Re: [secdir] sectdir review of draft-ietf-isis-node-admin-tag-08
Hannes Gredler <hannes@gredler.at> Fri, 22 April 2016 07:34 UTC
Return-Path: <hannes@gredler.at>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49DC012DA0B; Fri, 22 Apr 2016 00:34:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.896
X-Spam-Level:
X-Spam-Status: No, score=-2.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.996] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fvhkGaQKlb-W; Fri, 22 Apr 2016 00:34:53 -0700 (PDT)
Received: from gilfert.gredler.at (gilfert.gredler.at [87.106.222.165]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2C8612D791; Fri, 22 Apr 2016 00:34:52 -0700 (PDT)
Received: from hannes-mba.local (193-81-152-183.adsl.highway.telekom.at [::ffff:193.81.152.183]) (AUTH: PLAIN hannes, SSL: TLSv1/SSLv3,128bits,AES128-SHA) by gilfert.gredler.at with ESMTPSA; Fri, 22 Apr 2016 09:34:48 +0200 id 00000000033308D9.000000005719D419.00000CD2
To: Catherine Meadows <catherine.meadows@nrl.navy.mil>, secdir@ietf.org, iesg@ietf.org, draft-ietf-isis-node-admin-tag.all@ietf.org
References: <A72D09E9-4622-41DB-8EA0-62518AA9CA7A@nrl.navy.mil>
From: Hannes Gredler <hannes@gredler.at>
Message-ID: <5719D3FA.4070402@gredler.at>
Date: Fri, 22 Apr 2016 09:34:18 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <A72D09E9-4622-41DB-8EA0-62518AA9CA7A@nrl.navy.mil>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/diywwOC8JjOwsej_QI85R3JjrJQ>
Subject: Re: [secdir] sectdir review of draft-ietf-isis-node-admin-tag-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Apr 2016 07:34:55 -0000
catherine,
i fail to see how this does introduce *new* security concerns.
background:
we have in IS-IS two existing tagging mechanism's:
1) admin-groups for links
https://tools.ietf.org/html/rfc5305#section-3.1
2) prefix-tags for prefixes
https://tools.ietf.org/html/rfc5130#section-3.1
both "tagging-spaces" are local administered and have
no global significance.
the purpose of draft-ietf-isis-node-admin-tag-08 is to
add support for a third tagging method which allows tagging
of an entire node using local administered tagging space.
(same operational spirit as in 1) and 2) )
now my question(s):
- why is adding of an local-administered tag with no implied
semantics considered to be security relevant ?
- what specific (apparently mis-)wording in
draft-ietf-isis-node-admin-tag makes you think
it is security relevant ?
/hannes
On 4/21/16 19:36, Catherine Meadows wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all
> IETF documents being processed by the IESG. These comments were written
> primarily for the
> benefit of the security area directors. Document editors and WG chairs
> should treat these comments
> just like any other last call comments.
>
> This draft describes an extension to the IS-IS routing protocol, that
> allows tagging and grouping of nodes
> in an IS-IS domain. This makes it possible to increase the efficiency
> of route and path selection, since the tags
> give information about a router’s capabilities.
>
> The Security Considerations section correctly identifies one of the main
> security risks of using such tags: they may leak
> sensitive information about, e.g., geographical location. However, I’m
> confused by the statement following that:
>
> “This document does not introduce any new security concerns. Security
> concerns for IS-IS are already addressed in
> [ISO10589], [RFC5304], and [RFC5310] are are applicable to the
> mechanisms described in this document.”
>
> As far as I can tell, this document *does* introduce new security
> concerns, because the tags may reveal sensitive
> information that may not have been made available otherwise. Moreover,
> RFCs 5304 and 5310 concern authentication, not
> secrecy, and so do not address information leakage at all. My own
> suggestion
> for a recommendation would be that implementors should weigh the
> benefits of putting certain kinds of information on tags
> versus the risk of its being used by an attacker, and make their
> decisions accordingly. This would not be a SHOULD a MUST
> recommendation by the way, but simply advisory.
>
> I’m not sure what is meant by the last sentence in this paragraph:
>
> Extended authentication mechanisms described in [RFC5304] or [RFC5310]
> SHOULD be used in
> deployments where attackers have access to the physical networks and
> nodes included in the IS-IS domain are vulnerable.
>
> Is this addressing the problem of sensitive information on tags? If so,
> you need to say how. If it is addressing
> spoofing of tags, it should be given its own paragraph, and the threat
> you are talking about should be made clear.
>
> In the last paragraph, on the misattribution of tags from different
> domains, what would you recommend for mitigating against
> this problem? Also, since this is in the security considerations
> section, you should say something about how an attacker
> could take advantage of it.
>
> In my opinion, the Security Considerations section needs a major
> revision. However,
> I consider this document Almost Ready, because the purpose of the
> revision would be mainly to make the section more clear, not to address
> any overlooked security problems.
>
>
>
>
> Catherine Meadows
> Naval Research Laboratory
> Code 5543
> 4555 Overlook Ave., S.W.
> Washington DC, 20375
> phone: 202-767-3490
> fax: 202-404-7942
> email: catherine.meadows@nrl.navy.mil
> <mailto:catherine.meadows@nrl.navy.mil>
>
- [secdir] sectdir review of draft-ietf-isis-node-a… Catherine Meadows
- Re: [secdir] sectdir review of draft-ietf-isis-no… Hannes Gredler
- Re: [secdir] sectdir review of draft-ietf-isis-no… Catherine Meadows
- Re: [secdir] sectdir review of draft-ietf-isis-no… Pushpasis Sarkar
- Re: [secdir] sectdir review of draft-ietf-isis-no… Pushpasis Sarkar