[secdir] Early SecDir review of draft-ietf-trill-channel-tunnel-07
Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 30 August 2015 21:00 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 782871A92AF for <secdir@ietfa.amsl.com>; Sun, 30 Aug 2015 14:00:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VZtlwpC2jDx2 for <secdir@ietfa.amsl.com>; Sun, 30 Aug 2015 14:00:55 -0700 (PDT)
Received: from mail-wi0-x22d.google.com (mail-wi0-x22d.google.com [IPv6:2a00:1450:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 621711A9253 for <secdir@ietf.org>; Sun, 30 Aug 2015 14:00:55 -0700 (PDT)
Received: by wicfv10 with SMTP id fv10so46792546wic.1 for <secdir@ietf.org>; Sun, 30 Aug 2015 14:00:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:subject:to:message-id:date:user-agent:mime-version :content-type:content-transfer-encoding; bh=eYhpkSRzsdtqzfEzWf9KQRWH6wNi5GLmukpGzTnk5QQ=; b=UbsB2rG3xAhUc1wsxlSCyFiQ8LER1Ckt3jT3EgomYNmt2Iaw35YPfTxdHyzocftCix cGHtyp4nENtgsrRCczrB2kCk+IpR16pW+sndNn0LCjW2CWzA8/b55RODVjxvhA6veEkc apXYh38KtrQhymoKDPjVcdLqNX532xzhbh+KWFu726CPf4ORPX7Fro4U/jPAXCCLZo2m KRgPKW3zTCCZCbuQQj+fWo1/sfpzP4/u2+mCxkgUNZVmCekF1e3Qs45Q0BTqGS8jkFjJ ACiM+MgiNwePBtJnFZVG3lFA8HVFvF0zNIcpqlvgIXXsX7kBSibqrCps7iPS2Kp18gvT N3yw==
X-Received: by 10.194.58.130 with SMTP id r2mr23512245wjq.72.1440968454105; Sun, 30 Aug 2015 14:00:54 -0700 (PDT)
Received: from [10.0.0.8] (bzq-79-180-179-66.red.bezeqint.net. [79.180.179.66]) by smtp.googlemail.com with ESMTPSA id d17sm18936294wjs.32.2015.08.30.14.00.50 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 30 Aug 2015 14:00:52 -0700 (PDT)
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: IETF Security Directorate <secdir@ietf.org>, draft-ietf-trill-channel-tunnel.all@tools.ietf.org
Message-ID: <55E36EFC.6000508@gmail.com>
Date: Mon, 31 Aug 2015 00:00:44 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/m5FmN7gxI4OcFHPNiG_eXmaMy7g>
Subject: [secdir] Early SecDir review of draft-ietf-trill-channel-tunnel-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Aug 2015 21:00:57 -0000
This is an early security review, written at the request of the TRILL WG. The document defines a way to tunnel arbitrary frames of related control protocols within the TRILL "channel". Most of the document (and the focus of this review) is about security this tunnel. Summary I believe the draft is not ready for IETF LC in its current form. I assume the original intention was to use DTLS, but the use of DTLS is not well specified and the alternative that's proposed for multicast comes with inferior security. Details • In general, I don't understand why it makes sense to define a whole new security protocol, just for control-plane traffic of one specific protocol, important as it may be. At the very least I would expect an analysis of potential alternatives (IPsec? MACsec?) and why they do not fit this use case. • As a result of the home-brew transport protocol, we also don't get a standard key management protocol. • And from a process POV, the TRILL WG may not be the best place, as far as participants' expertise, to develop a security protocol. An early SecDir review certainly helps, but I'm not sure the current reviewer is capable of detecting every last issue that might be lurking in the protocol. • 4.1: the A and E bits are not guaranteed to be correct? Then why are they here? They describe critical security properties, and therefore someone is bound to use them to make critical policy decisions. If the bits' semantics are not guaranteed, we'd better drop them. • A bit: I think we are confusing authentication with integrity protection. With opportunistic security, you usually don't have authentication, but integrity protection is still worthwhile. • 4.2: Coverage - it would be nice if Fig. 2.1 showed the coverage of authentication (integrity protection!) and encryption. Why is an Ethernet frame's FCS not covered by integrity protection? Is there any non-malicious reason someone would want to modify the FCS in transit? • 4.3: "in some cases" - why not simply say, "When SType is 1 or 3"? • 4.3: why deconstruct HKDF and use HKDF-Expand instead of simply using the whole thing, including HKDF-Extract? • I am confused about 4.1 vs. 4.5, and specifically, what does the Size byte cover. I think this is incorrect in 4.5. • 4.6: this section starts with certificates (presumably, both client and server should authenticate with a cert) and then moves on to PSK. Are both allowed? • 4.6: TLS is rapidly moving toward perfect-forward secrecy. Why require a cipher suite that's being deprecated across all of industry (TLS_RSA_WITH_AES_128_CBC_SHA256)? • 4.6.: I am still unclear on how CT keys are derived from DTLS. • 4.6: Why have a TRILL-level key ID with DTLS-PSK has the notion of key ID? • 4.6: with certificates the frames may be very large. Does the protocol support such sizes? • 4.6: there should be a lot more text about how DTLS is used to wrap L2 frames. • 4.7: if this mode is assumed for multicast, what is the assumed/recommended mode for unicast? • Obviously integrity protection where the MAC key is shared with all peers is very weak. There are various ways to deal with that, starting with RSA signatures but including more efficient methods (TESLA comes to mind). Have you considered any of them? • 4.7.1: if the authentication data is variable length, you must ensure that the field that indicates its size is integrity-protected as well. • Actually, I'm not sure where this size is indicated. • It seems to me that a fully random 128-bit nonce would be both simpler to implement and more secure than the scheme proposed here. • Typo: designed -> designated. • 5: assuming we will have DTLS handshakes nested within CT, how are errors indicated? • General: is there any facility for replay protection? If no, why not? • 7: The more normative parts of the Security Considerations would probably fit nicely into a separate Applicability section. • 7: I think the document should be much more clear (normative) about what message types are allowed within the tunnel, or not. And possibly about required filtering by address.
- [secdir] Early SecDir review of draft-ietf-trill-… Yaron Sheffer
- Re: [secdir] Early SecDir review of draft-ietf-tr… Donald Eastlake
- [secdir] Fwd: Early SecDir review of draft-ietf-t… Donald Eastlake
- Re: [secdir] Early SecDir review of draft-ietf-tr… Donald Eastlake