Re: [secdir] Secdir review of draft-ietf-tsvwg-sctp-udp-encaps-07.txt

Tero Kivinen <kivinen@iki.fi> Mon, 04 February 2013 13:24 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5363521F859D; Mon, 4 Feb 2013 05:24:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SrHZQZsx9Mic; Mon, 4 Feb 2013 05:24:55 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id 9B93021F8599; Mon, 4 Feb 2013 05:24:54 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.5/8.14.5) with ESMTP id r14DOgUo013533 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 4 Feb 2013 15:24:42 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.5/8.12.11) id r14DOfYq011625; Mon, 4 Feb 2013 15:24:41 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <20751.46745.772166.652412@fireball.kivinen.iki.fi>
Date: Mon, 4 Feb 2013 15:24:41 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Michael Tuexen <tuexen@fh-muenster.de>
In-Reply-To: <0A880226-D910-403B-8D17-1AB928612E36@fh-muenster.de>
References: <20718.54159.713629.567812@fireball.kivinen.iki.fi> <8D58A3AD-A276-4AA6-B454-E3D07AB7C90A@fh-muenster.de> <20743.57390.456600.844778@fireball.kivinen.iki.fi> <2D128C1C-ADE8-43CB-990C-56CB7E0C327C@fh-muenster.de> <20746.18802.364266.587982@fireball.kivinen.iki.fi> <0A880226-D910-403B-8D17-1AB928612E36@fh-muenster.de>
X-Mailer: VM 7.19 under Emacs 21.4.1
X-Edit-Time: 46 min
X-Total-Time: 47 min
Cc: draft-ietf-tsvwg-sctp-udp-encaps.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-tsvwg-sctp-udp-encaps-07.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Feb 2013 13:24:56 -0000

Michael Tuexen writes:
> > Michael Tuexen writes:
> >>> It might be good to say that in the document, i.e. that it is out of
> >>> scope of this document. 
> >> 
> >> What about adding
> >> <t>Please note that this document does not provide all techniques necessary
> >> for building a complete NAT-capable application using SCTP. This document
> >> focuses on the functionality required within the SCTP stack and making
> >> this available via an API.</t>
> >> to the Abstract?
> > 
> > I think it would be better to add more explicit notice what is left
> > outside of the scope. 
> 
> So what about adding in addition to the above:
> 
> It does not cover mechanism to determine whether UDP encapsulation is
> required to reach the peer and, if UDP encapsulation is used, which remote
> UDP port number can be used.

That is better. But see below.

> > That was my understanding, and thats why it was bit odd to see text
> > that says that you have one UDP port only, and it is not possible to
> > do that if SCTP stack is in the application.
> 
> The above text was changed while addressing other IESG comments to
> 
> Using a single UDP encapsulation port number per host is not possible
> if the SCTP stack is implemented as part of each application,
> and there are multiple applications.
> 
> Does that make things clearer?

It makes it bit clearer, but there is still the same problem. It is
really hard to try to understand what should be done when the document
just says "it is not possible". What is implementor trying to
implement this document doing when he is trying to implement SCTP as
part of application. He does not have any idea whether there are going
to be multiple applications each supporting SCTP. How is he trying to
solve this issue.

This document seems to be only covering some small technical bits, but
the overall architecture picture is completely left out, which makes
it very hard to make interoperable implementations. If one implementor
reads the text above and selects solution A and another implementor
selects solution B to the same problem they are not going to
interoperate.

It almost seems like this is missing the scenarios and uses cases
document. In the UDP Encapsulation of IPsec ESP Packets (RFC3948) we
had RFC 3715 which covered the use cases and RFC3947 (how the
negotiation is done) for example said:

   This document defines a protocol that will work even if both ends are
   behind NAT, but the process of how to locate the other end is out of
   the scope of this document.  In one scenario, the responder is behind
   a static host NAT (only one responder per IP, as there is no way to
   use any destination ports other than 500/4500).  That is, it is known
   by the configuration.

I.e it said it is out of scope of the document to explain how it
works specifically, but gives one example which can be implemented and
supported. 

> > Which is again one thing that should be explictly mentioned. It makes
> > hard to understand what this document is for, as you would expect this
> > kind of things to be solved here, or at least pointed to a pointer
> > telling where they are solved, but this document is silent about the
> > issue.
>
> OK, I think you are expecting a complete NAT traversal solution provide
> in the document whereas the document only addresses how to encapsulate
> SCTP in UDP packets and how to control this via the socket API.

Mostly yes. Or at least I would expect to see pointers to other
documents explaining the architecture and solutions for the complete
NAT traversal solution.

If you do not know what kind of architecture you are aiming for and
what kind of use cases you have, it is very hard to get the technical
details right. It seems that you most likely do have an architecture
in your mind, and the current document is designed to solve the issues
coming from that architecture, but it would make things much better if
the architecture is written down before the technical bits are
published as RFC. 

