Re: [secdir] Secdir review of draft-ietf-mif-problem-statement-07

Jari Arkko <jari.arkko@piuha.net> Thu, 26 August 2010 05:20 UTC

Return-Path: <jari.arkko@piuha.net>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6E22C3A6A6A; Wed, 25 Aug 2010 22:20:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.363
X-Spam-Level:
X-Spam-Status: No, score=-102.363 tagged_above=-999 required=5 tests=[AWL=0.236, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gCinq8452Nql; Wed, 25 Aug 2010 22:20:23 -0700 (PDT)
Received: from p130.piuha.net (p130.piuha.net [IPv6:2001:14b8:400::130]) by core3.amsl.com (Postfix) with ESMTP id 92FD83A690D; Wed, 25 Aug 2010 22:20:22 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by p130.piuha.net (Postfix) with ESMTP id 208E22CC34; Thu, 26 Aug 2010 08:20:51 +0300 (EEST)
X-Virus-Scanned: amavisd-new at piuha.net
Received: from p130.piuha.net ([127.0.0.1]) by localhost (p130.piuha.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aePgvxTtXmfv; Thu, 26 Aug 2010 08:20:50 +0300 (EEST)
Received: from [IPv6:::1] (unknown [IPv6:2001:14b8:400::130]) by p130.piuha.net (Postfix) with ESMTP id 81D442CC32; Thu, 26 Aug 2010 08:20:48 +0300 (EEST)
Message-ID: <4C75F9B2.4070201@piuha.net>
Date: Thu, 26 Aug 2010 01:20:50 -0400
From: Jari Arkko <jari.arkko@piuha.net>
User-Agent: Thunderbird 2.0.0.24 (X11/20100411)
MIME-Version: 1.0
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
References: <AC1CFD94F59A264488DC2BEC3E890DE50B4CFB04@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <AC1CFD94F59A264488DC2BEC3E890DE50B4CFB04@xmb-sjc-225.amer.cisco.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Cc: iesg@ietf.org, draft-ietf-mif-problem-statement.all@tools.ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-mif-problem-statement-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Aug 2010 05:20:25 -0000

Joe,

Thanks for your review!

> 1) Lower layer authentication and encryption
>
> It's possible that some interfaces may have link layer or IP layer
> encryption and authentication.  Its possible that this characteristic
> might be used in determining how configuration parameters are processed.
> Some connection managers may already do this to a certain extent.  I
> think this should be listed as a consideration in the appropriate
> sections of the document (3.1, 3.6,5)
>   

This seems reasonable. Authors, can you suggest some text and update the 
draft?

> 2) I think the security considerations can be expanded
>
> It discusses that information may be leaked from one network to another
> which seems to be talking about generic data.  This is true, but it
> seems that would be worthwhile to talk specifically about the
> information discussed in the document.  For example it seems that it is
> at least possible for one interface to send configuration parameters
> that will cause a denial of service on another interface.  It may also
> be possible for one host to set configuration parameters which cause
> certain traffic to be forwarded to an attacker.  
>   

OK.

> The last paragraph is also not very clear.  What I think you are trying
> to say is that the information that is used by the connection manager
> may be vulnerable to spoofing and forgery if it is unprotected.  In
> general its not possible to protect this information in all cases, so it
> is not clear what you are recommending.  
>   

I agree that configuration information is unlikely to be fully secured, 
at least if "secured" means communications security or authentication.

Here's what I would say in that paragraph:

Additional security concerns raise up when information is provided to
the host so that it could make a more intelligent decision (e.g.
provide selection policies to the connection manager). This
additional information should be protected in some manner.
=>
Additional security concerns are raised by possible future mechanisms that
provide additional information to the host so that it can make a more
intelligent decision with regards to the issues discussed in this document.
Such future mechanisms may themselves be vulnerable and may not be
easy to protect in the general case.

Jari