Re: [secdir] Secdir review of draft-ietf-nsis-rmd-19

Sean Turner <turners@ieca.com> Wed, 05 May 2010 22:22 UTC

Return-Path: <turners@ieca.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1B1F53A6CE6 for <secdir@core3.amsl.com>; Wed, 5 May 2010 15:22:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.039
X-Spam-Level:
X-Spam-Status: No, score=-2.039 tagged_above=-999 required=5 tests=[AWL=0.559, BAYES_00=-2.599, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4EHyqj13kKT9 for <secdir@core3.amsl.com>; Wed, 5 May 2010 15:22:06 -0700 (PDT)
Received: from smtp112.biz.mail.re2.yahoo.com (smtp112.biz.mail.re2.yahoo.com [66.196.116.97]) by core3.amsl.com (Postfix) with SMTP id 2BEE03A6CD2 for <secdir@ietf.org>; Wed, 5 May 2010 15:22:05 -0700 (PDT)
Received: (qmail 25612 invoked from network); 5 May 2010 22:21:49 -0000
Received: from thunderfish.local (turners@71.191.5.111 with plain) by smtp112.biz.mail.re2.yahoo.com with SMTP; 05 May 2010 15:21:47 -0700 PDT
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-YMail-OSG: q0CV9_IVM1m7Lc8L65LcFk8kC6Hk6UmbcgQl0zBqabaFvvB6UUqHjpIWhkf.rwLBJUXy0rLa.9zS2sYCDIzZHMeOasX9Ev_0DVxIMf5h5cxoFv6KzzQ3S010.LbVe74QNF8l4D3AsqWDYtWAgR1MN63Y.0SFl6UldZqMhLmMjhYXP.D3zzDx02luxq5qVQOhA3y2yuKU7txo2JOb5IiSqIA2FkHZcr3vKAKXeWrXepZP1qF_iNUlbYinoZZU5jF3gGeLLpMo5FWTzSTZ.x6kcE6zVeAYRx4MaeuZjC33n1Dqkg9HbiKPcFH5h79Pv.flW3jJO9II0bRaepJs1ihXiYeLhZhISmm0WjU88OXPFIKgRK_OrMypXndu8O.9NuheFTh1NA0.0YQbQLnZLW_tzeEHC_NLTCSa.lX3LsR8dBZJ4hI-
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4BE1EF7A.60802@ieca.com>
Date: Wed, 05 May 2010 18:21:46 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: draft-ietf-nsis-rmd@tools.ietf.org, iesg@ietf.org
References: <4CCE7D8C-DECC-479D-89F6-FCA316050ADC@cisco.com> <4BDC0A38.20507@gmx.net> <C4D24A64-D9A8-433A-9F7C-E809824FB227@cisco.com> <4BE1B678.8020805@gmx.net> <BC319CB1-8B68-4D4B-BCB0-94132FF43838@cisco.com> <4BE1EAE3.6030304@gmx.net> <A9D92877-BDDC-4C7B-A5A2-1BC1A7E2C2C9@cisco.com>
In-Reply-To: <A9D92877-BDDC-4C7B-A5A2-1BC1A7E2C2C9@cisco.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Cc: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, nsis-chairs@tools.ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-ietf-nsis-rmd-19
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 05 May 2010 22:22:11 -0000

I will clear my DISCUSS.

spt

Brian Weis wrote:
> Hi Hannes,
> 
> You new wording looks good to me. I have no further comments.
> 
> Thanks,
> Brian
> 
> On May 5, 2010, at 3:02 PM, Hannes Tschofenig wrote:
> 
>> Hi Brian,
>>
>>
>> Brian Weis wrote:
>>> Hi Hannes,
>>>
>>> The expanded authorization paragraph is very clear to me, thanks.
>>>
>>> Regarding protection of the RESERVE` and RESPONSE` hop-by-hop security:
>>>
>>>>> Don't interior nodes protect RESERVE` and RESPONSE` messages using 
>>>>> hop-by-hop security, or is that just  RESERVE and RESPONSE 
>>>>> messages? It seems like that would be a simple measure to  mitigate 
>>>>> threats (4) and (5).
>>>>>
>>>> RESERVE and RESPONSE messages use hop-by-hop security. Keep in mind 
>>>> that for these two messages the "hop" are ingress and egress; for 
>>>> the interior nodes these messages cannot be modified.
>>>
>>> Thanks for the clarification of what constitutes a "hop". So if I 
>>> understand correctly, only Ingress and Egress routers share a 
>>> security association for protecting RESERVE and RESPONSE messages.
