Re: [secdir] SecDir review of draft-ietf-6man-dns-options-bis-03

Vincent Roca <vincent.roca@inrialpes.fr> Tue, 20 July 2010 10:25 UTC

Return-Path: <secdir-bounces@mit.edu>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9A34B3A6C5F for <secdir@core3.amsl.com>; Tue, 20 Jul 2010 03:25:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.505
X-Spam-Level:
X-Spam-Status: No, score=-5.505 tagged_above=-999 required=5 tests=[AWL=-0.744, BAYES_05=-1.11, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hbauYYbMxESj for <secdir@core3.amsl.com>; Tue, 20 Jul 2010 03:25:13 -0700 (PDT)
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by core3.amsl.com (Postfix) with ESMTP id B803A3A6C6B for <secdir@ietf.org>; Tue, 20 Jul 2010 03:25:11 -0700 (PDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o6KAPQfm017364 for <secdir@ietf.org>; Tue, 20 Jul 2010 06:25:26 -0400
Received: from mailhub-dmz-2.mit.edu (MAILHUB-DMZ-2.MIT.EDU [18.7.62.37]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id o6KAPNd3017358 for <secdir@PCH.mit.edu>; Tue, 20 Jul 2010 06:25:24 -0400
Received: from dmz-mailsec-scanner-2.mit.edu (DMZ-MAILSEC-SCANNER-2.MIT.EDU [18.9.25.13]) by mailhub-dmz-2.mit.edu (8.13.8/8.9.2) with ESMTP id o6KAPFf5001663 for <secdir@mit.edu>; Tue, 20 Jul 2010 06:25:23 -0400
X-AuditID: 1209190d-b7c82ae000000a16-af-4c45799488a1
Received: from mail1-relais-roc.national.inria.fr (mail1-relais-roc.national.inria.fr [192.134.164.82]) by dmz-mailsec-scanner-2.mit.edu (Symantec Brightmail Gateway) with SMTP id 68.E7.02582.599754C4; Tue, 20 Jul 2010 06:25:25 -0400 (EDT)
X-IronPort-AV: E=Sophos;i="4.55,231,1278280800"; d="scan'208";a="64118082"
Received: from zmbs1.inria.fr ([128.93.142.14]) by mail1-relais-roc.national.inria.fr with ESMTP; 20 Jul 2010 12:25:22 +0200
Date: Tue, 20 Jul 2010 12:24:28 +0200 (CEST)
From: Vincent Roca <vincent.roca@inrialpes.fr>
To: Jaehoon Jeong <pjeong@Brocade.com>
Message-ID: <2060945452.10380.1279621468787.JavaMail.root@zmbs1.inria.fr>
In-Reply-To: <5A6980BCAE9E6D438D4D8A05540F6FB70115649BE6@BRM-EXCH-3.corp.brocade.com>
MIME-Version: 1.0
X-Originating-IP: [194.199.24.116]
X-Mailer: Zimbra 6.0.7_GA_2470.RHEL5_64 (ZimbraWebClient - SAF3 (Mac)/6.0.7_GA_2470.RHEL5_64)
X-Brightmail-Tracker: AAAAAhUrKiQVLCSW
X-MIME-Autoconverted: from quoted-printable to 8bit by pch.mit.edu id o6KAPNd3017358
X-BeenThere: secdir@mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: secdir-bounces@mit.edu
Errors-To: secdir-bounces@mit.edu
Cc: 6man Chairs <6man-chairs@tools.ietf.org>, secdir@mit.edu, draft-ietf-6man-dns-options-bis all <draft-ietf-6man-dns-options-bis.all@tools.ietf.org>, Jari Arkko <jari.arkko@piuha.net>, IESG <iesg@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-6man-dns-options-bis-03
X-BeenThere: secdir@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Jul 2010 10:25:15 -0000

Dear authors,

First of all, sorry for this late answer.

Otherwise I read -06 version and I'm now happy with modifications
made in Section 5.3.

Concerning Section 7 "Security Considerations", I still find the
current text confusing (sorry):

- there is no clear discussion of what are the additional
  threats specific to the proposed RDNSS/DNSSL. 
  Instead I see a discussion explaining that the situation is
  not worse than before because an attacker can launch other
  types of attacks on ND. You're right and you can mention this
  quickly, but do not limit yourself to such a discussion.

- the new text on SEND is much better. However there is no
  explicit recommendation (no RECOMMENDED/SHOULD keyword).
  How should I understand this? Is it deliberate? Why?


So I suggest that you add two subsections (with a suggested
structure):
    7.1. Security threats
         <specific attacks on RDNSS/DNSSL>
         <how to launch them (rogue router or forged packets)>
         <in fact the situation is not worse than ND or DHCP
          attacks>
    7.2. Recommendations
         <port filtering in case of wired networks is RECOMMENDED>
         <mitigation at the DNS resolver is RECOMMENDED>
         <SEND is RECOMMENDED>

NB: In paragraph discussing filtering on switches:
"is recommended" -> "is RECOMMENDED"

NB2: I wouldn't like to give you the feeling that I set myself
against you, this is not my goal.


