 Feb 2012 07:40:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.799
X-Spam-Level:
X-Spam-Status: No, score=-8.799 tagged_above=-999 required=5 tests=[AWL=1.200, BAYES_00=-2.599, J_CHICKENPOX_101=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7vprBHk2LNG4; Thu, 16 Feb 2012 07:40:40 -0800 (PST)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) by ietfa.amsl.com (Postfix) with ESMTP id 4612621F87AD; Thu, 16 Feb 2012 07:40:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=kkinnear@cisco.com; l=4822; q=dns/txt; s=iport; t=1329406840; x=1330616440; h=subject:mime-version:from:in-reply-to:date:cc: content-transfer-encoding:message-id:references:to; bh=wW3CqdsNLB+YBeCKk8ft0fIVekUrzvJZtjEgVSycEwE=; b=Sg4TxWPRVtNlFPfLaPSXmMkCHkxAXqLoiUU05jmlm5E82P2OFlOmBLK6 sWfPPX3hrk3kFXZQ1abmYi923kd9tZsFbRoNzqn80wW0K8izS+lTGMMnP 8HpyWfjKVtrXQvtmZmzylYfPYel0BE8X58rV+qEPceT0avelISpVRakJe U=;
X-IronPort-AV: E=Sophos;i="4.73,430,1325462400"; d="scan'208";a="59464365"
Received: from rcdn-core2-3.cisco.com ([173.37.113.190]) by rcdn-iport-2.cisco.com with ESMTP; 16 Feb 2012 15:40:40 +0000
Received: from [161.44.65.167] ([161.44.65.167]) by rcdn-core2-3.cisco.com (8.14.3/8.14.3) with ESMTP id q1GFed3U011545; Thu, 16 Feb 2012 15:40:39 GMT
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Kim Kinnear <kkinnear@cisco.com>
In-Reply-To: <4F3405D0.7010603@gmail.com>
Date: Thu, 16 Feb 2012 10:40:41 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <BEBB1035-2865-44AA-A3D8-D3F35C7FAB68@cisco.com>
References: <4F3405D0.7010603@gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
X-Mailer: Apple Mail (2.1084)
Cc: secdir@ietf.org, draft-ietf-dhc-dhcpv4-bulk-leasequery.all@tools.ietf.org, iesg@ietf.org, Kim Kinnear <kkinnear@cisco.com>
Subject: Re: [secdir] SecDir review of draft-ietf-dhc-dhcpv4-bulk-leasequery-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2012 15:40:44 -0000
Yaron, On Feb 9, 2012, at 12:43 PM, Yaron Sheffer wrote: > I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. > > The document defines a protocol extension that allows infrastructure components in DSL/cable networks to query a master DHCP server for its static and/or dynamic bindings, to allow them to quickly recovery after reboot. > > Summary > > In my opinion, a major security issue is not covered sufficiently. > > Details > > I have not reviewed the protocol itself in depth. However I believe that it suffers from the "recursive security considerations" syndrome, where the current draft depends on RFC 4388 (6 years old) for its security, which in turn refers to RFC 3118 (11 years old) for parts of its security. IMHO the relevant threats for a bulk DHCP query are very different from those that RFC 3118 considered for generic DHCP. For what it is worth, the security section for this draft is taken essentially verbatim from RFC 5460, DHCPv6 Bulk Leasequery. But I assume that we must be raising the bar here, since that was 3 years ago. > > I worry most about the privacy implications: if I am a subscriber in Smalltown, pop. 10,000, I may be sharing a single DHCP server with the entire population. If any subscriber can issue a bulk query for the whole town once every hour, and thereby map any IP address to a MAC address, this has a serious effect on subscribers' privacy. > > This is what the current draft says about access control: > > Servers MAY restrict Bulk Leasequery connections and DHCPBULKLEASEQUERY messages to certain requestors. Connections not from permitted requestors SHOULD be closed immediately, to avoid server connection resource exhaustion. Servers MAY restrict some requestors to certain query types. Servers MAY reply to queries that are not permitted with the DHCPLEASEQUERYDONE message with a status-code option status of NotAllowed, or MAY simply close the connection. > > This IMHO is way too weak, specifically the first MAY. The Security Considerations refer to RFC 4388 for "restriction to trusted requestors", but I couldn't find any relevant language there either, other than a reference to RFC 3118. The theory behind all of this is that you should not allow TCP connections to the DHCPv4 ports from any devices or programs that are not part of your infrastructure. In almost all cases, the actual DHCP server isn't involved in the configuration of these restrictions, but rather these restrictions are imposed by network elements at a deeper level of the network than the DHCPv4 server (which is, after all, most usually an application running on a standard operating system). Of course, that doesn't mean that we shouldn't give people guidance as to what is important to restrict and what isn't. It seems a bit ... unenforceable .. to say that DHCPv4 servers which implement the Bulk Leasequery capability MUST be installed in environments where it is possible to configure access to the Bulk Leasequery capability only to trusted network components.d But I'll give it a try, below. I can certainly uplift the paragraph above on access control to SHOULD (and replicate it in the Security section), like this: > > Servers SHOULD restrict Bulk Leasequery connections and > DHCPBULKLEASEQUERY messages to certain requestors, either > through explicit configuration of the Server itself or by > employing external network elements to provide such > restrictions. In particular, the typical DHCPv4 client SHOULD > NOT be allowed to receive a response to a Bulk Leasequery > request, and some technique MUST exist to allow prevention of > such access in any environment where Bulk Leasequery is > deployed. > > Connections not from permitted requestors SHOULD be > closed immediately, to avoid server connection resource > exhaustion or alternatively, simply not be allowed to reach > the server at all. Servers SHOULD have the capability to > restrict certain requestors to certain query types. Servers > MAY reply to queries that are not permitted with the > DHCPLEASEQUERYDONE message with a status-code option status > of NotAllowed, or MAY simply close the connection. Would this change sufficiently mitigate your concerns regarding this draft? Regards -- Kim > > > Thanks, > Yaron >
- [secdir] SecDir review of draft-ietf-dhc-dhcpv4-b… Yaron Sheffer
- Re: [secdir] SecDir review of draft-ietf-dhc-dhcp… Bernie Volz (volz)
- Re: [secdir] SecDir review of draft-ietf-dhc-dhcp… Kim Kinnear
- Re: [secdir] SecDir review of draft-ietf-dhc-dhcp… Yaron Sheffer