>> Yes.
>>
>>>
>>>> Using hop-by-hop security for RESERVE` and RESPONSE` messages does 
>>>> not help since the adversary model assumes that one of the interior 
>>>> nodes is acting maliciously.
>>>>
>>>> Does this make sense to you?
>>>
>>>
>>> My point was that transport security of RESERVE` and RESPONSE` 
>>> messages between Interior nodes would also be helpful to protect each 
>>> Interior node from on-path attackers between themselves. I assume 
>>> they may have adversaries between them.
>> Well. There is actually no other entity between the participating 
>> interior nodes. In RMD all the nodes in the domain have to participate.
>>
>>>
>>> But I think I understand now that the Security Considerations section 
>>> is written assuming that only Ingress and Egress devices participate 
>>> in any kind of security association.
>>
>> Yes.
>>
>>> You're not trusting the Interior nodes at all, so they themselves 
>>> have no security considerations.
>> Normally, with a QoS signaling protocol you have to essentially trust 
>> every node that understands the protocol. In RMD I thought that it 
>> would be interesting to exploit the fact that you can do better than 
>> that.
>>
>>> Could you please clarify the following points in the INTRODUCTION, 
>>> which would make that clearer?
>>> - What is a "hop" with respect to security associations
>>> - The security of RMD-QOSM does not depend on interior nodes. (It 
>>> does say "The focus on intra-domain QoS signaling simplifies trust 
>>> management and reduces overall complexity." but that's doesn't really 
>>> go far enough.)
>>> - Because the security of RMD-QOSM does not depend on interior nodes, 
>>> protection of RESERVE` and RESPONSE` messages is not specified.
>>>
>> Sure. Makes sense. Here is my proposal:
>>
>> I. INTRODUCTION
>>
>>  A design goal of the RMD-QOSM protocol is to be "lightweight" in terms
>>  of the number of exchanged signaling message and the amount of state
>>  established at involved signaling nodes (with and without reduced
>>  state operation). A side-effect of this design decision is to introduce
>>  second-class signaling nodes, namely QNE Interior nodes, that are 
>> restricted
>>  in their ability to perform QoS signaling actions. Only the QNE 
>> Ingress and
>>  the QNE Egress nodes are allowed to initiate certain signaling messages.
>>  Moreover, RMD focuses on an intra-domain deployment only.
>>   The above description has the following implications for security:
>>
>>  1) QNE Ingress and QNE Egress nodes require more security and fault 
>> protection
>>     than QNE Interior nodes because their uncontrolled behavior has 
>> larger
>>     implications for the overall stability of the network. QNE Ingress 
>> and
>>     QNE Egress nodes share a security association and utlize GIST 
>> security
>>     for protection of their signaling messages. Intra-domain signaling
>>     messages used for RMD signaling do not use GIST security and 
>> therefore
>>     they do not store security associations.
>>
>>  2) The focus on intra-domain QoS signaling simplifies trust 
>> management and
>>     reduces overall complexity. See Section 2 of RFC 4081 for a more 
>> detailed
>>     discussion about the complete set of communication models 
>> available for
>>     end-to-end QoS signaling protocols. The security of RMD-QOSM does not
>>     depend on interior nodes and hence the cryptographic protection of
>>     intra-domain messages via GIST is not utilized.
>>
>>  It is important to highlight that RMD always uses the message exchange
>>  shown in Figure 24
>>  even if there is no end-to-end signaling session. If the RMD-QOSM is
>>  triggered based on an E2E signaling exchange then the RESERVE message
>>  is created by a node outside the RMD domain and will subsequently
>>  travel further on (e.g., to the data receiver). Such an exchange is
>>  shown in Figure 3. As such, an evaluation of RMD's security
>>  always has to be seen as a combination of the two signaling sessions, 
>> (1)
>>  and (2) of Figure 24. Note that for the E2E message, such as
>>  the RESERVE and the RESPONSE message, a single "hop" refers to
>>  the communication between the QNE Ingress and the QNE Egress
>>  since QNE Interior nodes do not participate in the exchange.
>>
>> Ciao
>> Hannes
>>
>>> Thanks,
>>> Brian
>>>
>>> On May 5, 2010, at 11:18 AM, Hannes Tschofenig wrote:
>>>
>>>> Hi Brian,
>>>>
>>>> thanks for the quick response.
>>>>
>>>> Brian Weis wrote:
>>>>> Hi Hannes,
>>>>>
>>>>> On May 1, 2010, at 4:02 AM, Hannes Tschofenig wrote:
>>>>>
>>>>>> Hey Brian,
>>>>>>
>>>>>> thanks for your detailed review.
