ANCP Working Group                                           H. Moustafa
Internet-Draft                                            France Telecom
Intended status: Informational                             H. Tschofenig
Expires: January 10, 2010                         Nokia Siemens Networks
                                                           S. De Cnodder
                                                          Alcatel-Lucent
                                                            July 9, 2009


  Security Threats and Security Requirements for the Access Node Control
                             Protocol (ANCP)
                 draft-ietf-ancp-security-threats-08.txt

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 10, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.

Abstract

   The Access Node Control Protocol (ANCP) aims to communicate QoS-
   related, service-related and subscriber-related configurations and
   operations between a Network Access Server (NAS) and an Access Node
   (e.g., a Digital Subscriber Line Access Multiplexer (DSLAM)).  The
   main goal of this protocol is to allow the NAS to configure, manage
   and control access equipment, including the ability for the access
   nodes to report information to the NAS.

   The present document investigates security threats that all ANCP
   nodes could encounter.  This document develops a threat model for
   ANCP security aiming to decide which security functions are required.
   Based on this, security requirements regarding the Access Node
   Control Protocol are defined.

Table of Contents

   1.  Specification Requirements
   2.  Introduction
   3.  System Overview and Threat Model
   4.  Objectives of Attackers
   5.  Potential Attacks
     5.1.  Denial of Service (DoS)
     5.2.  Integrity Violation
     5.3.  Downgrading
     5.4.  Traffic Analysis
     5.5.  Management Attacks
   6.  Attack Forms
   7.  Attacks Against ANCP
     7.1.  Dynamic Access Loop Attributes
     7.2.  Access Loop Configuration
     7.3.  Remote Connectivity Test
     7.4.  Multicast
   8.  Security Requirements
   9.  Security Considerations
   10. IANA Considerations
   11. Acknowledgments
   12. References
     12.1.  Normative References
     12.2.  Informative References
   Authors' Addresses

1.  Specification Requirements

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119], with the
   qualification that unless otherwise stated they apply to the design
   of the Access Node Control Protocol (ANCP), not its implementation or
   application.

   The relevant components are described in Section 3.

2.  Introduction

   The Access Node Control Protocol (ANCP) aims to communicate QoS-
   related, service-related and subscriber-related configurations and
   operations between a Network Access Server (NAS) and an Access Node
   (e.g., a Digital Subscriber Line Access Multiplexer (DSLAM)).

   [I-D.ietf-ancp-framework] illustrates the framework, usage scenarios
   and general requirements for ANCP.
   This document focuses on describing security threats and deriving
   security requirements for the Access Node Control Protocol,
   considering the ANCP use cases defined in [I-D.ietf-ancp-framework]
   as well as the guidelines for IETF protocols' security requirements
   given in [RFC3365].  Section 5 and Section 6 respectively describe
   the potential attacks and the different attack forms that are liable
   to take place within ANCP, while Section 7 applies the described
   potential attacks to ANCP and its different use cases.  Security
   policy negotiation, including authentication and authorization to
   define the per-subscriber policy at the policy/AAA server, is out of
   the scope of this work.  As a high-level summary, the following
   aspects need to be considered:

   Message Protection:

      Signaling message content can be protected against eavesdropping,
      modification, injection and replay while in transit.  This applies
      to both the ANCP header and payloads.

   Prevention against Impersonation:

      It is important that protection be available against a device
      impersonating an ANCP node (i.e., an unauthorized device
      generating an ANCP message and pretending it was generated by a
      valid ANCP node).

   Prevention of Denial of Service Attacks:

      ANCP nodes and the network have finite resources (state storage,
      processing power, bandwidth).  Protecting these resources against
      exhaustion attacks, and ensuring that ANCP nodes cannot be used to
      launch attacks on other network elements, is of great importance.

3.  System Overview and Threat Model

   As described in [I-D.ietf-ancp-framework] and schematically shown in
   Figure 1, the Access Node Control system consists of the following
   components:

   Network Access Server (NAS):

      A NAS provides access to a service (e.g., network access) and
      operates as a client of the AAA protocol.
      The AAA client is responsible for passing authentication
      information to designated AAA servers and then acting on the
      response that is returned.

   Authentication, Authorization and Accounting (AAA) server:

      A AAA server is responsible for authenticating users, for
      authorizing access to services, and for returning authorization
      information including configuration parameters back to the AAA
      client to deliver service to the user.  As a consequence, service
      usage accounting might be enabled and information about the user's
      resource usage will be sent to the AAA server.

   Access Node (AN):

      The AN is a network device, usually located at a service provider
      central office or street cabinet, that terminates access loop
      connections from subscribers.  In case the access loop is a
      Digital Subscriber Line (DSL), this is often referred to as a DSL
      Access Multiplexer (DSLAM).

   Customer Premises Equipment (CPE):

      A CPE is a device located inside a subscriber's premises that is
      connected at the LAN side of the HGW.

   Home Gateway (HGW):

      The HGW connects the different Customer Premises Equipment (CPE)
      to the Access Node and the access network.  In case of DSL, the
      HGW is a DSL Network Termination (NT) that could either operate as
      a layer 2 bridge or as a layer 3 router.  In the latter case, such
      a device is also referred to as a Routing Gateway (RG).

   Aggregation Network:

      The aggregation network provides traffic aggregation from multiple
      ANs towards the NAS.  ATM or Ethernet transport technologies can
      be used.

   For the threat analysis, this document focuses on the ANCP protocol
   communication between the Access Node and the NAS.  However,
   communications with the other components, such as the HGW, CPE and
   AAA server, play a role in the understanding of the system
   architecture and of what triggers ANCP protocol communications.
   Note that the NAS and the AN might belong to two different
   administrative realms.  The threat model and the security
   requirements in this draft consider this latter case.

                                               +--------+
                                               |  AAA   |
                                               | Server |
                                               +--------+
                                                    |
                                                    |
   +---+   +---+   +------+   +-----------+   +-----+   +--------+
   |CPE|---|HGW|---|      |   |Aggregation|   |     |   |        |
   +---+   +---+   |Access|   | Network   |   |     |   |Internet|
                   | Node |---|           |---| NAS |---|   /    |
   +---+   +---+   | (AN) |   |           |   |     |   |Regional|
   |CPE|---|HGW|---|      |   |           |   |     |   |Network |
   +---+   +---+   +------+   +-----------+   +-----+   +--------+

                       Figure 1: System Overview

   In the absence of an attack, the NAS receives configuration
   information from the AAA server related to a CPE attempting to access
   the network.  A number of parameters, including Quality of Service
   information, need to be conveyed to the Access Node in order to
   become effective.  The Access Node Control Protocol is executed
   between the NAS and the AN to initiate control requests.  The AN
   returns responses to these control requests and provides information
   reports.

   For this to happen, the following individual steps must occur:

   o  The AN discovers the NAS.
   o  The AN needs to start the protocol communication with the NAS to
      announce its presence.
   o  The AN and the NAS perform a capability exchange.
   o  The NAS sends requests to the AN.
   o  The AN processes these requests, authorizes the actions and
      responds with the appropriate answer.  In order to fulfill the
      commands it might be necessary for the AN to communicate with the
      HGW or other nodes, for example as part of a keep-alive mechanism.
   o  The AN provides status reports to the NAS.

   Attackers can be:

   o  off-path, i.e., they cannot see the messages exchanged between the
      AN and the NAS;
   o  on-path, i.e., they can see the messages exchanged between the AN
      and the NAS.
   Both off-path and on-path attackers can be:

   o  passive, i.e., they do not participate in the network operation
      but rather listen to all transfers to obtain the maximum possible
      information;
   o  active, i.e., they participate in the network operation and can
      inject falsified packets.

   We assume the following threat model:

   o  An off-path adversary located at the CPE or the HGW.
   o  An off-path adversary located on the Internet or a regional
      network that connects one or more NASes and associated Access
      Networks to Network Service Providers (NSPs) and Application
      Service Providers (ASPs).
   o  An on-path adversary located at network elements between the AN
      and the NAS.
   o  An on-path adversary taking control over the NAS.
   o  An on-path adversary taking control over the AN.

4.  Objectives of Attackers

   Attackers may direct their efforts either against an individual
   entity or against a large portion of the access network.  Attacks
   fall into three classes:

   o  attacks to disrupt the communication for individual customers;
   o  attacks to disrupt the communication of a large fraction of
      customers in an access network.  These also include attacks on
      the network itself or a portion of it, such as attacks to disrupt
      the network services or attacks to destroy the network
      functioning;
   o  attacks to gain profit for the attacker through modifying the QoS
      settings.  Also, through replaying old packets, of another
      privileged client for instance, an attacker can attempt to
      configure a better QoS profile on its own DSL line, increasing its
      own benefit.

5.  Potential Attacks

   This section discusses the different types of attacks against ANCP,
   while Section 6 describes the possible means of their occurrence.

   ANCP is mainly susceptible to the following types of attacks:

5.1.  Denial of Service (DoS)

   A number of denial of service (DoS) attacks can cause ANCP nodes to
   malfunction.  When state is established or certain functions are
   performed without requiring prior authorization, there is a chance to
   mount denial of service attacks.  An adversary can exploit this to
   transmit a large number of signaling messages in order to allocate
   state at nodes and to consume resources.  Also, through DoS, an
   adversary can prevent certain subscribers from accessing certain
   services.  Moreover, DoS can take place at the AN or the NAS
   themselves, where it is possible for the NAS (or the AN) to
   intentionally ignore the requests received from the AN (or the NAS)
   by not replying to them.  This causes the sender of the request to
   retransmit the request, which might allocate additional state at the
   sender side to process the reply.  Allocating more state may result
   in memory depletion.

5.2.  Integrity Violation

   Adversaries gaining illegitimate access to the transferred messages
   can act on these messages, causing integrity violation.  Integrity
   violation can cause unexpected network behavior leading to a
   disturbance in the network services as well as the network
   functioning.

5.3.  Downgrading

   Protocols may be useful in a variety of scenarios with different
   security and functional requirements.  Different parts of a network
   (e.g., within a building, across a public carrier's network, or over
   a private microwave link) may need different levels of protection.
   It is often difficult to meet these (sometimes conflicting)
   requirements with a single mechanism or fixed set of parameters, so
   often a selection of mechanisms and parameters is offered.  A
   protocol is required to agree on certain (security) mechanisms and
   parameters.
   An insecure parameter exchange or security negotiation protocol can
   give an adversary the opportunity to mount a downgrading attack to
   force selection of mechanisms weaker than those mutually desired.
   Thus, without binding the negotiation process to the legitimate
   parties and protecting it, ANCP might only be as secure as the
   weakest mechanism provided (e.g., weak authentication), and the
   benefits of defining configuration parameters and a negotiation
   protocol are lost.

5.4.  Traffic Analysis

   An adversary can be placed at the NAS, or the AN, or any other
   network element, capturing all traversing packets.  Adversaries can
   thus gain unauthorized access to information.  As well, they can
   gather information relevant to the network and then use this
   information to gain unauthorized access later.  This attack can also
   help adversaries with other malicious purposes, as for example
   capturing messages sent from the AN to the NAS announcing that a DSL
   line is up and containing some information related to the connected
   client.  This could be any form of information about the client and
   could also be an indicator of whether the DSL subscriber is at home
   or not at a particular moment.

5.5.  Management Attacks

   Since the ANCP sessions are configured in the AN and not in the NAS
   [I-D.ietf-ancp-framework], most configuration of ANCP is done in the
   AN.  Consequently, the management attacks on ANCP mainly concern the
   AN configuration phase.  In this context, the AN MIB module could
   enable disclosure and misconfiguration related attacks.
   [I-D.ietf-ancp-mib-an] defines the vulnerabilities of the management
   objects within the AN MIB module.
   These attacks mainly concern unauthorized changes of the management
   objects, leading to a number of attacks such as session deletion, a
   session using an undesired/unsupported protocol, disabling certain
   ANCP capabilities or enabling undesired capabilities, ANCP packets
   being sent out to the wrong interface (and thus received by an
   unintended receiver), harming the synchronization between the AN and
   the NAS, and impacting traffic in the network other than ANCP.

6.  Attack Forms

   The attacks mentioned above in Section 5 can be carried out through
   the following means:

   Message Replay:

      This threat scenario covers the case in which an adversary
      eavesdrops, collects signaling messages, and replays them at a
      later time (or at a different place or in a different way; e.g.,
      cut-and-paste attacks).  Through replaying of signaling messages,
      an adversary might mount denial of service and theft of service
      attacks.

   Faked Message Injection:

      An adversary may be able to inject false error or response
      messages causing unexpected protocol behavior and succeeding with
      a DoS attack.  This could be achieved at the signaling protocol
      level, at the level of specific signaling parameters (e.g., QoS
      information), or at the transport layer.  An adversary might, for
      example, inject a signaling message to request allocation of QoS
      resources.  As a consequence, other users' traffic might be
      impacted.  The discovery protocol, especially, exhibits
      vulnerabilities with regard to this threat scenario.

   Message Modification:

      This involves integrity violation, where an adversary can modify
      signaling messages in order to cause unexpected network behavior.
      Possible related actions an adversary might consider for its
      attack are reordering and delaying of messages, causing a
      protocol process failure.
   Man-in-the-Middle:

      An adversary might claim to be a NAS or an AN, acting as a
      man-in-the-middle to later cause communication and service
      disruption.  The consequence can range from DoS to fraud.  An
      adversary acting as a man-in-the-middle could modify the
      intercepted messages, causing integrity violation, or could drop
      or truncate the intercepted messages, causing DoS and a protocol
      process failure.  In addition, a man-in-the-middle adversary can
      signal information to an illegitimate entity in place of the
      right destination.  In this case the protocol could appear to
      continue working correctly.  This may result in an AN contacting
      a wrong NAS.  For the AN, this could mean that the protocol failed
      for unknown reasons.  A man-in-the-middle adversary can also cause
      downgrading attacks through initiating faked configuration
      parameters and through forcing selection of weak security
      parameters or mechanisms.

   Eavesdropping:

      This is related to adversaries that are able to eavesdrop on
      transferred messages.  The collection of the transferred packets
      by an adversary may allow traffic analysis or be used later to
      mount replay attacks.  The eavesdropper might learn QoS
      parameters, communication patterns, policy rules for firewall
      traversal, policy information, application identifiers, user
      identities, NAT bindings, authorization objects, network
      configuration and performance information, and more.

7.  Attacks Against ANCP

   ANCP is susceptible to security threats causing disruption of or
   unauthorized access to network services, manipulation of the
   transferred data, and interference with network functions.  Based on
   the threat model given in Section 3 and the potential attacks
   presented in Section 5, this section describes the possible attacks
   against ANCP, considering the four use cases defined in
   [I-D.ietf-ancp-framework].
   Although the ANCP protocol is not involved in the communication
   between the NAS and the AAA/policy server, secure communication
   between the NAS and the AAA/policy server is important for ANCP
   security.  Consequently, this draft considers the attacks that are
   related to the ANCP operation associated with the communication
   between the NAS and the AAA/policy server.  In other words, the
   threat model and security requirements in this draft take into
   consideration the data transfer between the NAS and the AAA server,
   when this data is used within the ANCP operation.

   Besides the attacks against the four ANCP use cases described in the
   following subsections, ANCP is susceptible to a number of attacks
   that can take place during the protocol establishment phase.  These
   attacks are mainly on-path attacks, taking the form of DoS or
   man-in-the-middle attacks, which could be as follows:

   o  Attacks during the session initiation from the AN to the NAS: DoS
      attacks could take place affecting the session establishment
      process.  Also, man-in-the-middle attacks could take place,
      causing message truncation or message modification and leading to
      session establishment failure.
   o  Attacks during the peering establishment: DoS attacks could take
      place during state synchronization between the AN and the NAS.
      Also, a man-in-the-middle attack could take place through message
      modification during identity discovery, which may lead to loss of
      contact between the AN and the NAS.
   o  Attacks during capabilities negotiation: Message replay could
      take place leading to DoS.  Also, a man-in-the-middle attack could
      take place leading to message modification, message truncation, or
      downgrading through advertising lesser capabilities.

7.1.  Dynamic Access Loop Attributes

   This use case concerns the communication of access loop attributes
   for dynamic access line topology discovery.
   Since the access loop rate may change over time, advertisement is
   beneficial to the NAS to gain knowledge about the topology of the
   access network for QoS scheduling.  Besides data rates and access
   loop link identification, other information may also be transferred
   from the AN to the NAS (examples in case of a DSL access loop are:
   DSL type, maximum achievable data rate, and maximum data rate
   configured for the access loop).  This use case is thus vulnerable
   to a number of on-path and off-path attacks that can be either active
   or passive.

   On-path attacks can take place between the AN and the NAS, on the AN
   or on the NAS during the access loop attributes transfer.  These
   attacks may be:

   o  Active, acting on the transferred attributes and injecting
      falsified packets.  The main attacks here are:
      *  A man-in-the-middle attack can cause access loop attributes
         transfer between the AN and a forged NAS or a forged AN and the
         NAS, which can directly cause faked attributes and message
         modification or truncation.
      *  Signaling replay, by an attacker between the AN and the NAS, on
         the AN or on the NAS itself, causing DoS.
      *  An adversary acting as man-in-the-middle can cause downgrading
         through changing the access loop actual data rate, which
         impacts the downstream shaping from the NAS.
   o  Passive, only learning these attributes.  The main attacks here
      are caused by:
      *  Eavesdropping, through learning access loop attributes and
         learning information about the clients' connection state, and
         thus impacting their privacy protection.
      *  Traffic analysis allowing unauthorized information access, that
         could allow later unauthorized access to the NAS.

   Off-path attacks can take place on the Internet affecting the access
   loop attributes sharing between the NAS and the policy server.
   These attacks may be:

   o  Active attacks, which mainly concern:
      *  DoS through flooding the communication links to the policy
         server, causing service disruption.
      *  Man-in-the-middle, causing access loop configuration retrieval
         by an illegitimate NAS.
   o  Passive attacks, gaining information on the access loop
      attributes.  The main attacks in this case are:
      *  Eavesdropping, through learning access loop attributes and
         learning information about the clients' connection state, and
         thus impacting their privacy protection.
      *  Traffic analysis allowing unauthorized information access, that
         could allow later unauthorized access to the NAS.

7.2.  Access Loop Configuration

   This use case concerns the dynamic local loop line configuration,
   allowing the NAS to change the access loop parameters (e.g., rate)
   in a dynamic fashion.  This allows for centralized subscriber-related
   service data.  This dynamic configuration can be achieved, for
   instance, through profiles that are pre-configured on ANs.  This use
   case is vulnerable to a number of on-path and off-path attacks.

   On-path attacks can take place, where the attacker is between the AN
   and the NAS, is on the AN, or is on the NAS.  These can be as
   follows:

   o  Active attacks, taking the following forms:
      *  DoS attacks on the AN can be mounted by an attacker through
         replaying the Configure Request messages.
      *  An attacker on the AN can prevent the AN from reacting to the
         NAS request for the access loop configuration, leading to the
         NAS continually sending the Configure Request message and hence
         allocating additional state.
      *  Damaging clients' profiles at ANs can be done by attackers
         that gained control of the network through discovery of user
         information from a previous traffic analysis.
      *  An adversary can replay old packets, modify messages, or inject
         faked messages.
         Such an adversary can also be a man-in-the-middle.  These
         attack forms can be applied to a privileged client profile
         (having more services), so as to configure this profile on the
         adversary's own, less privileged DSL line.  In order not to
         expose its identity, the attacker may also use these attack
         forms on the privileged client profile to configure a number
         of illegitimate DSL lines.  The adversary can also force
         configuration parameters other than the selected ones, leading
         for instance to downgrading the service for a privileged
         client.
   o  Passive attacks, where the attacker listens to the ANCP messages.
      This can take place as follows:
      *  Learning configuration attributes is possible during the update
         of the access loop configuration.  An adversary might profit
         from seeing the configuration that someone else gets (e.g.,
         one ISP might be interested to know what the customers of
         another ISP get and therefore might break into the AN to see
         this).

   Off-path attacks can take place as follows:

   o  An off-path passive adversary on the Internet can eavesdrop
      during the access loop configuration retrieval by the NAS from the
      policy server.
   o  An off-path active adversary on the Internet can threaten the
      centralized subscriber-related service data in the policy server,
      for instance through making subscriber records inaccessible.

7.3.  Remote Connectivity Test

   In this use case, the NAS can carry out a Remote Connectivity Test
   using ANCP to initiate an access loop test between the AN and the
   HGW.  Thus, multiple access loop technologies can be supported.  This
   use case is vulnerable to a number of active attacks.  Most of the
   attacks in this use case concern the network operation.
   On-path active attacks can take place in the following forms:

   o  A man-in-the-middle attack during the NAS triggering the AN to
      carry out the test, where an adversary can inject falsified
      signals or can truncate the triggering.
   o  Message modification can take place during the Subscriber Response
      message transfer from the AN to the NAS announcing the test
      results, causing failure of the test operation.
   o  An adversary on the AN can prevent the AN from sending the
      Subscriber Response message to the NAS announcing the test
      results, and hence the NAS will continue triggering the AN to
      carry out the test, which results in more state being allocated at
      the NAS.  This may result in unavailability of the NAS to the ANs.

   Off-path active attacks can take place as follows:

   o  An adversary can cause DoS during the access loop test, in case of
      an ATM-based access loop, when the AN generates loopback cells.
      This can take place through signal replaying.
   o  Message truncation can be caused by an adversary during the
      access loop test, which can lead to service disruption due to the
      assumption of test failure.

7.4.  Multicast

   In this use case, ANCP could be used for exchanging information
   between the AN and the NAS, allowing the AN to perform replication
   in line with the policy and configuration of the subscriber.  Also,
   this allows the NAS to follow subscribers' multicast (source, group)
   membership and control replication performed by the AN.  Four
   multicast use cases are expected to take place making use of the
   ANCP protocol; these are typically: multicast conditional access,
   multicast admission control, multicast accounting, and multicast
   termination.  This section gives a high-level description of the
   possible attacks that can take place in this case.  Attacks that can
   occur are mostly active attacks.
   On-path active attacks can be as follows:

   o  DoS attacks, causing certain subscribers to be unable to access
      particular multicast streams, or to access the multicast stream
      only at a reduced bandwidth, impacting the quality of the
      possible video stream.  This can take place through message
      replay by an attacker between the AN and the NAS, on the AN or on
      the NAS.  Such DoS attacks can also be done by tampering, for
      instance, with the White/Black list configuration or by attacking
      the bandwidth admission control mechanism.

   o  An adversary on the NAS can prevent the NAS from reacting to the
      AN requests for white/black/grey lists or for admission control
      for the access line.  The AN in this case would not receive a
      reply and would continue sending its requests, resulting in more
      state being allocated at the AN.  A similar case happens for
      admission control when the NAS can also send requests to the AN.
      When the NAS does not receive a response, it could also
      retransmit requests, resulting in more state being allocated at
      the NAS side to process responses.  This may result in
      unavailability of the NAS to the ANs.

   o  Man-in-the-middle causing message exchange between the AN and a
      forged NAS, or between a forged AN and the NAS.  This can lead to
      the following:

      *  Message modification, which can cause service downgrading for
         a legitimate subscriber, as for instance an illegitimate
         change of a subscriber's policy.

      *  Message truncation between the AN and the NAS, which can
         result in service discontinuity.

      *  Message replay between the AN and the NAS, on the AN or on the
         NAS, leading to a DoS or to service fraud.

      *  Message modification to tamper with accounting information,
         for example in order to avoid service charges or, conversely,
         in order to artificially increase service charges on other
         users.
   An off-path active attack is as follows:

   o  DoS could take place through message replay of join/leave
      requests by the HGW or CPE, frequently triggering ANCP protocol
      activity between the AN and the NAS.  DoS could also result from
      the HGW or CPE generating large numbers of IGMP joins/leaves,
      leading to a very high rate of ANCP query/response.

8.  Security Requirements

   This section presents a number of requirements motivated by the
   different types of attacks defined in the previous section.  These
   requirements are as follows:

   o  The protocol solution MUST offer authentication of the AN to the
      NAS.

   o  The protocol solution MUST offer authentication of the NAS to the
      AN.

   o  The protocol solution MUST allow authorization to take place at
      the NAS and the AN.

   o  The protocol solution MUST offer replay protection.

   o  The protocol solution MUST provide data origin authentication.

   o  The protocol solution MUST be robust against denial of service
      (DoS) attacks.  In this context, the protocol solution MUST
      consider a specific mechanism for the DoS that the user might
      create by sending many IGMP messages.

   o  The protocol solution SHOULD offer confidentiality protection.

   o  The protocol solution SHOULD ensure that operations in the default
      configuration guarantee a low level of AN/NAS protocol
      interactions.

   o  The protocol solution SHOULD ensure access control of the
      management objects and possibly encrypt the values of these
      objects when sending them over the network.

   o  The protocol solution SHOULD ensure the security of the
      management channels.

9.  Security Considerations

   This document focuses on security threats, deriving a threat model
   for ANCP and presenting the security requirements to be considered
   for the design of the ANCP protocol.

10.  IANA Considerations

   This document does not require actions by IANA.
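   The following is an added example, not part of this draft and not
   ANCP's own mechanism or any ANCP implementation.  It shows, in
   Python, one way a receiver could enforce the Section 8 requirements
   for peer authentication, data origin authentication and replay
   protection, and how the per-line IGMP join/leave rate behind the
   off-path DoS of Section 7.4 can be bounded before it turns into
   ANCP query/response load.  The pre-shared key, the peer names AN-1
   and NAS-1, the JSON message layout and the rate limits are
   assumptions for illustration only.

```python
"""Added example (not ANCP's own mechanism): one way to meet the Section 8
requirements for peer authentication, data origin authentication and replay
protection, plus a per-line rate limiter for the IGMP join/leave flood
described in Section 7.4.  Key, peer names, message layout and limits are all
assumed for illustration."""
import hashlib
import hmac
import json
from collections import defaultdict

# Assumed: one pre-shared key per AN/NAS pair, provisioned by the operator.
SHARED_KEY = b"example-preshared-key-replace-in-deployment"


def build_message(key: bytes, sender: str, receiver: str, seq: int, body: dict) -> dict:
    """Sender side: bind identities, direction and sequence number into the
    MAC so the receiver can check origin and detect replays or reflection."""
    fields = {"sender": sender, "receiver": receiver, "seq": seq, "body": body}
    payload = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "mac": tag}


class PeerState:
    """Receiver-side state for one authenticated peer (AN or NAS)."""

    def __init__(self, key: bytes, my_name: str, peer_name: str):
        self.key = key
        self.my_name = my_name
        self.peer_name = peer_name
        self.last_seq = 0  # highest sequence number accepted so far

    def verify(self, message: dict):
        """Return (accepted, reason, body).  A message is accepted only if
        its MAC verifies, it was addressed from the expected peer to us,
        and its sequence number is higher than anything seen before."""
        payload = message["payload"].encode()
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["mac"]):
            return False, "bad-mac", None      # forged or modified in transit
        fields = json.loads(payload)
        if fields["sender"] != self.peer_name or fields["receiver"] != self.my_name:
            return False, "wrong-peer", None   # reflected or misdirected message
        if fields["seq"] <= self.last_seq:
            return False, "replay", None       # replayed or stale message
        self.last_seq = fields["seq"]
        return True, "ok", fields["body"]


class LineRateLimiter:
    """Token bucket per subscriber line, bounding how often IGMP join/leave
    activity from one HGW/CPE may trigger AN/NAS protocol exchanges.
    rate_per_sec and burst are assumed operator settings."""

    def __init__(self, rate_per_sec: float, burst: int):
        self.rate = rate_per_sec
        self.burst = burst
        # line_id -> [tokens available, timestamp of last update]
        self.buckets = defaultdict(lambda: [float(burst), None])

    def allow(self, line_id: str, now: float) -> bool:
        """True if one more join/leave from line_id may be processed at time now."""
        tokens, last = self.buckets[line_id]
        if last is not None:
            tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self.buckets[line_id] = [tokens - 1.0, now]
            return True
        self.buckets[line_id] = [tokens, now]  # dropped; no ANCP query sent
        return False


if __name__ == "__main__":
    nas = PeerState(SHARED_KEY, "NAS-1", "AN-1")
    msg = build_message(SHARED_KEY, "AN-1", "NAS-1", 1, {"op": "port-up", "line": "dsl/7"})
    print(nas.verify(msg))   # accepted
    print(nas.verify(msg))   # same message again: rejected as replay
```

   A single shared key for both directions makes reflection a concern,
   which is why the sender and receiver names are covered by the MAC
   and checked against the expected peer.  A strictly increasing
   sequence number satisfies replay protection only while the receiver
   keeps its last accepted value across restarts, or a fresh key is
   agreed per session; the rate limiter drops excess joins/leaves at
   the AN so that one subscriber line cannot force unbounded ANCP
   exchanges with the NAS.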
11.  Acknowledgments

   Many thanks go to Francois Le Faucher for reviewing this draft and
   for all his useful comments.  The authors would also like to thank
   Philippe Niger, Curtis Sherbo and Michael Busser for reviewing this
   draft.  Other thanks go to Bharat Joshi, Mark Townsley, Wojciech
   Dec, and Kim Hylgaard, who have had valuable comments during the
   development of this work.

12.  References

12.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", March 1997.

   [RFC3365]  Schiller, J., "Strong Security Requirements for Internet
              Engineering Task Force Standard Protocols", August 2002.

12.2.  Informative References

   [I-D.ietf-ancp-framework]
              Ooghe, S., Voigt, N., Platnic, M., Haag, T., and S.
              Wadhwa, "Framework and Requirements for an Access Node
              Control Mechanism in Broadband Multi-Service Networks",
              draft-ietf-ancp-framework-10 (work in progress), May 2009.

   [I-D.ietf-ancp-mib-an]
              Cnodder, S. and M. Morgenstern, "Access Node Control
              Protocol (ANCP) MIB module for Access Nodes",
              draft-ietf-ancp-mib-an-03 (work in progress), June 2008.

Authors' Addresses

   Hassnaa Moustafa
   France Telecom
   38-40 rue du General Leclerc
   Issy Les Moulineaux, 92794 Cedex 9
   France

   Email: hassnaa.moustafa@orange-ftgroup.com

   Hannes Tschofenig
   Nokia Siemens Networks
   Linnoitustie 6
   Espoo 02600
   Finland

   Phone: +358 (50) 4871445
   Email: Hannes.Tschofenig@gmx.net
   URI:   http://www.tschofenig.priv.at

   Stefaan De Cnodder
   Alcatel-Lucent
   Copernicuslaan 50
   B-2018 Antwerp
   Belgium

   Phone: +32 3 240 85 15
   Email: stefaan.de_cnodder@alcatel-lucent.com