Re: [secdir] SecDir review of draft-ietf-6man-dns-options-bis-03

Jaehoon Jeong <pjeong@brocade.com> Sun, 27 June 2010 03:29 UTC

Return-Path: <secdir-bounces@mit.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 52B153A6802 for <secdir@core3.amsl.com>; Sat, 26 Jun 2010 20:29:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.432
X-Spam-Level:
X-Spam-Status: No, score=-4.432 tagged_above=-999 required=5 tests=[AWL=2.167, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 313tIqTugiVy for <secdir@core3.amsl.com>; Sat, 26 Jun 2010 20:29:23 -0700 (PDT)
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by core3.amsl.com (Postfix) with ESMTP id E6C5D3A67C2 for <secdir@ietf.org>; Sat, 26 Jun 2010 20:29:22 -0700 (PDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o5R3TVmQ005690 for <secdir@ietf.org>; Sat, 26 Jun 2010 23:29:31 -0400
Received: from mailhub-dmz-3.mit.edu (MAILHUB-DMZ-3.MIT.EDU [18.9.21.42]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o5R3TRBS005687 for <secdir@PCH.mit.edu>; Sat, 26 Jun 2010 23:29:27 -0400
Received: from dmz-mailsec-scanner-6.mit.edu (DMZ-MAILSEC-SCANNER-6.MIT.EDU [18.7.68.35]) by mailhub-dmz-3.mit.edu (8.13.8/8.9.2) with ESMTP id o5R3TNee013512 for <secdir@mit.edu>; Sat, 26 Jun 2010 23:29:26 -0400
X-AuditID: 12074423-b7be0ae000000a83-8d-4c26c5959c53
Received: from mx0b-000f0801.pphosted.com (mx0b-000f0801.pphosted.com [67.231.152.113]) by dmz-mailsec-scanner-6.mit.edu (Symantec Brightmail Gateway) with SMTP id 9E.23.02691.595C62C4; Sat, 26 Jun 2010 23:29:26 -0400 (EDT)
Received: from pps.filterd (m0000700 [127.0.0.1]) by mx0b-000f0801.pphosted.com (8.14.3/8.14.3) with SMTP id o5R3Pt2E030163; Sat, 26 Jun 2010 20:29:20 -0700
Received: from brm-exedge.brocade.com (brm-exedge.brocade.com [144.49.197.8]) by mx0b-000f0801.pphosted.com with ESMTP id pn2mqrgcv-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Sat, 26 Jun 2010 20:29:20 -0700
Received: from brm-excashub-2.corp.brocade.com (172.16.72.231) by BRM-EXEDGE-2.corp.brocade.com (172.16.72.249) with Microsoft SMTP Server (TLS) id 8.2.254.0; Sat, 26 Jun 2010 21:29:17 -0600
Received: from brm-exch-3.corp.brocade.com ([169.254.2.126]) by brm-excashub-2.corp.brocade.com ([172.16.72.231]) with mapi; Sat, 26 Jun 2010 21:29:18 -0600
From: Jaehoon Jeong <pjeong@brocade.com>
To: Jari Arkko <jari.arkko@piuha.net>, Vincent Roca <vincent.roca@inrialpes.fr>
Date: Sat, 26 Jun 2010 21:29:03 -0600
Thread-Topic: SecDir review of draft-ietf-6man-dns-options-bis-03
Thread-Index: AcsVEwkoQT0bOfMGRemzrTBs/bZExgAlN+qQ
Message-ID: <5A6980BCAE9E6D438D4D8A05540F6FB70113658855@BRM-EXCH-3.corp.brocade.com>
References: <4C248D9A.5080508@inrialpes.fr> <5A6980BCAE9E6D438D4D8A05540F6FB70113043B9B@BRM-EXCH-3.corp.brocade.com> <4C25CA06.1080809@piuha.net>
In-Reply-To: <4C25CA06.1080809@piuha.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=1.12.8161:2.4.5, 1.2.40, 4.0.166 definitions=2010-06-26_01:2010-02-06, 2010-06-26, 2010-06-26 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx engine=6.0.2-1004200000 definitions=main-1006260186
X-Brightmail-Tracker: AAAAAhTf0JkU4LMb
X-MIME-Autoconverted: from quoted-printable to 8bit by pch.mit.edu id o5R3TRBS005687
X-BeenThere: secdir@mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: secdir-bounces@mit.edu
Errors-To: secdir-bounces@mit.edu
X-Mailman-Approved-At: Mon, 28 Jun 2010 09:50:30 -0700
Cc: 6man Chairs <6man-chairs@tools.ietf.org>, "secdir@mit.edu" <secdir@mit.edu>, "draft-ietf-6man-dns-options-bis.all@tools.ietf.org" <draft-ietf-6man-dns-options-bis.all@tools.ietf.org>, IESG <iesg@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-6man-dns-options-bis-03
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Jun 2010 03:29:24 -0000

Hi Vincent,
I updated the security considerations section with Jari's suggest text as follows.

