[secdir] SecDir Review of draft-ietf-pcp-anycast-06

Yoav Nir <ynir.ietf@gmail.com> Mon, 08 June 2015 15:00 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 36CA81B2E82; Mon, 8 Jun 2015 08:00:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id xznKBK0JsXD0; Mon, 8 Jun 2015 08:00:43 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com [IPv6:2a00:1450:400c:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 892071A88F1; Mon, 8 Jun 2015 08:00:43 -0700 (PDT)
Received: by wibut5 with SMTP id ut5so89394954wib.1; Mon, 08 Jun 2015 08:00:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:content-transfer-encoding:subject:message-id:date :to:mime-version; bh=47pTolTck1pYsje1fV2tH/85tW/Ntm6VcZOb8OTuEjk=; b=tmLfdveXMClQjcbD4zz242JzcZiP6lVeN7MtQXf8TJ13ZxJoNN6EauycQ0yIFAzvMq qpxKZcXuSSLG9sVMqzdtZLLaq1VRAr/3RSgHmqng3rU3zpOErjeEAVk26eYoeOHSQMzL dgMKWuOhEM/fY8TRQ4Npzejr5EPH6mSRBKNnb/5Zi8h8Plo3lXfjUTRt9SD50pHXcfDk Url52UAJsCTbORc1Amtg4yZHybn65SGsXPwcegAdLP2cTOsTNNQah9Yndxm+hjsKv4zy oqNbQk1QH3seBy7nLqJXa42Grown9VO8Jn49vl3SPvtM/gnppTrDbMgIbmTGA8vsa+OU E6Wg==
X-Received: by with SMTP id vw8mr31672157wjc.114.1433775642304; Mon, 08 Jun 2015 08:00:42 -0700 (PDT)
Received: from [] (dyn32-131.checkpoint.com. []) by mx.google.com with ESMTPSA id cd9sm4704031wjc.34.2015. (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Mon, 08 Jun 2015 08:00:41 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Message-Id: <06A85300-7DD9-4AC4-A5F5-EE9FE77F7466@gmail.com>
Date: Mon, 8 Jun 2015 18:00:38 +0300
To: secdir <secdir@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-pcp-anycast.all@tools.ietf.org
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/_-l5jzR8gcG_3D3FUvoE0A5bH80>
Subject: [secdir] SecDir Review of draft-ietf-pcp-anycast-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jun 2015 15:00:45 -0000


I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

TL;DR: Ready (with a question)

The document describes an alternative method for nodes behind a middlebox (such as NAT device or firewall) to contact the middlebox in order to manage port allocation. Existing methods (described in RFC 6887 and 7291 respectively) are to either assume that the default router is the device (suitable for small networks) or specify the middlebox address in a DHCP option (suitable for larger networks).

This document proposes a third alternative: use of a well-known anycast address. Sending a request to that anycast address will ensure delivery to the closest service address (which may or may not be co-located with the middlebox) by the routing on the network, supported by either BGP or IGP.

There are two specific concerns about this method (other than the usual anycast or pcp concerns). The first is that information about the internal network might leak to a PCP service outside the network. Whereas a failure of a service whose address is given in DHCP will result in black-holed packets, failure of a service with an anycast address will cause the packets to be forwarded to some random PCP server on the Internet. Section 5.1 discusses this and recommends filtering in perimeter gateways and reduced TTL. I believe this addresses that threat adequately.

The other specific concern is that a rogue machine would push routes to advertise itself as a PCP service, hijacking PCP traffic and causing network outages. Section 5.2 deals with this issue. The section makes the claim that within the first network segment, the nodes do not use dynamic routing protocols, so an attack there is equivalent to impersonating the default router. Outside the first segment, routing protocols are used, and there is a need for routing security anyway. In both cases an attacker capable of conducting these attacks can do a lot worse than impersonating a PCP service.

I find this argument almost convincing. What is still bothering me is the question of whether the more damaging attacks would be discovered immediately, whereas simply advertising a route to the anycast address can “fly under the radar” so that the attacker can become the PCP server undetected. I don’t have a firm attack in mind, just a mild concern.