[secdir] secdir review of draft-ietf-manet-olsrv2-15

Tom Yu <tlyu@MIT.EDU> Thu, 23 August 2012 00:14 UTC

Return-Path: <tlyu@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3F95521F8564; Wed, 22 Aug 2012 17:14:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.282
X-Spam-Level:
X-Spam-Status: No, score=-104.282 tagged_above=-999 required=5 tests=[AWL=-0.683, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2eNXOH4J9fZn; Wed, 22 Aug 2012 17:14:17 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (DMZ-MAILSEC-SCANNER-5.MIT.EDU [18.7.68.34]) by ietfa.amsl.com (Postfix) with ESMTP id 7429C21F855E; Wed, 22 Aug 2012 17:14:17 -0700 (PDT)
X-AuditID: 12074422-b7f1f6d00000090b-22-503575d883d0
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id 17.8B.02315.8D575305; Wed, 22 Aug 2012 20:14:16 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id q7N0EG6l012340; Wed, 22 Aug 2012 20:14:16 -0400
Received: from cathode-dark-space.mit.edu (CATHODE-DARK-SPACE.MIT.EDU [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id q7N0ECc9012541 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 22 Aug 2012 20:14:14 -0400 (EDT)
Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id q7N0EC6O008914; Wed, 22 Aug 2012 20:14:12 -0400 (EDT)
To: secdir@ietf.org, iesg@ietf.org, draft-ietf-manet-olsrv2.all@tools.ietf.org
From: Tom Yu <tlyu@MIT.EDU>
Date: Wed, 22 Aug 2012 20:14:12 -0400
Message-ID: <ldvharu4g8b.fsf@cathode-dark-space.mit.edu>
Lines: 42
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrNIsWRmVeSWpSXmKPExsUixG6nonuj1DTA4NprA4tn3X/YLGb8mchs 8WHhQxYHZo8lS34yeXy5/JktgCmKyyYlNSezLLVI3y6BK+PJ839MBU8FKm4//sPSwNjA18XI ySEhYCJx5/pEdghbTOLCvfVsILaQwD5GiWtLuCDsDYwSp08ZdjFyAdlXmCRedxxjgXC6GCXe f/vK2sXIwSEi4CfR+zcapEEYaOj5d9cZQcJsAtISRxeXgYRZBFQl7h9/ALaLV8BC4sj0fmYQ m0eAU2L6jVusEHFBiZMzn7CA2MwCWhI3/r1kmsDINwtJahaS1AJGplWMsim5Vbq5iZk5xanJ usXJiXl5qUW6pnq5mSV6qSmlmxjBYeaitIPx50GlQ4wCHIxKPLwvzE0DhFgTy4orcw8xSnIw KYnyrikBCvEl5adUZiQWZ8QXleakFh9ilOBgVhLh7SoCyvGmJFZWpRblw6SkOViUxHmvpdz0 FxJITyxJzU5NLUgtgsnKcHAoSfDeBRkqWJSanlqRlplTgpBm4uAEGc4DNPw8SA1vcUFibnFm OkT+FKOilDjvR5CEAEgiozQPrheWBl4xigO9Isx7CaSKB5hC4LpfAQ1mAhqsdtUYZHBJIkJK qoHRIJLjmqT1Q5Ps33uiq2X3TvO9VJPXU7bj6f73s989fmu0W3Q+64x/6hrFWVdjeVh3fV2y ni+5x+H6idPNV5IePn85h0vUrZH/jzBPjDvvgmIf87kO19/8zruc7iQgmelSXrLo09frWf7x 26Sm2om++7gzPsNd5EqVh4Fy/9mTPz+XPNphOmG3EktxRqKhFnNRcSIAObQXVN4CAAA=
Subject: [secdir] secdir review of draft-ietf-manet-olsrv2-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Aug 2012 00:14:18 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document's Security Considerations section (Section 23) analyzes
some of the protocol's vulnerabilities, but provides no concrete
actionable advice.  The overall wording in that section suggests
directions for future work, but the document does not describe actual
protocol elements that are capable of providing the needed
protections.

Section 23.1 describes confidentiality considerations for the
protocol, but does not explain what situations merit confidentiality
protection for the network topology.  It mentions the possibility of
protecting confidentiality in OLSRv2 by using PGP or shared key
encryption, but provides no indication of how to do so, nor does it
indicate how participants should conduct key management.

Section 23.2 describes integrity considerations.  The text presents
several examples where invalid control traffic may disrupt the
network, and distinguishes the situations where data origin
authentication for the control message is sufficient from situations
that require additional authentication of link states, for example.

Authentication of link states seems potentially complicated, because
it seems that both ends of a link would have to authenticate the
validity of the link between them in a way that third parties could
verify.  This document does not detail how such link validity
authentication would work.

Section 23.2 also mentions thwarting replay attacks using temporal
information, but there are no obvious places for the protocol to carry
such information.

Section 23.2 mentions using IPsec authentication headers for
authenticating entire control packets, but offers no suggestions about
how to perform key distribution.

Section 23.3 describes interactions with external routing domains, and
makes reasonable suggestions.