Re: [secdir] secdir review of draft-ietf-pcp-server-selection-07

<mohamed.boucadair@orange.com> Mon, 05 January 2015 07:34 UTC

From: <mohamed.boucadair@orange.com>
To: Chris Inacio <inacio@cert.org>, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-pcp-server-selection.all@tools.ietf.org" <draft-ietf-pcp-server-selection.all@tools.ietf.org>
Date: Mon, 5 Jan 2015 07:34:47 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B9330048DEF48@OPEXCLILM23.corporate.adroot.infra.ftgroup>
References: <0FD1DF78-8EEC-44F2-B715-9CD7405C07D6@cert.org>
In-Reply-To: <0FD1DF78-8EEC-44F2-B715-9CD7405C07D6@cert.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/vPwe6DSpat39pO7Q13Guxo_dMZ8

Dear Chris,

Thank you for the review. 

Nonce validation checks are used when operating in the simple threat model as discussed in RFC6887. Adding a reference to section 18.1 of RFC6887 would be sufficient IMHO. PCP authentication will be needed if operating in the Advanced Threat Model. 

OLD:
For efficiency, the PCP client SHOULD use the same Mapping Nonce for requests sent to all IP addresses belonging to the same PCP server. 

NEW:
For efficiency, the PCP client SHOULD use the same Mapping Nonce for requests sent to all IP addresses belonging to the same PCP server. As a reminder, nonce validation checks are performed when operating in the Simple Threat Model (Section 18.1 of [RFC6887]) to defend against some off-path attacks.

Better?

I already fixed the nits in my local copy.

Thank you.

Cheers,
Med

-----Original Message-----
From: Chris Inacio [mailto:inacio@cert.org]
Sent: Sunday, 4 January 2015 07:57
To: secdir@ietf.org; iesg@ietf.org; draft-ietf-pcp-server-selection.all@tools.ietf.org
Subject: secdir review of draft-ietf-pcp-server-selection-07



I have reviewed this document as part of the security directorate’s ongoing effort to review all IETF documents being processed by the IESG.  These comments were written with the intent of improving security requirements and considerations in IETF drafts.  Comments not addressed in last call may be included in AD reviews during the IESG review.  Document editors and WG chairs should treat these comments just like any other last call comments.

Generally the document is in good shape, and I would like to see one minor issue at least commented upon.

I have a single security related comment on this draft; the last sentence of section 3:

> For efficiency, the PCP client SHOULD use the same Mapping Nonce for
>   requests sent to all IP addresses belonging to the same PCP server.

Normally, I would simply say this is a crazy recommendation.  But after looking a little into what the Nonce is used for in the PCP protocol, I am slightly less distraught.  This Nonce does not appear to necessarily provide any huge amount of security except allowing the client to generate a unique token per PCP server.  Presumably there is a general MITM attack on the PCP protocol related to the Nonce as a transaction ID which is prevented by using other security protocols, TLS, etc.  (And another well known attack with the THIRD_PARTY option and lack of authentication…) Therefore, this Nonce is critical as a synchronization point between the client and the potential PCP server.  It would be nice (assuming all that is correct) to make that clear in the document, especially with a recommendation to reuse the Nonce.


Nits:

In Figure 1, the lines are not aligned to the “+” on the diagrams.

In Figure 3, “rtr1” is missing a “+” on the right side connection from the top.


--
Chris Inacio
inacio@cert.org
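The two points argued in this thread, a client reusing one Mapping Nonce across every IP address of the same PCP server and a server that only honours a refresh or delete if the request carries the nonce the mapping was created with (RFC 6887, Section 11.3, the check Med refers to under the Simple Threat Model), are easiest to see in a small model. The code below is an added example; it is not code from the draft, from RFC 6887, or from either correspondent. It does not implement the PCP wire format: requests are plain dicts, the server identifier "pcp.example", the addresses, and the port numbers are constructed sample values, and the PCP server is modelled as one process that answers on two addresses.

```python
"""Toy model of PCP Mapping Nonce handling (RFC 6887, Simple Threat Model).

Added example, not code from draft-ietf-pcp-server-selection or RFC 6887.
Models (a) a client with one 96-bit Mapping Nonce per PCP server, reused for
all of that server's addresses, and (b) a server that returns NOT_AUTHORIZED
when an existing mapping is addressed with a different nonce, which is what
stops an off-path attacker who can spoof the client's address and guess the
internal port but does not know the nonce.  Wire format is not modelled.
"""
import secrets
from dataclasses import dataclass, field

NONCE_LEN = 12          # Mapping Nonce is 96 bits (RFC 6887, Section 11.1)
SUCCESS = 0             # result codes, RFC 6887, Section 7.4
NOT_AUTHORIZED = 2
UDP = 17


class PcpClient:
    """Keeps one Mapping Nonce per PCP *server*, not per server address."""

    def __init__(self) -> None:
        # server_id is whatever tells the client two addresses belong to the
        # same server (assumed here to be a name such as "pcp.example").
        self._nonces: dict[str, bytes] = {}

    def nonce_for(self, server_id: str) -> bytes:
        if server_id not in self._nonces:
            self._nonces[server_id] = secrets.token_bytes(NONCE_LEN)
        return self._nonces[server_id]

    def map_request(self, server_id: str, dst_ip: str, protocol: int,
                    internal_port: int, lifetime: int) -> dict:
        """Build a MAP request aimed at one address of the server.

        lifetime == 0 is a delete; any other value creates or refreshes."""
        return {"dst_ip": dst_ip, "protocol": protocol,
                "internal_port": internal_port, "lifetime": lifetime,
                "nonce": self.nonce_for(server_id)}


@dataclass
class Mapping:
    nonce: bytes
    lifetime: int


@dataclass
class PcpServer:
    # (client_ip, protocol, internal_port) -> Mapping; both server addresses
    # share this table because they are the same PCP server.
    mappings: dict = field(default_factory=dict)

    def handle_map(self, client_ip: str, req: dict) -> int:
        key = (client_ip, req["protocol"], req["internal_port"])
        existing = self.mappings.get(key)
        if existing is None:
            if req["lifetime"] == 0:
                return SUCCESS      # deleting nothing is a successful no-op
            self.mappings[key] = Mapping(req["nonce"], req["lifetime"])
            return SUCCESS
        # Refresh or delete of an existing mapping: the nonce must match the
        # one it was created with (constant-time compare).
        if not secrets.compare_digest(existing.nonce, req["nonce"]):
            return NOT_AUTHORIZED
        if req["lifetime"] == 0:
            del self.mappings[key]
        else:
            existing.lifetime = req["lifetime"]
        return SUCCESS


def demo() -> dict:
    """Create via one server address, refresh via the other with the same
    nonce, then show an off-path attacker's forged delete being refused."""
    client, server = PcpClient(), PcpServer()
    client_ip = "192.0.2.10"                     # constructed sample values
    addr_a, addr_b = "203.0.113.1", "203.0.113.2"
    created = server.handle_map(
        client_ip, client.map_request("pcp.example", addr_a, UDP, 5000, 3600))
    refreshed = server.handle_map(
        client_ip, client.map_request("pcp.example", addr_b, UDP, 5000, 7200))
    # Attacker spoofs client_ip and guesses the port but not the nonce.
    forged = {"dst_ip": addr_a, "protocol": UDP, "internal_port": 5000,
              "lifetime": 0, "nonce": secrets.token_bytes(NONCE_LEN)}
    attacker = server.handle_map(client_ip, forged)
    still_present = (client_ip, UDP, 5000) in server.mappings
    deleted = server.handle_map(
        client_ip, client.map_request("pcp.example", addr_a, UDP, 5000, 0))
    return {"created": created, "refreshed": refreshed, "attacker": attacker,
            "still_present": still_present, "deleted": deleted,
            "remaining": len(server.mappings)}


if __name__ == "__main__":
    print(demo())
```

Because the client keys its nonce on the server, not the destination address, the refresh sent to the second address is accepted; the forged delete fails only because 96 bits of nonce are not guessable, which is the whole protection the Simple Threat Model offers here. Against an on-path attacker who can read the nonce, this check does nothing, which is why the reply points to PCP authentication for the Advanced Threat Model.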