Re: [secdir] SecDir review of draft-ietf-6man-dns-options-bis-03
Vincent Roca <vincent.roca@inrialpes.fr> Sat, 03 July 2010 13:03 UTC
Return-Path: <secdir-bounces@mit.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 276513A6844 for <secdir@core3.amsl.com>; Sat, 3 Jul 2010 06:03:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.204
X-Spam-Level:
X-Spam-Status: No, score=-4.204 tagged_above=-999 required=5 tests=[AWL=0.555, BAYES_05=-1.11, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6SLB3xn0DtiA for <secdir@core3.amsl.com>; Sat, 3 Jul 2010 06:03:56 -0700 (PDT)
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by core3.amsl.com (Postfix) with ESMTP id 121373A67FC for <secdir@ietf.org>; Sat, 3 Jul 2010 06:03:55 -0700 (PDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o63D46od014430 for <secdir@ietf.org>; Sat, 3 Jul 2010 09:04:06 -0400
Received: from mailhub-dmz-2.mit.edu (MAILHUB-DMZ-2.MIT.EDU [18.7.62.37]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o63D44TU014427 for <secdir@PCH.mit.edu>; Sat, 3 Jul 2010 09:04:04 -0400
Received: from dmz-mailsec-scanner-7.mit.edu (DMZ-MAILSEC-SCANNER-7.MIT.EDU [18.7.68.36]) by mailhub-dmz-2.mit.edu (8.13.8/8.9.2) with ESMTP id o63D43SA001633 for <secdir@mit.edu>; Sat, 3 Jul 2010 09:04:04 -0400
X-AuditID: 12074424-b7b63ae000000a0b-78-4c2f35439c2d
Received: from mail1-relais-roc.national.inria.fr (mail1-relais-roc.national.inria.fr [192.134.164.82]) by dmz-mailsec-scanner-7.mit.edu (Symantec Brightmail Gateway) with SMTP id 58.F7.02571.3453F2C4; Sat, 3 Jul 2010 09:04:03 -0400 (EDT)
X-IronPort-AV: E=Sophos;i="4.53,530,1272837600"; d="scan'208";a="62666158"
Received: from dom38-1-82-236-155-50.fbx.proxad.net (HELO macbook-pro-de-roca.local) ([82.236.155.50]) by mail1-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-CAMELLIA256-SHA; 03 Jul 2010 15:04:01 +0200
Message-ID: <4C2F3541.7000206@inrialpes.fr>
Date: Sat, 03 Jul 2010 15:04:01 +0200
From: Vincent Roca <vincent.roca@inrialpes.fr>
Organization: INRIA
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; fr; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Jaehoon Jeong <pjeong@Brocade.com>
References: <4C248D9A.5080508@inrialpes.fr> <5A6980BCAE9E6D438D4D8A05540F6FB70113043B9B@BRM-EXCH-3.corp.brocade.com> <4C25CA06.1080809@piuha.net> <5A6980BCAE9E6D438D4D8A05540F6FB70113658855@BRM-EXCH-3.corp.brocade.com>
In-Reply-To: <5A6980BCAE9E6D438D4D8A05540F6FB70113658855@BRM-EXCH-3.corp.brocade.com>
X-Enigmail-Version: 1.0.1
X-Brightmail-Tracker: AAAAAhTzSz4U9B3E
X-BeenThere: secdir@mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: secdir-bounces@mit.edu
Errors-To: secdir-bounces@mit.edu
Cc: 6man Chairs <6man-chairs@tools.ietf.org>, "secdir@mit.edu" <secdir@mit.edu>, Jari Arkko <jari.arkko@piuha.net>, IESG <iesg@ietf.org>, "draft-ietf-6man-dns-options-bis.all@tools.ietf.org" <draft-ietf-6man-dns-options-bis.all@tools.ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-6man-dns-options-bis-03
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Jul 2010 13:03:57 -0000
Dear authors, Thanks for your prompt reply. A few additional comments (it's my role ;-)) ** new "Security Considerations" section says: > This attack > is similar to Neighbor Discovery attacks that use Redirect or > Neighbor Advertisement messages to redirect traffic to individual > addresses to malicious parties. In general, the attacks related to > RDNSS and DNSSL are similar to both Neighbor Discovery attacks and > attacks against unauthenticated DHCP, as both can be used for both > "wholesale" traffic redirection and more specific attacks. > You're right, other attacks are possible that lead to the same result. ND and unauthenticated DHCP are such possibilities. However, IMHO this is not a sufficient reason not to RECOMMEND a security solution for RA. Indeed, if ND / DHCP are made robust but nothing is done for RA, then the threat remains. So the updated text does not fully satisfies me, even if the new paragraph is more clear than the old one. >> ** Section 7: >> Another point... the authors explain than network devices like >> switches can be configured in such a way to disable ND/DHCP from >> some ports. That's great and I agree it helps preventing attacks. >> However this is limited to wired networks. Nothing is said concerning >> ND configurations in wireless networks. The situation is rather >> different since any host can issue ND/DHCP traffic as if it were a >> legitimate server if I understand correctly. The document MUST >> include this kind of discussion. >> >> > But this is generic issue with spoofing RAs and I am not sure it is the > task of this document to specify the solutions. One solution exists in > SEND (RFC 3791). > Once again I agree. You don't have to specify technical solutions. However you need to provide a good security analysis, perhaps inherited from that of the base RA document for the generic RA threats, with some text describing the additional threats added by the proposed extensions. And since security solutions exist elsewhere (SEND), you should recommend their use. That's your responsibility. >> ** Section 7: >> Yet another remark: SEND is listed as one potential solution to >> add signatures in ND packets issued from servers. >> I don't know SEND at all, so may be my remarks are flawed (but in >> that case the text should be at least clarified). >> - Shouldn't the use of SEND be RECOMMENDED as a solution to >> mitigate attacks? Current document is not clear. >> - Does SEND enable an authentication of the sender (the document >> only mentions integrity protection)? If there's no sender >> authentication, then I agree that the added value of SEND would be >> limited. I'd like the authors to clarify this as well. >> >> > The details are in RFC 3791 and its companion documents. SEND does > enable a host to verify that the sender of an RA is actually a router > authorized to act as a router. > The text in your proposed I-D update does not reflect this. Can you add it? Being able to authenticate the sender is as important as being able to check the packet integrity. ** I'm coming back to a comment I made earlier and that has not been answered. In the updated I-D, section 5.3.1, I read: "In the case where the DNS options of RDNSS and DNSSL can be obtained from multiple sources, such as RA and DHCP, the IPv6 host SHOULD keep some DNS options from all sources. " I don't see (but I read very quickly so I may have missed something) that secured RA/RDNSS/DNSSL messages be prefered in the choice. If some RA use SEND, they must be preferred over others. I hope my comments are useful. Cheers, Vincent _______________________________________________ secdir mailing list secdir@mit.edu https://mailman.mit.edu/mailman/listinfo/secdir
- [secdir] SecDir review of draft-ietf-6man-dns-opt… Vincent Roca
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Jari Arkko
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Jaehoon Jeong
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Bob Hinden
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Vincent Roca
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Jaehoon Jeong
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Jaehoon Jeong
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Sandra Murphy
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Jaehoon Jeong
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Vincent Roca
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Jaehoon Jeong
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Vincent Roca
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Jaehoon Jeong
- Re: [secdir] SecDir review of draft-ietf-6man-dns… Jaehoon Jeong