Re: [secdir] secdir review of draft-raj-dhc-tftp-addr-option-04
Cullen Jennings <fluffy@cisco.com> Sun, 07 December 2008 19:18 UTC
Return-Path: <secdir-bounces@ietf.org>
X-Original-To: secdir-archive@ietf.org
Delivered-To: ietfarch-secdir-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1E0BB3A68F0; Sun, 7 Dec 2008 11:18:48 -0800 (PST)
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A6AC53A67B4; Sun, 7 Dec 2008 11:18:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.528
X-Spam-Level:
X-Spam-Status: No, score=-106.528 tagged_above=-999 required=5 tests=[AWL=0.071, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zAmTzMkUUuou; Sun, 7 Dec 2008 11:18:45 -0800 (PST)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 8238B3A68F0; Sun, 7 Dec 2008 11:18:45 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.33,730,1220227200"; d="scan'208";a="208312197"
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-6.cisco.com with ESMTP; 07 Dec 2008 19:18:40 +0000
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id mB7JIeu6022028; Sun, 7 Dec 2008 11:18:40 -0800
Received: from [192.168.4.177] (rcdn-fluffy-8711.cisco.com [10.99.9.18]) by sj-core-5.cisco.com (8.13.8/8.13.8) with ESMTP id mB7JHavP011747; Sun, 7 Dec 2008 19:18:37 GMT
From: Cullen Jennings <fluffy@cisco.com>
To: Ralph Droms <rdroms@cisco.com>
In-Reply-To: <B111CDE5-E8D0-4C96-AD53-B8580274F949@cisco.com>
Impp: xmpp:cullenfluffyjennings@jabber.org
References: <alpine.BSF.1.10.0811260255330.4213@fledge.watson.org> <90AC45ED-BF49-46ED-A35A-14E1BF699959@cisco.com><56DEB14D23377D001B19EFE5@p3.int.jck.com><493661F5.10705@piuha.net> <B111CDE5-E8D0-4C96-AD53-B8580274F949@cisco.com>
Message-Id: <DAFDF330-A31C-4CC9-AB47-5700C0C304A7@cisco.com>
Mime-Version: 1.0 (Apple Message framework v929.2)
Date: Sun, 07 Dec 2008 12:18:37 -0700
X-Mailer: Apple Mail (2.929.2)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=6423; t=1228677520; x=1229541520; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=fluffy@cisco.com; z=From:=20Cullen=20Jennings=20<fluffy@cisco.com> |Subject:=20Re=3A=20secdir=20review=20of=20draft-raj-dhc-tf tp-addr-option-04 |Sender:=20; bh=G1ePE7ScBzvfIvXCXE8ifEZBmoxPB0qgWryu8CjkTK0=; b=VTIEFackpfgO1GB0f177hjIdO5Y4hqbVPplNu6+8ViyPy0GPjADpHgKxM7 U1rTaRwnzvH9UH0PC3UxRWMGV2Fq6fTQM/K2kwOcNxU9W96cniVl9eLV6sdS KVbqYCAtia/WKAt5+uoyWi6Raqn5J5bScMmnUKOceymNlBZ6U6C74=;
Authentication-Results: sj-dkim-1; header.From=fluffy@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Cc: "Richard Johnson (raj)" <raj@cisco.com>, IETF Discussion <ietf@ietf.org>, secdir@ietf.org, draft-raj-dhc-tftp-addr-option@tools.ietf.org, dhc Chairs <dhc-chairs@tools.ietf.org>, Samuel Weiler <weiler@watson.org>, Jari Arkko <jari.arkko@piuha.net>, IESG IESG <iesg@ietf.org>, John C Klensin <john-ietf@jck.com>
Subject: Re: [secdir] secdir review of draft-raj-dhc-tftp-addr-option-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: secdir-bounces@ietf.org
Errors-To: secdir-bounces@ietf.org
I find the claim that attacks are easier to do with "VoIP
Configuration Server Address" than the "TFTP Server Name" to be pretty
dubious. All the devices I am aware of that use either option also get
the DNS server from DHCP. If I can attack the DHCP response, I can
probably get a DNS server running on the network and point the device
at the alternative DNS server. If one is more secure than the other,
it's not by much.
That said, I think this security discussion is going the wrong
direction. What is common practice, and what I think this should
suggest, is that DHCP can be spoofed in some cases. The correct thing
to do is to secure the object that is retrieved via tftp. One do
things such as make sure it is signed such that the phone can verify
it contains authorized data from correct source and if it contains any
private data, like SIP passwords, that it is encrypted. There are
ways to mitigate DHCP spoofing but discussion of those is outside
scope of this draft.
