Re: [secdir] Secdir review of draft-ietf-pcp-upnp-igd-interworking-07

<mohamed.boucadair@orange.com> Fri, 26 April 2013 08:43 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9737F21F97E0; Fri, 26 Apr 2013 01:43:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.448
X-Spam-Level:
X-Spam-Status: No, score=-1.448 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, SARE_SUB_RAND_LETTRS4=0.799, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 90POjy6GPXtk; Fri, 26 Apr 2013 01:43:46 -0700 (PDT)
Received: from relais-inet.francetelecom.com (relais-ias92.francetelecom.com [193.251.215.92]) by ietfa.amsl.com (Postfix) with ESMTP id 07B6421F96A8; Fri, 26 Apr 2013 01:43:45 -0700 (PDT)
Received: from omfedm07.si.francetelecom.fr (unknown [xx.xx.xx.3]) by omfedm13.si.francetelecom.fr (ESMTP service) with ESMTP id B05BE324762; Fri, 26 Apr 2013 10:43:44 +0200 (CEST)
Received: from PUEXCH11.nanterre.francetelecom.fr (unknown [10.101.44.27]) by omfedm07.si.francetelecom.fr (ESMTP service) with ESMTP id 904824C017; Fri, 26 Apr 2013 10:43:44 +0200 (CEST)
Received: from PUEXCB1B.nanterre.francetelecom.fr ([10.101.44.12]) by PUEXCH11.nanterre.francetelecom.fr ([10.101.44.27]) with mapi; Fri, 26 Apr 2013 10:43:44 +0200
From: <mohamed.boucadair@orange.com>
To: Vincent Roca <vincent.roca@inria.fr>, IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-pcp-upnp-igd-interworking.all@tools.ietf.org" <draft-ietf-pcp-upnp-igd-interworking.all@tools.ietf.org>
Date: Fri, 26 Apr 2013 10:43:41 +0200
Thread-Topic: Secdir review of draft-ietf-pcp-upnp-igd-interworking-07
Thread-Index: Ac5Bk3OFDBA0LMDhTwis8wX5lfVuFwAw5dvg
Message-ID: <94C682931C08B048B7A8645303FDC9F36EC9B4978E@PUEXCB1B.nanterre.francetelecom.fr>
References: <D06277F3-FFB3-4CD9-95AB-A1D843AD88DF@inria.fr>
In-Reply-To: <D06277F3-FFB3-4CD9-95AB-A1D843AD88DF@inria.fr>
Accept-Language: fr-FR
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: fr-FR
Content-Type: multipart/alternative; boundary="_000_94C682931C08B048B7A8645303FDC9F36EC9B4978EPUEXCB1Bnante_"
MIME-Version: 1.0
X-PMX-Version: 5.6.1.2065439, Antispam-Engine: 2.7.2.376379, Antispam-Data: 2013.4.25.35414
Subject: Re: [secdir] Secdir review of draft-ietf-pcp-upnp-igd-interworking-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Apr 2013 08:43:50 -0000

Dear Vincent,

Thank you for the review.

Please see inline.
Cheers,
Med

De : Vincent Roca [mailto:vincent.roca@inria.fr]
Envoyé : jeudi 25 avril 2013 11:01
À : IESG; secdir@ietf.org; draft-ietf-pcp-upnp-igd-interworking.all@tools.ietf.org
Cc : Vincent Roca
Objet : Secdir review of draft-ietf-pcp-upnp-igd-interworking-07

Hello,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

--

1- Authors refer to [IGD2] (which is produced by UPnP), saying that the authorization framework
defined there SHOULD be used. However I haven't found the description of such a framework
in [IGD2] (I've looked at the Content Table and searched "Authorization" keyword). Can you be
more explicit in your reference?


[Med] This basically refers to access and authorization levels discussed in [IGD2]. Perhaps, "Framework" is confusing here. What about tis change:



OLD:

 "The IGD:2 authorization framework SHOULD be used [IGD2<http://tools.ietf.org/html/draft-ietf-pcp-upnp-igd-interworking-08#ref-IGD2>]."



NEW:

"The IGD:2 access and authorization considerations discussed in [IGD2<http://tools.ietf.org/html/draft-ietf-pcp-upnp-igd-interworking-08#ref-IGD2>;] SHOULD be taken into account."

