[secdir] Security directorate review of draft-ietf-homenet-naming-architecture-dhc-options-21
Hilarie Orman <hilarie@purplestreak.com> Sat, 08 October 2022 14:45 UTC
Return-Path: <hilarie@purplestreak.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2A53C14F72C; Sat, 8 Oct 2022 07:45:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.61
X-Spam-Level:
X-Spam-Status: No, score=-2.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wssogQCl4s2J; Sat, 8 Oct 2022 07:45:20 -0700 (PDT)
Received: from out03.mta.xmission.com (out03.mta.xmission.com [166.70.13.233]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B337EC14F692; Sat, 8 Oct 2022 07:45:20 -0700 (PDT)
Received: from in02.mta.xmission.com ([166.70.13.52]:58420) by out03.mta.xmission.com with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from <hilarie@purplestreak.com>) id 1ohB4p-009Jxx-5S; Sat, 08 Oct 2022 08:45:19 -0600
Received: from [166.70.232.207] (port=32551 helo=rumpleteazer.rhmr.com) by in02.mta.xmission.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from <hilarie@purplestreak.com>) id 1ohB4n-003UoA-Vk; Sat, 08 Oct 2022 08:45:18 -0600
Received: from rumpleteazer.rhmr.com (localhost [127.0.0.1]) by rumpleteazer.rhmr.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id 298Ehph3011611; Sat, 8 Oct 2022 08:43:51 -0600
Received: (from hilarie@localhost) by rumpleteazer.rhmr.com (8.14.4/8.14.4/Submit) id 298EhppA011610; Sat, 8 Oct 2022 08:43:51 -0600
Date: Sat, 08 Oct 2022 08:43:51 -0600
Message-Id: <202210081443.298EhppA011610@rumpleteazer.rhmr.com>
From: Hilarie Orman <hilarie@purplestreak.com>
Reply-To: Hilarie Orman <hilarie@purplestreak.com>
To: iesg@ietf.org, secdir@ietf.org
Cc: draft-ietf-homenet-naming-architecture-dhc-options.all@ietf.org
X-XM-SPF: eid=1ohB4n-003UoA-Vk; ; ; mid=<202210081443.298EhppA011610@rumpleteazer.rhmr.com>; ; ; hst=in02.mta.xmission.com; ; ; ip=166.70.232.207; ; ; frm=hilarie@purplestreak.com; ; ; spf=pass
X-XM-AID: U2FsdGVkX1/K0abbEgZS34Vuo4LLK5hk
X-SA-Exim-Connect-IP: 166.70.232.207
X-SA-Exim-Mail-From: hilarie@purplestreak.com
X-Spam-Virus: No
X-Spam-DCC: XMission; sa02 1397; Body=1 Fuz1=1 Fuz2=1
X-Spam-Combo: ****;iesg@ietf.org, secdir@ietf.org
X-Spam-Relay-Country:
X-Spam-Timing: total 617 ms - load_scoreonly_sql: 0.04 (0.0%), signal_user_changed: 4.7 (0.8%), b_tie_ro: 3.2 (0.5%), parse: 1.43 (0.2%), extract_message_metadata: 7 (1.1%), get_uri_detail_list: 3.8 (0.6%), tests_pri_-1000: 2.4 (0.4%), tests_pri_-950: 1.36 (0.2%), tests_pri_-900: 1.02 (0.2%), tests_pri_-90: 88 (14.3%), check_bayes: 86 (14.0%), b_tokenize: 10 (1.6%), b_tok_get_all: 12 (1.9%), b_comp_prob: 4.2 (0.7%), b_tok_touch_all: 57 (9.2%), b_finish: 0.67 (0.1%), tests_pri_0: 500 (81.1%), check_dkim_signature: 0.44 (0.1%), check_dkim_adsp: 19 (3.1%), poll_dns_idle: 14 (2.3%), tests_pri_10: 1.82 (0.3%), tests_pri_500: 6 (1.0%), rewrite_mail: 0.00 (0.0%)
X-SA-Exim-Version: 4.2.1 (built Sat, 08 Feb 2020 21:53:50 +0000)
X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/zPTRJwrZqoii0tPyJGSegAvNaVU>
Subject: [secdir] Security directorate review of draft-ietf-homenet-naming-architecture-dhc-options-21
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 08 Oct 2022 14:45:21 -0000
Security review of
DHCPv6 Options for Home Network Naming Authority
draft-ietf-homenet-naming-architecture-dhc-options-21
Do not be alarmed. I generated this review of this document as part
of the security directorate's ongoing effort to review all IETF
documents being processed by the IESG. These comments were written
with the intent of improving security requirements and considerations
in IETF drafts. Comments not addressed in last call may be included
in AD reviews during the IESG review. Document editors and WG chairs
should treat these comments just like any other last call comments.
This seems like a simple protocol for communicating a few parameters
between a home network and an ISP. As a result of the exchange, the
home network can configure its DNS data with the IPv6 data from its
ISP and communicate it to outsourcing data managers (forward and
reverse). These managers might be provided by the ISP or by a
third-party chosen by the home network.