>>>>>>
>>>>>> I have updated the security consideration section based on your 
>>>>>> comments. I have added text to describe security threats in more 
>>>>>> detail, discuss what the assumptions are (trust model), provide 
>>>>>> security requirements, and updated the part that talks about the 
>>>>>> specific solution mechanisms.
>>>>>
>>>>> Thanks! Your re-written security considerations section is very 
>>>>> much improved. I do have a couple of comments/questions inline below.
>>>>>
>>>>>>
>>>>>> I also added a sentence about the authorization aspect you 
>>>>>> mentioned. There is nothing special about RMD that would require 
>>>>>> additional description beyond what is covered in the QoS NSLP and 
>>>>>> the solutions we had worked on in the context of the Diameter QoS 
>>>>>> application. The authorizatoin aspect largely happens before RMD 
>>>>>> signaling is actually triggered.
>>>>>>
>>>>>> My proposed text can be found below (before Georgios adds it to 
>>>>>> the draft itself).
>>>>>>
>>>>>> Ciao
>>>>>> Hannes
>>>>>>
>>>>>> ---------------
>>>>>>
>>>>>>
>>>>>> 5. Security Considerations
>>>>>>
>>>>>> I. INTRODUCTION
>>>>>>
>>>>>> A design goal of the RMD-QOSM protocol is to be "lightweight" in 
>>>>>> terms
>>>>>> of the number of exchanged signaling message and the amount of state
>>>>>> established at involved signaling nodes (with and without reduced
>>>>>> state operation). A side-effect of this design decision is to 
>>>>>> introduce
>>>>>> second-class signaling nodes, namely QNE Interior nodes, that are 
>>>>>> restricted
>>>>>> in their ability to perform QoS signaling actions. Only the QNE 
>>>>>> Ingress and
>>>>>> the QNE Egress nodes are allowed to initiate certain signaling 
>>>>>> messages.
>>>>>> Moreover, RMD focuses on an intra-domain deployment only.
>>>>>>
>>>>>> The above description has the following implications for security:
>>>>>>
>>>>>> 1) QNE Ingress and QNE Egress nodes require more security and 
>>>>>> fault protection
>>>>>> than QNE Interior nodes because their uncontrolled behavior has 
>>>>>> larger
>>>>>> implications for the overall stability of the network.
>>>>>>
>>>>>> 2) The focus on intra-domain QoS signaling simplifies trust 
>>>>>> management and
>>>>>> reduces overall complexity. See Section 2 of RFC 4081 for a more 
>>>>>> detailed
>>>>>> discussion about the complete set of communication models 
>>>>>> available for
>>>>>> end-to-end QoS signaling protocols.
>>>>>>
>>>>>> It is important to highlight that RMD always uses the message 
>>>>>> exchange
>>>>>> shown in Figure 24
>>>>>> even if there is no end-to-end signaling session. If the RMD-QOSM is
>>>>>> triggered based on an E2E signaling exchange then the RESERVE message
>>>>>> is created by a node outside the RMD domain and will subsequently
>>>>>> travel further on (e.g., to the data receiver). Such an exchange is
>>>>>> shown in Figure 3. As such, an evaluation of RMD's security
>>>>>> always has to be seen as a combination of the two signaling 
>>>>>> sessions, (1)
>>>>>> and (2) of Figure 24.
>>>>>>
>>>>>> QNE QNE QNE QNE
>>>>>> Ingress Interior Interior Egress
>>>>>> NTLP stateful NTLP stateless NTLP stateless NTLP stateful
>>>>>> | | | |
>>>>>> | RESERVE (1) | | |
>>>>>> +--------------------------------------------->|
>>>>>> | RESERVE` (2) | | |
>>>>>> +-------------->| | |
>>>>>> | | RESERVE` | |
>>>>>> | +-------------->| |
>>>>>> | | | RESERVE` |
>>>>>> | | +------------->|
>>>>>> | | | RESPONSE` (2)|
>>>>>> |<---------------------------------------------+
>>>>>> | | | RESPONSE (1) |
>>>>>> |<---------------------------------------------+
>>>>>>
>>>>>> Figure 24: RMD Message Exchange.
>>>>>>
>>>>>> Authorizing quality of service reservations is accomplished
>>>>>> using the AAA framework and the functionality is inherited from
>>>>>> the underlying NSIS QoS NSLP, see [I-D.ietf-nsis-qos-nslp],
>>>>>> and not described again in this document. As a technical
>>>>>> solution mechanism Diameter QoS application
>>>>>> [I-D.ietf-dime-diameter-qos] may be used.
