[secdir] Secdir review of draft-ietf-opsawg-capwap-alt-tunnel-08

Catherine Meadows <catherine.meadows@nrl.navy.mil> Thu, 13 October 2016 19:27 UTC

Return-Path: <catherine.meadows@nrl.navy.mil>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id A92D5129502; Thu, 13 Oct 2016 12:27:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.897
X-Spam-Status: No, score=-4.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-2.996, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id VvmkgF60RWP8; Thu, 13 Oct 2016 12:27:40 -0700 (PDT)
Received: from ccs.nrl.navy.mil (mx0.ccs.nrl.navy.mil [IPv6:2001:480:20:118:118::211]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08C9612955C; Thu, 13 Oct 2016 12:27:39 -0700 (PDT)
Received: from ashurbanipal.fw5540.net (fw5540.nrl.navy.mil []) by ccs.nrl.navy.mil (8.14.4/8.14.4) with ESMTP id u9DJRc5b010390 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NOT); Thu, 13 Oct 2016 15:27:38 -0400
From: Catherine Meadows <catherine.meadows@nrl.navy.mil>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5F7C8210-46FB-496C-969C-97F3193044A4"
Date: Thu, 13 Oct 2016 15:27:37 -0400
Message-Id: <7AD6521F-A786-4333-B219-9031464AFD43@nrl.navy.mil>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-opsawg-capwap-alt-tunnel.all@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
X-CCS-MailScanner: No viruses found.
X-CCS-MailScanner-Info: See: http://www.nrl.navy.mil/ccs/support/email
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/COwNO9BCyCPzgOE35fVjTXUyMRk>
Subject: [secdir] Secdir review of draft-ietf-opsawg-capwap-alt-tunnel-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Oct 2016 19:27:43 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This draft describes an extension to the Control and Provisioning of Wireless Access Points (CAPWAP) protocol that encapsulates a station’s data frames between the Wireless Transition Point (ATP) and Access Controller (AC).  In some cases, it may be desirable to encapsulate data frames to an entity other than the AC (e.g. to an Access Router) or to use different
encapsulation models.  In particular, this would allow the WTP to tunnel non-management data frames to an endpoint different than the AC and to tunnel using different known encapsulation types, such as IP-IP, IP-GRE, or CAPWAP.  A particular advantage of this approach that  encapsulating only the control plane to the AC, and thus separating management of the control plane from the management of the data plane, makes scaling easier and more efficient.

As far as I can tell, there do not seem to be any serious security issues with implementing this approach, especially since, as is noted in RFC [RFC5415], the data plane is already handled differently from the control plane, the control plane usually being protected by DTLS while the data plan is not. However, I think the Security Considerations Section needs to make a better case for this.

The text of the Security Considerations section is as follows:

This document introduces three new CAPWAP WTP message elements.
   These elements are transported within CAPWAP Control messages as the
   existing message elements.  Therefore, this document does not
   introduce any new security risks compared to [RFC5415] and [RFC5416].
   In CAPWAP, security for CAPWAP Data Channel is optional and security
   policy is determined by AC.  Similarly, the AC determines the
   security for the Alternate Tunnel between WTP and Alternate Tunnel
   Encapsulation Gateway.  The security considerations described in
   [RFC5415] and [RFC5416] apply here as well.

I find it hard to agree with the first three sentences. The document does more than simply introduce three new message elements.  It also
provides considerably more freedom in encapsulating data frames.  So it appears to me that what the Security Considerations section should concentrate on is the potential risk in providing this greater freedom. 

It’s also not clear to me what the purpose of the remaining part of the section, about the AC determining the policy.  Are you saying that, because the AC determines the policy in both CAPWAP and the CAPWAP extension, the security considerations for the first case also apply to the second case?  Some more discussion of why this is true, with references to the relevant risks discussed in [RFC5415] and [RFC5416], would be useful.  

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil <mailto:catherine.meadows@nrl.navy.mil>