Re: tunnel protocols (draft-ietf-v6ops-cpe-simple-security-03)
james woodyatt <jhw@apple.com> Tue, 02 September 2008 21:12 UTC
Return-Path: <owner-v6ops@ops.ietf.org>
X-Original-To: ietfarch-v6ops-archive@core3.amsl.com
Delivered-To: ietfarch-v6ops-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id CC58A3A6918 for <ietfarch-v6ops-archive@core3.amsl.com>; Tue, 2 Sep 2008 14:12:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.495
X-Spam-Level:
X-Spam-Status: No, score=-104.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4, RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tgp3RcRYcfyX for <ietfarch-v6ops-archive@core3.amsl.com>; Tue, 2 Sep 2008 14:12:10 -0700 (PDT)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 3B09D3A6AB2 for <v6ops-archive@lists.ietf.org>; Tue, 2 Sep 2008 14:12:10 -0700 (PDT)
Received: from majordom by psg.com with local (Exim 4.69 (FreeBSD)) (envelope-from <owner-v6ops@ops.ietf.org>) id 1Kacsb-000Heh-VY for v6ops-data@psg.com; Tue, 02 Sep 2008 20:53:37 +0000
Received: from [17.254.13.23] (helo=mail-out4.apple.com) by psg.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.69 (FreeBSD)) (envelope-from <jhw@apple.com>) id 1KacsJ-000Hcq-Dj for v6ops@ops.ietf.org; Tue, 02 Sep 2008 20:53:28 +0000
Received: from relay14.apple.com (relay14.apple.com [17.128.113.52]) by mail-out4.apple.com (Postfix) with ESMTP id B92FA3AF1D64 for <v6ops@ops.ietf.org>; Tue, 2 Sep 2008 13:53:11 -0700 (PDT)
Received: from relay14.apple.com (unknown [127.0.0.1]) by relay14.apple.com (Symantec Mail Security) with ESMTP id 3670D2808E for <v6ops@ops.ietf.org>; Tue, 2 Sep 2008 13:53:11 -0700 (PDT)
X-AuditID: 11807134-a8560bb000000ece-3f-48bda7b6b2d3
Received: from il0602f-dhcp90.apple.com (il0602f-dhcp90.apple.com [17.206.50.90]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by relay14.apple.com (Apple SCV relay) with ESMTP id DEA9928092 for <v6ops@ops.ietf.org>; Tue, 2 Sep 2008 13:53:10 -0700 (PDT)
Message-Id: <31CAFDB4-ACCB-428B-8949-1D247F7B3CB1@apple.com>
From: james woodyatt <jhw@apple.com>
To: IPv6 Operations <v6ops@ops.ietf.org>
In-Reply-To: <20080902070719.79b27288.ipng@69706e6720323030352d30312d31340a.nosense.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Apple Message framework v928.1)
Subject: Re: tunnel protocols (draft-ietf-v6ops-cpe-simple-security-03)
Date: Tue, 02 Sep 2008 13:53:10 -0700
References: <20080824204553.08131c65.ipng@69706e6720323030352d30312d31340a.nosense.org> <48B1CCE8.1070305@gmail.com> <01af01c9065b$b4602440$c2f0200a@cisco.com> <48B23391.1090503@gmail.com> <01cd01c90672$a57c8790$c2f0200a@cisco.com> <48B31DA3.6080001@gmail.com> <07d201c906f7$50a85e30$c2f0200a@cisco.com> <48B32B43.5010103@gmail.com> <084c01c906fe$f9bf1840$c2f0200a@cisco.com> <48B33430.40704@gmail.com> <A31EB889-2BD9-4283-A408-AB6DCC1D568A@suspicious.org> <08be01c90712$d876cd40$c2f0200a@cisco.com> <20080827194713.23271bd1.ipng@69706e6720323030352d30312d31340a.nosense.org> <CD947C45-58F7-47F1-807F-A276490B1E39@apple.com> <20080828071200.212c7910.ipng@69706e6720323030352d30312d31340a.nosense.org> <0a778520d314db21a197b978a43b8644@chewa.net> <20080902070719.79b27288.ipng@69706e6720323030352d30312d31340a.nosense.org>
X-Mailer: Apple Mail (2.928.1)
X-Brightmail-Tracker: AAAAAA==
Sender: owner-v6ops@ops.ietf.org
Precedence: bulk
List-ID: <v6ops.ops.ietf.org>
On Sep 1, 2008, at 14:37, Mark Smith wrote: > [...] > Note the text doesn't specify a direction for these tunnelled > protocols: > > "Therefore, this document recommends the > DEFAULT operating mode for residential IPv6 simple security is to > permit all virtual private networking tunnel protocols to pass > through the stateful filtering function. These include IPsec > transport and tunnel modes as well as other IP-in-IP protocols." > [...] This is the informative text in Section 2.2 of the Overview, whereas the Detailed Recommendations are split between sections 3.2.4 and 3.2.5. I think it would be more helpful if you were to address your concerns about sections 3.2.4 first, and 3.2.5 separately if necessary. > [...] > This would seem to me to allow unsolicited inbound tunnel > encapsulated traffic from any source, via any of the stateless over- > IPv6 tunnelling protocols or methods. I don't think that's very good > security at all, going slightly higher level than my earlier > example, here's the attack: > > (1) purchase a banner add on a popular webpage, with the > advertisement image coming from your server, and use that to record > valid and current global unicast IPv6 addresses. > > (2) attack those recorded addresses. Bypass all the v6 CPE security > measures specified in this draft by