>>>>>
>>>>> I assume that it is implied that this authorization is done by the 
>>>>> Ingress router, as opposed to each Interior node in the path. It 
>>>>> would be helpful to say this.
>>>>
>>>> That's true. I extended the paragraph to:
>>>>
>>>> "
>>>> Authorizing quality of service reservations is accomplished
>>>> using the AAA framework and the functionality is inherited from
>>>> the underlying NSIS QoS NSLP, see [I-D.ietf-nsis-qos-nslp],
>>>> and not described again in this document. As a technical
>>>> solution mechanism Diameter QoS application
>>>> [I-D.ietf-dime-diameter-qos] may be used. The end-to-end
>>>> reservation request arriving at the ingress node will
>>>> trigger the authorization procedure with the backend AAA
>>>> infrastructure. The end-to-end reservation is typically
>>>> triggered by a human interaction with a software application,
>>>> such as a voice-over-IP client when making a call. When
>>>> authorization is successful then no further user initiated
>>>> QoS authorization check is expected to be performed within
>>>> the RMD domain for the intra-domain reservation.
>>>> "
>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>> II. SECURITY THREATS
>>>>>>
>>>>>> In the RMD-QOSM, the ingress node constructs both end-to-
>>>>>> end and intra-domain signaling messages based on the
>>>>>> end-to-end message initiated by the sender end node. The
>>>>>> Interior nodes within the RMD network ignore the end-to-end
>>>>>> signaling message, but process, modify, and forward the intra-domain
>>>>>> signaling messages towards the egress node. In the
>>>>>> meantime, resource reservation states are installed, modified
>>>>>> or deleted at each interior node along the data path according
>>>>>> to the content of each intra-domain signaling message. The
>>>>>> edge nodes of an RMD network are critical components
>>>>>> that require strong security protection. Therefore, they act
>>>>>> as security gateways for incoming and outgoing signaling
>>>>>> messages. Moreover, a certain degree of trust has to be placed
>>>>>> into Interior nodes within the RMD-QOSM network, such that
>>>>>> these nodes can perform signaling message processing and
>>>>>> take the necessary actions.
>>>>>>
>>>>>> With the RMD-QOSM we assume that the
>>>>>> ingress and the egress nodes are not controlled by an adversary
>>>>>> and the communication between the ingress and the egress
>>>>>> nodes is secured using standard GIST security mechanisms
>>>>>
>>>>> Is there a reference for these security mechanisms?
>>>>>
>>>> I added a reference to the security consideration section of GIST 
>>>> (Section 6 of [I-D.ietf-nsis-ntlp])..
>>>>
>>>>>> and experiences integrity, replay and confidentiality protection.
>>>>>> Note that this only affects messages directly addressed by
>>>>>> these two nodes and not any other message that needs to
>>>>>> be processed by intermediaries. The SESSION ID object
>>>>>> of the end-to-end communication is visible, via GIST, to the
>>>>>> Interior nodes.
>>>>>> In order to define the security threats that are associated
>>>>>> with the RMD-QOSM we consider that an adversary that may be located
>>>>>> inside the RMD domain and could
>>>>>> drop, delay, duplicate, inject, or modify signaling packets.
>>>>>> Depending on location of adversary, we speak about an on-path
>>>>>> adversary or an off-path adversary, see also RFC 4081 [RFC4081].
>>>>>>
>>>>>>
>>>>>> II-A. On-path Adversary
>>>>>>
>>>>>> The on-path adversary is a node, which supports RMD-QOSM
>>>>>> and is able to observe RMD-QOSM signaling message
>>>>>> exchanges.
>>>>>>
>>>>>> 1) Dropping signaling messages
>>>>>>
>>>>>> An adversary could drop any signaling messages after
>>>>>> receiving them. This will cause a failure of reservation
>>>>>> request for new sessions or deletion of resource units
>>>>>> (bandwidth) for on-going sessions due to states timeout.
>>>>>> It may trigger the ingress node to retransmit the
>>>>>> lost signaling messages. In this scenario the adversary
>>>>>> drops selected signaling messages, for example intra-domain reserve
>>>>>> messages. In the RMD-QOSM, the retransmission
>>>>>> mechanism can be provided at the ingress node
>>>>>> to make sure that signaling messages can reach the
>>>>>> egress node. However, the retransmissions triggered by
>>>>>> the adversary dropping messages may cause certain
>>>>>> problems. Therefore, it is recommended to disable the use
>>>>>> of retransmissions in the RMD-QOSM aware network.
