Re: [secdir] secdir review of draft-ietf-roll-admin-local-policy-02

[<Steve.Hanna@infineon.com>]

Peter,

Thanks for your prompt response. I have added some more comments below, 
delimited with <steve>.

Steve

-----Original Message-----
From: peter van der Stok [mailto:stokcons@xs4all.nl]
Sent: Friday, January 02, 2015 5:19 AM
To: Hanna Steve (IFNA CCS SMD AMR)
Cc: secdir@ietf.org; iesg@ietf.org; 
draft-ietf-roll-admin-local-policy.all@tools.ietf.org
Subject: Re: secdir review of draft-ietf-roll-admin-local-policy-02

Dear Steve,

thanks for the comments. I will respond below to the points you raise.

Greetings, Peter

Steve.Hanna@infineon.com schreef op 2014-12-30 13:55:

> This document describes a technique for automatically managing the
> boundaries of the admin-local multicast scope in a border router,
> using MPL (Multicast Protocol for Low power and Lossy Networks).
<peter>
Correct
</peter>
>
> In my view, this document is Not Ready.
>
> The document is hard to understand. For example, the acronyms MPL and
> MPL4 are used throughout the document but they are not defined.
<peter>
You are the third to remark on this point. Adrian did suggestions to
improve the document with a definition of MPL, that we will take over.
MPL4 concepts are defined in section 1.2.
</peter>
<steve>
I'm happy to see that you'll be adding a definition of MPL. That's good.

While it's true that section 1.2 defines several terms that include MPL4
(e.g., "MPL4 message"), the term "MPL4" is never defined anywhere.
I found that confusing.
</steve>
>
> After reading the document several times, I have concluded that
> section 3.2 contains the most important part of the document: an
> algorithm for automatically defining the boundaries of the admin-local
> multicast scope using MPL. This section basically says that a border
> router should periodically send an MPL message on all interfaces to
> the ALL_MPL_FORWARDERS multicast address with admin-local scope. It
> should also listen for such messages on all interfaces. If it receives
> such a message, that interface should be marked as part of the
> admin-local scope.
>
> This algorithm seems problematic from a security standpoint. Because
> any device on a network can send an MPL message to the
> ALL_MPL_FORWARDERS multicast address with admin-local scope, the
> boundaries of the admin-local multicast scope can be expanded by
> attackers fairly easily. Such manipulation may permit nodes that
> should be outside a particular administrative domain to join that
> domain and participate in receiving and sending multicast traffic
> within that domain. The implications of such an attack are not clear
> to me because I am not familiar with the protocols and devices that
> use admin-local multicast scope. However, it seems likely that
> expanding the admin-local multicast scope will permit external
> attackers to more easily monitor multicast traffic that should be
> private and to inject multicast messages into a relatively trusted
> domain.
<peter>
In the discussion with Joel, we came to the conclusion that we were not
very clear with respect to the administrative zone specification.
We suggested to limit the mpl admin-local scope within one zone.
The text will be extended to include this extra limit on the boundary of
admin-local-scope.
The extent of the scope does not specify anything about the contents of
the MPL messages.
It is expected that MPL messages are encrypted depending on the wanted
security level.
Monitoring by an attacker limits itself to counting messages, which is
already possible on wireless links any way.
To inject messages, the attacker should know the keys necessary to
encrypt.
When messages are not encrypted they are already readable on the
wireless links, and the monitoring by extending the mpl-admin-local
scope does not increase the vulnerability to snooping the messages.
</peter>
<steve>
Please send me a copy of your new text limiting the admin-local scope
to one zone. I don't see how this will help but maybe the new text will
make it clear.

You just stated that "It is expected that MPL messages are encrypted".
However, this is never stated in draft-ietf-roll-trickle-mcast-11.txt or in
draft-ietf-roll-admin-local-policy-02.txt. In fact, there's no mention of
encryption in those documents at all. If the security of your design
depends on this encryption, you'd better talk about it somewhere!

Now I'd like to investigate the security provided by this encryption.
Are you expecting that application-layer encryption will be used?
I suppose not because that would require extensive description
And you provided none. Probably you're thinking about link-layer
encryption such as that provided by IEEE 802.11i. However, I don't
think that such encryption will prevent the attacks that I described.

A border router frequently spans networks that are part of multiple
administrative domains. Your current design (even with link encryption)
means that any device connected to any of these networks can dictate
the boundaries of the admin-local scope. Is it really desirable to trust
all those devices to that extent? I think not.
</steve>

>
> In addition to this fundamental concern, I have a few minor concerns
> about the readability of the document. However, I seem to have mislaid
> my notes during the holidays. Because this review is already late and
> I'm on vacation, I will send the review now and follow up with the
> minor concerns at a later date if I can find them when I return to the
> office.
<peter>
If you find terms which are not defined in this draft,
ietf-rol-trickle-mcast or RFC7346, I will be happy to extend the
definitions of section 1.2.
</peter>
<steve>
OK, I'll look for my notes. However, the most important aspect of
my review is the security issue described above.
</steve>