Re: [secdir] SecDir review of draft-ietf-manet-dlep
"Christian Huitema" <huitema@huitema.net> Tue, 29 November 2016 03:04 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 115AF12A259 for <secdir@ietfa.amsl.com>; Mon, 28 Nov 2016 19:04:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.621
X-Spam-Level:
X-Spam-Status: No, score=-2.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vQ1SiAGNl13E for <secdir@ietfa.amsl.com>; Mon, 28 Nov 2016 19:04:44 -0800 (PST)
Received: from mx36-42.antispamcloud.com (mx36-42.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 104A51293DC for <secdir@ietf.org>; Mon, 28 Nov 2016 19:04:44 -0800 (PST)
Received: from xsmtp01.mail2web.com ([168.144.250.230]) by mx36.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.86) (envelope-from <huitema@huitema.net>) id 1cBYio-0002lx-75 for secdir@ietf.org; Tue, 29 Nov 2016 04:04:43 +0100
Received: from [10.5.2.15] (helo=xmail05.myhosting.com) by xsmtp01.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1cBYiI-0008L9-G7 for secdir@ietf.org; Mon, 28 Nov 2016 22:04:41 -0500
Received: (qmail 2593 invoked from network); 29 Nov 2016 03:04:07 -0000
Received: from unknown (HELO icebox) (Authenticated-user:_huitema@huitema.net@[72.235.151.78]) (envelope-sender <huitema@huitema.net>) by xmail05.myhosting.com (qmail-ldap-1.03) with ESMTPA for <draft-ietf-manet-dlep.all@ietf.org>; 29 Nov 2016 03:04:06 -0000
From: Christian Huitema <huitema@huitema.net>
To: 'Paul Hoffman' <paul.hoffman@vpnc.org>, "'Taylor, Rick'" <rick.taylor.external@airbus.com>
References: <30706_1479279750_582C0485_30706_8297_7_C7F1D029-C067-4AF6-9F40-436F7BA54311@vpnc.org> <B177F831FB91F242972D0C35F6A0733163AD92C3@SUCNPTEXM01.com.ad.uk.ds.corp> <0AE7C2DE-B316-4675-B7BE-EB9AC50ED955@vpnc.org>
In-Reply-To: <0AE7C2DE-B316-4675-B7BE-EB9AC50ED955@vpnc.org>
Date: Mon, 28 Nov 2016 17:04:03 -1000
Message-ID: <003b01d249ed$3f003260$bd009720$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJO58gflm7yviVf6/Cfvo0tY/H6ngJp8YIyAbfck2mf1Pcy0A==
Content-Language: en-us
X-Filter-ID: s0sct1PQhAABKnZB5plbIVbU93hg6Kq00BjAzYBqWlUcW8ntawmIBRrYFzUH2lbvx1wTMkEUUoeb KIhkyzl2dHEJL963yvZzofOAehTafloeD9ey9972JZ1Xcr1RWHu8UvfgoE7Tx8PYIcekOty5V3kY Ddr3TKXRcZQ4mEJmoSfmEQNc4kwsLgs13IMp2rYbUV8ShebT8U8Xw9HTDfreWQUhw0NOE6GJ4h1S yx3SVxxTMqX0PJmjOEykuntPB0mTf015vFX3Mr/p2bub/7pcobsBNjjE5Aa2bYPF/Ljub7D1nvJs XtU2nZ7nPOLF/Wn1ZymEi4ZQojpeZ03k33R0rsoAtgTaADGmLikT3swaYT40dKFOE3BfZETw255u BppYPVOv5BtNTjcagkYTbQLRBa8CWlWJ/Z52Y2lK4wxs0NlmM8dmYMoX9zl4nXWYGnFn3yzO1sNI xVAhudRU4os+nEeuHaHQ+7nQfs3MfDo0rdXACQIHPYrCd4PY+G/nx7QL+MTObVKxHy/dols381l9 ryOIyTwXkV5v9rYnjJeS/R+I6BZ65nwq5J5jOi1sCFUVVgW9/bktU41htiJ8fk7NkHtzJzDXtW19 p+oSJq/sPNS7pOEbN+JMueFd2wBL5ko+03rd0MueqeqFzadSbJ8EWv48M3dEN/L6l2KS1xSjSzJ8 mVtlmHTW6t+XF13aDiVUE2hrO9QGiyz48bSlEFaPeA==
X-Report-Abuse-To: spam@quarantine5.antispamcloud.com
X-Originating-IP: 168.144.250.230
X-SpamExperts-Domain: xsmtpout.mail2web.com
X-SpamExperts-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.24)
X-Classification: unsure/combined
X-Recommended-Action: accept
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/l7wmhyHn2u1Ew4kS_y6exNfhUrc>
