[pcp] [Sam Hartman] draft-ietf-pcp-base-27: objection to security considerations change; ietf last call requested
Sam Hartman <hartmans@painless-security.com> Tue, 25 September 2012 00:10 UTC
Return-Path: <hartmans@mit.edu>
X-Original-To: pcp@ietfa.amsl.com
Delivered-To: pcp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BBA9B21F8862 for <pcp@ietfa.amsl.com>; Mon, 24 Sep 2012 17:10:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 4.388
X-Spam-Level: ****
X-Spam-Status: No, score=4.388 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, RDNS_DYNAMIC=0.1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AnYqHT7hYdAm for <pcp@ietfa.amsl.com>; Mon, 24 Sep 2012 17:10:50 -0700 (PDT)
Received: from ec2-23-21-227-93.compute-1.amazonaws.com (ec2-23-21-227-93.compute-1.amazonaws.com [23.21.227.93]) by ietfa.amsl.com (Postfix) with ESMTP id 3A4B021F885D for <pcp@ietf.org>; Mon, 24 Sep 2012 17:10:49 -0700 (PDT)
Received: from carter-zimmerman.suchdamage.org (c-98-217-126-210.hsd1.ma.comcast.net [98.217.126.210]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "laptop", Issuer "laptop" (not verified)) by mail.suchdamage.org (Postfix) with ESMTPS id A940820155 for <pcp@ietf.org>; Mon, 24 Sep 2012 20:10:37 -0400 (EDT)
Received: by carter-zimmerman.suchdamage.org (Postfix, from userid 8042) id E408D414A; Mon, 24 Sep 2012 20:10:09 -0400 (EDT)
From: Sam Hartman <hartmans@painless-security.com>
To: pcp@ietf.org
Date: Mon, 24 Sep 2012 20:10:09 -0400
Message-ID: <tsl7grj3qu6.fsf@mit.edu>
User-Agent: Gnus/5.110009 (No Gnus v0.9) Emacs/22.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
Subject: [pcp] [Sam Hartman] draft-ietf-pcp-base-27: objection to security considerations change; ietf last call requested
X-BeenThere: pcp@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: PCP wg discussion list <pcp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pcp>, <mailto:pcp-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pcp>
List-Post: <mailto:pcp@ietf.org>
List-Help: <mailto:pcp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pcp>, <mailto:pcp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Sep 2012 00:10:52 -0000
I noticed that my original message never seems to have hit the list. Let's see if this goes better.
--- Begin Message ---Hi. draft-ietf-pcp-base-27 relaxes restrictions in the simple threat model (section 18.1). In particular, it permits the lifetime of a mapping to be reduced or a mapping to be deleted. I understand that reducing the lifetime of mappings is useful, and think that many deployments that implement a security mechanism (and thus fall under the advanced threat model) will choose to have a relaxed authorization policy about deleting mappings. I think the mapping nonce changes introduced in pcp-base-27 will help make that possible. However, for the simple threat model our goal is not to decrease the security of the Internet by deploying a PCP server. We fail to accomplish that. Here's an example of an attack where enabling PCP decreases the security of a network. N1 is a NAT with PCP capability. N2 is a NAT without PCP capability. H1 and H2 are hosts behind N2.; N2 is behind N1. That is, the path from H1 or H2 to the Internet looks like {H1,H2}->N2->N1. > From the standpoint of N1, H1 and H2 have the same internal address. That permits H1 and H2 to create mappings on each others' behalf. However, H1 and H2 cannot spoof each others' IP addresses from the standpoint of N2. For example, H1 and H2 might be on different internal subnets or address spoofing prevention may be in use. H1 is a host that either does not support PCP or follows the spec recommendation not to use PCP through a NAT that does not support PCP. H2 would like to capture H1's traffic. H2 guesses that some traffic will be sent from H1 towards x. H2 guesses that port P will be used as the external port on N2 (the internal port from N1's standpoint). So, N1 will see traffic from <N2, P> towards x. Before H1 sends this traffic, H2 requests a PCP mapping for <N2,P>; it could use either the map or peer opcode. This traffic is mapped to appear to come from <N1, Q>. Later, H2 wants to capture the reply traffic; because H2 created the mapping, H2 knows the mapping nonce and can delete the mapping. Now, H2 needs to convince N1 to allocate Q such that traffic to <N1,Q> will eventually make its way to H2. That depends on attacking N1's port allocation algorithm. This is probably not an attack H2 can mount with 100% chance of success. However by using multiple mappings to amplify the attack, trying to exploit any races in N1, etc. This is the kind of attack that looks hard until someone has it working, then becomes very easy. If N1 disables PCP, the attack is impossible if H1 sends traffic often enough to keep the mapping alive. This is just one attack I found while not looking very hard. I don't have time to perform detailed security analysis on this change, but I have fairly high confidence that it does introduce harm. I suspect that if we look we'll find other attacks. If I end up in the rough within the working group and we send this change to the IESG, I believe a new IETF last call is required. Typically a protocol like PCP would be required to have a mandatory-to-implement security mechanism according to BCP 61. We have tried to strike a compromise to permit PCP to move forward more quickly than the security mechanism work. Many people have reviewed PCP; this has been discussed widely in the security community and elsewhere. If the working group is going to change this compromise after IESG review, the IETF needs to be given a change to re-review and to suggest balancing changes and debate questions like whether PCP should be required to have a BCP 61 security mechanism.--- End Message ---
- Re: [pcp] draft-ietf-pcp-base-27: objection to se… Stephen Farrell
- [pcp] [Sam Hartman] draft-ietf-pcp-base-27: objec… Sam Hartman
- Re: [pcp] [Sam Hartman] draft-ietf-pcp-base-27: o… Simon Perreault
- Re: [pcp] [Sam Hartman] draft-ietf-pcp-base-27: o… Simon Perreault
- Re: [pcp] [Sam Hartman] draft-ietf-pcp-base-27: o… Sam Hartman
- Re: [pcp] [Sam Hartman] draft-ietf-pcp-base-27: o… Simon Perreault
- Re: [pcp] [Sam Hartman] draft-ietf-pcp-base-27: o… Sam Hartman
- Re: [pcp] [Sam Hartman] draft-ietf-pcp-base-27: o… Dan Wing
- Re: [pcp] [Sam Hartman] draft-ietf-pcp-base-27: o… Simon Perreault
- Re: [pcp] [Sam Hartman] draft-ietf-pcp-base-27: o… Dan Wing
- Re: [pcp] draft-ietf-pcp-base-27: objection to se… Dan Wing
- Re: [pcp] draft-ietf-pcp-base-27: objection to se… Tirumaleswar Reddy (tireddy)