Re: [secdir] secdir review of draft-ietf-dhc-access-network-identifier-08

"Bernie Volz (volz)" <volz@cisco.com> Fri, 10 July 2015 16:27 UTC

Return-Path: <volz@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3B6A1A9174; Fri, 10 Jul 2015 09:27:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rtoaVyISbTGr; Fri, 10 Jul 2015 09:27:24 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E1721A90D2; Fri, 10 Jul 2015 09:27:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=25456; q=dns/txt; s=iport; t=1436545644; x=1437755244; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=3mItTEoIW0nWb9FPQI7/J1PLjrr4fq4eQExT/Jy4nmY=; b=Ar3PNk7TkIYnlti8Z7E0V/JfXlnymMJjAry/pwQjVvFNoKZLN4zYaAc/ zPer48i6sq4xu6xCB8IM1nYWZeO5ddFWP1oSZE/nOIlCuFa5E5Oze/Viy 1U4u80BRcbnvGfa/mMpJskiA6cSm30yLYW5pcw0E3Kzk/MEI41WT8DYM8 o=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BgAwAy8Z9V/4kNJK1SBgOCRU1UUw0Guy0Jh2gCgUo4FAEBAQEBAQGBCoQjAQEBAwEtOhIFCQICAQgRAwEBAQsWBwcbFxQJCAIEDgUIiB4I0CkBAQEBAQEBAQEBAQEBAQEBAQEBAQEXBItHhCMHCgEGGgUbAQsFBgEGC4MGgRQFjCyFHIJpAaRuJoIHgXRvAYEMOoEEAQEB
X-IronPort-AV: E=Sophos; i="5.15,447,1432598400"; d="scan'208,217"; a="14377470"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by rcdn-iport-3.cisco.com with ESMTP; 10 Jul 2015 16:27:22 +0000
Received: from xhc-aln-x14.cisco.com (xhc-aln-x14.cisco.com [173.36.12.88]) by alln-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id t6AGRLLG012331 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 10 Jul 2015 16:27:21 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.177]) by xhc-aln-x14.cisco.com ([173.36.12.88]) with mapi id 14.03.0195.001; Fri, 10 Jul 2015 11:27:21 -0500
From: "Bernie Volz (volz)" <volz@cisco.com>
To: "Sri Gundavelli (sgundave)" <sgundave@cisco.com>
Thread-Topic: secdir review of draft-ietf-dhc-access-network-identifier-08
Thread-Index: AQHQr1cxQKLuwYkBPkiaZWo79FHtqZ3VTZGA//+s30A=
Date: Fri, 10 Jul 2015 16:27:20 +0000
Message-ID: <489D13FBFA9B3E41812EA89F188F018E1CB6B149@xmb-rcd-x04.cisco.com>
References: <D2D64A55-212E-4EED-8545-F0E3ACF8F0CD@nrl.navy.mil> <D1C53A5B.1CA8B1%sgundave@cisco.com>
In-Reply-To: <D1C53A5B.1CA8B1%sgundave@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.98.1.196]
Content-Type: multipart/alternative; boundary="_000_489D13FBFA9B3E41812EA89F188F018E1CB6B149xmbrcdx04ciscoc_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/XCimnZCqhZH-F6YgrNbt_5QK3us>
Cc: "draft-ietf-dhc-access-network-identifier.all@tools.ietf.org" <draft-ietf-dhc-access-network-identifier.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-dhc-access-network-identifier-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jul 2015 16:27:29 -0000

Something happened at "elements to  has no".

The IETF is a strange place these days with all of the pervasive monitoring concerns :). If people can capture relay traffic (since we're only adding this now there), there's a lot more that they can monitor. Ah well.