sending your malicious packets > inside an IPv6 in IPv6 or GRE in IPv6 tunnel. > > With luck, the end-node has its own firewalling, and I think that is > fairly likely. The concern I have is that the CPE devices that will > be built to this draft will have a big "security" sticker on the > box, and yet it is so easy to bypass if we continue to permit all > unsolicited inbound stateless tunnelling protocols. If people see a > big "security" sticker on their CPE they may turn off their end-node > security, "because they don't need it anymore." > [...] Having thought long and hard about the problem, I confess to not viewing VPN protocols as a particularly important attack surface to guard for residential networks. I think interior nodes configured as vulnerable tunnel endpoints can be expected to be uncommon on residential networks and limited only to those nodes where an administrator has solicited inbound flows by some out-of-band method invisible to any CPE firewall gateway. They are not very likely to be present as a result of naïve user misconfiguration or the deployment of ubiquitous-and-buggy legacy applications. Requiring applications using tunnel protocols to use authentication where it otherwise isn't needed adds complexity without providing any *real* additional security. Some peer-to-peer applications, i.e. those which do not require parties to authenticate with one another until some time after unauthenticated communications have been ongoing, will be given a perverse incentive to initiate with with contrived anonymous credentials just to recover the transparency lost to residential CPE filters that block unauthenticated inbound tunnel flows. At this point, what have you done? You've just shifted the attack scenario above so that it looks like this: (1) purchase a banner add on a popular webpage, with the advertisement image coming from your server, and use that to record valid and current global unicast IPv6 addresses. (2) attack those recorded addresses. Bypass all the v6 CPE security measures specified in this draft by sending your malicious packets inside a tunnel using the well-known anonymous credentials widely used by P2P applications for legitimately bypassing CPE simple security measures. In considering the recommendations in section 3.2.5, the IPv6 residential CPE simple security design team considered DEFAULT limits on inbound IPsec and IKE flows, e.g. allowing only authenticated flows or denying all inbound tunnel flows altogether, and came to rough consensus that it couldn't be done in a way that A) would be sufficiently simple for residential users, i.e. zero configuration, and B) would provide any real improvement in the minimum baseline security for the lowest common denominator of residential users, without C) gravely damaging the utility of the public Internet for everyone. Do you agree with the design team that breaking IKE and IPsec altogether by DEFAULT isn't acceptable? If you don't break authenticated IKE and IPsec by DEFAULT, then a specialization of the attack I describe above will still be possible, and CPE router firewalls will not be in any position to guard against it. Conversely, *unless* you break authenticated IKE and IPsec by DEFAULT, then restricting all other flows will only serve as a perverse incentive to use a contrived anonymous authentication in IKE and IPsec (instead of the more appropriate and standards track BTNS) when bypassing CPE simple security, because that's the only reliable and legitimate way to initiate secure communications with residential endpoints. In fact, as BTNS is currently specified, limiting inbound flows only to IPsec and authenticated IKE might still not reduce the attack surface significantly. You'd have to specifically recommend breaking BTNS with an IKE-layer filter, and even that would only stop the *standard* method of anonymous authentication, not any of the non- standard ones that would surely arise as legitimate methods of bypassing CPE simple security. In simple terms: it may turn out that the attack scenario under discussion here cannot be addressed effectively in the long term except by blocking inbound tunnel protocols *altogether*, including IPsec and IKE, yet the price to pay for any mechanisms we recommend now is a recurring one stretching indefinitely into the future for as long as a significant fraction of the residential networks have CPE deployed that follows the practice in this draft. Is preserving the utility of inbound IKE and IPsec across residential site boundaries really a controversial idea? Does the working group believe that IKE and IPsec are flawed because