Cheers,

   Vincent


----- Original Message -----
> From: "Jaehoon Jeong" <pjeong@Brocade.com>;
> To: "Jari Arkko" <jari.arkko@piuha.net>;
> Cc: "Vincent Roca" <vincent.roca@inrialpes.fr>;, "draft-ietf-6man-dns-options-bis all"
> <draft-ietf-6man-dns-options-bis.all@tools.ietf.org>;, secdir@mit.edu, "IESG" <iesg@ietf.org>;, "6man Chairs"
> <6man-chairs@tools.ietf.org>;
> Sent: Tuesday, July 6, 2010 4:37:06 PM
> Subject: RE: SecDir review of draft-ietf-6man-dns-options-bis-03
> Hi Jari,
> Is this update fine to you along with Section 5.3.2 (Warnings for DNS
> Options Configuration)?
> 
> The difference between 05-version and 06-version is located at:
> http://www-users.cs.umn.edu/~jjeong/publications/ietf-internet-draft/wdiff%20draft-ietf-6man-dns-options-bis-05_txt%20draft-ietf-6man-dns-options-bis-06_txt.htm
> 
> If so, I will submit the version 06-ID today.
> 
> Thanks.
> 
> Best Regards,
> Paul
> 
> -----Original Message-----
> From: Jaehoon Jeong [mailto:pjeong@Brocade.com]
> Sent: Saturday, July 03, 2010 12:33 PM
> To: Vincent Roca
> Cc: Jari Arkko; draft-ietf-6man-dns-options-bis.all@tools.ietf.org;
> secdir@mit.edu; IESG; 6man Chairs
> Subject: RE: SecDir review of draft-ietf-6man-dns-options-bis-03
> 
> Hi Vincent,
> I would like to address your comments as below.
> 
> The updated I-D is located in the following link:
> http://www-users.cs.umn.edu/~jjeong/publications/ietf-internet-draft/draft-ietf-6man-dns-options-bis-06.txt
> 
> On Sat, Jul 3, 2010 at 11:31 AM, Jaehoon Jeong <pjeong@brocade.com>;
> wrote:
> >
> >
> > -----Original Message-----
> > From: Vincent Roca [mailto:vincent.roca@inrialpes.fr]
> > Sent: Saturday, July 03, 2010 8:04 AM
> > To: Jaehoon Jeong
> > Cc: Jari Arkko; draft-ietf-6man-dns-options-bis.all@tools.ietf.org;
> > secdir@mit.edu; IESG; 6man Chairs; vincent.roca@inrialpes.fr
> > Subject: Re: SecDir review of draft-ietf-6man-dns-options-bis-03
> >
> > Dear authors,
> >
> > Thanks for your prompt reply. A few additional comments (it's my
> > role
> > ;-))
> >
> > ** new "Security Considerations" section says:
> >>    This attack
> >>    is similar to Neighbor Discovery attacks that use Redirect or
> >>    Neighbor Advertisement messages to redirect traffic to
> >>    individual
> >>    addresses to malicious parties. In general, the attacks related
> >>    to
> >>    RDNSS and DNSSL are similar to both Neighbor Discovery attacks
> >>    and
> >>    attacks against unauthenticated DHCP, as both can be used for
> >>    both
> >>    "wholesale" traffic redirection and more specific attacks.
> >>
> > You're right, other attacks are possible that lead to the same
> > result. ND and unauthenticated DHCP are such possibilities. However,
> > IMHO this is not a sufficient reason not to RECOMMEND a security
> > solution for RA.
> > Indeed, if ND / DHCP are made robust but nothing is done for RA,
> > then the threat remains.
> >
> > So the updated text does not fully satisfies me, even if the new
> > paragraph is more clear than the old one.
> 
> I reorganize the text such that the description for SEND (as a
> security solution for RA) follows the above paragraph:
> ...
> In general, the attacks related to RDNSS and DNSSL are similar to both
> Neighbor Discovery attacks and attacks against unauthenticated DHCP,
> as both can be used for both "wholesale" traffic redirection and more
> specific attacks.
> 
> If the Secure Neighbor Discovery (SEND) protocol [RFC3971] is used as
> a security mechanism for ND, all the ND options including the RDNSS
> and DNSSL options are automatically included in the signatures, so
> the transport for the RA options is integrity-protected; that is,
> SEND can prevent the spoofing of these DNS options with signatures.
> Also, SEND enables an IPv6 host to verify that the sender of an RA is
> actually a router authorized to act as a router. However, since any
> valid SEND router can still insert RDNSS and DNSSL options, SEND
> cannot verify which one is or is not authorized to send the options.
> 
> >
> >>> ** Section 7:
> >>> Another point... the authors explain than network devices like
> >>> switches can be configured in such a way to disable ND/DHCP from
> >>> some ports. That's great and I agree it helps preventing attacks.
> >>> However this is limited to wired networks. Nothing is said
> >>> concerning ND configurations in wireless networks. The situation
> >>> is
> >>> rather different since any host can issue ND/DHCP traffic as if it
> >>> were a legitimate server if I understand correctly. The document
> >>> MUST include this kind of discussion.
> >>>
> >>>
> >> But this is generic issue with spoofing RAs and I am not sure it is
> >> the task of this document to specify the solutions. One solution
> >> exists in SEND (RFC 3791).
> >>
> > Once again I agree. You don't have to specify technical solutions.
> > However you need to provide a good security analysis, perhaps
> > inherited from that of the base RA document for the generic RA
> > threats, with some text describing the additional threats added by
