[secdir] Security review of draft-ietf-dmm-mag-multihoming-03.txt
"Hilarie Orman" <hilarie@purplestreak.com> Fri, 16 June 2017 05:39 UTC
Return-Path: <hilarie@purplestreak.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 51AAB1200F3; Thu, 15 Jun 2017 22:39:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JiDu0ejswe8H; Thu, 15 Jun 2017 22:39:44 -0700 (PDT)
Received: from out01.mta.xmission.com (out01.mta.xmission.com [166.70.13.231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF2B21293D9; Thu, 15 Jun 2017 22:39:41 -0700 (PDT)
Received: from in01.mta.xmission.com ([166.70.13.51]) by out01.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from <hilarie@purplestreak.com>) id 1dLjyu-0004Kr-Rb; Thu, 15 Jun 2017 23:39:40 -0600
Received: from [72.250.219.84] (helo=rumpleteazer.rhmr.com) by in01.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.87) (envelope-from <hilarie@purplestreak.com>) id 1dLjyt-00038g-Oa; Thu, 15 Jun 2017 23:39:40 -0600
Received: from rumpleteazer.rhmr.com (localhost [127.0.0.1]) by rumpleteazer.rhmr.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id v5G5dKf4000835; Thu, 15 Jun 2017 23:39:20 -0600
Received: (from hilarie@localhost) by rumpleteazer.rhmr.com (8.14.4/8.14.4/Submit) id v5G5dKjP000834; Thu, 15 Jun 2017 23:39:20 -0600
Date: Thu, 15 Jun 2017 23:39:20 -0600
Message-Id: <201706160539.v5G5dKjP000834@rumpleteazer.rhmr.com>
From: Hilarie Orman <hilarie@purplestreak.com>
Reply-To: Hilarie Orman <hilarie@purplestreak.com>
To: iesg@ietf.org, secdir@ietf.org
Cc: draft-ietf-dmm-mag-multihoming.all@ietf.org
X-XM-SPF: eid=1dLjyt-00038g-Oa; ; ; mid=<201706160539.v5G5dKjP000834@rumpleteazer.rhmr.com>; ; ; hst=in01.mta.xmission.com; ; ; ip=72.250.219.84; ; ; frm=hilarie@purplestreak.com; ; ; spf=none
X-XM-AID: U2FsdGVkX1+nuNg9kR9esVtjDLO+SeXs
X-SA-Exim-Connect-IP: 72.250.219.84
X-SA-Exim-Mail-From: hilarie@purplestreak.com
X-Spam-DCC: XMission; sa04 1397; Body=1 Fuz1=1 Fuz2=1
X-Spam-Combo: ****;iesg@ietf.org, secdir@ietf.org
X-Spam-Relay-Country:
X-Spam-Timing: total 503 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 3.6 (0.7%), b_tie_ro: 2.4 (0.5%), parse: 1.22 (0.2%), extract_message_metadata: 6 (1.3%), get_uri_detail_list: 2.9 (0.6%), tests_pri_-1000: 4.3 (0.8%), tests_pri_-950: 1.89 (0.4%), tests_pri_-900: 1.54 (0.3%), tests_pri_-400: 29 (5.7%), check_bayes: 27 (5.4%), b_tokenize: 10 (2.0%), b_tok_get_all: 8 (1.5%), b_comp_prob: 3.5 (0.7%), b_tok_touch_all: 3.5 (0.7%), b_finish: 0.73 (0.1%), tests_pri_0: 449 (89.2%), check_dkim_signature: 0.57 (0.1%), check_dkim_adsp: 4.7 (0.9%), tests_pri_500: 3.4 (0.7%), rewrite_mail: 0.00 (0.0%)
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in01.mta.xmission.com)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/XDv_JUPpA0EdYu9D62E_thoNPQ8>
Subject: [secdir] Security review of draft-ietf-dmm-mag-multihoming-03.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Jun 2017 05:39:46 -0000
Security review of MAG Multipath Binding Option draft-ietf-dmm-mag-multihoming-03.txt Do not be alarmed. I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. If you've been frustrated by being limited to only one IP tunnel between a mobile access gateway and a local mobility anchor, then you'll be glad to know that this draft fixes the problem and enables multiple care-of addresses and IP tunnels. Now mobile devices can be assigned to any applicable tunnel between the MAG and the LMA. For security considerations, the authors predictably defer to RFC5213, "Proxy Mobile IPv6", and assert "no impact on the protocol security". However, there is one security issue that is mentioned in RFC5213 that is exacerbated by the current draft. I.e., To address the threat related to a compromised mobile access gateway, the local mobility anchor, before accepting a Proxy Binding Update message for a given mobile node, may ensure that the mobile node is attached to the mobile access gateway that sent the Proxy Binding Update message. The RFC has no recommendation for a solution, but because there are now multiple tunnels, this assurance may be more difficult to obtain. For example, if the LMA expects to contact some kind of trusted entity that is keeping track of the mobile devices that the MAG is sending on a tunnel, then the MAG and LMA may now have to keep track of multiple trusted entities, one for each tunnel. Whether or not this is a realistic scenario is not something that I can judge because RFC5213 punts on what seems to be an important security issue. Is there any reason to worry about reuse of CoAs? Could packets from one tunnel get a CoA that was recently used by another tunnel, and could delayed packets get routed through the wrong tunnel? Just asking. Nits. On page 3 there is a paragraph beginning "In the continuation of c, a Proxy Mobile IPv6 ..." There is no explanation of "c". Is this a remnant of a list of items "a, b, c"? On page 4 there is Figure 1 showing four flows and two tunnels. The text immediately preceding that says that "Flow-1,2 and 3 are distributed either on Tunnel-1 (over LTE) or Tunnel-2 (over WLAN)", but the diagram shows Flow-1 on Tunnel-1 and Flow-2,3 on Tunnel-2. I think the text should indicate that the first three flows are each assigned to a single tunnel. The authors probably meant that either Tunnel-1 or Tunnel-2 could have been assigned, but the choice was to put Flow-1 on Tunnel-1 and the other flows on Tunnel-2. I had to read over the text several times before I was sure of the intent. Hilarie
- [secdir] Security review of draft-ietf-dmm-mag-mu… Hilarie Orman