IETF Logo Mail Archive

Re: [secdir] [v6ops] Secdir telechat review of draft-ietf-v6ops-transition-ipv4aas-12

Christian Huitema <huitema@huitema.net> Tue, 08 January 2019 04:14 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4522A1310A6 for <secdir@ietfa.amsl.com>; Mon, 7 Jan 2019 20:14:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zSiaT4i3uUmV for <secdir@ietfa.amsl.com>; Mon, 7 Jan 2019 20:14:08 -0800 (PST)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E89512D4E7 for <secdir@ietf.org>; Mon, 7 Jan 2019 20:14:08 -0800 (PST)
Received: from xsmtp01.mail2web.com ([168.144.250.230]) by mx66.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1ggimD-000Cb9-LY for secdir@ietf.org; Tue, 08 Jan 2019 05:14:06 +0100
Received: from [10.5.2.17] (helo=xmail07.myhosting.com) by xsmtp01.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1ggimA-0002rj-BU for secdir@ietf.org; Mon, 07 Jan 2019 23:14:03 -0500
Received: (qmail 7258 invoked from network); 8 Jan 2019 04:14:00 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.56.42.39]) (envelope-sender <huitema@huitema.net>) by xmail07.myhosting.com (qmail-ldap-1.03) with ESMTPA for <secdir@ietf.org>; 8 Jan 2019 04:14:00 -0000
To: JORDI PALET MARTINEZ <jordi.palet=40consulintel.es@dmarc.ietf.org>, "STARK, BARBARA H" <bs7652@att.com>
Cc: "v6ops@ietf.org" <v6ops@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
References: <154684244329.17044.2866311660755291596@ietfa.amsl.com> <CD5A6FC1-77A1-42F8-83F6-86581F11E838@consulintel.es> <8E63971A-FEB2-4AB4-BED5-0FEBC8D6949D@consulintel.es> <B0031737-005E-4AF9-9C0C-4A2A5774F73C@huitema.net> <2D09D61DDFA73D4C884805CC7865E6114DF86BB4@GAALPA1MSGUSRBF.ITServices.sbc.com> <F3B1CC63-AF3F-4E13-B03B-FD596113CC44@consulintel.es>
From: Christian Huitema <huitema@huitema.net>
Openpgp: preference=signencrypt
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= mQENBFIRX8gBCAC26usy/Ya38IqaLBSu33vKD6hP5Yw390XsWLaAZTeQR64OJEkoOdXpvcOS HWfMIlD5s5+oHfLe8jjmErFAXYJ8yytPj1fD2OdSKAe1TccUBiOXT8wdVxSr5d0alExVv/LO I/vA2aU1TwOkVHKSapD7j8/HZBrqIWRrXUSj2f5n9tY2nJzG9KRzSG0giaJWBfUFiGb4lvsy IaCaIU0YpfkDDk6PtK5YYzuCeF0B+O7N9LhDu/foUUc4MNq4K3EKDPb2FL1Hrv0XHpkXeMRZ olpH8SUFUJbmi+zYRuUgcXgMZRmZFL1tu6z9h6gY4/KPyF9aYot6zG28Qk/BFQRtj7V1ABEB AAG0J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PokBOQQTAQIAIwUC UhFfyAIbLwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEJNDCbJVyA1yhbYH/1ud6x6m VqGIp0JcZUfSQO8w+TjugqxCyGNn+w/6Qb5O/xENxNQ4HaMQ5uSRK9n8WKKDDRSzwZ4syKKf wbkfj05vgFxrjCynVbm1zs2X2aGXh+PxPL/WHUaxzEP7KjYbLtCUZDRzOOrm+0LMktngT/k3 6+EZoLEM52hwwpIAzJoscyEz7QfqMOZtFm6xQnlvDQeIrHx0KUvwo/vgDLK3SuruG1CSHcR0 D24kEEUa044AIUKBS3b0b8AR7f6mP2NcnLpdsibtpabi9BzqAidcY/EjTaoea46HXALk/eJd 6OLkLE6UQe1PPzQC4jB7rErX2BxnSkHDw50xMgLRcl5/b1a5AQ0EUhFfyAEIAKp7Cp8lqKTV CC9QiAf6QTIjW+lie5J44Ad++0k8gRgANZVWubQuCQ71gxDWLtxYfFkEXjG4TXV/MUtnOliG 