Re: [secdir] pana-relay security considerations

"Alper Yegin" <alper.yegin@yegin.org> Mon, 10 January 2011 11:15 UTC

Return-Path: <alper.yegin@yegin.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 06EA428C146; Mon, 10 Jan 2011 03:15:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.56
X-Spam-Level:
X-Spam-Status: No, score=-100.56 tagged_above=-999 required=5 tests=[AWL=-0.010, BAYES_00=-2.599, J_CHICKENPOX_33=0.6, MSGID_MULTIPLE_AT=1.449, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bZIahc2miQq7; Mon, 10 Jan 2011 03:15:18 -0800 (PST)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) by core3.amsl.com (Postfix) with ESMTP id 3CEDE28C13A; Mon, 10 Jan 2011 03:15:18 -0800 (PST)
Received: from ibm (dsl88-247-34762.ttnet.net.tr [88.247.135.202]) by mrelay.perfora.net (node=mrus1) with ESMTP (Nemesis) id 0MBEIX-1PUncX3ghh-009uyg; Mon, 10 Jan 2011 06:17:27 -0500
From: "Alper Yegin" <alper.yegin@yegin.org>
To: "'Alan DeKok'" <aland@deployingradius.com>
References: <4D009D34.1020809@deployingradius.com> <4D01DABF.6060604@toshiba.co.jp> <001101cb9aa0$367b3480$a3719d80$@yegin@yegin.org> <4D064683.30009@deployingradius.com> <4D07A874.4010702@gridmerge.com> <4D07D090.9020407@deployingradius.com> <070601cba3ad$63852150$2a8f63f0$@yegin@yegin.org> <4D270D1D.8090006@deployingradius.com> <005f01cbb0b2$2bc21cc0$83465640$@yegin@yegin.org> <4D2AE752.2000504@deployingradius.com>
In-Reply-To: <4D2AE752.2000504@deployingradius.com>
Date: Mon, 10 Jan 2011 13:16:25 +0200
Message-ID: <006001cbb0b7$da450050$8ecf00f0$@yegin@yegin.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: Acuwtei1MAWfTMPWSv6RWCiLEVgL9wAAKEVQ
Content-Language: en-us
X-Provags-ID: V02:K0:7MlJwzroWSRyEcbDzi8Yy6IqtktPlJ8V8nLaK1oYtSI RoSlKmaoC9/5C9g70op1fGt1GOy/1ehPVau7Uos5MB5V3wlvKu GBg5TF3Ex4/qE33Wi1TdUza0JPKeeBY4m/xRLUpz/zbrNnAbDs abHJKojOlJkxTd3KJdpmBdoXxde85LYiZCzwKi285LxYvr7EvT j0KKVhR2W85O/67eZLxvx68MV96yuiBMq4rfCKFA7c=
Cc: secdir@ietf.org, paduffy@cisco.com, margaretw42@gmail.com, pana@ietf.org, robert.cragie@gridmerge.com, samitac@ipinfusion.com, 'Ralph Droms' <rdroms.ietf@gmail.com>
Subject: Re: [secdir] pana-relay security considerations
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jan 2011 11:15:19 -0000

> > The PaC picks an ephemeral port when sending the PANA packet.
> Src:any, dst:
> > 716. And the response from the PAA reverses the ports.
> 
>   OK.
> 
> > The most PRE can do is to check if source port is 716.
> >
> > If the PRE knows that it received the packet from a trusted source
> (by means
> > of DTLS, physical security, IPsec, etc.), then the PRE should not
> > normally(*) have to perform another level of check on the packets.
> 
>   And if not?  Anyone can pretend to be the PAA, and send any data to
> any port on the PaC.  

PRE would authenticate and authorize the other end-point who claims to be a
legit PAA before accepting any packets from it. So, it's not  "anyone".


> If this data MUST be a well-formed PANA packet,
> the security issues are minimal.  But I don't see that requirement
> clearly in the document.

This is the DPI aspect. 

What should we check for well-formation? Many if not all fields in the PANA
header may be updated by future releases of the spec (extensions, etc.). so
checking on them would force the PRE to get upgraded (with a revised version
of PANA-relay spec each time) when PaC/PAA gets upgraded. This is very
undesirable. 


I think we shall stick to relying on PAA-PRE security.

Alper

> 
>   Alan DeKok.