Re: [secdir] SecDir review of draft-ietf-manet-dlep
"Taylor, Rick (External)" <rick.taylor.external@airbus.com> Tue, 29 November 2016 12:14 UTC
Return-Path: <rick.taylor.external@airbus.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E2D21299EF; Tue, 29 Nov 2016 04:14:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.901
X-Spam-Level:
X-Spam-Status: No, score=-6.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mI6Rs9Ui8v-h; Tue, 29 Nov 2016 04:14:37 -0800 (PST)
Received: from mail-dotnet4.eads.net (mail-dotnet4.eads.net [193.56.40.77]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DB6E1296DB; Tue, 29 Nov 2016 04:08:44 -0800 (PST)
Received: from unknown (HELO fr-gate1.mailhub.intra.corp) ([53.154.16.33]) by mail-dotnet4.eads.net with ESMTP; 29 Nov 2016 13:08:42 +0100
Received: from f8562vs5.main.fr.ds.corp ([10.37.8.22]) by fr-gate1.mailhub.intra.corp with Microsoft SMTPSVC(5.0.2195.7381); Tue, 29 Nov 2016 13:08:41 +0100
Received: from f8561vs4.main.fr.ds.corp ([10.37.8.21]) by f8562vs5.main.fr.ds.corp with Microsoft SMTPSVC(6.0.3790.4675); Tue, 29 Nov 2016 13:08:41 +0100
Received: from SUCNPTEXC01.com.ad.uk.ds.corp ([10.80.73.70]) by f8561vs4.main.fr.ds.corp with Microsoft SMTPSVC(6.0.3790.4675); Tue, 29 Nov 2016 13:08:41 +0100
Received: from SUCNPTEXM01.COM.AD.UK.DS.CORP ([fe80::2543:10a0:fd02:b894]) by SUCNPTEXC01.com.ad.uk.ds.corp ([::1]) with mapi id 14.03.0279.002; Tue, 29 Nov 2016 12:08:40 +0000
From: "Taylor, Rick (External)" <rick.taylor.external@airbus.com>
To: Christian Huitema <huitema@huitema.net>, 'Paul Hoffman' <paul.hoffman@vpnc.org>
Thread-Topic: [secdir] SecDir review of draft-ietf-manet-dlep
Thread-Index: AQHSP9dxooq1deGLb0CN9D0fTSXK8AJp8YIyAbfck2mf1Pcy0ID54YMA
Date: Tue, 29 Nov 2016 12:08:40 +0000
Message-ID: <B177F831FB91F242972D0C35F6A0733163AE0516@SUCNPTEXM01.com.ad.uk.ds.corp>
References: <30706_1479279750_582C0485_30706_8297_7_C7F1D029-C067-4AF6-9F40-436F7BA54311@vpnc.org> <B177F831FB91F242972D0C35F6A0733163AD92C3@SUCNPTEXM01.com.ad.uk.ds.corp> <0AE7C2DE-B316-4675-B7BE-EB9AC50ED955@vpnc.org> <4035_1480388659_583CF032_4035_1030_1_003b01d249ed$3f003260$bd009720$@huitema.net>
In-Reply-To: <4035_1480388659_583CF032_4035_1030_1_003b01d249ed$3f003260$bd009720$@huitema.net>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.80.22.46]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 29 Nov 2016 12:08:41.0303 (UTC) FILETIME=[52FC6670:01D24A39]
X-TM-AS-Product-Ver: SMEX-8.0.0.4194-7.500.1017-22728.006
X-TM-AS-Result: No--28.847800-0.000000-31
X-TM-AS-User-Approved-Sender: Yes
X-TM-AS-User-Blocked-Sender: No
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/wgCO6tDO6sSLKmLpn6Z0mKU3OYY>
Cc: "draft-ietf-manet-dlep.all@ietf.org" <draft-ietf-manet-dlep.all@ietf.org>, 'secdir' <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-manet-dlep
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2016 12:14:39 -0000
Hi All, Thank you both for your reviews and further comments. I'm not the author of draft-ietf-manet-credit-window-07, but am one of the authors of draft-ietf-manet-dlep-25. However, as the security of the credit windowing extension relies on the underlying security considerations of DLEP, I feel I can respond. A few comments inline... > -----Original Message----- > From: Christian Huitema [mailto:huitema@huitema.net] > Sent: 29 November 2016 03:04 > To: 'Paul Hoffman'; Taylor, Rick (External) > Cc: 'secdir'; draft-ietf-manet-dlep.all@ietf.org > Subject: RE: [secdir] SecDir review of draft-ietf-manet-dlep > > On Tuesday, November 22, 2016 5:46 AM, Paul Hoffman wrote: > > On 22 Nov 2016, at 3:34, Taylor, Rick (External) wrote: > > > >> Thank you for the review. A couple of quick comments: > >> > >> Did you review draft-ietf-manet-dlep-15 or draft-ietf-manet-dlep-25 > >> (the latest)? As we have attempted to address the security comments > >> raised by the WG and AD review. > > > > I reviewed -25; sorry for the typo in my report. > > I was asked to review draft-ietf-manet-credit-window-07, whose security > properties are inherited