5rc2E+ih6Dg61Y5PQakm9OwPIsOx+2R+iSW325ngln2UQrVPgloO83QiUoi7mBJPbcHlxkhZ bd3+EjFxSLIQogt29sTcg2oSh4oljUpz5niTt69IOfZx21kf29NfDE+Iw56gfrxI2ywZbu5o G+d0ZSp0lsovygpk4jK04fDTq0vxjEU5HjPcsXC4CSZdq5E2DrF4nOh1UHkHzeaXdYR2Bn1Y wTePfaHBFlvQzI+Li/Q6AD/uxbTM0vIcsUxrv3MNHCUAEQEAAYkCPgQYAQIACQUCUhFfyAIb LgEpCRCTQwmyVcgNcsBdIAQZAQIABgUCUhFfyAAKCRC22tOSFDh1UOlBB/94RsCJepNvmi/c YiNmMnm0mKb6vjv43OsHkqrrCqJSfo95KHyl5Up4JEp8tiJMyYT2mp4IsirZHxz/5lqkw9Az tcGAF3GlFsj++xTyD07DXlNeddwTKlqPRi/b8sppjtWur6Pm+wnAHp0mQ7GidhxHccFCl65w uT7S/ocb1MjrTgnAMiz+x87d48n1UJ7yIdI41Wpg2XFZiA9xPBiDuuoPwFj14/nK0elV5Dvq 4/HVgfurb4+fd74PV/CC/dmd7hg0ZRlgnB5rFUcFO7ywb7/TvICIIaLWcI42OJDSZjZ/MAzz BeXm263lHh+kFxkh2LxEHnQGHCHGpTYyi4Z3dv03HtkH/1SI8joQMQq00Bv+RdEbJXfEExrT u4gtdZAihwvy97OPA2nCdTAHm/phkzryMeOaOztI4PS8u2Ce5lUB6P/HcGtK/038KdX5MYST Fn8KUDt4o29bkv0CUXwDzS3oTzPNtGdryBkRMc9b+yn9+AdwFEH4auhiTQXPMnl0+G3nhKr7 jvzVFJCRif3OAhEm4vmBNDE3uuaXFQnbK56GJrnqVN+KX5Z3M7X3fA8UcVCGOEHXRP/aubiw Ngawj0V9x+43kUapFp+nF69R53UI65YtJ95ec4PTO/Edvap8h1UbdEOc4+TiYwY1TBuIKltY 1cnrjgAWUh/Ucvr++/KbD9tD6C8=
Message-ID: <d4b34637-c430-a721-0e8f-93bf6e07dd1a@huitema.net>
Date: Mon, 07 Jan 2019 20:13:58 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.4.0
MIME-Version: 1.0
In-Reply-To: <F3B1CC63-AF3F-4E13-B03B-FD596113CC44@consulintel.es>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Originating-IP: 168.144.250.230
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.26)
X-Recommended-Action: accept
X-Filter-ID: EX5BVjFpneJeBchSMxfU5iiHH+MW+amS96XrHYgInOZ602E9L7XzfQH6nu9C/Fh9KJzpNe6xgvOx q3u0UDjvOzniiMFxnOFMHTZqw+apvQzTV/3OdXD2Xdo8CfrY5CQSnj88Owhl1aue+pxa11EFWoyz NJVaeAWax4WOe4pTBX2DwIE7VKe+bqpcdCns72R1myoI6HG8RgZGnUdJnKT7IqXe0Of4jddu9xC8 8+iQ5nb6BRFVjXUbiREH8mlR1JtPfYZ1V10x8j0kNETJD+nyXtcV2Hz37FuQUlYMDMlHwjIJ0464 etNXHOU+5Kb0QuG3bATPP9eeLWC5kDweN7crsXBXvrLBlKCVRjjdPbjQ4HmidG0pg2HLuLsP3mPp isElTs5Ex5aNZlcgVQFtAhrEij3dKxLhoxcmaInYbR5vlqETd+klAX+KFYkIxu6zxdn+1QmdZsu6 kxo/qWEj6Z1d7VIcMSgqtcKbU9La+AHiCFB9vuYMeDoXsMJDD9CZFW2DHXeua4usuyudZl7ZJWmg 5a0jiD6XqsJZtjQxlyCdsewzRmhoeKlCpofGlp99T8RpJ5xYPZNRoOw1IxzkiGadCuy7H5hgdt+5 vcUfEdVaEfxl7B1QQuoPmRqW5R/J2U16th3iHXgtR+Y1L+Zzkg9a2/EwurjXBahe19+jBD7VuIee yrhzWminYO4gRGXn3bDVvCoqfGflxbtjudA02/m3s27IkHT4SMXRhQ/EkhkuGAO4aeVKjbQuc4NX lvv7E2xutplXFSLPWNAde/KcfYA5LyVL/f6KOJaZV6OtAP2Q+QBy2DNwOgV373pfDhBQ21OdM8gu ipSMnc4a1vOLkZpIf7UyEpcn4vR70ZwyprD5IJ34YaYZ30wD+IYKdMuYOSaM5ZxrRnRt4PqMzH3k 7hTkr8kPb2KLnZ2Xht3zA75VehhIcJfl9xjKxh+F8kIXLdZND3rjHB4Yc+TqdazcMI41sA2AfTJ2 5W/vzfaHf3wr2m4mbmeTgFKBgc4kmBS2brusOVZrHRzE6blhEo+mN1j1Fw==
X-Report-Abuse-To: spam@quarantine9.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/_Q2hw1t9dxVBwWug5eO13wyIF6M>
Subject: Re: [secdir] [v6ops] Secdir telechat review of draft-ietf-v6ops-transition-ipv4aas-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Jan 2019 04:14:10 -0000

