[secdir] SecDir review of draft-ietf-nsis-tunnel-11
Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 13 June 2010 07:58 UTC
Message-ID: <4C148FB1.8060709@gmail.com>
Date: Sun, 13 Jun 2010 10:58:41 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-nsis-tunnel.all@tools.ietf.org
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors. Document editors and WG chairs should treat these
comments just like any other last call comments.
This draft discusses the problem of NSIS messages (particularly, QoS
reservation flows) being encapsulated into various IP tunneling
protocols, which prevent the correct QoS setup from being performed. The
draft proposes a solution for NSIS tunnel-aware tunnel endpoints, which
basically adds an NSIS signaling flow between the tunnel endpoints, but
outside of the tunnel.
General
The draft presents the problem, and the solution, reasonably well.
The draft goes for the "no new security issues" approach. I think this
is incorrect, and in fact a number of security issues should be analyzed
and possibly resolved. In addition, as a complete outsider to NSIS, I
have identified one major unspecified piece, leading me to believe that
the draft has not had enough review.
Security
The main security issue is that the draft fails to consider
security-oriented tunnels. IPsec tunnels (and the commonly used
GRE-over-IPsec) provide security services: normally encryption and
integrity protection with ESP, less commonly integrity protection only
with AH, ESP with null encryption, or the new WESP (RFC 5840). The
proposed solution raises at least three major security issues related to
these tunnels:
1. A so-called covert channel that results from NSIS flows in the
protected networks directly triggering NSIS protocol exchanges in an
unprotected network (i.e. between the tunnel endpoints). Please see
Appendix B.1 of draft-ietf-tsvwg-ecn-tunnel-08 for treatment of a
similar issue.
2. A more serious interaction in the other direction: unprotected NSIS
flows outside the tunnel interact with NSIS flows in the protected
networks and inside the tunnel, and so, an attacker in the unprotected
network can possibly influence QoS behavior in protected networks.
3. A practical result of (2) is that the NSIS protocol stack on the
tunnel endpoint is now exposed to unprotected networks and therefore
suddenly becomes security-critical.
Non-Security
The draft defines extra UDP encapsulation in some cases ("the tunnel
entry-point inserts an additional UDP header"), but the format
(specifically, the port number) is not specified. This omission is
strange, because the protocol cannot be implemented in the absence of
this information!
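The two tunnel interactions the review flags (the covert channel in issue 1 and the unprotected-to-protected influence in issue 2) are easy to see in a small model of the mechanism the draft proposes. The following is an added example, written for this page; it is not GIST or QoS-NSLP code, not the draft's design, and not the reviewer's. Message names, the fields and the "outer session id" are simplifications, and the shared endpoint key in the hardened variant is an assumption (endpoints that already share an IPsec SA can be provisioned with a signalling key). The inner host, the attacker's forged response and the peer's reply are constructed inputs.

```python
"""Toy model of an NSIS-aware tunnel endpoint, constructed for this note.
Not GIST/QoS-NSLP code and not the draft's own design: message names,
fields and the "outer session id" are simplifications.

Mechanism modelled (as the review summarises it): an inner reservation
arriving at the tunnel entry-point starts a second signalling session
between the tunnel endpoints, outside the tunnel, and the outer result
feeds back into the inner reservation.  Shown for an IPsec-style tunnel:
  (1) outer signalling exposes inner reservation parameters to anyone on
      the unprotected path (covert channel);
  (2) an unauthenticated outer message can change protected-side state.
The hardened variant adds an HMAC under a key shared by the two endpoints
(assumption: endpoints that already share an IPsec SA can share a key).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Msg:
    kind: str          # "RESERVE" or "RESPONSE"
    session: str       # session id, visible on the wire
    bandwidth: int     # requested/granted bandwidth (units irrelevant here)
    status: str = ""   # RESPONSE only: "OK" or "DENIED"
    tag: bytes = b""   # HMAC over the other fields; empty in the naive variant


def _mac(key: bytes, m: Msg) -> bytes:
    body = f"{m.kind}|{m.session}|{m.bandwidth}|{m.status}".encode()
    return hmac.new(key, body, hashlib.sha256).digest()


class TunnelEndpoint:
    def __init__(self, key: Optional[bytes] = None):
        self.key = key            # None -> naive variant (no outer authentication)
        self.inner = {}           # inner session id -> {"bw", "state"}
        self.outer_to_inner = {}  # outer session id -> inner session id
        self.wire = []            # every outer message sent; an observer sees all of it

    def on_inner_reserve(self, m: Msg) -> Msg:
        """Inner RESERVE (protected side) triggers an outer RESERVE."""
        self.inner[m.session] = {"bw": m.bandwidth, "state": "PENDING"}
        outer_id = secrets.token_hex(8)
        self.outer_to_inner[outer_id] = m.session
        out = Msg("RESERVE", outer_id, m.bandwidth)
        if self.key is not None:
            out.tag = _mac(self.key, out)
        self.wire.append(out)
        return out

    def on_outer_response(self, m: Msg) -> bool:
        """Outer RESPONSE (unprotected side); True if it changed inner state."""
        inner_id = self.outer_to_inner.get(m.session)
        if inner_id is None:
            return False  # not bound to any outer session this endpoint started
        if self.key is not None and not hmac.compare_digest(m.tag, _mac(self.key, m)):
            return False  # hardened variant: reject unauthenticated outer input
        self.inner[inner_id]["state"] = "RESERVED" if m.status == "OK" else "DENIED"
        return True


def run_scenario(key: Optional[bytes] = None) -> dict:
    """Constructed run: an inner host reserves 2000; an attacker on the
    unprotected path observes the outer RESERVE and forges a DENIED
    response; then the real peer endpoint answers OK."""
    ep = TunnelEndpoint(key)
    ep.on_inner_reserve(Msg("RESERVE", "inner-flow-1", 2000))

    # Observer on the outer path reads the session id and the bandwidth (issue 1).
    seen = ep.wire[-1]
    forged = Msg("RESPONSE", seen.session, seen.bandwidth, "DENIED")  # no key, no tag
    forged_accepted = ep.on_outer_response(forged)                    # issue 2
    state_after_forgery = ep.inner["inner-flow-1"]["state"]

    # The legitimate peer endpoint (which holds the key, if any) replies OK.
    real = Msg("RESPONSE", seen.session, seen.bandwidth, "OK")
    if key is not None:
        real.tag = _mac(key, real)
    ep.on_outer_response(real)

    return {
        "leaked_bandwidth": seen.bandwidth,  # equals the inner request in both variants
        "forged_accepted": forged_accepted,
        "state_after_forgery": state_after_forgery,
        "final_state": ep.inner["inner-flow-1"]["state"],
    }


if __name__ == "__main__":
    print("naive:   ", run_scenario())
    print("hardened:", run_scenario(b"shared-endpoint-key"))
```

In the naive run the forged DENIED is accepted and the protected-side reservation flips; in the hardened run it is rejected and only the peer's authenticated OK changes state. Two caveats follow directly from the model: the covert channel is untouched, since the outer RESERVE still carries the inner bandwidth in the clear whether or not it is authenticated, and the endpoint's outer-facing signalling parser is still reachable from the unprotected network, which is the exposure the review's issue 3 is about. Filtering on the peer's source address instead of a MAC would not help, as that address is trivially spoofed on the unprotected path.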