Heads Up: Security Requirements for Working Groups
"R.E. (Robert) Moore (254-4436)" <REMOORE@ralvm6.vnet.ibm.com> Tue, 11 March 1997 20:44 UTC
Received: from cnri by ietf.org id aa18988; 11 Mar 97 15:44 EST
Received: from beasley.cisco.com by CNRI.Reston.VA.US id aa17617; 11 Mar 97 15:44 EST
Received: from VNET.IBM.COM (vnet.ibm.com [199.171.26.4]) by beasley.cisco.com (8.8.4-Cisco.1/CISCO.GATE.1.1) with SMTP id MAA19967 for <snanaumib@external.cisco.com>; Tue, 11 Mar 1997 12:39:09 -0800 (PST)
Message-Id: <199703112039.MAA19967@beasley.cisco.com>
Received: from RALVM6 by VNET.IBM.COM (IBM VM SMTP V2R3) with BSMTP id 0129; Tue, 11 Mar 97 15:38:34 EST
Date: Tue, 11 Mar 1997 15:23:10 -0500
From: "R.E. (Robert) Moore (254-4436)" <REMOORE@ralvm6.vnet.ibm.com>
To: aiw-appn-mibs@raleigh.ibm.com, snanaumib@external.cisco.com
Subject: Heads Up: Security Requirements for Working Groups
Subject: Note from SMTP4 at IINUS1
Since Randy is requesting nontrivial Security Considerations for the DLUR and HPR MIBs, I thought I'd forward this along to the SIG / WG. It sounds like what we need is a little boilerplate about SNMP security in general, and then a discussion of the exposures created by the specific contents of the two MIBs. If anybody wants to take a shot at a Security Considerations section for one of these MIBs prior to the AIW, it might expedite our discussions. Bob ----------------------------- Referenced Note --------------------------- Date: Tue, 4 Mar 1997 17:31:20 -0500 To: bofchairs@ietf.org, wgchairs@ietf.org Sender:bofchairs-request@ietf.org From: Fred Baker <fred@cisco.com> Subject: Heads Up: Security Requirements for Working Groups Cc: jte@cert.org For your comment... Some IAB, IESG, and Security folks have been meeting this week to discuss the improvement of security analysis in Internet protocols. Over the past few years, CERT Advisories and the media have made it brutally clear that many protocols and many implementations are subject to various threats, and writing a protocol or implementing a procedure that is naive in this regard is at best silly and at worst a culpable disservice. Section 2.2 of RFC 1603, which indicates that the charter of a working group, and therefore its documents, should address security among other things. We feel that part of this is requirements of working groups in their charter and in their resulting documents. I'd like to run some of the preliminary recommendations by you for your comment. Guidelines on writing Security Considerations in an RFC A "threat" is, by definition, a vulnerability available to a motivated and capable adversary. CERT advisories are quite predictable given a knowledge of the target of the threat; they therefore represent an existence proof, not a threat analysis. The point is to determine what attacks are possible ("capabilities" of a potential attacker) and formulate a defense against the attacks, or convincingly argue that the attack is not realistic in some environment and restrict use of the protocol to that environment. Recommended guidelines: - All RFCs must meaningfully address security in the protocol or procedure it specifies. It must consider that it is giving its data to "the enemy" and asking it to be delivered to its friends and used in the manner it intended. Consideration must be given to the ramifications of the inherent danger of the situation. - Must do "due diligence" to list the threats to which the protocol is vulnerable. Use of legal term does not imply legal liability, but level of responsibility expected to be applied to the analysis. This discussion might occur throughout the document or in the Security Considerations section; if it occurs throughout, it should be summarized and referenced in the Security Considerations section. - Must discuss which of those threats are * Ameliorated by protocol mechanisms (example: SYN attack is ameliorated by clever code that drops sessions randomly when under SYN attack) * Ameliorated by reliance on external mechanisms (example: TCP data confidentiality provided by IPSEC ESP) * Irrelevant ("In most cases, MIBs are not themselves security risks; If SNMP Security is operating as intended, the use of a MIB to change the configuration of a system is a tool, not a threat. For a threat analysis of SNMP Security, see RFC ZZZZ.") * Not addressed by the protocol; results in applicability statement. ("This protocol should not be used in an environment subject to this attack") - Principle: new protocols and practices ought not worsen overall security of the Internet. - Principle: reuse an existing protocol or mechanism if possible... - When cryptographic algorithms are used, enable the substitution of other algorithms in the future - Should discuss implementation hints or guidelines * handle race conditions * handle buffer overflows/off-by-one issues * source code integrity * principle of least privilege * deal with untrustworthy data * deal with untrustworthy peer systems Description of minimal Internet threat environment Implied by the above is that the security folks need to provide an Informational RFC that gives RFC authors a hand in doing the analysis. The idea is not to impose a requirement - the requirement already exists, and is handled today by back pressure during document last call and IESG review - but to provide a tool that will help working groups and independent submitters produce documents that do not result in that particular back pressure. It lists classes of attacks and modes of analysis that the security folks find useful. An initial goal is to post an internet draft in April and deliver an initial RFC by August. - Classes of attacks in current CERT advisories are within the minimal threat environment - Other known classes of attacks may be as well - Should include a taxonomy/glossary of classes of attacks and terminology, with examples. - Republish periodically as IAB/IESG deem appropriate Adding Security Requirements to WG Charters - Each WG is responsible for addressing security in its context - Each WG charter (including old ones, updated during 2Q97) contains at minimum the words "This working group acknowledges the importance of security in the overall internet architecture. Therefore, the protocols developed by this working group will be analyzed relative to RFCs XXXX and YYYY, to identify relevant security characteristics, dependencies on other security technology, and any residual vulnerabilities. This analysis will form the core of the Security Considerations section of the resulting RFC." - Each WG needs to work with "security volunteers" as it progresses its work. - No "Security will be added later"
- Heads Up: Security Requirements for Working Groups R.E. (Robert) Moore (254-4436)