IETF Logo Mail Archive

[secdir] Fwd: Re: SecDIR review of draft-holmberg-dispatch-received-realm-10

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 01 December 2016 13:04 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7259E1294FE; Thu, 1 Dec 2016 05:04:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.197
X-Spam-Level:
X-Spam-Status: No, score=-7.197 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-2.896, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AdFPMfrwn4LF; Thu, 1 Dec 2016 05:04:10 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1A3B129498; Thu, 1 Dec 2016 05:04:09 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id CFE0DBE2C; Thu, 1 Dec 2016 13:04:06 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F2EExNX3XAM8; Thu, 1 Dec 2016 13:04:04 +0000 (GMT)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id C0519BECA; Thu, 1 Dec 2016 13:03:58 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1480597439; bh=WbX4A/EWEjSS+DkI8SkwBayTBDuisa+HNkj55kUN53E=; h=Subject:References:To:Cc:From:Date:In-Reply-To:From; b=Av99dTCZnFKpE3cUIcQdtowQYIkj4D7kF2eC0v6YX/HVJy5GiwcFhF5kIj+OPRWNf wA8SYdCLA7j0zacu6xJyyDgxZTwu+tys/otwxeSnMP9WT17oYkp/EqkTxd9dtysDr+ b+FoAIYb+vL+RfCmRN6RVwjAbAteL0nHpXDdrG2o=
References: <D465AE4A.13EFF%christer.holmberg@ericsson.com>
To: "secdir@ietf.org" <secdir@ietf.org>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
X-Forwarded-Message-Id: <D465AE4A.13EFF%christer.holmberg@ericsson.com>
Message-ID: <d14d8741-157c-2ab6-b45f-71907dde114c@cs.tcd.ie>
Date: Thu, 01 Dec 2016 13:03:58 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <D465AE4A.13EFF%christer.holmberg@ericsson.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms090203020201040703090200"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/s7AoJfRUB2wcFVg_CMMlAPndlh8>
Cc: Phillip Hallam-Baker <phill@hallambaker.com>, draft-holmberg-dispatch-received-realm@ietf.org
Subject: [secdir] Fwd: Re: SecDIR review of draft-holmberg-dispatch-received-realm-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Dec 2016 13:04:13 -0000

(Just forwarding this here as it the list wasn't cc'd on the discussion
but I wanted to be able to point at this in the archive in my ballot.)

S


-------- Forwarded Message --------
Subject: Re: SecDIR review of draft-holmberg-dispatch-received-realm-10
Date: Thu, 1 Dec 2016 08:52:10 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Phillip Hallam-Baker <phill@hallambaker.com>
CC: draft-holmberg-dispatch-received-realm@ietf.org
<draft-holmberg-dispatch-received-realm@ietf.org>, The IESG <iesg@ietf.org>

Hi,

>>>>I have reviewed this document as part of the security directorate's
>>>>ongoing effort to review all IETF documents being processed by the
>>>>IESG. These comments were written primarily for the benefit of the
>>>>security area directors. Document editors and WG chairs should treat
>>>>these comments just like any other last call comments.
>>>
>>>Summary: Needs some additional explanation
>>>
>>>The basic mechanisms look fine. What I am less happy with are the security considerations.
>>>
>>>>The security challenge in SIP is trying to introduce security into a legacy infrastructure that has none. As such, there is inevitably an element of attempting to nail jello to a wall: the nails
>>>>are strong enough but the jello is not. I think there needs to be more discussion of the potential shortcomings of the input data.
>>>
>>>I am not sure I understand. Is your comment related to the SIP information used to create the signature, or?

​>>Yes, how is the interpreter meant to interpret the signed data? Just
because data is signed does not make it trustworthy. All that is known
is who signed it. There are two main sources of concern:
>>
>>1) The signer may be malicious
>>
>>2) The signer may be signing data received from an untrustworthy source.
>>
>>The second is the bigger concern as it may well be inevitable. But it is a concern that needs to be explained.​
>>
>>Note that the received realm parameter value is inserted, signed, verified and consumed within the same operator network. It is not received from elsewhere.
>>
>>The other SIP information elements that are used when calculating the signature will be forwarded anyway (which is the reason we use Annex F).
>>
>>In the initial versions of the draft, the information wasn’t even signed. The operator network entry node simply inserted the received-realm parameter in the SIP request unsigned.
>>
​>>That was not apparent when I read the draft. I think it needs to be
made explicit in the security considerations section. ​
>>
​>>Intra-organization trust is easier to manage than inter-organization
trust.​
>
>What about adding the following paragraph to the Security Considerations?
>
>"The received-realm Via header field parameter is inserted, signed, verified and consumed within an operator network.
>The operator MUST discard parameters received >from another network, and the parameter MUST only be inserted by
>SIP entities that are able to verify from which adjacent upstream network a SIP request is received."

​>That helps a lot​

Great! I will add it.


>>>>The other issue I had was with the requirements for administration of keys. There is a MUST here: "The operator MUST change the key on a frequent basis."
>>>>
>>>>What is the security concern driving this requirement? Changing keys has security costs as well as benefits. It is not something that should be done for the sake of it.
>>>
>>>I think the concern is the same as for keys in general: to avoid a valid key getting into the "wrong hands".
>>>
​>>> Every security control should have a reason.
>>>
>>> Key rollover limits the damage that a single key compromise can cause but introduces an additional point of vulnerability. So it is not to be done just because
​​
it is assumed to be good practice. ​
>>>
​>>> Rather than introducing a MUST here, it would be more appropriate
to point to a document on key management. I think EKR wrote one. I will
look it up.
>>
​>> Given the previous comment, I think it would be rather more useful
to adopt an approach where every signing device has its own key, the key
is bound to the device using hardware techniques that resist extraction
and any expiry mechanism is driven by the system for tracking​

​the devices.​
>
> In today’s world of clouds, virtualisation etc, where users have little or no influence/access to the hardware, I think it would be difficult to mandate such thing.
>
​> True, but right now you have a MUST in the security considerations
that cuts against that approach.
>
> I suggest you drop the MUST - which isn't actually enforceable as I see it and instead state the considerations that should drive key management.​


Ok, I will drop the MUST.

Regarding “state the considerations that should drive key management”,
does the following text help?

“The operator MUST use a key management policy that protects agains
unauthorised access to the stored keys within nodes where they keys are
stored, and that protects against crypto analysis attacks using captured
data sent on the wire.”

I am sure there is LOTS more details that could be said about key
management, but in that case it would probably be better to add a
reference rather than copy/paste everything :)

Regards,

Christer

v2.23.0 | Report a Bug | By Email