[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: SECDIR review: draft-ietf-v6ops-tunnel-concerns-00
Hi Kurt,
Thank you very much for your detailed review and sorry for the long
delay in our response. We have modified the draft to address some of
your concerns. We also had a few questions for you. Please find our
responses inline.
Kurt Zeilenga wrote:
I have reviewed this document as part of the security directorate's
ongoing review efforts. These comments were written primarily for the
benefit of the security area directors. Document editors and WG chairs
should treat these comments just like they would treat comments from any
other IETF contributor.
This document discusses "Security Concerns with [IP] Tunnels".
I suggest the Security AD pay particular attention to this I-D. Given
it purports to discuss security concerns applicable to a wide range of
[IP] tunneling solutions, it may be appropriate for this I-D to be
assigned to additional secdir reviewers.
Comments:
The title and abstract apply this document discusses a wide range of
tunnel technologies, but the text seems focused on IP Tunnels (though I
guess some of the concerns might apply to various non-IP network
tunnels). It might be appropriate to change the title to "Security
Concerns with IP Tunneling", and to clarify the abstract.
We have changed the title to "Security Concerns With IP Tunneling" as
you suggested.
My comments assume "IP tunneling" was meant.
It's not clear what track this I-D is targeted for. I will assume
Informational.
Yes. This is meant to be informational
The abstract seems a bit short.
The abstract starts off with:
A number of security concerns with tunnels are documented.
where? In this document or elsewhere? If elsewhere, I would hope the
body will detail and provide references to where these concerns are
documented.
In this document. We have fixed the abstract to say this. The new
abstract is attached below
The abstract ends with:
The
primary intent of this document is to raise the awareness regarding
the security issues with tunnels as deployed today.
It's not clear who the intended audience is of this document.
Implementors? Network Operators? Deployers? Etc. But it does say "as
deployed today", which I take as meaning that this document focuses on
security issues in existing IP tunneling solutions.
The intended audience is network admins and future protocol developers.
We have changed the abstract to read:
" A number of security concerns with IP tunnels are documented in this
document. The intended audience of this document includes network
administrators and future protocol developers. The primary intent of
this document is to raise the awareness regarding the security issues
with IP tunnels as deployed today. "
The Introduction says:
The primary intent of this document is to provide information that can
be used in any new or updated tunnel protocol specification.
I don't read either of these 'primary intent' statements as being
equivalent to the other.
2.1.2 says,
Evasion by tunneling is often a problem for network-based security
devices such as network firewalls, intrusion detection and prevention
systems, and router controls.
which leads to 2.1.3 recommendation:
Security administrators who do not consider tunneling an acceptable
risk should disable tunnel functionality unless their network-based
security controls adequately recognize the tunneled traffic.
If the network-based security controls don't have adequate ability to
recognize tunneled traffic, how does the security administrator go about
disabling tunneled traffic? Is the administrator to turn off everything
that might carry a tunnel? If so, wouldn't that be just about everything?
One way to go about doing this is to disable the specific tunneling
method on the end-hosts. We have added the following text
" Security administrators who do not consider tunneling an acceptable
risk should disable tunnel functionality either on the end-nodes
(hosts) or on the network nodes."
to mention this possibility.
In 2.1.3 says:
To minimize security exposure due to tunnels, we recommend that a
tunnel be an interface of last resort, independent of IP version.
Specifically, we suggest that when both native and tunneled access to
a remote host is available, that the native-based access be used in
preference to tunneled access. This should also promote greater
efficiency and reliability.
This recommendation appears to ignore cases where the tunnel offers data
protective services not available natively.
We have changed
" Specifically, we suggest that when both native and tunneled access to
a remote host is available, that the native access be used in
preference to tunneled access."
to
" Specifically, we suggest that when both native and tunneled access to
a remote host is available, that the native access be used in
preference to tunneled access except when the tunnel endpoint is
known to not bypass security (e.g., an IPsec tunnel to a gateway
provided by the security administrator of the network)."
in order to allow tunnels offering protective service to still be preferred.
Given concerns about tunnel security or a network's lack of
preparedness for tunnels, a network administrator may wish to simply
block all use of tunnels. He or she may wish to do so using network
controls; this could be either due to not having confidence in the
ability to disable it on all hosts attached to the network or due to
wanting an extra layer of prevention.
It may be appropriate to note here that by "simply blocking all use of
tunnels", the network administrator hinders the ability of users from
taking steps to gain security benefit provided by use of tunnels.
We have added the phrase "that subvert security" to the end of this
sentence so that it reads
" Given concerns about tunnel security or a network's lack of
preparedness for tunnels, a network administrator may wish to simply
block all use of tunnels that subvert security."
