[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: ISATAP vs alternatives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-09.txt]

To: Pekka Savola <pekkas@netcore.fi>, "Karim El-Malki \(HF/EAB\)" <karim.el-malki@ericsson.com>
Subject: RE: ISATAP vs alternatives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-09.txt]
From: Fred Templin <osprey67@yahoo.com>
Date: Fri, 26 Mar 2004 09:57:14 -0800 (PST)
Cc: v6ops@ops.ietf.org
In-reply-to: <Pine.LNX.4.44.0403261904430.12540-100000@netcore.fi>

I couldn't quite tell from your mesasge since you didn't state it;
was this a "WG chair hat on" message or a "bozo on the bus" message?

Fred
osprey67@yahoo.com


--- Pekka Savola <pekkas@netcore.fi> wrote:
> On Fri, 26 Mar 2004, Karim El-Malki (HF/EAB) wrote:
> >  > ISATAP uses a pseudo-interface (this is especially problematic if the
> >  > implementation also has a 6to4 pseudo-interface, and one big reason
> >  > why ISATAP should be avoided).  ISATAP accepts proto-41 packets from
> >  > anyone.
> > 
> > Just like an IPv6 host accepts IPv6 packets from anyone right?
> > By using appropriate security (incl. ingress filtering) you limit
> > the risks. But this is not a problem of ISATAP.
> 
> No, ISATAP opens a (semi-)trusted conduit, a virtual link, to everyone
> in the Internet (or everyone in the ISATAP site, if the border
> security is done properly).  Specifically, the ISATAP
> pseudo-interface, with its link local addresses and functionality
> using link-local addresses is placed at risk. This is not possible
> with just any IPv6 host.
> 
> This is completely different from any IPv6 host accepting IPv6
> packets.  To say it differently, a regular IPv6 host cannot receive
> packets with a link-local source address and TTL=255 from practically
> anyone out there, from completely untrusted source.  ISATAP allows --
> no, even stronger, requires! -- this.
> 
> (There are other problems with the ISATAP router spoofing as well, but 
> they are probably not as relevant compared to this.)
> 
> >  > ISATAP does direct tunneling between the nodes (even if they
> >  > aren't in the same admin domain, if deployed as you propose).  ISATAP
> >  > relies that the site has made appropriate protections at its
> >  > perimeter, or else its security properties fall apart.  ISATAP was
> >  > devised to be used inside a site, not across the sites.
> > 
> > And that's exactly what is proposed, it is always inside a site
> > from the IP viewpoint.
> 
> You do not understand the the concept of "administrative domain".  UEs 
> do not belong to the same AD as the 3GPP operator.
>  
> >  > I do not know which specific simplified subset of ISATAP you have in
> >  > mind, but these are fundamental issues with ISATAP as it is 
> >  > (and as it
> >  > always has been).  Some of these have been made worse (or new ones
> >  > introduced) along the lifetime of ISATAP, so depending on what's
> >  > implemented, it could be worse as well.
> > 
> > It has been implemented and used widely. You may claim that only a
> > subset was used and I would be happy to agree. Still that is a reason
> > for the ISATAP document to be modified to reflect what is deployed and
> > any limitations but not a reason to discard it. I am certainly in favour
> > of this and had already sent come comments to Fred Templin about this
> > to share with the authors.
> 
> It would help in this discussion if the specific features (and
> security protections) implemented and used was explicitly spelled out.
>  
> > By ignoring the reality of what is out there this will make it harder
> > for IPv6 to be deployed. Also you are just turning the tables since the
> > text you wanted in that spec is specifically pushing for STEP. So if there
> > is someone pushing for their solution which the WG has not adopted yet it's
> > not me unlike what you seem to be hinting. I would like ISATAP to be
> > given fair consideration, since it is anyway used today and a likely candidate
> > for more deployment in the short run. 
> 
> I fail to see what's unfair about the current text.  Moreover, no 
> objections were raised.
> 
> It just lists ISATAP as a proposal, mentions a few problems which have
> been raised about it, and describes a few alternatives in case these
> problems are considered to be a problem -- and says more work is
> needed.
> 
> > Creating an ISATAP vs. STEP competiton
> > as you are doing will just leave us with nothing to deploy since STEP is
> > too new.
> 
> So, are you saying, "we must get ISATAP, otherwise there is nothing we
> can deploy"?
> 
> FWIW, I certainly don't want to push for STEP.  There's work in
> progress to create a more unified tunnel server solution.  But IMHO
> ISATAP seems to have way too many drawbacks to go for it blindfolded.
> And don't say this comes as a late surprise.  I think I've been
> complaining about this at least a year or two now, but folks don't
> seem to care or don't seem to have sufficient security expertise to
