Re: [secdir] secdir review of draft-ietf-roll-admin-local-policy-02

peter van der Stok <stokcons@xs4all.nl> Wed, 14 January 2015 08:17 UTC

Return-Path: <stokcons@xs4all.nl>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 936D81A9107; Wed, 14 Jan 2015 00:17:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.55
X-Spam-Level:
X-Spam-Status: No, score=-1.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fUgs73EElVnd; Wed, 14 Jan 2015 00:17:55 -0800 (PST)
Received: from lb1-smtp-cloud3.xs4all.net (lb1-smtp-cloud3.xs4all.net [194.109.24.22]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0AEC41A90F7; Wed, 14 Jan 2015 00:17:54 -0800 (PST)
Received: from roundcube.xs4all.nl ([194.109.20.208]) by smtp-cloud3.xs4all.net with ESMTP id fkHq1p00U4VN29601kHqfj; Wed, 14 Jan 2015 09:17:51 +0100
Received: from AMontpellier-654-1-171-51.w92-145.abo.wanadoo.fr ([92.145.38.51]) by roundcube.xs4all.nl with HTTP (HTTP/1.1 POST); Wed, 14 Jan 2015 09:17:50 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
Date: Wed, 14 Jan 2015 09:17:50 +0100
From: peter van der Stok <stokcons@xs4all.nl>
To: robert.cragie@gridmerge.com
Organization: vanderstok consultancy
Mail-Reply-To: consultancy@vanderstok.org
In-Reply-To: <54AD33DA.5080006@gridmerge.com>
References: <7e9a24ab8a294586bc19f23673551c24@KLUSE610.infineon.com> <5e5cc9fe445de45d78bc05604a308da6@xs4all.nl> <75d052c652b043c88c3ecc3c469b6bcb@KLUSE610.infineon.com> <54AD33DA.5080006@gridmerge.com>
Message-ID: <453df83f266b93c62a0eba7a871fbec8@xs4all.nl>
X-Sender: stokcons@xs4all.nl (q1rd0nXiJi9stxs0iwKHBlJF1R8+bCWL)
User-Agent: XS4ALL Webmail
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/TixmgqHMax0Sl20gjVtzuVTiEwI>
Cc: draft-ietf-roll-admin-local-policy.all@tools.ietf.org, iesg@ietf.org, consultancy@vanderstok.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-roll-admin-local-policy-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: consultancy@vanderstok.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jan 2015 08:17:58 -0000

Hi all,

I propose the following additions to the draft:

-   Add a section 4.3 Encryption rules
With content:
Incoming MPL4 messages, encrypted at layer 2, MUST be encrypted at layer 
2 at all outgoing interfaces. This is done either by decrypting at the 
incoming interface and encrypting at the outgoing interface with the 
appropriate keys and encryption algorithm, or by sending the MPL4 
message unmodified at the outgoing interface. Incoming MPL4 messages 
which are not encrypted at layer 2 MUST not be encrypted at layer 2 at 
the outgoing interfaces.

- Add text to section 7
An attacker can send an MPL4 message with the effect that MPL4 messages 
are sent to the connected link or mesh. This possibly unwanted extension 
of the MPL4 zone is limited to the enveloping zone. Its duration is 
limited by MPL_CHECK_INT parameter. A manager of the MPL4 router can set 
MPL_enabled to FALSE on certain interfaces to restrict this misuse even 
more. In the worst case the attacker is located on an open wifi link 
where the IEEE802.11 interface is connected to a MPL4 router connected 
to other mesh interfaces. The rules of section 4.3 protect the integrity 
of the MPL4 messages, and prevent that MPL4 messages from the attacker 
are accepted by nodes that are part of a mesh protected at layer 2.

I think this covers the cases coming forward in the discussion.
Looking forward to improvements on the proposed text.