>>>>>>
>>>>>> 2) Delaying Signaling Messages
>>>>>>
>>>>>> Any signaling message could be delayed by an adversary.
>>>>>> For example, if RESERVE` messages
>>>>>> are delayed over the duration of the refresh period then the 
>>>>>> resource units
>>>>>> (bandwidth) reserved along the nodes for corresponding
>>>>>> sessions will be removed. In this situation, the ingress
>>>>>> node does not receive the RESPONSE within a certain
>>>>>> period, and considers that the signaling message is
>>>>>> failed, which may cause a retransmission of the ’failed’
>>>>>> message. The egress node may distinguish between the
>>>>>> two messages, i.e., the delayed message and the retransmitted
>>>>>> message, and it could take a proper response.
>>>>>> However, interior nodes suffer from this retransmission
>>>>>> and they may reserve twice the resource units (bandwidth)
>>>>>> requested by the ingress node.
>>>>>
>>>>> Can this threat be generalized from "twice" to "N times", if the 
>>>>> message is retransmitted N times?
>>>>> If so, it seems like a serious threat. Can the mitigation for 
>>>>> Replayed Signaling Messages (i.e., storing values) be used here. 
>>>>> Actually, from the description a retransmitted signaling message 
>>>>> seems indistinguishable from a replayed signaling message.
>>>>>
>>>> For interior nodes it is not possible to distinguish replays. The 
>>>> only entities that detect the replays are edge devices. So, my 
>>>> proposal is to let the egress detect and to alert about the 
>>>> potential problem.
>>>>
>>>>
>>>>>>
>>>>>> 3) Replaying Signaling Messages
>>>>>>
>>>>>> An adversary may want to replay signaling messages.
>>>>>> It first stores the
>>>>>> received messages and decides when to replay these
>>>>>> message and at what rate (packets/per seconds).
>>>>>> When the RESERVE` message
>>>>>> carried a RII object, the egress will reply with a
>>>>>> RESPONSE` message towards the ingress node. The ingress
>>>>>> node can then detect replays by comparing the value of
>>>>>> RII in the RESPONSE` messages with the stored value.
>>>>>>
>>>>>> 4) Injecting Signaling Messages
>>>>>>
>>>>>> Similar to the replay-attack scenario, the adversary may
>>>>>> store a part of the information carried by signaling
>>>>>> messages, for example, the RSN object. When the
>>>>>> adversary injects signaling messages, it puts the stored
>>>>>> information together with its own generated parameters
>>>>>> (Bandwidth, RII, etc.) into the injected messages and
>>>>>> then sends them out. Interior nodes will process these
>>>>>> messages by default, reserve the requested resource units
>>>>>> (bandwidth) and pass them to downstream nodes. It
>>>>>> may happen that the resource units (bandwidth) on the
>>>>>> Interior nodes are exhausted if these injected messages
>>>>>> consume much bandwidth.
>>>>>>
>>>>>> 5) Modifying Signaling Messages
>>>>>>
>>>>>> On-path adversaries are capable of modifying any part
>>>>>> of the signaling message. For example, the adversary
>>>>>> can modify the <M>, <S> and <Overload %> parameters
>>>>>> of the RMD-QSPEC messages. The egress node
>>>>>> will then use the SESSION ID and subsequently the
>>>>>> BOUND SESSION ID objects to refer to that flow
>>>>>> to be terminated or set to lower priority. It is also
>>>>>> possible for the adversary to modify the <Bandwidth>
>>>>>> and/or <PHB Class> parameter, which could cause
>>>>>> a modification of an amount of the requested resource
>>>>>> units (bandwidth) changes.
>>>>>
>>>>> Don't interior nodes protect RESERVE` and RESPONSE` messages using 
>>>>> hop-by-hop security, or is that just  RESERVE and RESPONSE 
>>>>> messages? It seems like that would be a simple measure to  mitigate 
>>>>> threats (4) and (5).
>>>>>
>>>> RESERVE and RESPONSE messages use hop-by-hop security. Keep in mind 
>>>> that for these two messages the "hop" are ingress and egress; for 
>>>> the interior nodes these messages cannot be modified.
>>>>
>>>> Using hop-by-hop security for RESERVE` and RESPONSE` messages does 
>>>> not help since the adversary model assumes that one of the interior 
>>>> nodes is acting maliciously.
>>>>
>>>> Does this make sense to you?
