[secdir] SecDir review of draft-ietf-nsis-tunnel-11

Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 13 June 2010 07:58 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 8970A3A68B2; Sun, 13 Jun 2010 00:58:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.001
X-Spam-Status: No, score=0.001 tagged_above=-999 required=5 tests=[BAYES_50=0.001]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id lCpxVoo-KC9s; Sun, 13 Jun 2010 00:58:46 -0700 (PDT)
Received: from mail-wy0-f172.google.com (mail-wy0-f172.google.com []) by core3.amsl.com (Postfix) with ESMTP id AA9593A6452; Sun, 13 Jun 2010 00:58:45 -0700 (PDT)
Received: by wyi11 with SMTP id 11so1869342wyi.31 for <multiple recipients>; Sun, 13 Jun 2010 00:58:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:subject:content-type :content-transfer-encoding; bh=z4fC6wcCWK2qZ4QMKWk/6PcBWAL2Q5OBl4/Ix+muQYs=; b=UlPIAYvpTt6RTKsoRUJ+yH00Fv1bje4rdu/nHuB255tzHl+LYHGFwuwnWch1CBbx/W DkQb3YgUq8GhLE+gZD7Q9cZeL7dvmccRVPGO+ch2D9yHFnQBlDP5GJ5UQxfPfjZuoZHM scIxQ6vF/t+hdvVjJfkAg5snHMQHYULDoSw9Y=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; b=PrTxvR/Pnhf3NeW9ob5cj9NhB9DbsrG9LtNeI7Z15QGc4FMMPY03lbkwb4AZmU3QE2 hwnWkIY1swWD5MzIRSrj4d0fkq3OW9flYhEpO+QtYttSV320ZGWzVHzlhpXGTo66FCJr Qt0qGZ03vw9GbI0d6QRwOeqErmPePqOZcD+d4=
Received: by with SMTP id r7mr4126501wbw.102.1276415925446; Sun, 13 Jun 2010 00:58:45 -0700 (PDT)
Received: from [] (bzq-79-178-30-177.red.bezeqint.net []) by mx.google.com with ESMTPS id y31sm25666643wby.16.2010. (version=SSLv3 cipher=RC4-MD5); Sun, 13 Jun 2010 00:58:44 -0700 (PDT)
Message-ID: <4C148FB1.8060709@gmail.com>
Date: Sun, 13 Jun 2010 10:58:41 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20100423 Lightning/1.0b1 Thunderbird/3.0.4
MIME-Version: 1.0
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-nsis-tunnel.all@tools.ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [secdir] SecDir review of draft-ietf-nsis-tunnel-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Jun 2010 07:58:47 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the IESG.
These comments were written primarily for the benefit of the security
area directors.  Document editors and WG chairs should treat these
comments just like any other last call comments.

This draft discusses the problem of NSIS messages (particularly, QoS 
reservation flows) being encapsulated into various IP tunneling 
protocols, which prevent the correct QoS setup from being performed. The 
draft proposes a solution for NSIS tunnel-aware tunnel endpoints, which 
basically adds an NSIS signaling flow between the tunnel endpoints, but 
outside of the tunnel.


The draft presents the problem, and the solution, reasonably well.

The draft goes for the "no new security issues" approach. I think this 
is incorrect, and in fact a number of security issues should be analyzed 
and possibly resolved. In addition, as a complete outsider to NSIS, I 
have identified one major unspecified piece, leading me to believe that 
the draft has not had enough review.


The main security issue is that the draft fails to consider 
security-oriented tunnels. IPsec tunnels (and the commonly used 
GRE-over-IPsec) provide security services: normally encryption and 
integrity protection with ESP, less commonly integrity-protection only 
with AH, ESP with null encryption, or the new WESP (RFC 5840). The 
proposed solution raises at least three major security issues related to 
these tunnels:

1. A so-called covert channel that results from NSIS flows in the 
protected networks directly triggering NSIS protocol exchanges in an 
unprotected network (i.e. between the tunnel endpoints). Please see 
Appendix B.1 of draft-ietf-tsvwg-ecn-tunnel-08 for treatment of a 
similar issue.

2. A more serious interaction in the other direction: unprotected NSIS 
flows outside the tunnel interact with NSIS flows in the protected 
networks and inside the tunnel, and so, an attacker in the unprotected 
network can possibly influence QoS behavior in protected networks.

3. A practical result of (2) is that the NSIS protocol stack on the 
tunnel endpoint is now exposed to unprotected networks and therefore 
suddenly becomes security-critical.


The draft defines extra UDP encapsulation in some cases ("the tunnel 
entry-point inserts an additional UDP header"), but the format 
(specifically, the port number) is not specified. This omission is 
strange, because the protocol cannot be implemented in the absence of 
this information!