   Also, this attack can send redirects that tell the hosts to send their traffic somewhere else.
   The malicious node can send unsolicited RA or Neighbor Advertisement
   (NA) replies, answer RS or Neighbor Solicitation (NS) requests, etc.
   Also, an attacker could send an RA with a fraudulent RDNSS address,
   which is presumably an easier avenue of attack than becoming a rogue
   router and having to process all traffic for the subnet.  This attack
   is similar to Neighbor Discovery attacks that use Redirect or
   Neighbor Advertisement messages to redirect traffic to individual
   addresses to malicious parties.  In general, the attacks related to
   RDNSS and DNSSL are similar to both Neighbor Discovery attacks and
   attacks against unauthenticated DHCP, as both can be used for both
   "wholesale" traffic redirection and more specific attacks.

The revised I-D is located at the following link:
http://www-users.cs.umn.edu/~jjeong/publications/ietf-internet-draft/draft-ietf-6man-dns-options-bis-04.txt

The difference between 03-version and 04-version is located:
http://www-users.cs.umn.edu/~jjeong/publications/ietf-internet-draft/wdiff%20draft-ietf-6man-dns-options-bis-03_txt%20draft-ietf-6man-dns-options-bis-04_txt.htm

I believe that Jari addressed your questions and comments.

Could you confirm whether this update is fine with you?

Thanks.

Best Regards,
Paul

-----Original Message-----
From: Jari Arkko [mailto:jari.arkko@piuha.net] 
Sent: Saturday, June 26, 2010 4:36 AM
To: Vincent Roca
Cc: Jaehoon Jeong; draft-ietf-6man-dns-options-bis.all@tools.ietf.org; secdir@mit.edu; IESG; 6man Chairs
Subject: Re: SecDir review of draft-ietf-6man-dns-options-bis-03

Vincent,

Thank you for your review!

I have some comments on the issues that you raise below as well as some 
suggested new text:

> ** Section 7 "Security considerations"
> I don't share all the ideas of the authors. If I understand the point
> of view, the authors say that the situation is not worse than before,
> without these DNS options.
>   "...learning DNS information via the RA options cannot be worse than
>    learning bad router information via the RA options."
>
> Well, it depends on the security level we consider...
> >From the point of view of the ND protocol itself, I agree. But from
> the end user point of view, the situation is quite different, since
> sending forged packets (for instance) and controlling which DNS server
> is trusted by the client opens the way to, for instance, fishing
> attacks. This attack enables an attacker to make a client use a
> compromised DNS server that behaves perfectly except for one particular
> DNS query. If the attacker can send an email to this client, then many
> things can happen. This attack could be launched e.g. during next IETF
> plenary ;-). The attacker knows the email off all participants, so if
> he can control their DNS configuration as well, many things may
> happen... IMHO a serious threat is introduced by this document that
> needs to be seriously discussed.
>   

I agree that in general the ability to redirect specific traffic instead 
of all traffic is an interesting attack. However, in this case the 
specific attack already exists in plain ND. If you want to redirect DNS 
server traffic to a malicious node, this can be done not just with RA 
DNS options, but also with ICMP Redirects or unsolicited Neighbor 
Advertisements.

> ** Section 7:
> Another point... the authors explain than network devices like
> switches can be configured in such a way to disable ND/DHCP from
> some ports.  That's great and I agree it helps preventing attacks.
> However this is limited to wired networks. Nothing is said concerning
> ND configurations in wireless networks. The situation is rather
> different since any host can issue ND/DHCP traffic as if it were a
> legitimate server if I understand correctly. The document MUST
> include this kind of discussion.
>   

But this is generic issue with spoofing RAs and I am not sure it is the 
task of this document to specify the solutions. One solution exists in 
SEND (RFC 3791).

> ** Section 7:
> Yet another remark: SEND is listed as one potential solution to
> add signatures in ND packets issued from servers.
> I don't know SEND at all, so may be my remarks are flawed (but in
> that case the text should be at least clarified).
> - Shouldn't the use of SEND be RECOMMENDED as a solution to
> mitigate attacks? Current document is not clear.
> - Does SEND enable an authentication of the sender (the document
> only mentions integrity protection)? If there's no sender
> authentication, then I agree that the added value of SEND would be
> limited. I'd like the authors to clarify this as well.
>   

The details are in RFC 3791 and its companion documents. SEND does 
enable a host to verify that the sender of an RA is actually a router 
authorized to act as a router.

All this being said I also re-read the Security Considerations section, 
and was not super happy with it myself. I would suggest the following 
change:

OLD:
Also, an attacker could configure a host to send out
an RA with a fraudulent RDNSS address, which is presumably an easier
avenue of attack than becoming a rogue router and having to process
all traffic for the subnet. It is necessary to disable the RA RDNSS
option or DNSSL option in both routers and clients administratively
to avoid this problem. All of this can be done independently of
implementing ND. Therefore, it can be claimed that the RA options
for RDNSS and DNSSL has vulnerabilities similar to those existing in
unauthenticated DHCPv6.
NEW:
Also, an attacker could send
an RA with a fraudulent RDNSS address, which is presumably an easier
avenue of attack than becoming a rogue router and having to process
all traffic for the subnet. This attack is similar to Neighbor Discovery
attacks that use Redirect or Neighbor Advertisement messages to redirect
traffic to individual addresses to malicious parties. In general, the
attacks related to RDNS and DNSSL are similar to both Neighbor Discovery
attacks and attacks against unauthenticated DHCP, as both can be used
for both "wholesale" traffic redirection and more specific attacks.

Jari


_______________________________________________
secdir mailing list
secdir@mit.edu
https://mailman.mit.edu/mailman/listinfo/secdir