>>>>
>>>>>> II-B. Off-path Adversary
>>>>>>
>>>>>> In this case the adversary is not located on-path and it
>>>>>> does not participate in the exchange of RMD-QOSM signaling
>>>>>> messages, and therefore is unable to eavesdrop signaling
>>>>>> messages. Hence, the adversary does not know valid RIIs,
>>>>>> RSNs, SESSION IDs. Hence, the adversary has to generate
>>>>>> new parameters and constructs new signaling messages. Since
>>>>>> Interior nodes operate in reduced state mode,
>>>>>> injected signaling messages are treated as new once, which
>>>>>> causes Interior nodes to allocate additional reservation state.
>>>>>>
>>>>>>
>>>>>> III. SECURITY REQUIREMENTS
>>>>>>
>>>>>> The following security requirements are set as goals for the
>>>>>> intra-domain communication, namely:
>>>>>>
>>>>>> * Nodes, which are never supposed to participate in the NSIS 
>>>>>> signaling
>>>>>> exchange, must not interfere with QNE Interior nodes. Off-path
>>>>>> nodes (off-path with regard to the path taken by a particular
>>>>>> signaling message exchange) must not be able to interfere with
>>>>>> other on-path signaling nodes.
>>>>>>
>>>>>> * The actions allowed by a QNE Interior node should be minimal (i.e.,
>>>>>> only those specified by the RMD-QOSM). For example, only the QNE
>>>>>> Ingress and the QNE Egress nodes are allowed to initiate certain
>>>>>> signaling messages. QNE Interior nodes are, for example, allowed to
>>>>>> modify certain signaling message payloads.
>>>>>>
>>>>>> Note that the term `interfere` refers to all sorts of security
>>>>>> threats, such as denial of service, spoofing, replay, signaling
>>>>>> message injection, etc.
>>>>>>
>>>>>> III. SECURITY MECHANISMS
>>>>>
>>>>> Nit: should be "IV."
>>>> Yup.
>>>>
>>>>>
>>>>>>
>>>>>> An important security mechanism that was
>>>>>> built into RMD-QOSM was the ability to tie the end-to-end
>>>>>> RESERVE and the RESERVE` messages
>>>>>> together using the BOUND SESSION ID and to allow the
>>>>>> ingress node to match the RESERVE`
>>>>>> with the RESPONSE` by using the
>>>>>> RII. These mechanisms enable the edge nodes to detect unexpected
>>>>>> signaling messages.
>>>>>>
>>>>>> We assume that the RESERVE/RESPONSE is sent with hop-by-hop
>>>>>> channel security provided by GIST and protected between the QNE
>>>>>> Ingress and the QNE Egress.
>>>>>
>>>>> If the RESERVE/RESPONSE messages are protected hop-by-hop, why 
>>>>> can't RESERVE`/RESPONSE` messages? Or does hop-by-hop mean that 
>>>>> only the ingress and egress devices are "hops" and share keys?
>>>>>
>>>> See response above.
>>>>
>>>> Ciao
>>>> Hannes
>>>>
>>>>> Thanks,
>>>>> Brian
>>>>>
>>>>>> GIST security mechanisms MUST be used
>>>>>> to offer authentication,
>>>>>> integrity, and replay protection. Furthermore, encryption MUST be 
>>>>>> used
>>>>>> to
>>>>>> prevent an adversary located along the path of the RESERVE
>>>>>> message to learn information about the session that can later be used
>>>>>> to inject a RESERVE` message.
>>>>>>
>>>>>> The following messages need to be mapped to
>>>>>> each other to make sure that the occurrence of one message is not
>>>>>> without the other one:
>>>>>>
>>>>>> a) the RESERVE and the RESERVE` relate to each other at the QNE
>>>>>> Egress and
>>>>>>
>>>>>> b) the RESPONSE and the RESERVE relate to each other at the QNE
>>>>>> Ingress and
>>>>>>
>>>>>> c) the RESERVE` and the RESPONSE` relate to each other. The RII is
>>>>>> carried in the RESERVE` message and the RESPONSE` message that is
>>>>>> generated by the QNE Egress node contains the same RII as the
>>>>>> RESERVE`. The RII can be used by the QNE Ingress to match the
>>>>>> RESERVE` with the RESPONSE`. The QNE Egress is able to determine
>>>>>> whether the RESERVE` was created by the QNE Ingress node since the
>>>>>> intra-domain session, which sent the RESERVE`, is bound to an end-to-
>>>>>> end session via the BOUND_SESSION_ID value included in the intra-
>>>>>> domain QoS-NSLP operational state maintained at the QNE Egress.
