[secdir] secdir Review of draft-ietf-pcp-nat64-prefix64-04
Stephen Hanna <shanna@juniper.net> Tue, 21 January 2014 23:46 UTC
Return-Path: <shanna@juniper.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16FED1A0263; Tue, 21 Jan 2014 15:46:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZVqJSBC9GQzV; Tue, 21 Jan 2014 15:46:23 -0800 (PST)
Received: from co9outboundpool.messaging.microsoft.com (co9ehsobe004.messaging.microsoft.com [207.46.163.27]) by ietfa.amsl.com (Postfix) with ESMTP id E8BCD1A0260; Tue, 21 Jan 2014 15:46:22 -0800 (PST)
Received: from mail134-co9-R.bigfish.com (10.236.132.252) by CO9EHSOBE025.bigfish.com (10.236.130.88) with Microsoft SMTP Server id 14.1.225.22; Tue, 21 Jan 2014 23:46:22 +0000
Received: from mail134-co9 (localhost [127.0.0.1]) by mail134-co9-R.bigfish.com (Postfix) with ESMTP id 6A7132A0251; Tue, 21 Jan 2014 23:46:22 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.240.101; KIP:(null); UIP:(null); IPV:NLI; H:BL2PRD0510HT003.namprd05.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: 1
X-BigFish: VPS1(zz4015Izz1f42h2148h208ch1ee6h1de0h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6hzzz2fh109h2a8h839h944hd24hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah224fh1d07h1d0ch1d2eh1d3fh1dc1h1de9h1dfeh1dffh1fe8h1ff5h2216h22d0h2336h2461h2487h9a9j1155h)
Received-SPF: pass (mail134-co9: domain of juniper.net designates 157.56.240.101 as permitted sender) client-ip=157.56.240.101; envelope-from=shanna@juniper.net; helo=BL2PRD0510HT003.namprd05.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009001)(6009001)(189002)(199002)(164054003)(83072002)(79102001)(74876001)(93136001)(81342001)(74662001)(74502001)(54356001)(31966008)(81816001)(63696002)(47446002)(76176001)(76786001)(92566001)(65816001)(81542001)(53806001)(93516002)(2656002)(86362001)(81686001)(69226001)(87936001)(66066001)(76796001)(85852003)(90146001)(46102001)(56816005)(54316002)(33646001)(85306002)(74366001)(74706001)(74316001)(49866001)(77982001)(87266001)(80022001)(56776001)(76576001)(47736001)(83322001)(51856001)(76482001)(47976001)(80976001)(59766001)(4396001)(50986001)(24736002); DIR:OUT; SFP:1101; SCL:1; SRVR:BLUPR05MB740; H:BLUPR05MB737.namprd05.prod.outlook.com; CLIP:66.129.239.13; FPR:; RD:InfoNoRecords; MX:1; A:1; LANG:en;
Received: from mail134-co9 (localhost.localdomain [127.0.0.1]) by mail134-co9 (MessageSwitch) id 1390347980469991_16598; Tue, 21 Jan 2014 23:46:20 +0000 (UTC)
Received: from CO9EHSMHS011.bigfish.com (unknown [10.236.132.229]) by mail134-co9.bigfish.com (Postfix) with ESMTP id 6DCE8E0048; Tue, 21 Jan 2014 23:46:20 +0000 (UTC)
Received: from BL2PRD0510HT003.namprd05.prod.outlook.com (157.56.240.101) by CO9EHSMHS011.bigfish.com (10.236.130.21) with Microsoft SMTP Server (TLS) id 14.16.227.3; Tue, 21 Jan 2014 23:46:20 +0000
Received: from BLUPR05MB740.namprd05.prod.outlook.com (10.141.208.28) by BL2PRD0510HT003.namprd05.prod.outlook.com (10.255.100.38) with Microsoft SMTP Server (TLS) id 14.16.395.1; Tue, 21 Jan 2014 23:46:19 +0000
Received: from BLUPR05MB737.namprd05.prod.outlook.com (10.141.208.17) by BLUPR05MB740.namprd05.prod.outlook.com (10.141.208.28) with Microsoft SMTP Server (TLS) id 15.0.851.15; Tue, 21 Jan 2014 23:46:18 +0000
Received: from BLUPR05MB737.namprd05.prod.outlook.com ([10.141.208.17]) by BLUPR05MB737.namprd05.prod.outlook.com ([10.141.208.17]) with mapi id 15.00.0851.011; Tue, 21 Jan 2014 23:46:18 +0000
From: Stephen Hanna <shanna@juniper.net>
To: "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-pcp-nat64-prefix64.all@tools.ietf.org" <draft-ietf-pcp-nat64-prefix64.all@tools.ietf.org>
Thread-Topic: secdir Review of draft-ietf-pcp-nat64-prefix64-04
Thread-Index: Ac8XAvhsFQvpZlpNT8uP4E8QAIyyLQ==
Date: Tue, 21 Jan 2014 23:46:17 +0000
Message-ID: <1f794d77ca95458d9d7cf06e20950090@BLUPR05MB737.namprd05.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [66.129.239.13]
x-forefront-prvs: 0098BA6C6C