they don't rely on middleboxes to allow only "trustworthy" exterior nodes to initiate key exchange and security associations with interior nodes? The design team didn't believe so. The design team also considered leaving inbound IKE and IPsec unrestricted by DEFAULT while recommending stricter limits on other inbound tunnels, but we were unpersuaded that the substantial loss of network transparency would be an acceptable price to pay for the meager reduction in attack surface area associated with them. Others may disagree with the design team on that decision, and their opinions are welcome in the working group discussion. We don't believe we have been chartered to challenge the utility of IPsec and IKE for exterior nodes initiating secure communications with interior nodes protected by residential CPE simple security, and we have taken care not to do so. The rest of our decisions relevant to this discussion follow from that one. To summarize, what you see above is the line of reasoning that led the design team to specify sections 3.2.4 and 3.2.5 as they are in the current draft. Are there objections to the detailed recommendations? -- james woodyatt <jhw@apple.com> member of technical staff, communications engineering
- Fwd: Some suggestions for draft-ietf-v6ops-cpe-si… Fred Baker
- Some suggestions for draft-ietf-v6ops-cpe-simple-… Mark Smith
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Brian E Carpenter
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Brian E Carpenter
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Mark Smith
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… EricLKlein
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Brian E Carpenter
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Brian E Carpenter
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Brian E Carpenter
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Truman Boyes
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Brian E Carpenter
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Gert Doering
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Rémi Després
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Rémi Després
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Gert Doering
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Rémi Denis-Courmont
- But are we talking IPv6 only? That's how I read t… Mark Smith
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… teemu.savolainen
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Rémi Després
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Rémi Denis-Courmont
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… Rémi Denis-Courmont
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- RE: But are we talking IPv6 only? That's how I re… Dan Wing
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… james woodyatt
- Re: Some suggestions for draft-ietf-v6ops-cpe-sim… james woodyatt
- Re: But are we talking IPv6 only? That's how I re… james woodyatt
- RE: Some suggestions for draft-ietf-v6ops-cpe-sim… Dan Wing
- Re: But are we talking IPv6 only? That's how I re… Mark Smith
- Purpose of ALD (was Re: Some suggestions for draf… james woodyatt
- Re: But are we talking IPv6 only? That's how I re… james woodyatt
- RE: Purpose of ALD (was Re: Some suggestions for … Dan Wing
- RE: But are we talking IPv6 only? That's how I re… Dan Wing
- Re: But are we talking IPv6 only? That's how I re… james woodyatt
- RE: But are we talking IPv6 only? That's how I re… Dan Wing
- Re: But are we talking IPv6 only? That's how I re… Rémi Denis-Courmont
- RE: But are we talking IPv6 only? That's how I re… Templin, Fred L
- RE: But are we talking IPv6 only? That's how I re… Dan Wing
- RE: But are we talking IPv6 only? That's how I re… Templin, Fred L
- Re: But are we talking IPv6 only? That's how I re… james woodyatt
- RE: But are we talking IPv6 only? That's how I re… Templin, Fred L
- Re: But are we talking IPv6 only? That's how I re… james woodyatt
- RE: But are we talking IPv6 only? That's how I re… Templin, Fred L
- Re: But are we talking IPv6 only? That's how I re… Rémi Després
- RE: But are we talking IPv6 only? That's how I re… Dan Wing
- RE: But are we talking IPv6 only? That's how I re… Templin, Fred L
- Re: But are we talking IPv6 only? That's how I re… Rémi Després
- RE: But are we talking IPv6 only? That's how I re… Templin, Fred L
- RE: But are we talking IPv6 only? That's how I re… Dan Wing
- Re: But are we talking IPv6 only? That's how I re… Mark Smith
- Re: But are we talking IPv6 only? That's how I re… Mark Smith
- Re: tunnel protocols (draft-ietf-v6ops-cpe-simple… james woodyatt