IETF Logo Mail Archive

[secdir] secdir review of draft-ietf-savi-mix-12

"Scott G. Kelly" <scott@hyperthought.com> Fri, 25 November 2016 16:37 UTC

Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C0CB1294E1 for <secdir@ietfa.amsl.com>; Fri, 25 Nov 2016 08:37:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yDx0JsvtzlH9 for <secdir@ietfa.amsl.com>; Fri, 25 Nov 2016 08:37:56 -0800 (PST)
Received: from smtp74.iad3a.emailsrvr.com (smtp74.iad3a.emailsrvr.com [173.203.187.74]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 425711293F9 for <secdir@ietf.org>; Fri, 25 Nov 2016 08:37:56 -0800 (PST)
Received: from smtp10.relay.iad3a.emailsrvr.com (localhost [127.0.0.1]) by smtp10.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 5B9335DB6; Fri, 25 Nov 2016 11:37:55 -0500 (EST)
Received: from app15.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140]) by smtp10.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 4DA8B5DB4; Fri, 25 Nov 2016 11:37:55 -0500 (EST)
X-Sender-Id: scott@hyperthought.com
Received: from app15.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140]) by 0.0.0.0:25 (trex/5.7.12); Fri, 25 Nov 2016 11:37:55 -0500
Received: from hyperthought.com (localhost [127.0.0.1]) by app15.wa-webapps.iad3a (Postfix) with ESMTP id 3ED7BE0064; Fri, 25 Nov 2016 11:37:55 -0500 (EST)
Received: by apps.rackspace.com (Authenticated sender: scott@hyperthought.com, from: scott@hyperthought.com) with HTTP; Fri, 25 Nov 2016 08:37:55 -0800 (PST)
Date: Fri, 25 Nov 2016 08:37:55 -0800
From: "Scott G. Kelly" <scott@hyperthought.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-savi-mix.all@ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Importance: Normal
X-Priority: 3 (Normal)
X-Type: plain
X-Auth-ID: scott@hyperthought.com
Message-ID: <1480091875.2556323@apps.rackspace.com>
X-Mailer: webmail/12.6.2-RC1
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/o6jBKYpaiGO86FDXG9uXlr5b0PM>
Subject: [secdir] secdir review of draft-ietf-savi-mix-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Nov 2016 16:37:57 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

summary: Ready with issues

This document describes how multiple Source Address Validation Improvement (SAVI) methods can coexist in a single SAVI device and how collisions are resolved when the same binding entry is discovered by two or more methods.

This is my first exposure to SAVI. In reviewing this document, I skimmed RFCs 7219, 7513, 6620, 7039, and 4862.

I have a few comments on the Security Considerations text. The first paragraph says, 

   SAVI MIX does not eliminate the security problems of each SAVI
   method.  Thus, the potential attacks, e.g., the DoS attack against
   the SAVI device resource, can still happen.  In deployment, the
   security threats from each enabled SAVI methods should be prevented
   by the corresponding proposed solutions in each document.

Two comments on this: first, not only does SAVI MIX not improve on or reduce the security concerns for each implemented SAVI method, but in fact, combining methods (as in SAVI MIX) may increase susceptibility to DoS attacks. This is hinted at in the next paragraph, but it would be better to call this out directly. For the 3rd sentence, you might try, “In deployment, security considerations for each enabled SAVI method should be addressed as described in the associated RFC.”

The second paragraph says,

   SAVI MIX is only a binding setup/removal arbitration mechanism.  It
   does not introduce additional security threats if the arbitration is
   reasonable.  However, there is a slight problem.  SAVI MIX is more
   tolerant about binding establishment than each SAVI method alone.  As
   long as one of the enabled SAVI methods generates a binding, the
   binding will be applied.  As a result, the allowed number of SAVI
   bindings or allowed SAVI binding setup rate will be the sum of that
   of all the enabled SAVI methods.  In deployment, whether a SAVI
   device is capable of supporting the resulting resource requirements
   should be evaluated.

What constitutes “reasonable” arbitration? Shouldn’t this document spell that out? The document comments that SAVI is more “tolerant”, but shouldn’t this point out that mixing methods potentially reduces the security level to that of the weakest supported method (because of the FCFS suggestion below) unless additional steps (e.g. requiring non-overlapping address spaces for different methods) are taken?

v2.23.0 | Report a Bug | By Email