Re: [secdir] secdir review of draft-ietf-softwire-lw4over6-11

<ian.farrer@telekom.de> Thu, 30 October 2014 11:23 UTC

Return-Path: <ian.farrer@telekom.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 344431AD0BA; Thu, 30 Oct 2014 04:23:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.26
X-Spam-Level:
X-Spam-Status: No, score=-3.26 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GNaCOTNo22J9; Thu, 30 Oct 2014 04:23:22 -0700 (PDT)
Received: from tcmail23.telekom.de (tcmail23.telekom.de [80.149.113.243]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 53CF71AD0B8; Thu, 30 Oct 2014 04:23:20 -0700 (PDT)
Received: from qdezc2.de.t-internal.com ([10.125.181.10]) by tcmail21.telekom.de with ESMTP; 30 Oct 2014 12:23:16 +0100
X-IronPort-AV: E=Sophos;i="5.07,285,1413237600"; d="scan'208";a="158411445"
Received: from he113443.emea1.cds.t-internal.com ([10.134.93.103]) by qde0ps.de.t-internal.com with ESMTP/TLS/AES128-SHA; 30 Oct 2014 12:23:16 +0100
Received: from HE111643.EMEA1.CDS.T-INTERNAL.COM ([10.134.93.12]) by HE113443.emea1.cds.t-internal.com ([::1]) with mapi; Thu, 30 Oct 2014 12:23:16 +0100
From: <ian.farrer@telekom.de>
To: <weiler@watson.org>, <draft-ietf-softwire-lw4over6.all@tools.ietf.org>
Date: Thu, 30 Oct 2014 12:23:13 +0100
Thread-Topic: secdir review of draft-ietf-softwire-lw4over6-11
Thread-Index: Ac/vBgOl6BPZm3xETd2bBcEBL00r+QFLT9Mw
Message-ID: <8A1B81989BCFAE44A22B2B86BF2B76318B36A653AF@HE111643.EMEA1.CDS.T-INTERNAL.COM>
References: <alpine.BSF.2.11.1410231708570.60907@fledge.watson.org>
In-Reply-To: <alpine.BSF.2.11.1410231708570.60907@fledge.watson.org>
Accept-Language: en-US, de-DE
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US, de-DE
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/LWf1WfKzb-oJDVqOB1Af3iqAJ9w
X-Mailman-Approved-At: Thu, 30 Oct 2014 04:26:57 -0700
Cc: iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-softwire-lw4over6-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Oct 2014 11:23:25 -0000

Hi Samuel,

Thanks for your review. Regarding the DISCUSSs that you've raised, I've suggested some additional text that could be added in each case. Please let me know what you think.

Cheers,
Ian

-----Original Message-----
From: Samuel Weiler [mailto:weiler@watson.org] 
Sent: Donnerstag, 23. Oktober 2014 23:12
To: draft-ietf-softwire-lw4over6.all@tools.ietf.org
Cc: secdir@ietf.org; iesg@ietf.org
Subject: secdir review of draft-ietf-softwire-lw4over6-11

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.


Does this mechanism introduce new points for a DoS attack, e.g. forging the ICMPv6 error message (type 1, code 5) mentioned in Section 5.1?  I would like to see a list and discussion of these or, if appropriate, an analysis showing that none exist.

[if] What about adding the following text to Sec 5.1:

On receipt of such and ICMP error message, the lwB4 MUST validate the source address to be the same as the lwAFTR address which is configured. In the event that these addresses do not match, the lwAFTR MUST discard the ICMP error message.

In order to prevent forged ICMP messages using the spoofed lwAFTR address as the source being sent to lwB4s, the operator can implement network ingress filtering as described in [RFC2827].
----
It's probably worth explaining this 2119 RECOMMENDation in more
detail:

    Unless an lwB4 is being allocated a full IPv4 address, it is
    RECOMMENDED that PSIDs containing the well-known ports (0-1023) are
    not allocated to lwB4s.

[if] We could extend this with the following sentence:

Section 5.2.2 of [RFC6269] provides analysis of allocating well-known ports to clients with IPv4 address sharing.
------
I would like to see a discussion of provisioning mechanism security.
Are there security-related factors that should drive the choice of provisioning mechanism (the doc mentions several options...)?  Are there configuration choices that should or must be made when using one of thsoe for this purpose?

[if] The following could be added to Sec 9 (Security Considerations):

This document describes a number of different protocols which may be used for the provisioning of lw4o6. In each case, the security considerations relevant to the provisioning protocol are also relevant to the provisioning of lw4o6 using that protocol. lw4o6 does not add any additional provisioning protocol specific security considerations.
------

Non-security stuff:

I'm not seeing any explicit discussion of whether (and how) a lwB4 can request additional port space after the initial assignment.  If that feature does not exist, I would like to see it explicitly acknowledged as a limitation with a discussion of why it is not being provided.

Again, assuming that there is not such a mechanism: since this is the architecture document, I would like to see a few words on expected port assignment/utilization ratios.  Assuming a typical case of a residential subscriber, it seems that lw4o6 would need to assign enough ports to each user to accommodate expected peak usage.  This pretty clearly results in fewer users accommodated on a public v4 address than if they were sharing the port space on demand.  How much much v4 space does lw4o6 consume in this environment compared to DS-Lite?

[if] Propose the following wording to be added after the paragraph starting ³An lwB4 MUST support dynamic port-restricted IPv4 address provisioning²:

Provisioning of the lwB4 using DHCPv6 as described here allocates a single PSID to the client. In the event that the client is concurrently using all of the provisioned L4 ports it may be unable to initiate any additional outbound connections. DHCPv6 based provisioning does not provide a mechanism for the client to request more L4 ports. Other provisioning mechanisms (e.g. PCP based
provisioning)
provide this function.

Issues relevant to IP address sharing are discussed in more detail in [RFC6269].