[secdir] Secdir review of draft-ietf-dime-diameter-qos-11.txt

Brian Weis <bew@cisco.com> Wed, 12 August 2009 01:31 UTC

Return-Path: <bew@cisco.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id D215E3A68AF; Tue, 11 Aug 2009 18:31:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id D-7ztyCMR6Bg; Tue, 11 Aug 2009 18:31:08 -0700 (PDT)
Received: from sj-iport-1.cisco.com (sj-iport-1.cisco.com []) by core3.amsl.com (Postfix) with ESMTP id 984223A6782; Tue, 11 Aug 2009 18:31:08 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: ApoEADK4gUqrR7MV/2dsb2JhbAC6S4grNQEBBgGQLQWCMw0MAQGBSw
X-IronPort-AV: E=Sophos;i="4.43,364,1246838400"; d="scan'208";a="226690502"
Received: from sj-dkim-1.cisco.com ([]) by sj-iport-1.cisco.com with ESMTP; 12 Aug 2009 01:29:27 +0000
Received: from sj-core-2.cisco.com (sj-core-2.cisco.com []) by sj-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n7C1TRnl001683; Tue, 11 Aug 2009 18:29:27 -0700
Received: from xbh-sjc-231.amer.cisco.com (xbh-sjc-231.cisco.com []) by sj-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id n7C1TRFQ029075; Wed, 12 Aug 2009 01:29:27 GMT
Received: from xfe-sjc-212.amer.cisco.com ([]) by xbh-sjc-231.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 11 Aug 2009 18:29:26 -0700
Received: from dhcp-128-107-163-100.cisco.com ([]) by xfe-sjc-212.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959); Tue, 11 Aug 2009 18:29:26 -0700
Message-Id: <8A566855-FDC1-4907-BCBB-55871F805374@cisco.com>
From: Brian Weis <bew@cisco.com>
To: secdir@ietf.org, iesg@ietf.org
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Tue, 11 Aug 2009 18:29:24 -0700
X-Mailer: Apple Mail (2.935.3)
X-OriginalArrivalTime: 12 Aug 2009 01:29:26.0644 (UTC) FILETIME=[548A6340:01CA1AEC]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=5968; t=1250040567; x=1250904567; c=relaxed/simple; s=sjdkim1004; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=bew@cisco.com; z=From:=20Brian=20Weis=20<bew@cisco.com> |Subject:=20Secdir=20review=20of=20draft-ietf-dime-diameter -qos-11.txt |Sender:=20; bh=iglckixita6xpO9mOge4GoNqb5OPfTZruEl9tnxywS0=; b=PAlGpmndedK0VSCzeuhpT/815KP4wILJB7bznissGEdNgGkNsPlk6zOpxv y2TGyd/5fgGHupKqFlpkm0Ll8LyqGkmolfHuOlPM5qLRhHnk8/MKK9M/sRdt XEUVa0e9RQWc2YprtV7EWTxoUiHtZyHwfV8Gm3QhNsf93TqQIIkz4=;
Authentication-Results: sj-dkim-1; header.From=bew@cisco.com; dkim=pass ( sig from cisco.com/sjdkim1004 verified; );
Cc: dime-chairs@tools.ietf.org, draft-ietf-dime-diameter-qos@tools.ietf.org
Subject: [secdir] Secdir review of draft-ietf-dime-diameter-qos-11.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2009 01:31:09 -0000

I have reviewed this document as part of the security directorate's  
ongoing effort to review all IETF documents being processed by the  
IESG. These comments were written primarily for the benefit of the  
security area directors. Document editors and WG chairs should treat  
these comments just like any other last call comments.

This document describes a Diameter Quality of Service (QoS)  
application, which allows network elements to interact with Diameter  
servers when allocating QoS resources in the network. It re-uses the  
Diameter Base Protocol (RFC 3588) packet formats for this new  
application. New message flows between Network Elements (acting as  
Diameter Clients) and Authorizing Entities (acting as Diameter  
Servers) are defined. Examples are given as to how the new flows fit  
into various QoS methods.

