Re: [secdir] SecDir review of draft-ietf-6man-dns-options-bis-03

Vincent Roca <vincent.roca@inrialpes.fr> Sat, 03 July 2010 13:03 UTC

Return-Path: <secdir-bounces@mit.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 276513A6844 for <secdir@core3.amsl.com>; Sat, 3 Jul 2010 06:03:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.204
X-Spam-Level:
X-Spam-Status: No, score=-4.204 tagged_above=-999 required=5 tests=[AWL=0.555, BAYES_05=-1.11, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6SLB3xn0DtiA for <secdir@core3.amsl.com>; Sat, 3 Jul 2010 06:03:56 -0700 (PDT)
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by core3.amsl.com (Postfix) with ESMTP id 121373A67FC for <secdir@ietf.org>; Sat, 3 Jul 2010 06:03:55 -0700 (PDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o63D46od014430 for <secdir@ietf.org>; Sat, 3 Jul 2010 09:04:06 -0400
Received: from mailhub-dmz-2.mit.edu (MAILHUB-DMZ-2.MIT.EDU [18.7.62.37]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o63D44TU014427 for <secdir@PCH.mit.edu>; Sat, 3 Jul 2010 09:04:04 -0400
Received: from dmz-mailsec-scanner-7.mit.edu (DMZ-MAILSEC-SCANNER-7.MIT.EDU [18.7.68.36]) by mailhub-dmz-2.mit.edu (8.13.8/8.9.2) with ESMTP id o63D43SA001633 for <secdir@mit.edu>; Sat, 3 Jul 2010 09:04:04 -0400
X-AuditID: 12074424-b7b63ae000000a0b-78-4c2f35439c2d
Received: from mail1-relais-roc.national.inria.fr (mail1-relais-roc.national.inria.fr [192.134.164.82]) by dmz-mailsec-scanner-7.mit.edu (Symantec Brightmail Gateway) with SMTP id 58.F7.02571.3453F2C4; Sat, 3 Jul 2010 09:04:03 -0400 (EDT)
X-IronPort-AV: E=Sophos;i="4.53,530,1272837600"; d="scan'208";a="62666158"
Received: from dom38-1-82-236-155-50.fbx.proxad.net (HELO macbook-pro-de-roca.local) ([82.236.155.50]) by mail1-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-CAMELLIA256-SHA; 03 Jul 2010 15:04:01 +0200
Message-ID: <4C2F3541.7000206@inrialpes.fr>
Date: Sat, 03 Jul 2010 15:04:01 +0200
From: Vincent Roca <vincent.roca@inrialpes.fr>
Organization: INRIA
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; fr; rv:1.9.1.9) Gecko/20100317 Thunderbird/3.0.4
MIME-Version: 1.0
To: Jaehoon Jeong <pjeong@Brocade.com>
References: <4C248D9A.5080508@inrialpes.fr> <5A6980BCAE9E6D438D4D8A05540F6FB70113043B9B@BRM-EXCH-3.corp.brocade.com> <4C25CA06.1080809@piuha.net> <5A6980BCAE9E6D438D4D8A05540F6FB70113658855@BRM-EXCH-3.corp.brocade.com>
In-Reply-To: <5A6980BCAE9E6D438D4D8A05540F6FB70113658855@BRM-EXCH-3.corp.brocade.com>
X-Enigmail-Version: 1.0.1
X-Brightmail-Tracker: AAAAAhTzSz4U9B3E
X-BeenThere: secdir@mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: secdir-bounces@mit.edu
Errors-To: secdir-bounces@mit.edu
Cc: 6man Chairs <6man-chairs@tools.ietf.org>, "secdir@mit.edu" <secdir@mit.edu>, Jari Arkko <jari.arkko@piuha.net>, IESG <iesg@ietf.org>, "draft-ietf-6man-dns-options-bis.all@tools.ietf.org" <draft-ietf-6man-dns-options-bis.all@tools.ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-6man-dns-options-bis-03
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 03 Jul 2010 13:03:57 -0000

Dear authors,

Thanks for your prompt reply. A few additional comments
(it's my role ;-))

** new "Security Considerations" section says:
>    This attack
>    is similar to Neighbor Discovery attacks that use Redirect or
>    Neighbor Advertisement messages to redirect traffic to individual
>    addresses to malicious parties.  In general, the attacks related to
>    RDNSS and DNSSL are similar to both Neighbor Discovery attacks and
>    attacks against unauthenticated DHCP, as both can be used for both
>    "wholesale" traffic redirection and more specific attacks.
>   
You're right, other attacks are possible that lead to
the same result. ND and unauthenticated DHCP are
such possibilities. However, IMHO this is not a sufficient
reason not to RECOMMEND a security solution for RA.
Indeed, if ND / DHCP are made robust but nothing is done
for RA, then the threat remains.

So the updated text does not fully satisfies me, even if
the new paragraph is more clear than the old one.

>> ** Section 7:
>> Another point... the authors explain than network devices like
>> switches can be configured in such a way to disable ND/DHCP from
>> some ports.  That's great and I agree it helps preventing attacks.
>> However this is limited to wired networks. Nothing is said concerning
>> ND configurations in wireless networks. The situation is rather
>> different since any host can issue ND/DHCP traffic as if it were a
>> legitimate server if I understand correctly. The document MUST
>> include this kind of discussion.
>>   
>>     
> But this is generic issue with spoofing RAs and I am not sure it is the 
> task of this document to specify the solutions. One solution exists in 
> SEND (RFC 3791).
>   
Once again I agree. You don't have to specify technical
solutions. However you need to provide a good security
analysis, perhaps inherited from that of the base RA
document for the generic RA threats, with some text
describing the additional threats added by the proposed
extensions. And since security solutions exist elsewhere
(SEND), you should recommend their use. That's your
responsibility.

>> ** Section 7:
>> Yet another remark: SEND is listed as one potential solution to
>> add signatures in ND packets issued from servers.
>> I don't know SEND at all, so may be my remarks are flawed (but in
>> that case the text should be at least clarified).
>> - Shouldn't the use of SEND be RECOMMENDED as a solution to
>> mitigate attacks? Current document is not clear.
>> - Does SEND enable an authentication of the sender (the document
>> only mentions integrity protection)? If there's no sender
>> authentication, then I agree that the added value of SEND would be
>> limited. I'd like the authors to clarify this as well.
>>   
>>     
> The details are in RFC 3791 and its companion documents. SEND does 
> enable a host to verify that the sender of an RA is actually a router 
> authorized to act as a router.
>   

The text in your proposed I-D update does not
reflect this. Can you add it? Being able to authenticate
the sender is as important as being able to check the
packet integrity.

** I'm coming back to a comment I made earlier
and that has not been answered.

In the updated I-D, section 5.3.1, I read:

  "In the case where the DNS options of RDNSS and DNSSL can be obtained
   from multiple sources, such as RA and DHCP, the IPv6 host SHOULD keep
   some DNS options from all sources. "

I don't see (but I read very quickly so I may have missed
something) that secured RA/RDNSS/DNSSL messages
be prefered in the choice. If some RA use SEND, they must
be preferred over others.

I hope my comments are useful.
Cheers,

    Vincent

_______________________________________________
secdir mailing list
secdir@mit.edu
https://mailman.mit.edu/mailman/listinfo/secdir