IETF Logo Mail Archive

Re: [secdir] Security review of draft-ietf-tsvwg-behave-requirements-update-06

<mohamed.boucadair@orange.com> Mon, 15 February 2016 13:28 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B19FE1B2EC9; Mon, 15 Feb 2016 05:28:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.102
X-Spam-Level:
X-Spam-Status: No, score=0.102 tagged_above=-999 required=5 tests=[BAYES_50=0.8, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZBqoiJQUr-jA; Mon, 15 Feb 2016 05:28:48 -0800 (PST)
Received: from relais-inet.francetelecom.com (relais-ias92.francetelecom.com [193.251.215.92]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 137961B325E; Mon, 15 Feb 2016 05:28:48 -0800 (PST)
Received: from omfedm06.si.francetelecom.fr (unknown [xx.xx.xx.2]) by omfedm13.si.francetelecom.fr (ESMTP service) with ESMTP id 38ABE3242EF; Mon, 15 Feb 2016 14:28:46 +0100 (CET)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [10.114.31.18]) by omfedm06.si.francetelecom.fr (ESMTP service) with ESMTP id 110D827C058; Mon, 15 Feb 2016 14:28:46 +0100 (CET)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILM34.corporate.adroot.infra.ftgroup ([fe80::cba:56d0:a732:ef5a%19]) with mapi id 14.03.0279.002; Mon, 15 Feb 2016 14:28:45 +0100
From: mohamed.boucadair@orange.com
To: Ben Laurie <benl@google.com>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-tsvwg-behave-requirements-update.all@tools.ietf.org" <draft-ietf-tsvwg-behave-requirements-update.all@tools.ietf.org>
Thread-Topic: Security review of draft-ietf-tsvwg-behave-requirements-update-06
Thread-Index: AQHRZ+6YVmjLE+hYIUaR5uBFpHiQ7p8tD9Ng
Date: Mon, 15 Feb 2016 13:28:45 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B933008CE2A9E@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <CABrd9SRpKZhxufKAFd331r6t9DAHS7XPVKerUoUeHKZPJqh3JA@mail.gmail.com> <CABrd9SSB3GU_KPJ=ucdzgsy13A+4Sk30f7ddMLEGm9mKHN4CFA@mail.gmail.com>
In-Reply-To: <CABrd9SSB3GU_KPJ=ucdzgsy13A+4Sk30f7ddMLEGm9mKHN4CFA@mail.gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.5]
Content-Type: multipart/alternative; boundary="_000_787AE7BB302AE849A7480A190F8B933008CE2A9EOPEXCLILMA3corp_"
MIME-Version: 1.0
X-PMX-Version: 6.2.1.2478543, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2016.2.8.153315
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/S4WJwJ2gCk-kz-_lya0H6pz29bE>
Subject: Re: [secdir] Security review of draft-ietf-tsvwg-behave-requirements-update-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Feb 2016 13:28:50 -0000

Dear Ben,

Thank you for the review.

Please see inline.

Cheers,
Med

De : Ben Laurie [mailto:benl@google.com]
Envoyé : lundi 15 février 2016 13:44
À : The IESG; secdir@ietf.org; draft-ietf-tsvwg-behave-requirements-update.all@tools.ietf.org
Objet : Re: Security review of draft-ietf-tsvwg-behave-requirements-update-06

Resending to correct address:

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: ready with issues

This document updates the behavioural requirements for NAT, and as noted in the very comprehensive (thankyou!) security considerations section,  introduces at least two requirements that might have security consequences.

The ADs should probably consider whether these new requirements are worth the additional risk.

Also, "Hosts which require a restricted filtering behavior should enable security-dedicated features (e.g., access control list (ACL)) either locally or by soliciting a dedicated security device (e.g., firewall)." is concerning - how will hosts know that they need to update their policies?

[Med] The text does not discuss this point because it is implementation and deployment-specific. This can be, for example, set by an application, a user, a global system parameter, etc. We can add this NEW sentence if you think it is helpful:

NEW:
How a host updates its filtering is implementation-specific.

"security-dedicate features" is not very informative - it would be helpful to explain what new behaviour may need to be counteracted. Looking at sections 5 and 6, to which this text refers, they appear to make NAT more restrictive, not less, so its unclear why there might be security impact.

[Med] It is true that the update in this draft is more restrictive compared to RFC4787 but still this is EIF. Because some may argue filtering is desired, hosts that need more restricted filtering should enforce some policies either locally or by interacting with an in-path device. What about changing “security-dedicated features” to “dedicated policies”?

BTW, small typo: "only if packets are to be sen to distinct destination addresses."
sen -> sent
[Med] Thank you for catching it. Fixed in my local copy.

v2.23.0 | Report a Bug | By Email