> even understand the problems.
> 
> >  > Read closer about non-interoperability: it says basically that if we
> >  > wanted to "simplify" or secure ISATAP considerably, that would likely
> >  > require non-interoperable changes to the spec.  It is not trying to
> >  > say that current ISATAP implementations are non-interoperable.
> > 
> > Since current interoperable ISATAP implementations are already a
> > "simplified" version your logic doesn't make sense.
> 
> Then they quite likely aren't yet what was referred to with the
> "simplified" reference in draft-ietf-v6ops-3gpp-analysis-09.
> 
> I.e., such simplified version could be e.g. a variant which would not
> include direct tunneling between ISATAP nodes at all.  This would not 
> be suitable in some other contexts, though.
> 
> >  > > The paragraph above also talks about ISATAP complexity and 
> >  > this does
> >  > > not match the experience with the deployed base. We're 
> >  > talking about
> >  > > supporting RA/RS over a tunnel interface and that doesn't seem like
> >  > > something complex. 
> >  > 
> >  > It has much more to it than just RA/RS over a tunnel interface.
> > 
> > Again, it says deployed base.
> 
> Direct tunneling between ISATAP nodes in the same ISATAP site is in
> the deployed base, right?  Thought so.
> 
> >  > I don't think you understand the issues that come into play when you 
> >  > deploy something to be used across administrative domains.  The 
> >  > interface between domains must be carefully analyzed.  It 
> >  > helps a lot 
> >  > if the interface is simple and easy to understand (IMHO which ISATAP 
> >  > isn't).
> > 
> > Actually I think your logic does not reflect at all how a 3gpp mobile
> > network works. Once again, there is no crossing of administrative domains
> > in the way you mean it.
> 
> Administrative domain as a concept has very little to do with the
> technique used in the network.  I.e., it still holds.
> 
> >  > It is one thing to say that the 3GPP operator has identified the user
> >  > (whether using regular or pre-paid SIM or whatever) -- and
> >  > consequently everything any user does to the operator, the 
> >  > Internet or
> >  > the user would be magically trusted -- and another to consider what
> >  > the user is able to believe.
> >  > That is, 1) can the user trust 
> >  > the other
> >  > 3GPP users who are doing direct tunneling to it, possibly injecting
> >  > malicious packets (which they wouldn't be able to do, unless 
> >  > there was
> >  > ISATAP),
> > 
> > This has nothing to do with ISATAP. With native IPv6 or IPv4 users can
> > just send each other packets and these packets are in no way less likely
> > to be malicious than tunnelled packets.
> 
> Wrong.  See the link-local threat.
>  
> >  or 2) can the user trust that the 3GPP operator has secured
> >  > *all* of its borders properly, so that either other users, or anyone
> >  > in the internet could not inject maliscious packets to the user.  L2
> >  > identification helps with none of this.
> > 
> > It just has to do ingress filtering in the GGSN which from what I know
> > is default. So you should assume it is default and if anything explicitly
> > state this as an assumption/requirement.
> 
> Again, this doesn't help against the link-local threat.
>  
> >  > All of these issues are much simpler with something resembling
> >  > configured tunneling, which is why it's preferable.  STEP 
> >  > and the like
> >  > are just extensions of that model to make the tunnel easier to
> >  > configure, but the security properties are still the same.
> > 
> > I am not saying work should stop on STEP. What I am saying is that
> > ISATAP is already being used and has good reasons for that. 
> 
> And a large number of reasons why this is an incredibly bad idea.
> 
> Tell me why again the IETF should be advocating bad practice, just
> because someone didn't understand the consequences and needed
> something to deploy -- and the first solution that came across seemed
> to fit?
> 
> > So the
> > draft should be quickly adapted to reflect what is deployed and
> > moved on. That will give us a solution which we can use. Otherwise
> > we will continue with this standstill situation.
> 
> Standstill may be better than bad solution.  It might help us to get
> to a good solution.
> 
> -- 
> Pekka Savola                 "You each name yourselves king, yet the
> Netcore Oy                    kingdom bleeds."
> Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
> 
>

References:
- RE: ISATAP vs alternatives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-09.txt]
  - From: Pekka Savola <pekkas@netcore.fi>

Prev by Date: RE: ISATAP vs alternatives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-09.txt]
Next by Date: RE: ISATAP vs alternatives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-09.txt]
Previous by thread: RE: ISATAP vs alternatives in 3GPP [Re: comments on draft-ietf-v6 ops-3gpp-analysis-09.txt]
Index(es):
- Date
- Thread