Additionally  [IGD2] says (p.10):
        "IGD 2 introduces access control features. [IGD2] RECOMMENDS access control requirements
        and authorization levels to be applied by default. However, devices MAY choose a different
        security policy,"
I do not understand the consequences of devices choosing a different security policy, and how it
relates to your I-D.

then, same page:
        "In the 2-box model, where the control point is in the same device that desires to receive
        communication through the NAT, [IGD2] RECOMMENDS that access control is not needed. But in
        the 3-box model, where the control point is configuring NAT port mappings for a third device,
        [IGD2] RECOMMENDS that authentication and authorization is used."
It's not clear to me in which case of [IGD2] your I-D corresponds to.
[Med] Both cases are covered for IGD:2. For the IGD:1 case, only the 3-box model is recommended:


"When only

   IGD:1 is available, operation on the behalf of a third party SHOULD

   NOT be allowed.
"

2- It is said:
"Means to prevent a malicious user from creating mappings on behalf of a third party must be enabled
as discussed in Section 13.1 of [I-D.ietf-pcp-base]."
What are the means mentioned? If I look at 13.1 of this reference, I see that the THIRD_PARTY option
"MUST NOT be implemented or used" unless the network is trusted, and the example of trusted network
is the case where there's an ACL on PCP client/PCP server/network.
Can you be more explicit in your recommendations?
[Med] I made the following change :

OLD:

   This document defines a procedure to create PCP mappings for third

   party devices belonging to the same subscriber.  Means to prevent a

   malicious user from creating mappings on behalf of a third party must

   be enabled as discussed in Section 13.1 of [I-D.ietf-pcp-base<http://tools.ietf.org/html/draft-ietf-pcp-upnp-igd-interworking-08#ref-I-D.ietf-pcp-base>;].

NEW:

   This document defines a procedure to create PCP mappings for third
   party devices belonging to the same subscriber.  Means to prevent a
   malicious user from creating mappings on behalf of a third party must
   be enabled as discussed in Section 13.1 of [I-D.ietf-pcp-base].  In
   particular, THIRD_PARTY option MUST NOT be enabled unless the network
   on which the PCP messages are to be sent is fully trusted.  For
   example if access control lists are installed on the PCP client, PCP
   server, and the network between them, so those ACLs allow only
   communications from a trusted PCP client to the PCP server.

Better?


3- You reference [Sec-DCP] but do not provide the URL, nor version number. Since this is an external
document, it would be great.
Also, the one I found (http://upnp.org/specs/gw/UPnP-gw-DeviceProtection-v1-Service.pdf
accessible from page http://upnp.org/specs/gw/deviceprotection1/) is from Feb. 2011, not 2009.

[Med] Fixed. Thanks.

4- I don't see any threat model in this Security Discussions section.
There's good one in [I-D.ietf-pcp-base], but this is a different protocol, deployed differently.
What can we say for the IWF itself?
[Med] This document does not define a new protocol. [I-D.ietf-pcp-base] discusses security considerations without any assumption on how PCP messages are triggered: user interface, application, etc. This document focuses on the particular case where PCP messages are triggered by IGD ones. As such this document does not change the threat model discussed in the base PCP specification. For the UPnP IGD leg, we provided some security recommendations defined by the UPnP Forum.

There are some elements in this section, some pointers, but I don't get any clear idea of the
situation.

--

Otherwise, regardless of any security consideration:

5- Fig. 1 mentions UPnP control point. Other figures of Section 3 mention IGD control point.
Is it the same? If yes, can you harmonize?
[Med] Fixed. Only 'IGD Control Point' is used now.

This figure also remains somewhat mysterious to me. Can you add some more text at the end of
the first paragraph of Introduction. And why does this figure appear after the "two configurations"
discussion?
[Med] The figure is now positioned just after the first paragraph.

6- Introduction: you mention that two configurations are possible. Do you consider both of them?
What are the consequences of these two configurations on IWF?
[Med] Both configurations are in scope. I made the following change to make this explicit:

OLD:



   Two configurations are considered:



   o  No NAT function is embedded in the IGD.  This is required for

      instance in DS-Lite or NAT64 deployments;

   o  The IGD embeds a NAT function.

NEW:

   Two configurations are considered within this document:

   o  No NAT function is embedded in the IGD (Section 5.4).  This is
      required for instance in DS-Lite or NAT64 deployments;
   o  The IGD embeds a NAT function (Section 5.5).

As such, reading this introduction did not help me so much understanding the proposal. Section 3
is much better from that point of view.

Cheers,

  Vincent