>>>>>>
>>>>>> The RESERVE and the RESERVE` message are tied together using the
>>>>>> BOUND_SESSION_ID(s) maintained by the intra-domain and end-to-end
>>>>>> QoS-NSLP operational states maintained at the QNE edges, see Section
>>>>>> 4.3.1, 4.3.2, 4.3.3. Hence, there cannot be a RESERVE` without a
>>>>>> corresponding RESERVE. The SESSION_ID can fulfill this purpose quite
>>>>>> well if the aim is to provide protection against off-path adversaries
>>>>>> that do not see the SESSION_ID carried in the RESERVE and the
>>>>>> RESERVE` messages.
>>>>>>
>>>>>> If, however, the path changes (due to re-routing or due to mobility)
>>>>>> then an adversary could inject RESERVE` messages (with a previously
>>>>>> seen SESSION_ID) and could potentially cause harm.
>>>>>>
>>>>>> An off-path adversary can, of course, create RESERVE` messages that
>>>>>> cause intermediate nodes to create some state (and cause other
>>>>>> actions) but the message would finally hit the QNE Egress node. The
>>>>>> QNE Egress node would then be able to determine that there is
>>>>>> something going wrong and generate an error message.
>>>>>>
>>>>>> The severe congestion handling can be triggered by intermediate nodes
>>>>>> (unlike other messages). In many cases, however, intermediate nodes
>>>>>> experiencing congestion use refresh messages modify the <S> and
>>>>>> <O> parameters of the message. These messages are still
>>>>>> initiated by the QNE Ingress node and carry the SESSION_ID. The QNE
>>>>>> Egress node will use the SESSION_ID and subsequently the
>>>>>> BOUND_SESSION_ID, maintained by the intra-domain QoS-NSLP operational
>>>>>> state, to refer to a flow that might be terminated. The
>>>>>> aspect of intermediate nodes initiating messages for severe
>>>>>> congestion handling is for further study.
>>>>>>
>>>>>> QNE Ingress QNE Interior QNE Interior QNE Egress
>>>>>> NTLP stateful NTLP stateless NTLP stateless NTLP stateful
>>>>>> | | | |
>>>>>> | REFRESH RESERVE` | |
>>>>>> +-------------->| REFRESH RESERVE` |
>>>>>> | (+RII) +-------------->| REFRESH RESERVE`
>>>>>> | | (+RII) +------------->|
>>>>>> | | | (+RII) |
>>>>>> | | | |
>>>>>> | | | REFRESH |
>>>>>> | | | RESPONSE`|
>>>>>> |<---------------------------------------------+
>>>>>> | | | (+RII) |
>>>>>>
>>>>>> Figure 25: RMD REFRESH message exchange
>>>>>>
>>>>>> During the refresh procedure a RESERVE` creates a RESPONSE`, see
>>>>>> Figure 25. The RII is carried in the RESERVE` message and the
>>>>>> RESPONSE` message that is generated by the QNE Egress node contains
>>>>>> the same RII as the RESERVE`.
>>>>>>
>>>>>> The RII can be used by the QNE Ingress to match the RESERVE` with the
>>>>>> RESPONSE`.
>>>>>>
>>>>>> A further aspect is marking of data traffic. Data packets can be
>>>>>> modified by an intermediary without any relationship to a signaling
>>>>>> session (and a SESSION_ID). The problem appears if an off-path
>>>>>> adversary injects spoofed data packets.
>>>>>>
>>>>>>
>>>>>> The adversary thereby needs to spoof data packets that relate to the
>>>>>> flow identifier of an existing end-to-end reservation that SHOULD be
>>>>>> terminated. Therefore the question arises how an off-path adversary
>>>>>> SHOULD create a data packet that matches an existing flow identifier
>>>>>> (if a 5-tuple is used). Hence, this might not turn out to be simple
>>>>>> for an adversary unless we assume the previously mentioned
>>>>>> mobility/re-routing case where the path through the network changes
>>>>>> and the set of nodes that are along a path changes over time.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Brian Weis wrote:
>>>>>>> I have reviewed this document as part of the security 
>>>>>>> directorate's ongoing effort to review all IETF documents being 
>>>>>>> processed by the IESG. These comments were written primarily for 
>>>>>>> the benefit of the security area directors. Document editors and 
>>>>>>> WG chairs should treat these comments just like any other last 
>>>>>>> call comments.
>>>>>>>
>>>>>>> This document describes an NSIS QoS Model for networks that use 
>>>>>>> the Resource Management in Diffserv (RMD) concept. It describes 
>>>>>>> RMD-QOSM, which are new payloads sent using the GISP signaling 
>>>>>>> mechanism, where the new payloads request or reserve resources. A 
>>>>>>> number of data flows are discussed, depending on whether nodes 
>>>>>>> within a network boundary participate in the protocol or not.
