Return-Path: <ynir.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1])
 by ietfa.amsl.com (Postfix) with ESMTP id 36CA81B2E82;
 Mon,  8 Jun 2015 08:00:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.7
X-Spam-Level: 
X-Spam-Status: No, score=0.7 tagged_above=-999 required=5 tests=[BAYES_50=0.8, 
 DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1,
 FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44])
 by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id xznKBK0JsXD0; Mon,  8 Jun 2015 08:00:43 -0700 (PDT)
Received: from mail-wi0-x229.google.com (mail-wi0-x229.google.com
 [IPv6:2a00:1450:400c:c05::229])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (No client certificate requested)
 by ietfa.amsl.com (Postfix) with ESMTPS id 892071A88F1;
 Mon,  8 Jun 2015 08:00:43 -0700 (PDT)
Received: by wibut5 with SMTP id ut5so89394954wib.1;
 Mon, 08 Jun 2015 08:00:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; 
 h=from:content-type:content-transfer-encoding:subject:message-id:date
 :to:mime-version;
 bh=47pTolTck1pYsje1fV2tH/85tW/Ntm6VcZOb8OTuEjk=;
 b=tmLfdveXMClQjcbD4zz242JzcZiP6lVeN7MtQXf8TJ13ZxJoNN6EauycQ0yIFAzvMq
 qpxKZcXuSSLG9sVMqzdtZLLaq1VRAr/3RSgHmqng3rU3zpOErjeEAVk26eYoeOHSQMzL
 dgMKWuOhEM/fY8TRQ4Npzejr5EPH6mSRBKNnb/5Zi8h8Plo3lXfjUTRt9SD50pHXcfDk
 Url52UAJsCTbORc1Amtg4yZHybn65SGsXPwcegAdLP2cTOsTNNQah9Yndxm+hjsKv4zy
 oqNbQk1QH3seBy7nLqJXa42Grown9VO8Jn49vl3SPvtM/gnppTrDbMgIbmTGA8vsa+OU
 E6Wg==
X-Received: by 10.194.240.8 with SMTP id vw8mr31672157wjc.114.1433775642304;
 Mon, 08 Jun 2015 08:00:42 -0700 (PDT)
Received: from [172.24.251.11] (dyn32-131.checkpoint.com. [194.29.32.131])
 by mx.google.com with ESMTPSA id cd9sm4704031wjc.34.2015.06.08.08.00.40
 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128);
 Mon, 08 Jun 2015 08:00:41 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Message-Id: <06A85300-7DD9-4AC4-A5F5-EE9FE77F7466@gmail.com>
Date: Mon, 8 Jun 2015 18:00:38 +0300
To: secdir <secdir@ietf.org>, The IESG <iesg@ietf.org>,
 draft-ietf-pcp-anycast.all@tools.ietf.org
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/_-l5jzR8gcG_3D3FUvoE0A5bH80>
Subject: [secdir] SecDir Review of draft-ietf-pcp-anycast-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>,
 <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>,
 <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jun 2015 15:00:45 -0000

Hi.

I have reviewed this document as part of the security directorate's =
ongoing effort to review all IETF documents being processed by the IESG. =
 These comments were written primarily for the benefit of the security =
area directors.  Document editors and WG chairs should treat these =
comments just like any other last call comments.

TL;DR: Ready (with a question)

The document describes an alternative method for nodes behind a =
middlebox (such as NAT device or firewall) to contact the middlebox in =
order to manage port allocation. Existing methods (described in RFC 6887 =
and 7291 respectively) are to either assume that the default router is =
the device (suitable for small networks) or specify the middlebox =
address in a DHCP option (suitable for larger networks).

This document proposes a third alternative: use of a well-known anycast =
address. Sending a request to that anycast address will ensure delivery =
to the closest service address (which may or may not be co-located with =
the middlebox) by the routing on the network, supported by either BGP or =
IGP.

There are two specific concerns about this method (other than the usual =
anycast or pcp concerns). The first is that information about the =
internal network might leak to a PCP service outside the network. =
Whereas a failure of a service whose address is given in DHCP will =
result in black-holed packets, failure of a service with an anycast =
address will cause the packets to be forwarded to some random PCP server =
on the Internet. Section 5.1 discusses this and recommends filtering in =
perimeter gateways and reduced TTL. I believe this addresses that threat =
adequately.

The other specific concern is that a rogue machine would push routes to =
advertise itself as a PCP service, hijacking PCP traffic and causing =
network outages. Section 5.2 deals with this issue. The section makes =
the claim that within the first network segment, the nodes do not use =
dynamic routing protocols, so an attack there is equivalent to =
impersonating the default router. Outside the first segment, routing =
protocols are used, and there is a need for routing security anyway. In =
both cases an attacker capable of conducting these attacks can do a lot =
worse than impersonating a PCP service.

I find this argument almost convincing. What is still bothering me is =
the question of whether the more damaging attacks would be discovered =
immediately, whereas simply advertising a route to the anycast address =
can =E2=80=9Cfly under the radar=E2=80=9D so that the attacker can =
become the PCP server undetected. I don=E2=80=99t have a firm attack in =
mind, just a mild concern.

Yoav