Re: [secdir] secdir review of draft-ietf-rohc-rfc4995bis-01
Stephen Hanna <shanna@juniper.net> Sat, 12 December 2009 12:00 UTC
Return-Path: <shanna@juniper.net>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3E4853A68B3; Sat, 12 Dec 2009 04:00:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aIWEPbFcA2jZ; Sat, 12 Dec 2009 04:00:00 -0800 (PST)
Received: from exprod7og117.obsmtp.com (exprod7og117.obsmtp.com [64.18.2.6]) by core3.amsl.com (Postfix) with ESMTP id 63E2D3A67BE; Sat, 12 Dec 2009 03:59:55 -0800 (PST)
Received: from source ([66.129.224.36]) (using TLSv1) by exprod7ob117.postini.com ([64.18.6.12]) with SMTP ID DSNKSyOFrtiDcSVd/Ekz2K2d86JO5gjw3fOc@postini.com; Sat, 12 Dec 2009 03:59:48 PST
Received: from p-emfe01-wf.jnpr.net (172.28.145.24) by P-EMHUB02-HQ.jnpr.net (172.24.192.36) with Microsoft SMTP Server (TLS) id 8.1.393.1; Sat, 12 Dec 2009 03:59:11 -0800
Received: from EMBX01-WF.jnpr.net ([fe80::1914:3299:33d9:e43b]) by p-emfe01-wf.jnpr.net ([fe80::d0d1:653d:5b91:a123%11]) with mapi; Sat, 12 Dec 2009 06:59:10 -0500
From: Stephen Hanna <shanna@juniper.net>
To: "kristofer.sandlund@ericsson.com" <kristofer.sandlund@ericsson.com>, "pele@sm.luth.se" <pele@sm.luth.se>, "lars-erik@lejonsson.com" <lars-erik@lejonsson.com>
Date: Sat, 12 Dec 2009 06:58:45 -0500
Thread-Topic: secdir review of draft-ietf-rohc-rfc4995bis-01
Thread-Index: Acp4MKAIMZ3QHusWS0yAOB7er4hAdgCe2nhgAAsvEsAAElokIA==
Message-ID: <AC6674AB7BC78549BB231821ABF7A9AE8FFA34B821@EMBX01-WF.jnpr.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-rohc-rfc4995bis-01
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Dec 2009 12:00:01 -0000
I see that issue 1) below has been addressed in a new version of the draft posted earlier this week. Never mind on that. Thanks, Steve > -----Original Message----- > From: Stephen Hanna > Sent: Friday, December 11, 2009 10:13 PM > To: 'kristofer.sandlund@ericsson.com'; > 'ghyslain.pelletier@ericsson.com'; 'lars-erik@lejonsson.com' > Subject: FW: secdir review of draft-ietf-rohc-rfc4995bis-01 > > I think that you may not have seen this email so I'm sending > it to you directly. > > Thanks, > > Steve > > -----Original Message----- > From: Stephen Hanna > Sent: Friday, December 11, 2009 5:59 PM > To: secdir@ietf.org; > 'draft-ietf-rohc-rfc4995bis@tools.ietf.org'; iesg@ietf.org > Subject: secdir review of draft-ietf-rohc-rfc4995bis-01 > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors should treat these comments > just like any other last call comments. > > Before providing my review, I will state that I do not have any > substantial experience or expertise with ROHC or with header > compression in general. My comments therefore should be taken > as those of a security expert but not a ROHC expert. > > This document is an updated version of RFC 4995: The RObust Header > Compression (ROHC) Framework. Mainly, it fixes an error in the > definition of the ROHC feedback format. I won't explain the error > here since it's not significant from a security perspective and > the fix looks good to me. I am assuming that the WG participants > have dealt with any compatibility issues introduced by having the > erroneous spec out there for two years or so. > > I have three comments on this document: > > 1) Currently, the document does not actually say what was fixed. > The only reference to the fix is this paragraph in the abstract: > > This specification obsoletes RFC 4995. It fixes one > interoperability > issue that was erroneously introduced in RFC 4995, and adds some > minor clarifications. > > I suggest adding a paragraph somewhere in the Introduction (maybe > at the end) that explains what the issue was and how it was fixed. > Otherwise, readers will be left wondering. They may have to do a > diff, like I did. Unfortunately, the reference format changed > from [1] to [RFC2119] between RFC 4995 and this draft so the diff > is about 30 pages of meaningless differences with one real change. > > 2) Have the editors verified that all contributors to the document > are OK with granting the new rights granted in RFC 5378 on top > of the rights that they originally granted under RFC 3978? This > would include anyone who contributed text that has been held over > from RFC 4995 and RFC 3095 and their employers at the time that > the time of the contribution, or other assignees. I suspect that > the answer is no. If I'm right, the editors should use the text > designed for this situation, which is included in section 6.c.iii > of the IETF Trust Legal Provisions Relating to IETF Documents. > > 3) The Security Considerations of this document are pretty good. > However, I think that they may ignore a particular risk of > using header compression. Namely, it seems to me that using > header compression would substantially increase the complexity > of the devices that perform the compression and decompression > vs. the complexity without header compression. For example, > a switch or router must now maintain per-flow ROHC state and > implement the ROHC protocols, which are a bit complex. This > complexity may result in implementation bugs that could be > exploited by an attacker sending a packet through the system > with a particular format designed to exploit the flaw. If > any device along the packet's path is vulnerable, the flaw > will be exploited. Depending on the nature of the coding > error, such a vulnerability could result in denial of > service or compromise of the vulnerable device. It could > even result in a cascading failure where all the vulnerable > devices on the path are compromised. The fact that ROHC is > a stateful protocol means that testing will be more complex. > And the fact that application layer protocol headers are > compressed introduces the possibility that an untrusted > application allowed to send application layer data could > exploit vulnerabilities in network devices that implement > ROHC. To address these concerns, I propose adding a new > paragraph in the Security Considerations: > > Implementing a ROHC compressor or decompressor is not a > trivial task. It can add vulnerabilities to a device. > Implementors should practice safe coding techniques and > recognize that both compressed and uncompressed packets > can come from malicious or compromised sources that may > send malformed packets and otherwise attempt to exploit > vulnerabilities. Regard all packets with care to protect > your implementation from such attacks. Otherwise, the > compromise of one network element may result in a > cascading sequence of compromises. > > I apologize for sending this review a week after the close > of the IETF Last Call on this document. I hope that this > feedback will still be useful. > > Thanks, > > Steve >
- [secdir] secdir review of draft-ietf-rohc-rfc4995… Stephen Hanna
- Re: [secdir] secdir review of draft-ietf-rohc-rfc… Stephen Hanna
- Re: [secdir] secdir review of draft-ietf-rohc-rfc… Kristofer Sandlund