Re: [secdir] secdir review of draft-vinapamula-softwire-dslite-prefix-binding-07

<mohamed.boucadair@orange.com> Mon, 10 August 2015 08:37 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74C241B334A; Mon, 10 Aug 2015 01:37:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.7
X-Spam-Level:
X-Spam-Status: No, score=-0.7 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C0t04kPrJWET; Mon, 10 Aug 2015 01:37:23 -0700 (PDT)
Received: from relais-inet.francetelecom.com (relais-ias91.francetelecom.com [193.251.215.91]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 095D91B3348; Mon, 10 Aug 2015 01:37:06 -0700 (PDT)
Received: from omfedm07.si.francetelecom.fr (unknown [xx.xx.xx.3]) by omfedm11.si.francetelecom.fr (ESMTP service) with ESMTP id 3DB093B4D28; Mon, 10 Aug 2015 10:37:04 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [10.114.31.32]) by omfedm07.si.francetelecom.fr (ESMTP service) with ESMTP id 162544C048; Mon, 10 Aug 2015 10:37:04 +0200 (CEST)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILM32.corporate.adroot.infra.ftgroup ([fe80::8924:188:2124:a046%19]) with mapi id 14.03.0248.002; Mon, 10 Aug 2015 10:37:03 +0200
From: <mohamed.boucadair@orange.com>
To: Dan Harkins <dharkins@lounge.org>, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Thread-Topic: [secdir] secdir review of draft-vinapamula-softwire-dslite-prefix-binding-07
Thread-Index: AQHQ0WEFIcXnhVLSekOK9UP+d8zvZZ4Eu1uA
Date: Mon, 10 Aug 2015 08:37:03 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93300537662F@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <d382a567352201437592e63f00180e93.squirrel@www.trepanning.net> <87si7vt4b1.fsf@alice.fifthhorseman.net> <8d0721840eaf232d895b0e2c8b50ead9.squirrel@www.trepanning.net>
In-Reply-To: <8d0721840eaf232d895b0e2c8b50ead9.squirrel@www.trepanning.net>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.3]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-PMX-Version: 6.2.1.2478543, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2015.7.16.85415
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Ie3wrKAytp6JPUN0hIKPV76h-vc>
Cc: "draft-vinapamula-softwire-dslite-prefix-binding.all@tools.ietf.org" <draft-vinapamula-softwire-dslite-prefix-binding.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-vinapamula-softwire-dslite-prefix-binding-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Aug 2015 08:37:25 -0000

Hi Dan, all, 

Please see inline. 

Cheers,
Med

> -----Message d'origine-----
> De : Dan Harkins [mailto:dharkins@lounge.org]
> Envoyé : samedi 8 août 2015 00:33
> À : Daniel Kahn Gillmor
> Cc : iesg@ietf.org; secdir@ietf.org; draft-vinapamula-softwire-dslite-
> prefix-binding.all@tools.ietf.org
> Objet : Re: [secdir] secdir review of draft-vinapamula-softwire-dslite-
> prefix-binding-07
> 
> 
> On Fri, August 7, 2015 10:08 am, Daniel Kahn Gillmor wrote:
> > On Fri 2015-08-07 12:13:30 -0400, Dan Harkins wrote:
> >>   [ draft-vinapamula-softwire-dslite-prefix-binding-07 ]
> >
> >>   The main part of the solution is the introduction of a "Subscriber
> >> Mask" that allows a subscriber's CPE to be unambiguously identified
> >> when the mask is applied to a source IPv6 address. This identification
> >> allows for enforcement of per-subscriber policies even in the event of
> >> an address change.
> >>
> >>   The Security Considerations are sparse but address a potential
> >> DOS issue with a misbehaving user attempting to obtain additional
> >> resources by changing the address on its Basic Bridging Broadband
> >> element which seems to be the big issue here. All the other
> >> Security Considerations of DS-Lite apply and it refers to RFC 6333.
> >
> > I'm a bit puzzled by this document.  The Introduction says:
> >
> >    Note that in some deployments, CPE renumbering may be required to
> >    accommodate some privacy-related requirements to avoid assigning the
> >    same prefix to the same customer.  It is out of scope of this
> >    document to discuss such contexts.
> >
> > And then there is no mention of this concern ever again.  There is no
> > Privacy Considerations section (though the Security Considerations
> > section does mention one privacy consideration unrelated to the concern
> > raised in the Introduction).
> 
>   That's a very interesting point. The way I read it was that
> this draft deals with the impact of renumbering and not the reason
> why renumbering happened, so I didn't comment about it.

[Med] That's exactly the point.