>>>>>>>
>>>>>>> The Security Considerations section covers the following topics:
>>>>>>> - Byzantine adversaries (i.e., participants taken over by an 
>>>>>>> adversary) are a general problem, but this section intends to 
>>>>>>> discuss additional threats as a result of the new protocol. There 
>>>>>>> is an extensive discussion of on-path and off-path adversaries, 
>>>>>>> which seems to intend to be addressing Byzantine adversaries.
>>>>>>> - RMD-QOSM is claimed to be lightweight, with different routers 
>>>>>>> allowed certain operations dependant on the role a router plays 
>>>>>>> in the system. E.g., only Ingress/Egress nodes are allowed to 
>>>>>>> initiate certain signaling messages.
>>>>>>> - RMD-QOSM "relies on the security support that is provided by 
>>>>>>> the bounded end-to-end session, which is running between the 
>>>>>>> boundaries of the RMD domain", but doesn't mandate that security 
>>>>>>> support.
>>>>>>>
>>>>>>> The existing text is helpful, but not sufficient. The following 
>>>>>>> points are suggestions to improve this section.
>>>>>>>
>>>>>>> 1. The statement at the beginning of Security Considerations 
>>>>>>> discusses adversaries taking over a router, but the new threats 
>>>>>>> are not very clear. Are the authors considering that security 
>>>>>>> associations are revealed, that reservation data routed to a 
>>>>>>> particular router can be changed or forged, or something else?
>>>>>>>
>>>>>>> 2. The trust model used by RMD-QOSM is hinted at in the 
>>>>>>> discussion of on-path and off-path adversaries, but a discussion 
>>>>>>> of exactly what devices are trusted and what they're trusted to 
>>>>>>> do would be helpful. For example, is every interior router in the 
>>>>>>> network is trusted to handle any particular RESERVE or RESERVE` 
>>>>>>> message? If not, then how are the paths setup so that only 
>>>>>>> authorized routers will see a particular message? On the other 
>>>>>>> hand, if routing is used to route the messages then it would seem 
>>>>>>> that any router must be authorized to handle messages happened to 
>>>>>>> be routed to them -- but then it isn't clear that there can be a 
>>>>>>> difference between an "on-path" and "off-path" adversary.
>>>>>>>
>>>>>>> 3. Another dimension of trust model is the fact that 
>>>>>>> ingress/egress routers seem to trust each other more than they 
>>>>>>> trust interior nodes. This seems evidenced by the fact that 
>>>>>>> RESERVE messages (Figure 24) don't seem to be intended to be 
>>>>>>> modified by the interior routers. In the case of probes, I would 
>>>>>>> expect that this would be especially important, but probes do not 
>>>>>>> seem to be specifically discussed in this section.
>>>>>>>
>>>>>>> 4. There don't seem to be any actual security requirements or 
>>>>>>> recommendations made on GIST messaging. As such, it isn't clear 
>>>>>>> that attackers that have not taken over a participant (i.e., a 
>>>>>>> man in the middle) are in any way foiled. I would expect to see 
>>>>>>> more MUSTs and SHOULDs in this section regarding message 
>>>>>>> security. There are statements in the I-D such as "In the 
>>>>>>> situation a security association exists" and "If we assume that 
>>>>>>> the RESERVE/RESPONSE is sent with hop-by-hop channel security". 
>>>>>>> There should be some description of the threats to the messaging 
>>>>>>> by a non-participant, and stating what available mechanisms MUST 
>>>>>>> or SHOULD be used.
>>>>>>>
>>>>>>> 5. Since roles seem to be an important part of the security 
>>>>>>> considerations, it would be helpful to see discussion of the 
>>>>>>> different threats & requirements on the ingress/egress routers 
>>>>>>> and the internal routers in their different roles.
>>>>>>>
>>>>>>> 6. An important service of RMD-QOSM is admission control, but 
>>>>>>> there doesn't seem to be any discussion of how the ingress 
>>>>>>> routers determine whether or not reservation requests given to 
>>>>>>> them are valid. I would have thought that is of particular 
>>>>>>> importance, but if it's considered out of scope this section 
>>>>>>> might mention that fact.
>>>>>>
>>>>>>>
>>>>>>> Hope that helps,
>>>>>>> Brian
>>>>>>> _______________________________________________
>>>>>>> secdir mailing list
>>>>>>> secdir@ietf.org
>>>>>>> https://www.ietf.org/mailman/listinfo/secdir
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
> 
>