[secdir] comments on draft-irtf-rrg-recommendation-14

Sandra Murphy <Sandra.Murphy@sparta.com> Thu, 28 October 2010 17:25 UTC

Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BD85F3A68EB; Thu, 28 Oct 2010 10:25:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.093
X-Spam-Level:
X-Spam-Status: No, score=-102.093 tagged_above=-999 required=5 tests=[AWL=-0.293, BAYES_00=-2.599, SARE_SUB_RAND_LETTRS4=0.799, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GRrpp2-homoq; Thu, 28 Oct 2010 10:25:39 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by core3.amsl.com (Postfix) with ESMTP id B95BE3A6857; Thu, 28 Oct 2010 10:25:38 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id o9SHRU5l031690; Thu, 28 Oct 2010 12:27:30 -0500
Received: from mailbin2.ads.sparta.com (mailbin.sparta.com [157.185.85.6]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id o9SHRUgD005720; Thu, 28 Oct 2010 12:27:30 -0500
Received: from SMURPHY-LT.columbia.ads.sparta.com ([157.185.81.119]) by mailbin2.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Thu, 28 Oct 2010 13:27:29 -0400
Date: Thu, 28 Oct 2010 13:27:29 -0400 (Eastern Daylight Time)
From: Sandra Murphy <Sandra.Murphy@sparta.com>
To: secdir@ietf.org, tony.li@tony.li, iesg@ietf.org
Message-ID: <Pine.WNT.4.64.1010281239580.836@SMURPHY-LT.columbia.ads.sparta.com>
X-X-Sender: sandy@mailbin.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-OriginalArrivalTime: 28 Oct 2010 17:27:30.0005 (UTC) FILETIME=[65E0B050:01CB76C5]
Subject: [secdir] comments on draft-irtf-rrg-recommendation-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Oct 2010 17:25:40 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security area 
directors.  Document editors and WG chairs should treat these comments 
just like any other last call comments.

I unfortunately was off-net for a few days and got to this assignment 
rather late.  The document is long and covers a broad swath of material 
and I was not able to cover it deeply.

This document is a product of the rrg IRTF working group.  It summarizes 
15 different proposals for a new routing and addressing architecture for 
the Internet, with short summaries, critiques and rebuttals for each, and 
gives a final recommendation to the IETF for future direction.

With the breadth of scope of the document, there is no way for me to 
review each proposal's documents for security considerations.

The security considerations of *this* document itself is quite terse:

20. Security Considerations

    All solutions are required to provide security that is at least as
    strong as the existing Internet routing and addressing architecture.

Given the widely reported weakness of the "existing Internet routing and 
addressing architecture", this is a low bar indeed.  There are attempts in 
progress to attempt to improve the security of the Internet routing and 
addressing architecture.  I do not know what to suggest if these 
improvements leave the Internet with stronger security than is provided by 
these proposals.

The summaries of the different proposals devote little attention to the 
infrastructure security ramifications of the proposal.  Given the stated 
goal, perhaps no attention was necessary.

Many of these proposals include an encapsulation system, presenting the 
expected difficulties with end system authentication, filtering systems at 
boundaries, etc.  Some proposals addressed these concerns.  I am not sure 
if the security considerations section meant that the proposals were 
required to avoid weakening the end-host security protections already 
provided (ipsec, NAT, whatever).

The rrg wg came to consensus that a fundamental architectural feature is 
a separation of locator and identifier for any node.  Many of the 
discussed alternatives include a mapping system that produce a locator for 
a given destination identifier.

The mapping system would seem to be a very likely point of vulnerability, 
permitting traffic redirection for data exposure or blackholing, etc. 
Many proposals suggest a hierarchic architecture of the mapping system for 
scaling purposes.  I would presume that an authorization scheme for the 
mapping system would be essential, and that the hierarchy would be an 
important aspect of that scheme.  Of course, I can't tell much at this 
level of detail about how and if each proposals addresses this.  (One of 
the recommendations suggests communicating mapping info through bgp - I 
can not say at this point whether the SIDR suggestions for improving bgp 
security would be applicable.)

--Sandy

Nits:

    PMTUD  Path Maximum Transmission Unit Discovery: The process or
       mechanism that determines the largest packet that can be sent
       between a given source and destination with being either i)
       fragmented (IPv4 only), or ii) discarded (if not fragmentable)
       because it is too large to be sent down one link in the path from
       the source to the destination.

It should say "*without* being either", right?  A long sentence so I may 
have lost my place.


Several of the comments start using terms that are part of the wg 
deliberations, I'm sure.  But it makes reading the discussions and 
critiques obtuse.  In particular, "Core-Edge Separation" and "Core-Edge 
Elimination" seems to a well understood concept in the wg.  It needs to be 
defined somewhere.  A web search found references in some conference 
papers and in rrg mailing lists.