> > the proposed extensions. And since security solutions exist
> > elsewhere (SEND), you should recommend their use. That's your
> > responsibility.
> 
> In the following paragraph, we address that SEND can prevent such RA
> DNS option spoofing:
> 
> If the Secure Neighbor Discovery (SEND) protocol [RFC3971] is used as
> a security mechanism for ND, all the ND options including the RDNSS
> and DNSSL options are automatically included in the signatures, so
> the transport for the RA options is integrity-protected; that is,
> SEND can prevent the spoofing of these DNS options with signatures.
> Also, SEND enables an IPv6 host to verify that the sender of an RA is
> actually a router authorized to act as a router. However, since any
> valid SEND router can still insert RDNSS and DNSSL options, SEND
> cannot verify which one is or is not authorized to send the options.
> 
> >
> >>> ** Section 7:
> >>> Yet another remark: SEND is listed as one potential solution to
> >>> add
> >>> signatures in ND packets issued from servers.
> >>> I don't know SEND at all, so may be my remarks are flawed (but in
> >>> that case the text should be at least clarified).
> >>> - Shouldn't the use of SEND be RECOMMENDED as a solution to
> >>> mitigate
> >>> attacks? Current document is not clear.
> >>> - Does SEND enable an authentication of the sender (the document
> >>> only mentions integrity protection)? If there's no sender
> >>> authentication, then I agree that the added value of SEND would be
> >>> limited. I'd like the authors to clarify this as well.
> >>>
> >>>
> >> The details are in RFC 3791 and its companion documents. SEND does
> >> enable a host to verify that the sender of an RA is actually a
> >> router
> >> authorized to act as a router.
> >>
> >
> > The text in your proposed I-D update does not reflect this. Can you
> > add it? Being able to authenticate the sender is as important as
> > being able to check the packet integrity.
> 
> According to the comments, the checking for valid router is mentioned
> in the middle:
> 
> If the Secure Neighbor Discovery (SEND) protocol [RFC3971] is used as
> a security mechanism for ND, all the ND options including the RDNSS
> and DNSSL options are automatically included in the signatures, so
> the transport for the RA options is integrity-protected; that is,
> SEND can prevent the spoofing of these DNS options with signatures.
> Also, SEND enables an IPv6 host to verify that the sender of an RA is
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> actually a router authorized to act as a router. However, since any
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> valid SEND router can still insert RDNSS and DNSSL options, SEND
> cannot verify which one is or is not authorized to send the options.
> 
> >
> > ** I'm coming back to a comment I made earlier and that has not been
> > answered.
> >
> > In the updated I-D, section 5.3.1, I read:
> >
> >  "In the case where the DNS options of RDNSS and DNSSL can be
> >  obtained
> >   from multiple sources, such as RA and DHCP, the IPv6 host SHOULD
> >   keep
> >   some DNS options from all sources. "
> >
> > I don't see (but I read very quickly so I may have missed
> > something) that secured RA/RDNSS/DNSSL messages be preferred in the
> > choice. If some RA use SEND, they must be preferred over others.
> >
> 
> In Section 5.3.1, the considerations on SEND is mentioned as follows:
> 
> In the case where the DNS options of RDNSS and DNSSL can be obtained
> from multiple sources, such as RA and DHCP, the IPv6 host SHOULD keep
> some DNS options from all sources. Unless explicitly specified for
> the discovery mechanism, the exact number of addresses and domain
> names to keep is a matter of local policy and implementation choice.
> However, it is RECOMMENDED that at least three RDNSS addresses (or
> DNSSL domain names) can be stored from at least two different
> sources. The DNS options from Router Advertisements and DHCP SHOULD
> be stored into DNS Repository and Resolver Repository so that
> information from DHCP appears there first and therefore takes
> precedence. Thus, the DNS information from DHCP takes precedence
> over that from RA for DNS queries. On the other hand, for DNS
> ^^^^^^^^^^^^^^^^^^^^^^^^^
> options announced by RA, if some RAs use the Secure Neighbor
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Discovery (SEND) protocol [RFC3971] for RA security, they MUST be
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> preferred over those which do not use SEND. Refer to Section 7 for
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> the detailed discussion on SEND for RA DNS options.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> > I hope my comments are useful.
> > Cheers,
> >
> >    Vincent
> >
> 
> Thanks for your efforts on the improvement for this document.
> 
> Best Regards,
> Paul

_______________________________________________
secdir mailing list
secdir@mit.edu
https://mailman.mit.edu/mailman/listinfo/secdir