[secdir] secdir review for draft-ietf-tsvwg-ecn-tunnel-08
Stephen Hanna <shanna@juniper.net> Fri, 07 May 2010 02:01 UTC
Return-Path: <shanna@juniper.net>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 70AB73A68B9; Thu, 6 May 2010 19:01:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.999
X-Spam-Level:
X-Spam-Status: No, score=-3.999 tagged_above=-999 required=5 tests=[BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DYwJaXmd2knt; Thu, 6 May 2010 19:01:33 -0700 (PDT)
Received: from exprod7og103.obsmtp.com (exprod7og103.obsmtp.com [64.18.2.159]) by core3.amsl.com (Postfix) with ESMTP id 510563A683A; Thu, 6 May 2010 19:00:58 -0700 (PDT)
Received: from source ([66.129.224.36]) (using TLSv1) by exprod7ob103.postini.com ([64.18.6.12]) with SMTP ID DSNKS+N0SqZolZqw07Wt1BRj5tJV+9Ei56M3@postini.com; Thu, 06 May 2010 19:01:08 PDT
Received: from p-emfe02-wf.jnpr.net (172.28.145.25) by P-EMHUB02-HQ.jnpr.net (172.24.192.36) with Microsoft SMTP Server (TLS) id 8.1.436.0; Thu, 6 May 2010 18:58:33 -0700
Received: from EMBX01-WF.jnpr.net ([fe80::1914:3299:33d9:e43b]) by p-emfe02-wf.jnpr.net ([fe80::c126:c633:d2dc:8090%11]) with mapi; Thu, 6 May 2010 21:58:33 -0400
From: Stephen Hanna <shanna@juniper.net>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "jmpolk@cisco.com" <jmpolk@cisco.com>, "gorry@erg.abdn.ac.uk" <gorry@erg.abdn.ac.uk>, "tsvwg@ietf.org" <tsvwg@ietf.org>, "bob.briscoe@bt.com" <bob.briscoe@bt.com>
Date: Thu, 06 May 2010 21:58:31 -0400
Thread-Topic: secdir review for draft-ietf-tsvwg-ecn-tunnel-08
Thread-Index: Acq81GWjk8ZNKlT9TYCK72AfCxOyTQwlIo7Q
Message-ID: <AC6674AB7BC78549BB231821ABF7A9AE903DBEF2A6@EMBX01-WF.jnpr.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [secdir] secdir review for draft-ietf-tsvwg-ecn-tunnel-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 May 2010 02:01:34 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other comments. This document describes revised, consistent semantics for setting the ECN (Explicit Congestion Notification) field in the IP header on entry to and exit from any IP in IP tunnel. The document updates RFC 3168 (the main ECN RFC) and RFC 4301 (IPsec) to say that all IP in IP tunnels should follow the new rules for setting the ECN bits. The new rules are similar to the IPsec rules, with the exception of special handling for several previously unused combinations of the ECN bits. These unused combinations provide support for PCN (Pre-Congestion Notification). The primary security concern here is that the ECN bits can serve as a covert channel allowing parties inside and outside the secure area to communicate even though they are not supposed to be able to do so. Malicious parties inside the secure area can set the ECN bits on packets to carefully selected values, exposing 2 bits of information per packet to parties outside the secure area. This covert channel can also operate in the opposite direction (insecure to secure). During the development of RFC 4301, the IPsec Working Group evidently determined that the risks of leaving this small covert channel open are exceeded by the benefits of allowing ECN information to be properly processed end-to-end. Therefore, they elected to permit the ECN bits to be copied from inner to outer IP headers at tunnel ingress (encapsulation) and described how the ECN bits in the outer IP header can be merged into the inner IP header at tunnel egress (decapsulation). The document under review proposes to standardize ECN handling for all IP in IP tunnels with a system that is very similar to the current IPsec behavior. The only difference is that the merging of ECN bits at tunnel egress better accommodates PCN. Because the IPsec Working Group has previously decided that the risks of this small covert channel are exceeded by the benefits of properly functioning ECN and the only change here is to increase the benefits of ECN be supporting PCN, I conclude that the document under review is not problematic from a security perspective. In fact, it can be considered beneficial since it will help avoid dropped packets due to undetected congestion. This improves availability, which is a security characteristic.
- [secdir] secdir review for draft-ietf-tsvwg-ecn-t… Stephen Hanna