> 
> > Is it acceptable to simply declare privacy considerations out-of-scope
> > for an I-D?  What are the "privacy-related requirements to avoid
> > assigning the same prefix to the same customer"?  in what deployments
> > should they be considered?
> >
> > https://tools.ietf.org/html/rfc6973 says:
> >
> >    The guidance provided here can and should be used to assess the
> >    privacy considerations of protocol, architectural, and operational
> >    specifications and to decide whether those considerations are to be
> >    documented in a stand-alone section, within the security
> >    considerations section, or throughout the document.
> >
> > Why are we considering these concerns (as important today as ever) "out
> > of scope" for the draft-vinapamula-softwire-dslite-prefix-binding?  How
> > is a potential deployer of this situation supposed to know whether their
> > context is one of the contexts where they should avoid this draft?
> >
> > To be clear: i'm not asking that the draft indicate how someone in one
> > of these privacy-sensitive contexts should approach enforcement of
> > per-subscriber policies.  But shouldn't the draft help a potential
> > deployer to decide whether they are in a context where they should or
> > should not apply the proposed standard?
> 
>   I thought a potential deployer should apply the proposed standard
> if they foresaw renumbering happening regardless of the reason. But
> your quote of RFC 6973 does seem to imply that if there are privacy
> considerations surrounding the use of the protocol (and privacy is
> obviously a reason for renumbering) then a stand alone section
> would be appropriate.
> 
>   Come to think of it, if the "Subscriber Mask" can be used to
> unambiguously identify a subscriber across renumbering then there
> is obviously a privacy consideration. Namely, if you are renumbering
> for privacy reasons, this protocol may mitigate the privacy effects
> of renumbering.

[Med] The mask does not allow to identify a CPE across renumbering (even within a DS-lite domain).

> 
>   Thank you for bringing this up! Let me retract my statement that
> this document is Ready. I will now say it is Almost Ready with the
> comment being that a Privacy Considerations section must be added
> to address the impact this protocol can have if the reason for
> renumbering was for privacy reasons.

[Med] There is already this text in the Security section:

   Also, the recommendations in Section 4 ensure the traffic is
   forwarded to a legitimate CPE.  If those recommendations are not
   implemented, privacy concerns may arise (e.g., If an IPv6 prefix is
   reassigned while mapping entries associated with that prefix are
   still active in the AFTR, sensitive data that belong to a previous
   prefix owner may be disclosed to the new prefix owner).

I have no problem to add a privacy section. What about the following change:

OLD:

5. Security Considerations

   Security considerations related to DS-Lite are discussed in
   [RFC6333].

   Enforcing the recommendations documented in Section 4 together with
   rate limiting softwires with new source IPv6 addresses from the same
   prefix defend against DoS attacks that would result in varying the
   B4's IPv6 address to exhaust AFTR resources.  A misbehaving CPE can
   be blacklisted by enforcing appropriate policies based on the prefix
   derived from the subscriber-mask.

   Also, the recommendations in Section 4 ensure the traffic is
   forwarded to a legitimate CPE.  If those recommendations are not
   implemented, privacy concerns may arise (e.g., If an IPv6 prefix is
   reassigned while mapping entries associated with that prefix are
   still active in the AFTR, sensitive data that belong to a previous
   prefix owner may be disclosed to the new prefix owner).

NEW:

5.  Security Considerations

   Security considerations related to DS-Lite are discussed in
   [RFC6333].

   Enforcing the recommendations documented in Section 4 together with
   rate limiting softwires with new source IPv6 addresses from the same
   prefix defend against DoS attacks that would result in varying the
   B4's IPv6 address to exhaust AFTR resources.  A misbehaving CPE can
   be blacklisted by enforcing appropriate policies based on the prefix
   derived from the subscriber-mask.

6.  Privacy Considerations

   A CPE connected to a DS-Lite network is identified by a set of
   information that is specific to each network domain (e.g., service
   credentials, device identifiers, etc.).  This document does not make
   any assumption nor introduce new requirements on how such
   identification is implemented network-wide.

   This document adheres to Sections 6 and 8 of [RFC6333] for handling
   IPv4-in-IPv6 packets and IPv4 translation operations.  In particular, this
   document does not leak extra information in packets exiting a DS-Lite
   network domain.

   The recommendations in Section 4 (bullet 6, in particular) ensure the
   traffic is forwarded to a legitimate CPE.  If those recommendations
   are not implemented, privacy concerns may arise (e.g., If an IPv6
   prefix is reassigned while mapping entries associated with that
   prefix are still active in the AFTR, sensitive data that belong to a
   previous prefix owner may be disclosed to the new prefix owner).

   These recommendations do not interfere with privacy extensions for
   generating IPv6 addresses (e.g., [RFC7217] or [RFC4941]).  These
   recommendations allow a CPE to generate new IPv6 addresses with
   privacy extensions without experiencing DS-Lite service degradation.

   This document does not nullify the privacy effects of non-stable IPv6
   prefixes.  Concretely, the subscriber-mask does not allow to identify
   a CPE across renumbering (even within a DS-Lite network domain).
   This document mitigates some of the undesired effects of reassigning
   an IPv6 prefix to another CPE (e.g., update a rendezvous service,
   remove stale mappings).

Better?

> 
>   Thanks again,
> 
>   Dan.
> 
>