Greetings,

peter

Robert Cragie schreef op 2015-01-07 14:25:
> Steve,
> 
> My comments inline, bracketed by <rcc></rcc>.
> 
> Robert
> 
> On 02/01/2015 18:26, Steve.Hanna@infineon.com wrote:
>> Peter,
>> 
>> Thanks for your prompt response. I have added some more comments 
>> below,
>> delimited with <steve>.
>> 
>> Steve
>> 
>> -----Original Message-----
>> From: peter van der Stok [mailto:stokcons@xs4all.nl]
>> Sent: Friday, January 02, 2015 5:19 AM
>> To: Hanna Steve (IFNA CCS SMD AMR)
>> Cc: secdir@ietf.org; iesg@ietf.org;
>> draft-ietf-roll-admin-local-policy.all@tools.ietf.org
>> Subject: Re: secdir review of draft-ietf-roll-admin-local-policy-02
>> 
>> Dear Steve,
>> 
>> thanks for the comments. I will respond below to the points you raise.
>> 
>> Greetings, Peter
>> 
>> Steve.Hanna@infineon.com schreef op 2014-12-30 13:55:
>> 
>>> This document describes a technique for automatically managing the
>>> boundaries of the admin-local multicast scope in a border router,
>>> using MPL (Multicast Protocol for Low power and Lossy Networks).
>> <peter>
>> Correct
>> </peter>
>>> In my view, this document is Not Ready.
>>> 
>>> The document is hard to understand. For example, the acronyms MPL and
>>> MPL4 are used throughout the document but they are not defined.
>> <peter>
>> You are the third to remark on this point. Adrian did suggestions to
>> improve the document with a definition of MPL, that we will take over.
>> MPL4 concepts are defined in section 1.2.
>> </peter>
>> <steve>
>> I'm happy to see that you'll be adding a definition of MPL. That's 
>> good.
>> 
>> While it's true that section 1.2 defines several terms that include 
>> MPL4
>> (e.g., "MPL4 message"), the term "MPL4" is never defined anywhere.
>> I found that confusing.
>> </steve>
>>> After reading the document several times, I have concluded that
>>> section 3.2 contains the most important part of the document: an
>>> algorithm for automatically defining the boundaries of the 
>>> admin-local
>>> multicast scope using MPL. This section basically says that a border
>>> router should periodically send an MPL message on all interfaces to
>>> the ALL_MPL_FORWARDERS multicast address with admin-local scope. It
>>> should also listen for such messages on all interfaces. If it 
>>> receives
>>> such a message, that interface should be marked as part of the
>>> admin-local scope.
>>> 
>>> This algorithm seems problematic from a security standpoint. Because
>>> any device on a network can send an MPL message to the
>>> ALL_MPL_FORWARDERS multicast address with admin-local scope, the
>>> boundaries of the admin-local multicast scope can be expanded by
>>> attackers fairly easily.
> <rcc>I guess it depends what you mean by "fairly easily". An attacker
> in this case would have interfaces on more than one network and would
> have to be authenticated on all networks in question. The attack
> scenario may be just to attach to one network and then forward into
> other network(s) which would not originally be considered part of the
> admin-local scope (which is I think what you are saying below) but it
> still has to authenticate to the network being attacked and obtain the
> relevant key before its interface on that network can validly receive
> a MPL4 message.</rcc>
>>> Such manipulation may permit nodes that
>>> should be outside a particular administrative domain to join that
>>> domain and participate in receiving and sending multicast traffic
>>> within that domain. The implications of such an attack are not clear
>>> to me because I am not familiar with the protocols and devices that
>>> use admin-local multicast scope. However, it seems likely that
>>> expanding the admin-local multicast scope will permit external
>>> attackers to more easily monitor multicast traffic that should be
>>> private and to inject multicast messages into a relatively trusted
>>> domain.
> <rcc>Again, it has to have been authenticated to one or more networks
> and obtained the relevant key before it can do this.</rcc>
>> <peter>
>> In the discussion with Joel, we came to the conclusion that we were 
>> not
>> very clear with respect to the administrative zone specification.
>> We suggested to limit the mpl admin-local scope within one zone.
>> The text will be extended to include this extra limit on the boundary 
>> of
>> admin-local-scope.
>> The extent of the scope does not specify anything about the contents 
>> of
>> the MPL messages.
>> It is expected that MPL messages are encrypted depending on the wanted
>> security level.
>> Monitoring by an attacker limits itself to counting messages, which is
>> already possible on wireless links any way.
>> To inject messages, the attacker should know the keys necessary to
>> encrypt.
>> When messages are not encrypted they are already readable on the
>> wireless links, and the monitoring by extending the mpl-admin-local
>> scope does not increase the vulnerability to snooping the messages.
>> </peter>
>> <steve>
>> Please send me a copy of your new text limiting the admin-local scope
>> to one zone. I don't see how this will help but maybe the new text 
>> will
>> make it clear.
>> 
>> You just stated that "It is expected that MPL messages are encrypted".
>> However, this is never stated in draft-ietf-roll-trickle-mcast-11.txt 
>> or in
>> draft-ietf-roll-admin-local-policy-02.txt. In fact, there's no mention 
>> of
>> encryption in those documents at all. If the security of your design
>> depends on this encryption, you'd better talk about it somewhere!
>> 
>> Now I'd like to investigate the security provided by this encryption.
>> Are you expecting that application-layer encryption will be used?
>> I suppose not because that would require extensive description
>> And you provided none. Probably you're thinking about link-layer
>> encryption such as that provided by IEEE 802.11i. However, I don't
>> think that such encryption will prevent the attacks that I described.
>> 
>> A border router frequently spans networks that are part of multiple
>> administrative domains. Your current design (even with link 
>> encryption)
>> means that any device connected to any of these networks can dictate
>> the boundaries of the admin-local scope. Is it really desirable to 
>> trust
>> all those devices to that extent? I think not.
>> </steve>
> <rcc>
> The concept of scope, network boundary and security boundary are all
> somewhat orthogonal. RFC7346 acknowledges this with additional text
> and draft-ietf-roll-admin-local-policy explains how automatic
> configuration for realm-local scope occurs in relation to a network
> identifier, which then links network boundary and realm-local scope.
> However, there isn't necessarily a one-to-one correspondence between
> security boundary and network boundary even though it often happens in
> practice, e.g. a WPA2 key for an 802.11 WLAN or network key for ZigBee
> IP WPAN, for example. Assuming this link-layer encryption, I don't
> think the attacks can take place as an attacker would have to
> authenticate itself to the network being attacked first or else it
> would not be able to validly received the MPL4 message.
> 
> It is true that a border router configured with multiple MPL-enabled
> interfaces does indeed by implication expand the admin-local scope,
> however it is not obliged to have all its interfaces MPL-enabled; this
> is part of configuration as well, potentially controllable by some
> superordinate entity.
> 
> Perhaps we need some extra text to explain this.
> </rcc>
>> 
>>> In addition to this fundamental concern, I have a few minor concerns
>>> about the readability of the document. However, I seem to have 
>>> mislaid
>>> my notes during the holidays. Because this review is already late and
>>> I'm on vacation, I will send the review now and follow up with the
>>> minor concerns at a later date if I can find them when I return to 
>>> the
>>> office.
>> <peter>
>> If you find terms which are not defined in this draft,
>> ietf-rol-trickle-mcast or RFC7346, I will be happy to extend the
>> definitions of section 1.2.
>> </peter>
>> <steve>
>> OK, I'll look for my notes. However, the most important aspect of
>> my review is the security issue described above.
>> </steve>
>>