[secdir] Review of draft-ietf-ipsecme-esp-null-heuristics-06.txt
Rob Austein <sra@hactrn.net> Tue, 02 March 2010 19:48 UTC
Return-Path: <sra@hactrn.net>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B78ED3A8C86; Tue, 2 Mar 2010 11:48:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tZ7MdQnNBhd9; Tue, 2 Mar 2010 11:48:25 -0800 (PST)
Received: from cyteen.hactrn.net (cyteen.hactrn.net [IPv6:2002:425c:4242:0:210:5aff:fe86:1f54]) by core3.amsl.com (Postfix) with ESMTP id 84BD03A8C84; Tue, 2 Mar 2010 11:48:24 -0800 (PST)
Received: from thrintun.hactrn.net (thrintun.hactrn.net [IPv6:2002:425c:4242:0:219:d1ff:fe12:5d30]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "thrintun.hactrn.net", Issuer "Grunchweather Associates" (verified OK)) by cyteen.hactrn.net (Postfix) with ESMTPS id 3E1A128473; Tue, 2 Mar 2010 19:48:23 +0000 (UTC)
Received: from thrintun.hactrn.net (localhost [IPv6:::1]) by thrintun.hactrn.net (Postfix) with ESMTP id EA82A22807; Tue, 2 Mar 2010 14:48:22 -0500 (EST)
Date: Tue, 02 Mar 2010 14:48:22 -0500
From: Rob Austein <sra@hactrn.net>
To: iesg@ietf.org, secdir@ietf.org
User-Agent: Wanderlust/2.14.0 (Africa) Emacs/21.3 Mule/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20100302194822.EA82A22807@thrintun.hactrn.net>
Cc: ipsecme-chairs@tools.ietf.org, draft-ietf-ipsecme-esp-null-heuristics@tools.ietf.org
Subject: [secdir] Review of draft-ietf-ipsecme-esp-null-heuristics-06.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Mar 2010 19:48:25 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This draft documents a set of heuristics to allow a packet inspection engine (stateful firewall, protocol analyzer, ...) to spot IPsec ESP streams that use NULL encryption as efficiently as possible, without modifications to the IPsec protocols. While I have reservations about some of the scenarios in which such a mechanism might be useful, this is clearly a chartered work item for the IPSECME WG, this is happening at a deep enough level that any a priori correlation between role and hat color is quite weak, it seems likely to be deployed whether I like it or not, and, in any case, as this draft makes no changes to IPsec itself (thus placing the workload on the packet inspection engine), this draft is less troubling than other approaches in this space. The Security Considerations section is OK as far as it goes, but could benefit from some additional text or references to other parts of the document. Specifically: - The discussion of failure modes for the heuristics is in section 3, with no reference from the Security Considerations section. - The discussion of failure modes for the heuristics in section 3 is also incomplete: while it (correctly, I think) concludes that misclassifying traffic as ESP-NULL is no worse than a DoS attack which an attacker could have launched anyway, it does not discuss the other failure mode: what happens if a stream is misclassified as non-NULL ESP, thus (depending on policy) allowing it through without inspection, or dropping it on the floor? The above suggestions notwithstanding, I have no serious security concerns with this document. It doesn't modify IPsec, so from the IPsec point of view this is at worst a public analysis of some techniques for detecting a set of configuration choices that an IPsec user presumably made intentionally. From the packet inspection point of view, the heuristics are probably both harmless and useful, subject to the caveats above and in the document; packet inspection is an error-prone activity in any case, and following the advice in this document (which is targeted for Informational status) seems unlikely to make things worse. I did not attempt to review the pseudo-code in Appendix A.
- [secdir] Review of draft-ietf-ipsecme-esp-null-he… Rob Austein
- [secdir] Review of draft-ietf-ipsecme-esp-null-he… Tero Kivinen
- Re: [secdir] Review of draft-ietf-ipsecme-esp-nul… Dan McDonald