This document seems to be mature. I have some detailed comments/ 
questions, but they are primarily suggesting additional topics for the  
Security Considerations section and a suggestion to better clarify how  
"identities" are used.

The Security Considerations section of this document describes various  
threats to Diameter messaging, which are accurate, but more precisely  
apply to the Base Protocol rather than the use case presented in this  
I-D. That is, the need for authentication, authorization, integrity  
and confidentiality is no different for this I-D than for RFC 3588. I  
see no problem with the existing text, but a statement that the  
Security Considerations in RFC 3588 also apply would also be  
appropriate (especially as that document discusses mitigations to the  
threats described here).

I don't believe there is a sufficient discussion in the Security  
Considerations regarding the threats to the QoS application itself.  
Let me try to explain. If I'm not mistaken, the traditional Diameter  
Base Protocol use case consists of a login service on an access port  
and a Diameter Client that provide no access to the user until the  
Diameter Server returns positive results. As such, mitigating threats  
to the messages (using some form of transport security) is the primary  
consideration to the Base Protocol -- it is understood that the actual  
device trying to access the network is being denied access by the  
login service until the Diameter exchange finishes. However, the QoS  
application brings two new dynamic actors into the solution: the  
Resource Requesting Entity (RRE) (using unspecified and possibly  
unsecured QoS request protocols), and a potential man-in-the-middle  
actor between the RRE and the Network Element. I understand that how  
those messages are protected between an RRE and a Network Element is  
outside the scope of this document, but because the Network Element/ 
Diameter Client acts on those messages there are additional threats to  
the QoS application that should be described. Here are some threats  
that occur to me:

1. In some (if not all) cases, the the Diameter Client translates  
information provided by the RRE (as shown in Figure 3), and includes  
it in a QoS-Request (described in Section 5.1) sent to the Diameter  
Server. In particular, the the QoS-Request may include a number of  
identification fields that, if blindly accepted from an RRE QoS  
Request message, could be cause the Diameter QoS service to allow  
authorizations that it should not (or conversely, deny authorizations  
unnecessarily). Of course, the same is true for the QoS parameters. I  
would expect the security consideration section to discuss the risks  
of the Network Element acting on these fields. For example,  
recommending that adequate transport security be used between the RRE  
and the Network Element to mitigate the man-in-the-middle threat.

2. A Token-based Three Party Scheme (Figure 4) may mitigate the threat  
of an RRE lying about its own identity. However, I see no means  
described by which the Diameter Client can have assurance that the RRE  
presenting the token was actually the RRE given that particular  
token.  Perhaps there is an assumption that the Network Client will  
have previously authenticated the RRE and can verify the Username in a  
token to a Username associated with an access port. A discussion of  
how the Network Element maps the token to an identity would be useful.

Here are a few comments on the rest of the document:

3. Figures 3, 4, and 5 show a "financial settlement" line between an  
an "Entity authorizing resource request" and a Network Element. It is  
odd to think of a Network Element (e.g., router) participating in a  
financial transaction. Wouldn't it be more likely that the "Entity  
authorizing resource request" would be a proxy device in the home  
network that speaks back-end protocols for both authorization and  
financial settlement to a visited network device?

4. Section 3.4 includes requirements titled "Identity-based Routing"  
and "Associating QoS Reservations and Application State", which  
essential require that the Diameter Server must be given identities  
that it trusts. Comments 1 and 2 above really are questioning how this  
requirement is actually met. Since this is a critical point, it would  
be worth adding some discussion in the text regarding how accurate   
identities can be obtained by the Diameter Client. By the way, what  
identity types does the Diameter QoS application expect to use?  
Username, IP address, and/or Hostname? Is mapping an IP address to a  
Username important? This might be valuable discussion to add.

5. Section 4.2.3. The term "Diameter QoS application node" is used  
exclusively in this section. Does it refer to a Diameter QoS client,  
server, or both? Clarifying this would be good.


Brian Weis
Router/Switch Security Group, ARTG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com