> I hope I made the scope clearer by adding the above sentence to the
> abstract.

Scope might be clearer, but that does not solve the issue what I have
with the document, i.e. it is very hard to evaluate the proposal when
I do not know the architecture. 

> But that is not true. If you are using single-homed SCTP association
> and you don't want to survive a reboot of NAT boxes, you don't need
> RFC 5061. This setup is similar to TCP.
> Using an ABORT as an indication of a NAT having rebooted and the
> appropriate behavior is currently not specified and only needs to
> be specified if you want to make SCTP/UDP resistant against NAT
> reboots. Personally, I didn't see this within the scope of this
> ID, but if the IESG thinks that this should be the case, we
> can add this.

Whether that is added here or as separate protocol is not really an
issue, the problem is that for the implementor implementing or the
reader of this document does not have any idea how many this kind of
details have been omitted from this document.

It would be fine to say that this document only scopes the case where
the SCTP initiator is behind NAT and the responder always uses the one
fixed port (which might be known either from the configuration or some
protocol designed later) when connecting.

Then it would be clear what kind of situations are covered. Now it
seems to be that this document might allow all kind of things but
nothing is specified here so it makes it very hard for implementor to
know what things needs to be implemented.

For protocol design point it might be nice to design protocol as open
as possible, and leave all details open as that allows all kind of
uses for the protocol. As an implementor implementing such
specification is really hard. The implementor needs to implement all
corner cases which were left out from the specification, and the
implementor needs to decide how to act when X happens even when that
was not specified in the specifications. Now multiple implementors will
most likely do different things when X happens, and then the
implementations are not interoperable. 

> > I would like think it would be better to add new section explaining
> > how this is supposed to interact with NAT boxes loosing state. I.e.
> > the text what you explained above to me. Until now I had only assumed
> > that if I would be implementing that, I do not need to care about
> > RFC5061 unless I want to support IP-addresses changing. After your
> > explination it is clear that all implementations who want to work
> > through NATs do need to support it.
>
> OK, if the IESG want this, it can be added.
> This would require:
> * Add specific exception for the reception of ABORTs with the T-bit
>   set. Handle this as an indication that a NAT-box has rebooted.
> * Add an example showing the ASCONF message exchange which is used if
>   the end-point thinks that a NAT-box lost its state.

I think adding that would make document more usable, and would allow
making interoperable implementations already based on this document,
without the need of another document explaining how this is used in
real world (or interop event where implementors decide and agree on
the cases, and then those decisions are left as folklore in the
industry, and there is no written description about it). 

> > Is just what this document does, i.e. limits the scope so that only
> > outbound ocnnections are allowed or similar constraints, but does not
> > mention what those constraints are.
>
> I don't think we are limiting the scope to outbound associations.

As I said as I do not know what is the scope of the document, it is
really hard to say what is needed... 

> > What you are trying to say is that UNSAF considerations do not apply
> > as you have scoped them out, but that is exactly one UNSAF
> > consideration. In real world case those problems do need to be solved,
> > and this document is not really that useful if it cannot be used in
> > real world...
>
> I'm not sure what you are requesting here...

UNSAF considerations is separate issue to the other issues we have
there. 

> An attacker can only change the UDP port number if he provides an
> SCTP packet which can be mapped to the association. This requires
> that the V-tag is correct. This way this mechanism is protected
> against blind attackers the same way as the base protocol is.
> 
> So in summary I see two issues:
> (1) Add text how to make SCTP/UDP resistant against state loss of NAT boxes
> (2) Potential insufficient protection against attackers trying to
>     change the remote UDP encapsulation port.
> Is this correct?
> 
> For addressing (1), text can be added if wanted by the IESG.

I am not sure the (1) is the only thing that needs to be added. It is
the only one I could immediately think of based on my limited
guesswork what the scope of the document is. If the scope would be
clear there might be other similar issues, but without knowing what is
the actual scope of the document I cannot be sure.

For exmaple you mentioned that the scope is not limited to only
outbound associations. That indicates there needs to be some way for
the servers to punch holes to the NAT so the initial incoming
connection packets comes to the host. Those hole punching mechanisms
are now part of the security properties of the solution, i.e. if there
is no authentication or anything, i.e. anybody behind the NAT box can
punch or modify those holes as they like, then that would allow
trivial way to redirect traffic to attacker. 

> I'm not completely understanding issue (2). So it would be helpful
> if you could describe the potential attack a bit more.

It is really hard to describe the attacks when you do not know the
architecture of the system (and I do not have enough understanding of
the SCTP).

I can try to invent couple different attacks, but all of those would
be depended how the bits which are left out of this document is done.
But before going to those it would be much better to know what is the
scope of this document.
-- 
kivinen@iki.fi