[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Security issues of Isatap usage in 3GPP networks WAS : RE: mo ving when all the scenarios are not yet complete [RE: DSTM]

To: "Karen E. Nielsen (AH/TED)" <karen.e.nielsen@ericsson.com>, "'Pekka Savola'" <pekkas@netcore.fi>
Subject: RE: Security issues of Isatap usage in 3GPP networks WAS : RE: mo ving when all the scenarios are not yet complete [RE: DSTM]
From: "Karen E. Nielsen (AH/TED)" <karen.e.nielsen@ericsson.com>
Date: Mon, 28 Jun 2004 09:54:31 +0200
Cc: v6ops@ops.ietf.org, "'Fred Templin'" <ftemplin@iprg.nokia.com>, Mohit Talwar <mohitt@windows.microsoft.com>, tgleeson@cisco.com, "'Dave Thaler'" <dthaler@windows.microsoft.com>

Clarification inserted below.

Karen

> -----Original Message-----
> From: owner-v6ops@ops.ietf.org [mailto:owner-v6ops@ops.ietf.org]On
> Behalf Of Karen E. Nielsen (AH/TED)
> Sent: Friday, June 25, 2004 11:47 AM
> To: 'Pekka Savola'
> Cc: v6ops@ops.ietf.org; 'Fred Templin'; Mohit Talwar;
> tgleeson@cisco.com; 'Dave Thaler'
> Subject: Security issues of Isatap usage in 3GPP networks WAS : RE:
> moving when all the scenarios are not yet complete [RE: DSTM]
> 
> 
> Hi Pekka, 
> 
> > There is, however, an argument to be made if a mechanism would be
> > required in multiple scenarios, where one or more of the 
> scenarios was
> > not finished yet -- then the question would be what would 
> be the basis
> > on where to evolve the specification? (for example, let's consider
> > ISATAP in 3GPP: one could remove direct tunneling support, 
> but then it
> > might become useless (at least to some) in Enterprise -- for
> > mechanisms which dependencies it might be worth a bit more of
> > wait-and-see, 
> 
> Although I may agree with the above argument in principle,
> I do not agree with the exemplification.
> 
> Let me try (once more) to address the expressed concerns with
> the direct tunnelling functionality of Isatap. 
> 
> The problem hinted at, I assume, is the SEND security threats
> as detailed in 3756 (....or are there others ?)
> 
> In 3GPP networks it should be possible to assume the following:
> 
> * Intrasite IPv4 source spoofing isn't possible.
> * Site is Protocol-41 perimeter guarded.
> 
> - or it should be acceptable to recommended the above to be 
> enforced by the 3GPP operator as a mechanism to prevent 
> potential SEND security threats of Isatap.
> 
> Given the above, the SEND security threats either do not apply to
> Isatap or can be prevented by careful implementation. In particular
> by implementing the following additional security check on 
> Isatap interfaces:
> 
> * RA messages are only accepted from PRL routers.
> 
> We have implemented this with no problems and I would 
> like to see it recommended for Isatap.
> 

Fred has pointed out that this
is indeed mandated on Isatap interfaces.
So much the better.

> Indeed:
> 
> 4.1.1. Link-layer addresses in potential 
> Neighbour Cache Entries maintained on Isatap Interfaces
> are not relevant. The Link-layer address (IPv4 address) is deduced
> from IPv6 destination address. An implementation that uses a 
> different link-layer address
> than the IPv4 address embedded within the IPv6 destination 
> address isn't compliant.
> 
> DAD sub-clause:
> Why you would ever want to implement DAD on an Isatap 
> Interface I really don't know.
> The uniqueness of the address is inherited from the 
> uniqueness of the IPv4 address.
> The latter which is ensured by the network (at least in 
> enterprise and 3GPP networks).
> 
> 4.1.2: This could be a valid DoS threat.
> This is however only applicable if NUD is performed on the interface.
> NUD over Isatap only really work if carefully implemented anyway -
> Hence it should be reasonable to assume careful behaviour of 
> an implementation which performs
> NUD on an Isatap interface. For example by implementing the 
> following additional validity
> check:
> * Unless sourced from the link-local address of a PRL router 
> (e.g. for proxy ND) the target address
> of the NS message should be identical to the source address 
> of the packet.
> 
> (We haven't implemented the mentioned check as we 
> do not support NUD on isatap interfaces)
> 
> 4.1.3: Non-applicable if DAD is omitted
> 
> 4.2.1: Non-applicable given that a trust worthy PRL population
> mechanism is deployed.
> 
> 4.2.2+4.2.3
> Isn't related to the direct tunnelling functionality of Isatap.
> Is limited by the usage of/and management of 
> a trust worthy PRL population mechanism.
> 
> 4.2.4
> Non-applicable as Isatap's source address checks combined 
> with IPv4 source address
> proof implies IPv6 source address proof. I.e. the IPv6 
> link-local address of
> a PRL router cannot be spoofed.
> 
> 4.2.5+4.2.6+4.2.7:
> Non-applicable given IPv4 source address spoofing prevention,
> if trustworthy PRL population mechanism is deployed.
> 
> 4.3.1:
> Non-applicable by IPv4 source address spoofing prevention.
> 
> 4.3.2 
> Not related to the direct tunnelling functionality of Isatap.
> Not applicable if address resolution is based on static 
> resolution only.
> 
> BR, Karen
>

Prev by Date: Re: ISATAP (Was RE: DSTM)
Next by Date: Fw: draft-palet-v6ops-tun-auto-disc-01.txt
Previous by thread: Issues with draft-huitema-v6ops-teredo-02.txt
Next by thread: RE: Security issues of Isatap usage in 3GPP networks WAS : RE: mo ving when all the scenarios are not yet complete [RE: DSTM]
Index(es):
- Date
- Thread