On 1/7/2019 11:58 AM, JORDI PALET MARTINEZ wrote:
> Hi Barbara,
>
> I agree with your regarding the WPA, not sure to understand the point from Christian.
>
> If a local device is compromised, that happens in the LANs and this will only affect the CE, if the "virus" or "bot" or whatever is able to compromise the CE configuration and then replace some of the settings done by the provisioning system.
>
> This is something that may happen regardless of using DHCP in the WAN or other protocols.
>
> I recall having seen some TR-069 mechanism (maybe it was proprietary) to provide something related to access control security, but if it is not standard, I will remove it. Let's see if someone in the list can provide some info and I will also try to recall what was in the case I've in mind.

Maybe I was not clear. I am not overly concerned with what happens on
the WAN side -- I assume that the ISP deploying customer premise devices
will find a way to provision them securely. I am concerned that using
DHCPv6 to provision networking parameters on the local hosts exposes
these hosts to generic DHCP spoofing attacks. To mount the DHCP spoofing
attacks, the attacker will need to either gain connectivity to the local
network, or gain controlled of a local device. Access control protocols
like 802.1x will prevent unauthorized devices from connecting to the
local network; they will not close the second avenue of attack,
something that solutions like DHCP guard would do.

The local router can filter which packets are relayed between Wi-Fi
devices, and can filter out spoofed DHCP packets. That's reasonably easy
to deploy in small networks, where the only authorized DHCP server is
located on the router itself. Of course, the current document is not
meant as a general home router requirement draft -- it just specifies
the narrow problem of how these routers should facilitate deployment of
IPv4 as a service. I do like Jordi's succession to refer to DHCP Guard
as a potential mitigation of DHCPv6 issues, because it can be deployed
simply and it would thwart a series of potential attacks.

I am less enthusiastic about 802.1x, because as I said above it
addresses a fraction of the problem, but not the whole problem. Standard
deployment of 802.1x requires an authentication server, which currently
does not come with small routers. It also requires management of this
authentication server, which is a tall order in these small networks.
There have been attempts to define a simpler profile of 802.1x, in which
all users have the same ID and the same password -- such as what is used
in the IETF Wi-Fi networks. This does improve somewhat over the
residential version of WPA, in which all users share the same "Wi-Fi
password", because it provides better isolation between users. But I
would have a hard time recommending 802.1x deployment in residential
networks "because of DHCPv6 security".

While I do like the "DHCP Guard" class of solutions, I am also concerned
that the DHCP Guard concept is only defined by the commercial literature
of some vendors -- and the same goes for DHCP Snooping, which could have
a variety of meanings. If you want to use that term, then you should add
a reference to the paper where this is defined. Or you could use neutral
language, like:

  Considering that, networks using DHCPv6, depending on their specific
  topologies, should consider using access control mechanisms such as
  those based on IEEE-802.1X, and DHCPv6 filtering mechanisms designed to
  prevent forwarding of spoofed DHCPv6 packets through the router, often
  referred to as "DHCP Guard."

I am also skeptical of the mention of "SME" in the last paragraph, in
"deployment of IPv4aaS in residential, SOHO and SME networks". The
definition of what is a small or medium enterprise varies by countries.
In the European Union, it is up to 250 employees. In the US, it is
defined by revenues and employees limit, typically fewer than 500
employees. In other part of the world, it can be fewer than 50
employees, or maybe it is just defined by a limit on revenues. In any
case, I would personally be reluctant to deploy simple devices like
described in the draft in a network with 100 to 200 people, let alone
500. That would be pushing luck a bit too far.

The introduction of the draft says "This document defines IPv4 service
continuity features over an IPv6-only network, for a residential or
small-office router..." I would suggest using exactly the same language,
as in:

  As stated in the introduction, this document addresses deployment of
  IPv4aaS in residential or small-office networks.  Deployment in more
  challenging environments would require additional security analysis.

-- Christian Huitema

v2.23.0 | Report a Bug | By Email