from draft-ietf-manet-dlep-25, so I also reviewed > draft-ietf-manet-dlep-25. Like Paul, I find the security of DLEP pretty weak. > DLEP "requires that security of the implementations (e.g., authentication of > stations, encryption of traffic, or both) is dealt with by utilizing Layer 2 > security techniques." > > This layer 2 security model is effectively an implementation of "perimeter > security", and has all the known issues with perimeter security. Two classic > attacks are "finding a way to send packets through the perimeter" and > "subvert a node already installed inside the perimeter". The draft attempts > to mitigate the first class of attacks by using the mechanism of RFC 5082, > although it does not actually use it correctly. There is no mitigation for the > "subverted node" attack. There has been extensive discussion within the WG on this topic, and we do fully understand the concerns. The security of DLEP has always been a major worry for the authors/WG as we are being pulled in two directions: The sticking point is the situation where an implementer has the modem and router as two separate modules in a single chassis (or secured perimeter), and wants to avoid the perceived complexity/annoyance of implementing TLS. The authors have received off-the-record comment from major radio vendors stating that they will not adopt DLEP if it requires TLS. However, I agree that both your comments are absolutely valid. The question is how to reconcile the difference? We are searching for some mechanism that would allow the protocol to: a) Specify how to secure the session correctly. b) Secure the session by default. c) Allow either peer to waive the requirement for security in a way that cannot be maliciously downgraded. Is a STARTTLS style approach acceptable? Or is an http/https style two port approach preferred? I'm not asking for the solution, but trying to avoid wasting your and our time. > > >> One area we have worked hard on addressing is mandating use of > >> RFC5082 (Generalized TTL Security) on the link between router and > >> modem (See Section 3.1). > > Not quite. RFC5082 suggests setting the TTL to 255 and checking the value on > the received message. Your draft suggests setting the TTL value to 1, and > checking the received value in the message. You need to fix that. TTL 1 is required for the discovery mechanism (UDP mcast) in an attempt to restrict packets to a single hop (particularly for IPv4), but the TCP connection for the session must use TTL 255 as per RFC5082 (The paragraph above). We might consider re-ordering the paragraphs if you think it is unclear. * snip * Many thanks, Rick Taylor The information contained within this e-mail and any files attached to this e-mail is private and in addition may include commercially sensitive information. The contents of this e-mail are for the intended recipient only and therefore if you wish to disclose the information contained within this e-mail or attached files, please contact the sender prior to any such disclosure. If you are not the intended recipient, any disclosure, copying or distribution is prohibited. Please also contact the sender and inform them of the error and delete the e-mail, including any attached files from your system. Emails to Airbus Defence and Space Limited may be processed, recorded and monitored anywhere in the European Community. Airbus Defence and Space Limited Registered Office: Gunnels Wood Road, Stevenage, Hertfordshire, SG1 2AS. Registered in England and Wales under company number 02449259.
- [secdir] SecDir review of draft-ietf-manet-dlep Paul Hoffman
- Re: [secdir] SecDir review of draft-ietf-manet-dl… Taylor, Rick (External)
- Re: [secdir] SecDir review of draft-ietf-manet-dl… Paul Hoffman
- Re: [secdir] SecDir review of draft-ietf-manet-dl… Christian Huitema
- Re: [secdir] SecDir review of draft-ietf-manet-dl… Taylor, Rick (External)
- Re: [secdir] SecDir review of draft-ietf-manet-dl… Christian Huitema
- Re: [secdir] SecDir review of draft-ietf-manet-dl… Ratliff, Stanley