[secdir] SecDir Review of draft-ietf-pcp-anycast-07
Yoav Nir <ynir.ietf@gmail.com> Sun, 06 September 2015 20:48 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A6971B2EA8; Sun, 6 Sep 2015 13:48:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.701
X-Spam-Level:
X-Spam-Status: No, score=0.701 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DhZ5nlMOBlJz; Sun, 6 Sep 2015 13:48:29 -0700 (PDT)
Received: from mail-wi0-x236.google.com (mail-wi0-x236.google.com [IPv6:2a00:1450:400c:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 764E31B2E8D; Sun, 6 Sep 2015 13:48:28 -0700 (PDT)
Received: by wiclk2 with SMTP id lk2so69379597wic.0; Sun, 06 Sep 2015 13:48:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:subject:message-id:date:to:mime-version; bh=ooMorlS8OSAEPUAHNTVMpU/CtTd9NnknkPdUuCrZE8k=; b=ns3e5rJVVXUlINqjM6wKs4zOeT6rXVEd2TQwQHaiQRq41epnrRvlK3uUaSJvLo7VCd 1jXbuUWfvte+ch/LSVPg+a/XBfmeYwoYBSYPgkRB9DB0Um7ZZJBQdXNNasytBtkW0caf K3o+QVAESpkiWyVQoTfTAuJkJHbIfdMJDNGSsRSgqJ7uGerV5W97bRAaKmuK49U4L5HZ inHWjR7vjRNXCUBZsRUkTsxzNP9uKywuhtpbDYHZzZ3hVH3TDNlI67fDYf26UOB8DWPv xChIWIgFDLidU1W8Zdp2ulRNEvs81f3QpGpcWyLpcy3L7JmRUamecB+gxJxOaAoes/2z YIDA==
X-Received: by 10.194.171.4 with SMTP id aq4mr21981807wjc.114.1441572506925; Sun, 06 Sep 2015 13:48:26 -0700 (PDT)
Received: from [192.168.1.12] ([46.120.13.132]) by smtp.gmail.com with ESMTPSA id pe1sm16785715wic.20.2015.09.06.13.48.25 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 06 Sep 2015 13:48:25 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3B8363FD-2891-4519-9DA2-669293E098E3"
Message-Id: <7E152A69-3AA8-4F30-B1C1-F8A8E2C2BF06@gmail.com>
Date: Sun, 06 Sep 2015 23:48:23 +0300
To: secdir <secdir@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-pcp-anycast.all@tools.ietf.org
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
X-Mailer: Apple Mail (2.2104)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Y96gMl0Oxv9hbyxUClIlZ7rZNUk>
Subject: [secdir] SecDir Review of draft-ietf-pcp-anycast-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Sep 2015 20:48:31 -0000
Hi I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. TL;DR: Ready (with a question) Note that I have already reviewed version -06 of this draft in June. My review and a response by Christian Huitema are attached below. Verstion -07 addresses Christian’s concern about the lack of advice about the proper TTL to set on the packets. I’m not sure it *properly* addresses his concerns, because what they’ve added is “methods for choosing an appropriate TTL value ... is beyond the scope of this document" Regards, Yoav > Begin forwarded message: > > From: "Christian Huitema" <huitema@huitema.net> > Subject: RE: [secdir] SecDir Review of draft-ietf-pcp-anycast-06 > Date: June 10, 2015 at 12:33:30 AM GMT+3 > To: "'Yoav Nir'" <ynir.ietf@gmail.com>, "'secdir'" <secdir@ietf.org>, "'The IESG'" <iesg@ietf.org>, <draft-ietf-pcp-anycast.all@tools.ietf.org> > >> There are two specific concerns about this method (other than the usual >> anycast or pcp concerns). The first is that information about the internal >> network might leak to a PCP service outside the network. > > In fact, it is almost guaranteed to leak outside of the network. In the initial deployments, first hop routers will not be aware of the anycast address... > >> ... Whereas a failure of >> a service whose address is given in DHCP will result in black-holed packets, >> failure of a service with an anycast address will cause the packets to be >> forwarded to some random PCP server on the Internet. Section 5.1 discusses >> this and recommends filtering in perimeter gateways and reduced TTL. I >> believe this addresses that threat adequately. > > I would find the TTL mitigation would be more convincing if the draft actually specified a recommended TTL value. > > -- Christian Huitema > > > > > Begin forwarded message: > > From: Yoav Nir <ynir.ietf@gmail.com> > Subject: SecDir Review of draft-ietf-pcp-anycast-06 > Date: June 8, 2015 at 6:00:38 PM GMT+3 > To: secdir <secdir@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-pcp-anycast.all@tools.ietf.org > > Hi. > > I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. > > TL;DR: Ready (with a question) > > The document describes an alternative method for nodes behind a middlebox (such as NAT device or firewall) to contact the middlebox in order to manage port allocation. Existing methods (described in RFC 6887 and 7291 respectively) are to either assume that the default router is the device (suitable for small networks) or specify the middlebox address in a DHCP option (suitable for larger networks). > > This document proposes a third alternative: use of a well-known anycast address. Sending a request to that anycast address will ensure delivery to the closest service address (which may or may not be co-located with the middlebox) by the routing on the network, supported by either BGP or IGP. > > There are two specific concerns about this method (other than the usual anycast or pcp concerns). The first is that information about the internal network might leak to a PCP service outside the network. Whereas a failure of a service whose address is given in DHCP will result in black-holed packets, failure of a service with an anycast address will cause the packets to be forwarded to some random PCP server on the Internet. Section 5.1 discusses this and recommends filtering in perimeter gateways and reduced TTL. I believe this addresses that threat adequately. > > The other specific concern is that a rogue machine would push routes to advertise itself as a PCP service, hijacking PCP traffic and causing network outages. Section 5.2 deals with this issue. The section makes the claim that within the first network segment, the nodes do not use dynamic routing protocols, so an attack there is equivalent to impersonating the default router. Outside the first segment, routing protocols are used, and there is a need for routing security anyway. In both cases an attacker capable of conducting these attacks can do a lot worse than impersonating a PCP service. > > I find this argument almost convincing. What is still bothering me is the question of whether the more damaging attacks would be discovered immediately, whereas simply advertising a route to the anycast address can “fly under the radar” so that the attacker can become the PCP server undetected. I don’t have a firm attack in mind, just a mild concern. > > Yoav >