Opinion: Not Ready
"7. Security Considerations
The security considerations in [RFC8415] are to be considered. The
use of DHCPv6 options provides a similar level of trust as the one
used to provide the IP prefix."
I can almost believe this is true, but I would like some additional
discussion. First, the "use of the options" does not "provide a level of
trust". One might say that the trust relationships are the same
because the home network must rely on the IP prefix to configure its
DNS data and no additional security relevant data is communicated?
I'm not sure, but I am sure that "Security Considerations" need more
... consideration.
The section in Appendix B that speaks of the DHCPv6 server presenting
credentials to the DM and RDM should be amplified, as well.
The grammar in the document is rough, and as a result I found it very
difficult to read. I wish there were an IETF "grammar ready" review
before passing a document on the content reviewers. My notes below
are mostly meant to clarify content and they address only a few of the
subject/verb mismatches.
---------
In section 2 Introduction:
Confusing sentence:
"This document describes DHCPv6 options that enable an ISP to provide
the necessary parameters to the HNA, to proceed. More specifically,"
Possible rewrite:
An ISP can use the DHCPv6 options described in this document to
communicate parameters to the HNA. Specifically, ...
---------
In addition, ISPs often identify the line of the home network with a
name. Such name is used for their internal network management
operations and is not a name the home network owner has registered
to. ISPs may leverage such infrastructure ...
I think this verbiage is unneccesary and confusing. What is a "line"
and why do we need to know that it has a name that can't be used?
---------
and provide the homenet
with a specific domain name designated as per
[I-D.ietf-homenet-front-end-naming-delegation] a Homenet Registered
Domain.
(should be "Registered Homenet Domain")
---------
This
document does not ignore scenarios where the DHCPv6 server does not
have privileged relations with the DM or RDM. These cases are
discussed in Appendix A.
Possible rewrite:
Appendix A of this
document addresses scenarios where the DHCPv6 server does not
have privileged relations with the DM or RDM.
---------
The "Procedure Overview" has a 3 step procedure with steps numbered "1, 2, 1".
The third step states:
The HNA may complement the configurations with additional
parameters via means not yet defined.
I suppose that is always the case, but why "specify" something
so vague, and might these unknown things relevant to security?
--------
In "4.2. Forward Distribution Manager Option" there is a badly
garbled sentence that I cannot unwind.
Then the FQDN can reasonably be seen as a more stable identifier as
well as a pointer to additional information than the IP addresses may
be useful to in the future to establish the communication between the
HNA and the DM.
This sentence
"It is worth noticing that the Supported Transport field does not
enable to specify a port and the used port is defined by standard."
might be better stated as
"Note that the Supported Transport field specifies a protocol but
there is no option for defining a port number. The port number is
defined by other RFCs. In the case of DNS over TLS [RFC7858], the
port is defined by [RFC7858] to be 853."
---------
5.1. DHCPv6 Server Behavior
This paragraph is particularly confusing:
In particular, when configured the DHCPv6 server sends the Registered
Homenet Domain Option, Distribution Manager Option, the Reverse
Distribution Manager Option when requested by the DHCPv6 client by
including necessary option codes in its ORO.
Possible rewrite:
Upon receiving a request from a DHCPv6 client that includes the
necessary option codes in its ORO, a configured DHCPv6 server will send
the Registered Homenet Domain Option, Distribution Manager Option,
and the Reverse Distribution Manager Option.
------------
Appendix A
"This section details various scenarios and discuss their impact on
^ discusses
the end user. This section is not normative and limits the
description of a limited scope of scenarios that are assumed to be
representative."
How does it "limit the description"? Confusing.
It is also confusing that Appendix A does not have any discussion of
scenarios. Maybe Appendix A is an introduction to Appendix B?
I've never seen a document organized in this way.
------------
"The end user subscribes to the ISP (foo) ..." Previously "foo"
was used as an option. Too fooey. How about "the ISP
(exampleISP)"?
------------
"In this scenario, the DHCPv6 server, DM and RDM are managed by the
ISP so the DHCPv6 server and as such can provide authentication
credentials of the HNA to enable secure authenticated transaction
with the DM and the Reverse DM."
In this scenario, the DHCPv6 server, DM and RDM are managed by the
ISP. The DHCPv6 server can provide the authentication credentials of
the HNA to the DM and Reverse DM to enable secure authenticated
transactions.
Authenticated transactions between the HNA and the DM (or RDM)? Is
the HNA a party to this authentication? How?
------------
B.1. Third Party Registered Homenet Domain
This section still considers the ISP
^ assumes?
manages the home network and still provides foo.example as a
Registered Homenet Domain.
------------
B.2. Third Party DNS Infrastructure
"Again, this configuration update is done once-for-
ever."
??? Again? What was the first time? "Forever" ... really?
------------
With the configuration described in Appendix B.1, the HNA is expect
^^ expected
to be able to handle multiple Homenet Registered Domain,
---------
The drawback of this scenario may be that the
end user still rely on the ISP naming infrastructure. Note that the
^^ relies
only case this may be inconvenient is when the DNS servers provided
^^ where
by the ISPs results in high latency.
^^ result
---------
Hilarie
- [secdir] Security directorate review of draft-iet… Hilarie Orman