[secdir] Secdir review of draft-ietf-dime-diameter-qos-11.txt
Brian Weis <bew@cisco.com> Wed, 12 August 2009 01:31 UTC
Return-Path: <bew@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D215E3A68AF; Tue, 11 Aug 2009 18:31:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D-7ztyCMR6Bg; Tue, 11 Aug 2009 18:31:08 -0700 (PDT)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com [171.71.176.70]) by core3.amsl.com (Postfix) with ESMTP id 984223A6782; Tue, 11 Aug 2009 18:31:08 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApoEADK4gUqrR7MV/2dsb2JhbAC6S4grNQEBBgGQLQWCMw0MAQGBSw
X-IronPort-AV: E=Sophos;i="4.43,364,1246838400"; d="scan'208";a="226690502"
Received: from sj-dkim-1.cisco.com ([171.71.179.21]) by sj-iport-1.cisco.com with ESMTP; 12 Aug 2009 01:29:27 +0000
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com [171.71.177.254]) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n7C1TRnl001683; Tue, 11 Aug 2009 18:29:27 -0700
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com [128.107.191.100]) by sj-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id n7C1TRFQ029075; Wed, 12 Aug 2009 01:29:27 GMT
Received: from xfe-sjc-212.amer.cisco.com ([171.70.151.187]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 11 Aug 2009 18:29:26 -0700
Received: from dhcp-128-107-163-100.cisco.com ([128.107.163.100]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 11 Aug 2009 18:29:26 -0700
Message-Id: <8A566855-FDC1-4907-BCBB-55871F805374@cisco.com>
From: Brian Weis <bew@cisco.com>
To: secdir@ietf.org, iesg@ietf.org
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Tue, 11 Aug 2009 18:29:24 -0700
X-Mailer: Apple Mail (2.935.3)
X-OriginalArrivalTime: 12 Aug 2009 01:29:26.0644 (UTC) FILETIME=[548A6340:01CA1AEC]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=5968; t=1250040567; x=1250904567; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=bew@cisco.com; z=From:=20Brian=20Weis=20<bew@cisco.com> |Subject:=20Secdir=20review=20of=20draft-ietf-dime-diameter -qos-11.txt |Sender:=20; bh=iglckixita6xpO9mOge4GoNqb5OPfTZruEl9tnxywS0=; b=PAlGpmndedK0VSCzeuhpT/815KP4wILJB7bznissGEdNgGkNsPlk6zOpxv y2TGyd/5fgGHupKqFlpkm0Ll8LyqGkmolfHuOlPM5qLRhHnk8/MKK9M/sRdt XEUVa0e9RQWc2YprtV7EWTxoUiHtZyHwfV8Gm3QhNsf93TqQIIkz4=;
Authentication-Results: sj-dkim-1; header.From=bew@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Cc: dime-chairs@tools.ietf.org, draft-ietf-dime-diameter-qos@tools.ietf.org
Subject: [secdir] Secdir review of draft-ietf-dime-diameter-qos-11.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2009 01:31:09 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document describes a Diameter Quality of Service (QoS) application, which allows network elements to interact with Diameter servers when allocating QoS resources in the network. It re-uses the Diameter Base Protocol (RFC 3588) packet formats for this new application. New message flows between Network Elements (acting as Diameter Clients) and Authorizing Entities (acting as Diameter Servers) are defined. Examples are given as to how the new flows fit into various QoS methods. This document seems to be mature. I have some detailed comments/ questions, but they are primarily suggesting additional topics for the Security Considerations section and a suggestion to better clarify how "identities" are used. The Security Considerations section of this document describes various threats to Diameter messaging, which are accurate, but more precisely apply to the Base Protocol rather than the use case presented in this I-D. That is, the need for authentication, authorization, integrity and confidentiality is no different for this I-D than for RFC 3588. I see no problem with the existing text, but a statement that the Security Considerations in RFC 3588 also apply would also be appropriate (especially as that document discusses mitigations to the threats described here). I don't believe there is a sufficient discussion in the Security Considerations regarding the threats to the QoS application itself. Let me try to explain. If I'm not mistaken, the traditional Diameter Base Protocol use case consists of a login service on an access port and a Diameter Client that provide no access to the user until the Diameter Server returns positive results. As such, mitigating threats to the messages (using some form of transport security) is the primary consideration to the Base Protocol -- it is understood that the actual device trying to access the network is being denied access by the login service until the Diameter exchange finishes. However, the QoS application brings two new dynamic actors into the solution: the Resource Requesting Entity (RRE) (using unspecified and possibly unsecured QoS request protocols), and a potential man-in-the-middle actor between the RRE and the Network Element. I understand that how those messages are protected between an RRE and a Network Element is outside the scope of this document, but because the Network Element/ Diameter Client acts on those messages there are additional threats to the QoS application that should be described. Here are some threats that occur to me: 1. In some (if not all) cases, the the Diameter Client translates information provided by the RRE (as shown in Figure 3), and includes it in a QoS-Request (described in Section 5.1) sent to the Diameter Server. In particular, the the QoS-Request may include a number of identification fields that, if blindly accepted from an RRE QoS Request message, could be cause the Diameter QoS service to allow authorizations that it should not (or conversely, deny authorizations unnecessarily). Of course, the same is true for the QoS parameters. I would expect the security consideration section to discuss the risks of the Network Element acting on these fields. For example, recommending that adequate transport security be used between the RRE and the Network Element to mitigate the man-in-the-middle threat. 2. A Token-based Three Party Scheme (Figure 4) may mitigate the threat of an RRE lying about its own identity. However, I see no means described by which the Diameter Client can have assurance that the RRE presenting the token was actually the RRE given that particular token. Perhaps there is an assumption that the Network Client will have previously authenticated the RRE and can verify the Username in a token to a Username associated with an access port. A discussion of how the Network Element maps the token to an identity would be useful. Here are a few comments on the rest of the document: 3. Figures 3, 4, and 5 show a "financial settlement" line between an an "Entity authorizing resource request" and a Network Element. It is odd to think of a Network Element (e.g., router) participating in a financial transaction. Wouldn't it be more likely that the "Entity authorizing resource request" would be a proxy device in the home network that speaks back-end protocols for both authorization and financial settlement to a visited network device? 4. Section 3.4 includes requirements titled "Identity-based Routing" and "Associating QoS Reservations and Application State", which essential require that the Diameter Server must be given identities that it trusts. Comments 1 and 2 above really are questioning how this requirement is actually met. Since this is a critical point, it would be worth adding some discussion in the text regarding how accurate identities can be obtained by the Diameter Client. By the way, what identity types does the Diameter QoS application expect to use? Username, IP address, and/or Hostname? Is mapping an IP address to a Username important? This might be valuable discussion to add. 5. Section 4.2.3. The term "Diameter QoS application node" is used exclusively in this section. Does it refer to a Diameter QoS client, server, or both? Clarifying this would be good. Thanks, Brian -- Brian Weis Router/Switch Security Group, ARTG, Cisco Systems Telephone: +1 408 526 4796 Email: bew@cisco.com