Re: [secdir] secdir review of draft-ietf-roll-routing-metrics-14

[Adrian Farrel <Adrian.Farrel@huawei.com>]

I added an RFC note capturing this text (translated into English ;-) and put it
on the agenda for the IESG on 1/20 (ballot had already been issued).
 
Adrian
 
From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf Of JP
Vasseur
Sent: 13 January 2011 14:39
To: Joseph Salowey (jsalowey)
Cc: draft-ietf-roll-routing-metrics.all@tools.ietf.org; The IESG;
secdir@ietf.org
Subject: Re: secdir review of draft-ietf-roll-routing-metrics-14
 
Dear Joseph,
 
Thanks for your review.
 
On Jan 6, 2011, at 11:42 PM, Joseph Salowey (jsalowey) wrote:



I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

In general I think the document is clear.  I have one security related issue.
The security considerations mention attacks where the metric information is
manipulated to cause problems.  I think there may also be cases where disclosure
of some of the metric information may be an issue.  the main area of concern for
me is the node energy metric.  This information may be useful to an attacker to
determine which devices to attack with out-of-band or in-band attacks involving
energy draining.   I have not had a chance to see if the RPL protects the
confidentiality of these attributes.  If this is a concern in a deployment
environment then the usage of these attributes may be limited.   I think it is
probably worth mentioning this in the security considerations.
JP> This is a very good point. How about adding the following: 
 
"Some routing metrics may also be used to identify some areas of weaknesses in
the network (a highly unreliable links, a node running low in terms of energy,
...): such information may be used by a potential attacker. Thus it is
RECOMMENDED to carefully consider which metrics should be used by RPL and the
level of visibility that they provide about the network state or to use
appropriate the security measures as specified in draft-ietf-roll-rpl to protect
that information."
Also energy metric introduce a new vector into the system for an attacker to
modify routing behavior.  An attacker can purposely attempt to modify the stored
energy in a node to modify the metrics advertised.   
JP> Right but this is also true for other metrics, this is why we made a
recommendation to stop advertising metrics for unstable links, which should
address your point. It is a generally accepted feature of routing security that
it is not possible to protect against subverted routers. That is, a router that
can be made to lie is a significant security risk and the protection must be
physical or in the management system access, not in the routing protocol.
Modifying the stored energy in a router constitutes a physical attack on the
router (i.e. subversion) and would, of course, modify the router's ability to
forward data. Thus, the routing protocol would be correct to notify the rest of
the network of the revised state of power in the router and this would affect
how packets are routed.
Its not clear to me at this point if this is significant since the power drain
may have effect on metrics and routing beyond what is advertised and it seems
the recommendation to protect against unstable links would be effective in this
case as well.  
Exactly.
 
Thanks a lot.
 
Cheers.
 
JP.
Cheers,

Joe