Re: [secdir] Review of draft-livingood-woundy-congestion-mgmt-05

Jason Livingood <jason_livingood@cable.comcast.com> Thu, 29 July 2010 13:35 UTC

Return-Path: <jason_livingood@cable.comcast.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CD2013A6A03; Thu, 29 Jul 2010 06:35:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.452
X-Spam-Level: *
X-Spam-Status: No, score=1.452 tagged_above=-999 required=5 tests=[AWL=1.120, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, HOST_MISMATCH_NET=0.311, RCVD_NUMERIC_HELO=2.067]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id acqY46nu115s; Thu, 29 Jul 2010 06:35:50 -0700 (PDT)
Received: from cable.comcast.com (copdcimo01.potomac.co.ndcwest.comcast.net [76.96.32.251]) by core3.amsl.com (Postfix) with ESMTP id 98BEE3A67EF; Thu, 29 Jul 2010 06:35:46 -0700 (PDT)
Received: from ([147.191.124.12]) by copdcimo01.cable.comcast.com with ESMTP with TLS id 5503630.5144736; Thu, 29 Jul 2010 07:40:45 -0600
Received: from PAOAKEXCSMTP01.cable.comcast.com (10.52.116.30) by copdcexhub01.cable.comcast.com (147.191.124.12) with Microsoft SMTP Server id 14.0.702.0; Thu, 29 Jul 2010 07:36:08 -0600
Received: from PACDCEXCMB04.cable.comcast.com ([24.40.15.86]) by PAOAKEXCSMTP01.cable.comcast.com with Microsoft SMTPSVC(6.0.3790.4675); Thu, 29 Jul 2010 09:35:52 -0400
Received: from 92.65.30.74 ([92.65.30.74]) by PACDCEXCMB04.cable.comcast.com ([24.40.15.86]) via Exchange Front-End Server legacywebmail.comcast.com ([24.40.8.154]) with Microsoft Exchange Server HTTP-DAV ; Thu, 29 Jul 2010 13:35:51 +0000
User-Agent: Microsoft-Entourage/12.25.0.100505
Date: Thu, 29 Jul 2010 09:35:50 -0400
From: Jason Livingood <jason_livingood@cable.comcast.com>
To: Tero Kivinen <kivinen@iki.fi>, <iesg@ietf.org>, <secdir@ietf.org>
Message-ID: <C876FBF6.29D84%jason_livingood@cable.comcast.com>
Thread-Topic: Review of draft-livingood-woundy-congestion-mgmt-05
Thread-Index: AcsvIvU8GKpLrhORL0+RRWggSw/W5g==
In-Reply-To: <19526.56446.871198.214543@fireball.kivinen.iki.fi>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 29 Jul 2010 13:35:52.0037 (UTC) FILETIME=[F673D150:01CB2F22]
X-Mailman-Approved-At: Thu, 29 Jul 2010 08:06:57 -0700
Cc: Rich Woundy <Richard_Woundy@cable.comcast.com>
Subject: Re: [secdir] Review of draft-livingood-woundy-congestion-mgmt-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Jul 2010 13:35:55 -0000

Tero --

Tero - Thanks for the review and feedback.  All of this is now fixed in
draft-livingood-woundy-congestion-mgmt-06, which has been uploaded today and
is now available at
http://www.ietf.org/id/draft-livingood-woundy-congestion-mgmt-06.txt.

I've made specific replies inline below, if you are interested, to confirm
and show the changes.

Thank you,
Jason


On 7/21/10 7:39 AM, "Tero Kivinen" <kivinen@iki.fi>; wrote:

> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> This document describes the congestion management system used by the
> comcast. As such it does not describe any specific protocol, just the
> architecture and management algorithms to manage congestion. The
> security considerations section says
> 
> ----------------------------------------------------------------------
> 12.  Security Considerations
> 
>    It is important that an ISP secure access to the Congestion
>    Management Servers and the QoS Servers, as well as QoS signaling to
>    the CMTSes, so that unauthorized users and/or hosts cannot make
>    unauthorized changes to QoS settings in the network.  It is also
>    important to secure access to the Statistics Collection Server since
>    this contains ISP-proprietary traffic data.
> ----------------------------------------------------------------------
> 
> and as such it seems to list the most obvious security threats i.e.
> the actual protocols run between the different nodes and that those
> protocols needs to be secured, altought I would not consider
> protecting the ISP-proprietary traffic data as the most important
> reason why statistics collection server access needs to be secured.
> The privacy issues (i.e from that statistics data it might be possible
> to find out who is making connections to where) and ability to protect
> against feeding false statistics information is more important than
> protecting ISP-proprietary traffic data.

That is a very good point and was an oversight on my part.  I have revised
the section as follows at the bottom of this email.  I have also explained
in there what the IPDR record stores, which is just bytes sent and bytes
received, over a given interval of time.  Thus there is not
source/destination data, etc.

> There is no description what happens to the statistics data after the
> inspection interval, i.e. whether it is stored for long time or
> whether it is immediately deleted. Getting access to statistics data
> later might allow all kind of traffic analysis etc and the document
> does not describe on what granularity the actual statistics are
> collected so the traffic analysis done afterwards might offer quite
> lot information. It should be enough to collect only per "cable modem"
> statistics, i.e. remove actual TCP flow or connection information from
> the statistics (not sure if that is done or not), and for the
> congestion management reasons it should be enough to keep only the
> last n minutes worth of statistics.

This is correct and is fact what IPDR data is restricted to collecting (in
the stats collection server).

Here's what I now have.  Please do advise if you wish additional changes or
clarifications and I will make them ASAP.

<start>

Security Considerations:

It is important that an ISP secure access to the Congestion Management
Servers and the QoS Servers, as well as QoS signaling to the CMTSes, so that
unauthorized users and/or hosts cannot make unauthorized changes to QoS
settings in the network.

It is also important to secure access to the Statistics Collection Server
since this contains IPDR-based byte transfer data which considered private
by end users on an individual basis. In addition this data is considered
ISP-proprietary traffic data on an aggregate basis. Access to the Statistics
Collection Server should also be secured so that false usage statistics
cannot be fed into the system. It is important to note that IPDR data
contain a count of bytes sent and bytes received, by cable modem MAC
address, over a given interval of time. This data does not contain things
such as the source and/or destination Internet address of that data, nor
does it contain the protocols used, ports used, etc.

<end>