Cc: draft-ietf-manet-dlep.all@ietf.org, 'secdir' <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-manet-dlep
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2016 03:04:45 -0000
On Tuesday, November 22, 2016 5:46 AM, Paul Hoffman wrote: > On 22 Nov 2016, at 3:34, Taylor, Rick (External) wrote: > >> Thank you for the review. A couple of quick comments: >> >> Did you review draft-ietf-manet-dlep-15 or draft-ietf-manet-dlep-25 >> (the latest)? As we have attempted to address the security comments >> raised by the WG and AD review. > > I reviewed -25; sorry for the typo in my report. I was asked to review draft-ietf-manet-credit-window-07, whose security properties are inherited from draft-ietf-manet-dlep-25, so I also reviewed draft-ietf-manet-dlep-25. Like Paul, I find the security of DLEP pretty weak. DLEP “requires that security of the implementations (e.g., authentication of stations, encryption of traffic, or both) is dealt with by utilizing Layer 2 security techniques.” This layer 2 security model is effectively an implementation of “perimeter security”, and has all the known issues with perimeter security. Two classic attacks are “finding a way to send packets through the perimeter” and “subvert a node already installed inside the perimeter”. The draft attempts to mitigate the first class of attacks by using the mechanism of RFC 5082, although it does not actually use it correctly. There is no mitigation for the “subverted node” attack. >> One area we have worked hard on addressing is mandating use of RFC5082 >> (Generalized TTL Security) on the link between router and modem (See >> Section 3.1). Not quite. RFC5082 suggests setting the TTL to 255 and checking the value on the received message. Your draft suggests setting the TTL value to 1, and checking the received value in the message. You need to fix that. >>... As you correctly state, DLEP does not have any inherent >> security mechanisms, and recommends link-layer security, such as >> 802.1X/AE, but we do mandate mechanisms to restrict the protocol to >> run over a single hop. As you point out, DLEP is a control-plane >> protocol and does not carry any user data. > > Noted. However, requiring TTL security doesn't prevent snooping or MITM > attacks. TTL security also does not provide any defense in depth. If the attackers manage to gain access inside the perimeter, all bets are off. And there is a history of such attacks, e.g., what if some test node on the secure link is infected by a virus. Your architecture has zero protection there. Any node can issue a discovery request, establish a DLEP session, and control the radio modem. That was OK in the 90's, but I do not believe that's acceptable now. -- Christian Huitema
- [secdir] SecDir review of draft-ietf-manet-dlep Paul Hoffman
- Re: [secdir] SecDir review of draft-ietf-manet-dl… Taylor, Rick (External)
- Re: [secdir] SecDir review of draft-ietf-manet-dl… Paul Hoffman
- Re: [secdir] SecDir review of draft-ietf-manet-dl… Christian Huitema
- Re: [secdir] SecDir review of draft-ietf-manet-dl… Taylor, Rick (External)
- Re: [secdir] SecDir review of draft-ietf-manet-dl… Christian Huitema
- Re: [secdir] SecDir review of draft-ietf-manet-dl… Ratliff, Stanley