Suggesting the Auth option is a total non starter in every case I am
aware of where this is used because the important thing is for this
scheme to work when a new phone arrives without the administrator
having to take the phone out of the box and enter a credential on the
phone - the operational expense of something like this is just too
high. Multiple manufactures resolve this by including factory
installed public/private key pairs and certificates that bind the
serial number of the phone and making sure the serial number of the
phone is on a bar code on the outside of the box. The admin can then
barcode scan the box, associate it with a given user, print a label
for that user, ship the phone to that user, and when the user boots
it, provide user specific data for the phone as well as replace the
manufacture certificates with ones where the manufacture is not in the
trust chain. Similar things are done for residential voice where the
user enters the serial number of the phone and their credit care on
the service providers web site and the service provider never has to
touch the phone. They can ship from distributors to end users with no
intermediate provisioning steps. One of the uses of this is firmload
upgrades and many vendors have existing methods to check that code is
appropriately signed.
Many phones from more vendors than just Cisco support variants of the
above. The key things is that one can, and many do, implement secure
systems even in environments where tftp is not secure.
Cullen, in my IETF participant role
PS. I am not aware of a single device that implements or uses this
option that does not implement DNS. Certainly there are devices that I
am not aware of but does anyone else have an example of one? A more
relevant concern might be that you want the phones to get their
configuration from a differnt server than the diskless sun
workstations and a separate option makes this a bit easier.
On Dec 3, 2008, at 4:29 AM, Ralph Droms (rdroms) wrote:
> Jari - I agree that mentioning security issues, pointing to the
> Security Considerations in RFC 2131 and citing RFC 3118, is
> appropriate.
>
> Responding to Richard...
>
> On Dec 2, 2008, at Dec 2, 2008,5:35 PM, Richard Johnson wrote:
>
> > Ok, maybe I'm not understanding what's being suggested or maybe I'm
> > simply reading the existing text in a different way. Here's the
> > contents of the draft's "Security Considerations" section:
> >
> >> A rogue DHCP Server could use this option in order to coerce a
> >> Client
> >> into downloading configuration from an alternate Configuration
> >> Server
> >> and thus gain control of the device's configuration. This is
> more
> >> easily done with the VoIP Configuration Server Address option
> >> than it
> >> was with the "TFTP Server Name" option, because in the latter
> case
> >> the attack would need to control DNS responses as well as
> inserting
> >> the rogue DHCP option information. If this is a concern, then
> >> either
> >> DHCP Authentication may be used, or the "TFTP Server Name" option
> >> may
> >> be used instead.
> >>
> >> Message authentication in DHCP for intradomain use where the out-
> >> of-
> >> band exchange of a shared secret is feasible is defined in
> >> [RFC3118].
> >> Potential exposures to attack are discussed in section 7 of the
> >> DHCP
> >> protocol specification in [RFC2131].
> >>
> >> Other out-of-band methods of verifying the validity of the VoIP
> >> Configuration Server Address, such as certificates of trust,
> >> could be
> >> used to mitigate some security concerns.
> >
> > So, it only mentions option 66 ("TFTP Server Name" option) by
> > comparison and in order to point out the relative levels of security
> > involved. It has no "suggestion to use option 66".
> >
> > The text already has an "explanation about why the use of this
> > option without authentication might be problematic". As a matter of
> > fact, it seems rather explicit on the matter.
>
> I suggest we elide the first paragraph Richard quoted, and leave the
> remainder unchanged ... except for fixing what appears to be a typo in
> the first sentence of the second paragraph: s/is feasible is/is
> feasible as/
>
> Jeff Hutzelman mentioned other common techniques for mitigating the
> risk from DHCP server spoofing attacks, which have not, to date, been
> mentioned in any other DHCP RFCs. If there is serious interest in a
> review of DHCP security practices, the dhc WG could return to its work
> on a DHCP threat analysis and BCP for threat mitigation.
>
> On Dec 3, 2008, at Dec 3, 2008,5:39 AM, Jari Arkko wrote:
>
> > I think John's advice is solid. We really need to document the
> > properties of our specifications, including being very clear about
> > the shortcomings and recommended workarounds. Truth in advertising.
> > (However, I'd would avoid making mandatory-to-implement changes that
> > do not match with codebase for a legacy option document such as this
> > is.)
> >
> > I'm expecting a draft revision.
> >
> > Jari
> >
>
> - Ralph
>
>
> _______________________________________________
> Ietf mailing list
> Ietf@ietf.org
> https://www.ietf.org/mailman/listinfo/ietf
_______________________________________________
secdir mailing list
secdir@ietf.org
https://www.ietf.org/mailman/listinfo/secdir
- [secdir] secdir review of draft-raj-dhc-tftp-addr… Samuel Weiler
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Jeffrey Hutzelman
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Ralph Droms
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… John C Klensin
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Jeffrey Hutzelman
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Samuel Weiler
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Richard Johnson
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Richard Johnson
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Jari Arkko
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Ralph Droms
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Ralph Droms
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Cullen Jennings
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Jeffrey Hutzelman
- Re: [secdir] secdir review of draft-raj-dhc-tftp-… Samuel Weiler