[secdir] Secdir review of draft-ietf-behave-nat64-learn-analysis-03.txt

Alexey Melnikov <alexey.melnikov@isode.com> Tue, 10 April 2012 12:35 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 33BE821F85CF; Tue, 10 Apr 2012 05:35:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.135
X-Spam-Status: No, score=-102.135 tagged_above=-999 required=5 tests=[AWL=0.464, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id Mxg+tDZnm3MQ; Tue, 10 Apr 2012 05:35:32 -0700 (PDT)
Received: from rufus.isode.com (rufus.isode.com []) by ietfa.amsl.com (Postfix) with ESMTP id 019DE21F85CC; Tue, 10 Apr 2012 05:35:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1334061330; d=isode.com; s=selector; i=@isode.com; bh=IqqdOZbULxsTWwwTPG1ukQ6gJnjxc0qr7Zf4aX18F3Q=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=ghK12K98dlUnn8WowHUqG0cf6Vxlu9Mt0Exq4e5Qw7/n9usGMu9GaY++afuRZDpNSsG5/O jSexHGyaOoV6JQlU8wCXfNEjID/7NrP2hF2xRKKPe/DdAtdyfz7MSVVuIbMdmdyF5m/ayV IQ+i/tuj5loE2/fM13S7JTGEqJWK5fM=;
Received: from [] (shiny.isode.com []) by rufus.isode.com (submission channel) via TCP with ESMTPSA id <T4QpEQAg25x6@rufus.isode.com>; Tue, 10 Apr 2012 13:35:30 +0100
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <4F842937.9050305@isode.com>
Date: Tue, 10 Apr 2012 13:36:07 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
To: secdir@ietf.org, Jouni Korhonen <jouni.nospam@gmail.com>, Teemu Savolainen <teemu.savolainen@nokia.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: IESG <iesg@ietf.org>, Dan Wing <dwing@cisco.com>
Subject: [secdir] Secdir review of draft-ietf-behave-nat64-learn-analysis-03.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Apr 2012 12:35:33 -0000


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

The document reviews possible solutions for the problem of allowing 
hosts and applications to learn if an IPv6 address is synthesized, which 
means a NAT64 is used to reach the IPv4 network or Internet. The 
document analyzes pros and cons of various approaches and also concludes 
with some recommendations about which approach is recommended.

Overall I think the Security Considerations section is reasonable (see 
some minor comments below). I think it is reasonable for the document to 
point to RFC 6147 for DSN64 related Security Considerations. The 
document also talks about Man-in-the-middle and Denial-of-Service 
attacks caused by forging of information required for IPv6 synthesis 
from corresponding IPv4 addresses.

Additionally, the document says:

    The DHCPv6 and RA
    based approaches are vulnerable for the forgery as the attacker may
    send forged RAs or act as a rogue DHCPv6 server (unless DHCPv6
    authentication or SEND are used).

I think some Informative references to relevant documents should be 
inserted here in order to help readers find relevant information.

    If the attacker is already able to
    modify and forge DNS responses (flags, addresses of know IPv4-only
    servers, records, etc), ability to influence local address synthesis
    is likely of low additional value.  Also, a DNS-based mechanism is
    only as secure as the method used to configure the DNS server's IP
    addresses on the host.  Therefore, if the host cannot trust e.g.
    DHCPv6 it cannot trust the DNS server learned via DHCPv6 either,
    unless the host has a way to authenticate all DNS responses.

Maybe add an explicit DNSSEC reference here?

One other possible issue that you should consider:

5.1.2.  Analysis and discussion

    The CONs of the proposal are listed below:

I don't know how much of an issue this is in a real world, but one thought:

Can use of a well known IPv4-only FQDN be used for tracking 
applications/hosts which try to employ this algorithm? Such IPv4-only 
host might be an attractive target for compromise, if such information 
is valuable to an attacker.

(This might also apply to other DNS methods.)

Other comments (not really SecDir related):

I found the Abstract to be quite hard to read. Maybe reword to use 
shorter/simpler sentences?

5.1.1.  Solution description

    The Well-Known Name may be assigned by IANA or provided some third
    party, including application or operating system vendor.  The IPv4
    address corresponding to the Well-Known Name may be resolved via A
    query to Well-Known Name, assigned by IANA, or hard-coded.

Is IANA already providing one of these? If not, why speculate about 
this, as there is no action for IANA specified in this document.