One simple method to do that is easy to employ for many tunnel
protocols is to block outbound packets to the UDP or TCP port used
(e.g., UDP port 3544 for Teredo, UDP port 1701 for L2TP, etc.).
The description of this method is not precise. Is the method to block
dest ports, with these source ports, or either, or both?
The method is to block destination ports. We have changed this sentence
to read
(e.g., destination UDP port is 3544 for Teredo, UDP port 1701 for
L2TP, etc.)
It is not known if blocking all traffic to a given outbound port
will interfere with
non-tunneled traffic.
Actually, I think it is generally known that blocking all traffic to a
given outbound port may very well interfere with non-tunnel traffic.
The document statement seems to discount operational experience of
simply blocking all traffic to a given outbound port may be harmful.
We have changed this text to read
" In some cases, however, blocking all traffic to a given outbound port
(e.g., port 80) may interfere with non-tunneled traffic so this
should be used with caution."
In 3.1.3,
Tunneling over UDP or TCP (including HTTP) to reach the Internet is
not recommended as a solution for managed networks.
First, I'm going to read the sentence as if the word 'managed' was not
used as I think all networks on the Internet are 'managed' to some
degree. If the authors had a particular definition of the term 'managed
network' in mind, they should define it.
So reading the sentence without the term 'managed', this is basically a
general applicability statement that use of tunneling over UDP or TCP is
not recommend for use to 'reach the Internet'. I don't see this
recommendation as being appropriate given the issue.
We have changed this text to read
" Tunneling over UDP or TCP (including HTTP) to reach the Internet is
not recommended as a solution for networks that wish to enforce
security polcies on the user traffic. (Windows, for example,
disables Teredo by default if it detects that it is within an
enterprise network that contains a Windows domain controller.)"
In 3.2.3,
As illustrated above, it should be clear that inspecting the contents
of tunneled data packets is highly complex and often impractical.
I would argue that inspecting the contents of non-tunneled data packets
is also highly complex and often impractical.
We agree with you and we are not claiming otherwise.
For this reason, if a network wishes to monitor IP traffic, tunneling
is not recommended.
I think it depends on what kind of IP traffic monitoring one wants to
do. Also, if the user doesn't want there data monitored, recommending
use of tunneling with data confidential protections seems quite
appropriate.
The term "NAT" appears to be used to refer to a device (e.g., "a NAT")
not a process (of address translation). This seems improper given that
NAT expands to Network Address Translation.
We have changed the document to say "NAT device" when we talk about the
device and NAT when we talk about the process, as you stated.
Many acronyms are not spelled out.
Given this document provides only only a high-level discussion, why are
there so many normative references? Why does a reader need to read, for
instance, RFC 1918, to understand this document? Seems RFC 1918 only
provides information in support of an example. Seems there is
significant over use of normative references here. I think most of the
references listed as normative are more appropriately listed as
informative.
Agreed. All the references have been moved to informative.
In the paragraphs:
Protocols that embed an IPv4 address in a tunneled IPv6 address
directly between peers often do filtering based on checking the
correpondence.
Protocols that accept tunneled packets directly from a server or
relay do filtering the same way as it would be done on a native
link with traffic from a router.
the text implies the protocols do filtering. Is this correct? It seems
more likely that the devices implementing the protocol do the filtering.
You are right. We have fixed the text to read
" Implementations of protocols that embed an IPv4 address in a
tunneled IPv6 address directly between peers often do filtering
based on checking the correspondence.
Implementations of protocols that accept tunneled packets directly
from a server or relay do filtering the same way as it would be
done on a native link with traffic from a router."
To do host-based filtering with protocols that allow both other
hosts and a router over a common tunnel (e.g., 6to4 [RFC3056],
Teredo, ISATAP [RFC4214], and 6over4 [RFC2529]), hosts would need
to be able to know the outer IP address of all routers from which
it could receive traffic.
I am having a hard time parsing this sentence.
We have split this sentence into two parts and reworded it. The new text
reads
" Some protocols such as 6to4 [RFC3056], Teredo, ISATAP [RFC4214],
and 6over4 [RFC2529] allow both other hosts and a router over a
common tunnel To perform host-based filtering with such protocols
a host would need to know the outer IP address of each router from
which it could receive traffic, so that packets from hosts beyond
the router will be accepted even though the source address would
not embed the router's IP address. Router addresses might be
learned via Secure Neighbor Discovery (SEND) [RFC3971] or some
other mechanism (e.g., [RFC4214] section 8.3.2)."
Thanks
Suresh