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Subject: [secdir] secdir Review of draft-ietf-pcp-nat64-prefix64-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jan 2014 23:46:25 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document defines a new PCP (Port Control Protocol) option to learn the IPv6 prefix(es) used by a PCP-controlled NAT64 device to build IPv4-converted IPv6 addresses (known as "Pref64::/n"). The Security Considerations for this draft are a good start but they are missing some key information. 1) The second paragraph of the Security Considerations section points out that if an attacker can fool a host into using the wrong value for Pref64::/n, the traffic generated using that value will be delivered to the wrong location. That's right but not all the implications are mentioned. A MITM (Man In The Middle) attack can be performed in this manner, permitting alterations to the traffic (not just eavesdropping). This should be mentioned. 2) The next paragraph of the Security Considerations section suggests defenses to prevent the attacker from substituting the wrong value for Pref64::/n. However, the defense that is suggested (IP-based ACLs on the PCP server, client, or network) won't help much. Attackers can just place the PCP server's IP address in the source address of the fake PCP response packet sent by the attack. The nonce in the MAP or PEER response means that the attacker must capture or predict this value but no nonce is present in the ANNOUNCE response so that would probably be the preferred attack method, especially since ANNOUNCE responses can be sent out via multicast at any time. I suggest that the spec prohibit sending the PREFIX64 option in a multicast ANNOUNCE response, unless effective countermeasures for this attack are found. In addition to these security issues, I found some other issues that are not related to security: 1) You should explain that RFC 6146 defines Pref64::/n. Otherwise, that term is quite cryptic. 2) Several places in the document, you say that PREFIX64 is a PCP "extension". The PCP spec doesn't define what a PCP extension is. Say "PCP option" instead. 3) In section 3.2.1, say "synthesize" not "synthesizes". 4) In section 4.1 and several other places, the field Pref64 is also called Prefix64. Come up with one name for the field and stick with it. 5) Split section 4.2 into Client Behavior and Server Behavior. The current text is too confusing. For example, the text at the bottom of page 7 is a confusing mishmash of server and client handling of multiple PREFIX64 options. 6) Text near the top of page 8 says "The PCP server can be configured with a customized IPv6 prefix list" but that won't work when PREFIX64 is added to a multicast ANNOUNCE response. That's another reason not to permit this, in addition to security issue 2) above. 7) When IPv4 prefix lists are configured and multiple IPv6 prefix lists are also configured, the first PREFIX64 option includes the IPv4 prefix lists. Can the later PREFIX64 options also include their own IPv4 prefix lists? If one or more of those later PREFIX64 options does NOT have its own IPv4 prefix list, what does that mean? Does it inherit the IPv4 prefix list of the previous PREFIX64 option? The current text is not clear. 8) The example in section 5.1 says that it "depicts a typical usage of the PREFIX64 option when a DNS64 capability is embedded in the host." Did you mean "is not embedded"? I don't see how DNS64 is being used in this example. 9) Is this document still relevant? RFC 7051 says: Our conclusion is to recommend publishing the Well-Known DNS Name heuristic discovery-based method as a Standards Track IETF document for applications and host implementors to implement as-is. With that, is there still a need for this document? I hope that you find these comments useful. Thanks, Steve
- [secdir] secdir Review of draft-ietf-pcp-nat64-pr… Stephen Hanna
- Re: [secdir] secdir Review of draft-ietf-pcp-nat6… mohamed.boucadair
- Re: [secdir] secdir Review of draft-ietf-pcp-nat6… Stephen Hanna
- Re: [secdir] secdir Review of draft-ietf-pcp-nat6… mohamed.boucadair
- Re: [secdir] secdir Review of draft-ietf-pcp-nat6… Stephen Hanna
- Re: [secdir] secdir Review of draft-ietf-pcp-nat6… mohamed.boucadair
- Re: [secdir] secdir Review of draft-ietf-pcp-nat6… Ted Lemon