And, actually the RFC 3315 IPsec requirements for relay traffic can apply here:

21.1. Security of Messages Sent Between Servers and Relay Agents

   Relay agents and servers that exchange messages securely use the
   IPsec mechanisms for IPv6 [7].  If a client message is relayed

IPsec should also hide this information from pervasive monitoring (though how much IPsec is in use is an open question). Note also that as this is relay to server (or relay to relay) communication, one would hope that most SPs have taken measures to 'secure' this traffic either by using IPsec or VPNs.


-          Bernie

From: Sri Gundavelli (sgundave)
Sent: Friday, July 10, 2015 12:20 PM
To: Catherine Meadows; draft-ietf-dhc-access-network-identifier.all@tools.ietf.org; secdir@ietf.org; iesg@ietf.org
Subject: Re: secdir review of draft-ietf-dhc-access-network-identifier-08

Hi Catherine,

Thanks for the review.

> However, what needs to be go in the Security Considerations Section is a discussion of the security risks raised by *this* document and possible mitigation.  The information about DHCP security risks is useful, but not of primary importance.

Agree with this comment. The  draft is defining some new information elements that are carried between the DHCP entities and any new security considerations are around exposing that data to third parties.


"The information elements that this draft is exposing is the client's access-network information. These pertains to the access network to which the client is attached, such as Access Technology Type (Ex: WLAN, Ethernet...etc), Access Point Identity (Name, BSSID), Operator Id/Realm. Exposing these information elements to  has no implication on the end-user security. But, in deployments where this information is considered secure and when such threat cannot be mitigated using the currently available security tools, then the administrators have to consider disabling this capability on the DHCP entities."


Is this sufficient ?


Regards
Sri




From: Catherine Meadows <catherine.meadows@nrl.navy.mil<mailto:catherine.meadows@nrl.navy.mil>>
Date: Thursday, June 25, 2015 at 7:56 AM
To: "draft-ietf-dhc-access-network-identifier.all@tools.ietf.org<mailto:draft-ietf-dhc-access-network-identifier.all@tools.ietf.org>" <draft-ietf-dhc-access-network-identifier.all@tools.ietf.org<mailto:draft-ietf-dhc-access-network-identifier.all@tools.ietf.org>>, "secdir@ietf.org<mailto:secdir@ietf.org>" <secdir@ietf.org<mailto:secdir@ietf.org>>, "iesg@ietf.org<mailto:iesg@ietf.org>" <iesg@ietf.org<mailto:iesg@ietf.org>>
Cc: Catherine Meadows <catherine.meadows@nrl.navy.mil<mailto:catherine.meadows@nrl.navy.mil>>
Subject: secdir review of draft-ietf-dhc-access-network-identifier-08
Resent-From: <catherine.meadows@nrl.navy.mil<mailto:catherine.meadows@nrl.navy.mil>>
Resent-To: <draft-ietf-dhc-access-network-identifier.all@ietf.org<mailto:draft-ietf-dhc-access-network-identifier.all@ietf.org>>
Resent-Date: Thursday, June 25, 2015 at 7:56 AM

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.


This draft specifies the format and mechanisms used for encoding network identifiers in DHCPv4 and DHCPv6 by defining new access identifier options and sub-options.
The Security Considerations section gives a discussion of the security risks in using DHCP and their mitigation.  However, what needs to be go in the Security Considerations
Section is a discussion of the security risks raised by *this* document and possible mitigation.  The information about DHCP security risks is useful, but not of primary importance.

My impression is that this document gives formats for presenting fields whose use is already discussed in previous RFC's, e.g. RFC3315, in which case there are no new
security considerations.  If that is so, then the Security Considerations Section should
include (preferably begin with) a statement to the effect that, since this document only gives instructions for formatting and encoding fields whose use has already been specified
in these previous RFC's, it presents no additional security considerations beyond what is covered in those RFCs.  If that is not the case, you should say what new security risks are introduced
by *this* draft, e.g. does it enable a use of DHCP that was not possible before and could cause a new type of security risk if DHCP was used without authentication?

Recommendation:  Ready With Issues

Cathy Meadows


Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil<mailto:catherine.meadows@nrl.navy.mil>