[secdir] Secdir review of draft-ietf-babel-rfc6126bis-10
Charlie Kaufman <charliekaufman@outlook.com> Tue, 25 June 2019 06:36 UTC
Return-Path: <charliekaufman@outlook.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E05951200E9; Mon, 24 Jun 2019 23:36:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=outlook.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I_vJDhjLeLPh; Mon, 24 Jun 2019 23:36:44 -0700 (PDT)
Received: from NAM04-CO1-obe.outbound.protection.outlook.com (mail-oln040092010088.outbound.protection.outlook.com [40.92.10.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 713A8120058; Mon, 24 Jun 2019 23:36:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zxImLkGPboD1+cVtgVSA+AECxw59IGqifs7bUSR22AY=; b=sPfkqWUg+VV9kDZ6SvME0vB9QZC4cyhrML5zYxpjkZifllNZ7gekv50s7v29DedG1XSdGsrmUCShiFK0cfu2Zag3n0C3zX9Zdu/DHfAlIDIWRHQ1R5LOxLD8R2ADSMELt23ZgJCIcIml89AmhJF6aWEEPPCBZoEstaTviwRDwNtF1ytOep5/+0CYMe0Auzu+5zWA3fO5v/Vj2BLHvxDyylICBTsZpXWUKzr9Pk7fetnzaGw7EgmGPCpL29QqlXhDUYUesn0XneFzaOiit2oZwShrlmDItsvIto4Q2OKokrVY++dKhOw7xtZysxDClgZjkIH8eKOfXtZzlcfipeeSBw==
Received: from CO1NAM04FT017.eop-NAM04.prod.protection.outlook.com (10.152.90.58) by CO1NAM04HT236.eop-NAM04.prod.protection.outlook.com (10.152.91.216) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1987.11; Tue, 25 Jun 2019 06:36:43 +0000
Received: from MWHPR04MB0367.namprd04.prod.outlook.com (10.152.90.57) by CO1NAM04FT017.mail.protection.outlook.com (10.152.90.127) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2008.13 via Frontend Transport; Tue, 25 Jun 2019 06:36:43 +0000
Received: from MWHPR04MB0367.namprd04.prod.outlook.com ([fe80::d065:4f8e:21ae:a5cb]) by MWHPR04MB0367.namprd04.prod.outlook.com ([fe80::d065:4f8e:21ae:a5cb%7]) with mapi id 15.20.2008.014; Tue, 25 Jun 2019 06:36:43 +0000
From: Charlie Kaufman <charliekaufman@outlook.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-babel-rfc6126.all@ietf.org" <draft-ietf-babel-rfc6126.all@ietf.org>
Thread-Topic: Secdir review of draft-ietf-babel-rfc6126bis-10
Thread-Index: AQHVKyAba4vbfAj2M0OH8XFeSZSYGg==
Date: Tue, 25 Jun 2019 06:36:43 +0000
Message-ID: <MWHPR04MB036703F78E8A43D6BD456605DFE30@MWHPR04MB0367.namprd04.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-incomingtopheadermarker: OriginalChecksum:A2EE77A2688B2E800CE0D05A3E88374AC938A6BCD9093F52771C1F24D3E518CB; UpperCasedChecksum:C3CA495343B70FD40285B79D221E98415EC064C44930188522DF94DD44D78213; SizeAsReceived:6788; Count:40
x-tmn: [9RjHdfIBdXYm0ukjP+qxlpn/fMgHZBefhXiKcjfM2uuOG1dZfPcExPeZRk2ODYoC]
x-ms-publictraffictype: Email
x-incomingheadercount: 40
x-eopattributedmessage: 0
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(5050001)(7020095)(20181119110)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031322404)(2017031323274)(2017031324274)(1601125500)(1603101475)(1701031045); SRVR:CO1NAM04HT236;
x-ms-traffictypediagnostic: CO1NAM04HT236:
x-microsoft-antispam-message-info: aBxBF1VCa7ACPNsYMo+KB61ntOZ6vl2ijT8xPBbqEA4D48CTf5IToRDUDFGUHxYcNdI1hMNaIdCne9+6vn1uF+zKzmOJDLzZebwLDTMwXPtjgH2TYzvdUJ4PHtLduI3SvR6g7IUwkwFEmMbQSJlAhhgCFrLlll6W5mFWpignzy6SHWLsi6NKVq7Y51qhi8+p
Content-Type: multipart/alternative; boundary="_000_MWHPR04MB036703F78E8A43D6BD456605DFE30MWHPR04MB0367namp_"
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: 8541116f-96ab-4fe9-cd95-08d6f9377cc5
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Jun 2019 06:36:43.0949 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1NAM04HT236
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/YiUUmWlDlmIGpMoo8cMHu1k8WaM>
Subject: [secdir] Secdir review of draft-ietf-babel-rfc6126bis-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jun 2019 06:36:47 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document defines the Babel Routing Protocol, a distance vector protocol designed for use in networks with a high degree of mobility and fast-changing connectivity such as an ad-hoc wireless network with no fixed connection points. As a procedural matter, I don't know whether rfc6126bis is the right name for this thing. RFC6126 specifies Babel as an experimental protocol, and I would assume this I-D is an update to that document, probably still as an experimental protocol. Or perhaps it is now going to be a proposed standard, though without including a viable security mechanism (see below) that seems problematic. As noted in the Security Considerations, as specified Babel is a completely insecure protocol. It appears that any hostile node within the network can cause essentially all connectivity to fail. It even appears that when using IPv4, if the network is connected to the Internet then any hostile node anywhere on the Internet can cause essentially all connectivity to fail. That's because security depends on the use of link-local IP addresses, a concept that does not exist in IPv4. I would think that this protocol could specify that that routers participating in this protocol maintain a list of IP addresses associated with the subnet that are considered link local for purposes of running this protocol. There are two proposals (currently Internet Drafts) to improve security: draft-ietf-babel-dtls-04 and draft-ietf-babel-hmac-04. I have not reviewed those proposals, but would note that there recursion challenges using DTLS when neither end is connected to services like DNS and OCSP. Babel users multicast, so this protocol would probably be best secured using a single key shared by all nodes participating in the subnet with some facility to periodically roll it over. Even with the proposed security enhancements, the protocol provides no protection against a hostile "insider". It only protects against rogue nodes that happen to share the same physical link (likely wireless, so that is important). Adding protection against insider threats would be difficult and perhaps impossible given the distance vector nature of the protocol. It could not use the sort of layered digital signatures that is proposed for use with BGP. That limits the scalability of the system. The Security Considerations section notes that connectivity in a wireless space can reveal physical location, and that for privacy reasons nodes might want to use randomly chosen IP addresses and change them periodically. That is almost certainly not realistic with IPv4 given the growing shortage of addresses. There is no mention of whether this protocol could somehow interact with DHCP in a useful way. It would certainly introduce new challenges. --Charlie
- [secdir] Secdir review of draft-ietf-babel-rfc612… Charlie Kaufman