Re: [secdir] sectdir review of draft-ietf-isis-node-admin-tag-08
Hannes Gredler <hannes@gredler.at> Fri, 22 April 2016 07:34 UTC
Return-Path: <hannes@gredler.at>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49DC012DA0B; Fri, 22 Apr 2016 00:34:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.896
X-Spam-Level:
X-Spam-Status: No, score=-2.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.996] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fvhkGaQKlb-W; Fri, 22 Apr 2016 00:34:53 -0700 (PDT)
Received: from gilfert.gredler.at (gilfert.gredler.at [87.106.222.165]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2C8612D791; Fri, 22 Apr 2016 00:34:52 -0700 (PDT)
Received: from hannes-mba.local (193-81-152-183.adsl.highway.telekom.at [::ffff:193.81.152.183]) (AUTH: PLAIN hannes, SSL: TLSv1/SSLv3,128bits,AES128-SHA) by gilfert.gredler.at with ESMTPSA; Fri, 22 Apr 2016 09:34:48 +0200 id 00000000033308D9.000000005719D419.00000CD2
To: Catherine Meadows <catherine.meadows@nrl.navy.mil>, secdir@ietf.org, iesg@ietf.org, draft-ietf-isis-node-admin-tag.all@ietf.org
References: <A72D09E9-4622-41DB-8EA0-62518AA9CA7A@nrl.navy.mil>
From: Hannes Gredler <hannes@gredler.at>
Message-ID: <5719D3FA.4070402@gredler.at>
Date: Fri, 22 Apr 2016 09:34:18 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <A72D09E9-4622-41DB-8EA0-62518AA9CA7A@nrl.navy.mil>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/diywwOC8JjOwsej_QI85R3JjrJQ>
Subject: Re: [secdir] sectdir review of draft-ietf-isis-node-admin-tag-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2016 07:34:55 -0000
catherine, i fail to see how this does introduce *new* security concerns. background: we have in IS-IS two existing tagging mechanism's: 1) admin-groups for links https://tools.ietf.org/html/rfc5305#section-3.1 2) prefix-tags for prefixes https://tools.ietf.org/html/rfc5130#section-3.1 both "tagging-spaces" are local administered and have no global significance. the purpose of draft-ietf-isis-node-admin-tag-08 is to add support for a third tagging method which allows tagging of an entire node using local administered tagging space. (same operational spirit as in 1) and 2) ) now my question(s): - why is adding of an local-administered tag with no implied semantics considered to be security relevant ? - what specific (apparently mis-)wording in draft-ietf-isis-node-admin-tag makes you think it is security relevant ? /hannes On 4/21/16 19:36, Catherine Meadows wrote: > I have reviewed this document as part of the security directorate's > ongoing effort to review all > IETF documents being processed by the IESG. These comments were written > primarily for the > benefit of the security area directors. Document editors and WG chairs > should treat these comments > just like any other last call comments. > > This draft describes an extension to the IS-IS routing protocol, that > allows tagging and grouping of nodes > in an IS-IS domain. This makes it possible to increase the efficiency > of route and path selection, since the tags > give information about a router’s capabilities. > > The Security Considerations section correctly identifies one of the main > security risks of using such tags: they may leak > sensitive information about, e.g., geographical location. However, I’m > confused by the statement following that: > > “This document does not introduce any new security concerns. Security > concerns for IS-IS are already addressed in > [ISO10589], [RFC5304], and [RFC5310] are are applicable to the > mechanisms described in this document.” > > As far as I can tell, this document *does* introduce new security > concerns, because the tags may reveal sensitive > information that may not have been made available otherwise. Moreover, > RFCs 5304 and 5310 concern authentication, not > secrecy, and so do not address information leakage at all. My own > suggestion > for a recommendation would be that implementors should weigh the > benefits of putting certain kinds of information on tags > versus the risk of its being used by an attacker, and make their > decisions accordingly. This would not be a SHOULD a MUST > recommendation by the way, but simply advisory. > > I’m not sure what is meant by the last sentence in this paragraph: > > Extended authentication mechanisms described in [RFC5304] or [RFC5310] > SHOULD be used in > deployments where attackers have access to the physical networks and > nodes included in the IS-IS domain are vulnerable. > > Is this addressing the problem of sensitive information on tags? If so, > you need to say how. If it is addressing > spoofing of tags, it should be given its own paragraph, and the threat > you are talking about should be made clear. > > In the last paragraph, on the misattribution of tags from different > domains, what would you recommend for mitigating against > this problem? Also, since this is in the security considerations > section, you should say something about how an attacker > could take advantage of it. > > In my opinion, the Security Considerations section needs a major > revision. However, > I consider this document Almost Ready, because the purpose of the > revision would be mainly to make the section more clear, not to address > any overlooked security problems. > > > > > Catherine Meadows > Naval Research Laboratory > Code 5543 > 4555 Overlook Ave., S.W. > Washington DC, 20375 > phone: 202-767-3490 > fax: 202-404-7942 > email: catherine.meadows@nrl.navy.mil > <mailto:catherine.meadows@nrl.navy.mil> >
- [secdir] sectdir review of draft-ietf-isis-node-a… Catherine Meadows
- Re: [secdir] sectdir review of draft-ietf-isis-no… Hannes Gredler
- Re: [secdir] sectdir review of draft-ietf-isis-no… Catherine Meadows
- Re: [secdir] sectdir review of draft-ietf-isis-no… Pushpasis Sarkar
- Re: [secdir] sectdir review of draft-ietf-isis-no… Pushpasis Sarkar