[secdir] Secdir review of draft-ietf-dhc-dhcpv6-vendor-message-01
Tobias Gondrom <tobias.gondrom@gondrom.org> Mon, 15 February 2010 16:23 UTC
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C6F9328C0F3 for <secdir@core3.amsl.com>; Mon, 15 Feb 2010 08:23:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.639
X-Spam-Level: ****
X-Spam-Status: No, score=4.639 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r-JrHcNguiFD for <secdir@core3.amsl.com>; Mon, 15 Feb 2010 08:23:16 -0800 (PST)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (lvps83-169-7-107.dedicated.hosteurope.de [83.169.7.107]) by core3.amsl.com (Postfix) with ESMTP id 7625028C0F9 for <secdir@ietf.org>; Mon, 15 Feb 2010 08:23:15 -0800 (PST)
Received: (qmail 24267 invoked from network); 15 Feb 2010 17:24:16 +0100
Received: from 188-220-241-66.zone11.bethere.co.uk (HELO ?192.168.1.64?) (188.220.241.66) by lvps83-169-7-107.dedicated.hosteurope.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 15 Feb 2010 17:24:16 +0100
Message-ID: <4B797538.7020401@gondrom.org>
Date: Mon, 15 Feb 2010 16:24:24 +0000
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.1.5) Gecko/20091130 SUSE/3.0.0-1.1.1 Lightning/1.0b1 Thunderbird/3.0
MIME-Version: 1.0
To: secdir@ietf.org, draft-ietf-dhc-dhcpv6-vendor-message.all@tools.ietf.org
X-Enigmail-Version: 1.0
Content-Type: multipart/alternative; boundary="------------090200090808080905030707"
Cc: iesg@ietf.org
Subject: [secdir] Secdir review of draft-ietf-dhc-dhcpv6-vendor-message-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Feb 2010 16:23:16 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The draft correctly states that the introduction basically allows each vendor to introduce its own security problems based on the functionality triggered by the vendor specific messages. The specification that "Relay agents SHOULD relay these messages ... unless the relay agent understands the specific message and knows that the message was directed at it." can worsen security risks by allowing quite far reaching/remote attacks as relays will forward any vendor message which they do not understand. Although this paradigm makes sense for network operation, this may result in unintended side effects regarding security and attack vectors. 1. COMMENT on section 3 on page 3: - msg-type VENDOR-SPECIFIC (TBD) What do you mean by TBD? (if you mean "to be defined", my opinion is that this is definitely not appropriate for a Standards Track document) 2. COMMENT on section 4 page 4: "Vendors using this new message should use the DHCPv6 security mechanisms..." => maybe a SHOULD would be more appropriate in this case. 3. Minor note: the draft has expired on Feb-2. 4. COMMENT: And last but not least a general personal comment: The document describes how to introduce vendor specific messages which will be solely in the control of the vendor. These message codes and their underlying functionality are unspecified and totally beyond IANA or IETF control. This can introduce basically any set of security and interoperability problems and I am not sure how this approach will support interoperability or would benefit the operation of the internet as a whole. But probably the DHC WG members knows better. Still, considering this question I wonder why this is in the status of "Standards Track" and not "Experimental". Best regards, Tobias Tobias Gondrom Sloan Fellowship 2009 London Business School email: tobias.gondrom@gondrom.org mobile: +447521003005
- [secdir] Secdir review of draft-ietf-dhc-dhcpv6-v… Tobias Gondrom