[secdir] Secdir review of draft-ietf-pcp-upnp-igd-interworking-07

Vincent Roca <vincent.roca@inria.fr> Thu, 25 April 2013 09:01 UTC

Return-Path: <vincent.roca@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id B35F421F93EE; Thu, 25 Apr 2013 02:01:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.449
X-Spam-Status: No, score=-109.449 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, SARE_SUB_RAND_LETTRS4=0.799, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id YZlT5VsBjacK; Thu, 25 Apr 2013 02:01:06 -0700 (PDT)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr []) by ietfa.amsl.com (Postfix) with ESMTP id B6B4521F86CA; Thu, 25 Apr 2013 02:01:05 -0700 (PDT)
X-IronPort-AV: E=Sophos; i="4.87,548,1363129200"; d="scan'208,217"; a="12155568"
Received: from dom38-1-82-236-155-50.fbx.proxad.net (HELO []) ([]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/AES128-SHA; 25 Apr 2013 11:01:04 +0200
From: Vincent Roca <vincent.roca@inria.fr>
Content-Type: multipart/alternative; boundary=Apple-Mail-3--121276503
Date: Thu, 25 Apr 2013 11:01:03 +0200
Message-Id: <D06277F3-FFB3-4CD9-95AB-A1D843AD88DF@inria.fr>
To: IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-pcp-upnp-igd-interworking.all@tools.ietf.org
Mime-Version: 1.0 (Apple Message framework v1085)
X-Mailer: Apple Mail (2.1085)
Subject: [secdir] Secdir review of draft-ietf-pcp-upnp-igd-interworking-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Apr 2013 09:01:07 -0000


I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.


1- Authors refer to [IGD2] (which is produced by UPnP), saying that the authorization framework
defined there SHOULD be used. However I haven't found the description of such a framework
in [IGD2] (I've looked at the Content Table and searched "Authorization" keyword). Can you be
more explicit in your reference?

Additionally  [IGD2] says (p.10):
        "IGD 2 introduces access control features. [IGD2] RECOMMENDS access control requirements
        and authorization levels to be applied by default. However, devices MAY choose a different
        security policy,"
I do not understand the consequences of devices choosing a different security policy, and how it
relates to your I-D.

then, same page:
        "In the 2-box model, where the control point is in the same device that desires to receive
        communication through the NAT, [IGD2] RECOMMENDS that access control is not needed. But in
        the 3-box model, where the control point is configuring NAT port mappings for a third device,
        [IGD2] RECOMMENDS that authentication and authorization is used."
It's not clear to me in which case of [IGD2] your I-D corresponds to.

2- It is said:
"Means to prevent a malicious user from creating mappings on behalf of a third party must be enabled
as discussed in Section 13.1 of [I-D.ietf-pcp-base]."
What are the means mentioned? If I look at 13.1 of this reference, I see that the THIRD_PARTY option
"MUST NOT be implemented or used" unless the network is trusted, and the example of trusted network
is the case where there's an ACL on PCP client/PCP server/network. 
Can you be more explicit in your recommendations?

3- You reference [Sec-DCP] but do not provide the URL, nor version number. Since this is an external
document, it would be great.
Also, the one I found (http://upnp.org/specs/gw/UPnP-gw-DeviceProtection-v1-Service.pdf
accessible from page http://upnp.org/specs/gw/deviceprotection1/) is from Feb. 2011, not 2009.

4- I don't see any threat model in this Security Discussions section.
There's good one in [I-D.ietf-pcp-base], but this is a different protocol, deployed differently.
What can we say for the IWF itself?
There are some elements in this section, some pointers, but I don't get any clear idea of the


Otherwise, regardless of any security consideration:

5- Fig. 1 mentions UPnP control point. Other figures of Section 3 mention IGD control point.
Is it the same? If yes, can you harmonize?
This figure also remains somewhat mysterious to me. Can you add some more text at the end of
the first paragraph of Introduction. And why does this figure appear after the "two configurations"

6- Introduction: you mention that two configurations are possible. Do you consider both of them?
What are the consequences of these two configurations on IWF?

As such, reading this introduction did not help me so much understanding the proposal. Section 3
is much better from that point of view.