Internet Engineering Task Force Nam-Seok. Ko Internet-Draft ETRI Intended status: Informational C. Williams Expires: April 22, 2010 Consultant J. Qin ZTE October 19, 2009 Preliminary MIF Threat Analysis draft-ko-mif-threat-analysis-00.txt Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on April 22, 2010. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents in effect on the date of publication of this document (http://trustee.ietf.org/license-info). Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Ko, et al. Expires April 22, 2010 [Page 1] Internet-Draft Preliminary MIF Threat Analysis October 2009 Abstract MIF is working to describe the issues of attaching to multiple networks on hosts and document existing practice. The group is also expected to analyze the impacts and effectiveness of these existing mechanisms. This document identifies the threats to such scenarios that are under consideration in the MIF working group. 1. Introduction A host attached to multiple networks has to make decisions about default router selection, address selection, DNS server selection, choice of interface for packet transmission, and the treatment of configuration information received from the various networks. The interfaces may be physical or virtual. The communications over such interfaces may be with the same or different network domain. Configuration parameters for the enablement of such communication may be specific to an interface or global. Communications may be simultaneous with each interface. MIF is dealing with issues of attaching to multiple networks on hosts. This document will identify security threats with respect to MIF nodes for the scenarios defined in the MIF problem statement [I-D.blanchet-mif-problem-statement]. A separate document will be prepared to analyze the impacts and effectiveness with respect to security on current practices and solutions. Here we start with identification of security attacks. This document discusses the threats for MIF without discussing any solutions. The requirements arising out of these threats will be used as input to the MIF Working Group. The working group is considering both IPv4 and IPv6 and such security threat analysis will be done with this in mind. 2. MIF Threats This first revision of the draft will identify the MIF threats. As MIF progresses with proposals a section may be added later for security implications of current MIF practices and solutions. As is defined in [I-D.blanchet-mif-problem-statement] a MIF host is defined to be configured with more than one IP addresses and those addresses may be from different administrative domains. Communications using these IP addresses will happen independently and may occur simultaneously. In essence, each of the multiple connections that define a MIF node is actually a group of configuration objects that define the characteristics of a connection. As such, most of the threat attacks for MIF focus on the Ko, et al. Expires April 22, 2010 [Page 2] Internet-Draft Preliminary MIF Threat Analysis October 2009 security and integrity of MIF configuration objects. MIF security attacks relating to this specific definition are identified: One such attack is directed at the ability of MIF node to communicate either on one or more of its interfaces. Such an attack is initiated by preventing the specific configuration objects from being delivered. An attacker could launch a flooding attack on the entities that provide the intelligence to deal with configuration and policy information for the interfaces. By preventing the MIF node from delivering the configuration as well as the address selection policy information to nodes, the MIF node is kept from properly communicating either on one or more interfaces. Another attack that a MIF node is vulnerable to is that it may be hijacked by malicious injection of illegitimate configuration object information of one interface via another interface. In this threat the attacker injects malicious policy information that could redirect packets and attack the remote network via one of the other interfaces of the MIF node. Malicious nodes may also tap to collect the network policy information of one interface from another interface and leak it to unauthorized parties. The threat could also allow a malicious node to obtain access to security policy information of one interface from other interfaces. Protection against hijacking attacks, flooding attacks (DOS), and leakage of confidential information for MIF nodes have implications on the MIF problem statement security requirements. A major thrust for the design of MIF components is design for independence. By keeping interfaces truly separate, security independence among the interfaces can be achieved. The next section covers these MIF security requirements. 3. MIF Security Requirements The security requirements are enumerated as: o MIF must not allow the unwanted injection of configuration objects targeted to specific interface(s) to other interfaces. o MIF must prevent the usage of one interface to hijack the network connection of another interface. Such a hijack could lead to attacks on remote networks that the interface is providing communication over. Ko, et al. Expires April 22, 2010 [Page 3] Internet-Draft Preliminary MIF Threat Analysis October 2009 o MIF must provide for security independence among the interfaces. o MIF must prevent the access of security policy information of one interface from other interfaces. o MIF must prevent the leakage of confidential information from one interface to other interfaces. o MIF must prevent attacks by malicious nodes to use an interface to block legitimate configuration objects from reaching other interfaces or preventing those interfaces from executing on the configuration objects. o MIF should provide for the integrity of the network configuration objects it receives for the respective interfaces. o MIF should provide for the authentication and authorization of the sources of network configuration objects for the respective interfaces. o A MIF node should not be more vulnerable to security breaches than a traditionally non-MIF node (one that has a single interface with single network connection). The enablement of additional interfaces (virtual or physical) should not cause the other network connections to become more vulnerable to security breaches. Through the study of the security implications of existing MIF practices and the realization of these security goals, the MIF configured node will be better prepared to resist a large class of DOS, privacy and integrity attacks. 4. Security Considerations This document identifies the MIF threats in general. MIF must have the security capabilities to protect MIF node from any malicious attempts caused by security holes such as denial of service attacks. The MIF solution must not compromise the security architecture of the basic IPv4/IPv6 networks. 5. IANA Considerations This document makes no requests to IANA. Ko, et al. Expires April 22, 2010 [Page 4] Internet-Draft Preliminary MIF Threat Analysis October 2009 6. Informative References [I-D.blanchet-mif-problem-statement] Blanchet, M. and P. Seite, "Multiple Interfaces Problem Statement", draft-blanchet-mif-problem-statement-01 (work in progress), June 2009. [I-D.chown-addr-select-considerations] Chown, T., "Considerations for IPv6 Address Selection Policy Changes", draft-chown-addr-select-considerations-02 (work in progress), March 2009. [I-D.savolainen-6man-fqdn-based-if-selection] Savolainen, T., "Domain name based network interface selection", draft-savolainen-6man-fqdn-based-if-selection-00 (work in progress), October 2008. [I-D.savolainen-mif-dns-server-selection] Savolainen, T., "DNS Server Selection on Multi-Homed Hosts", draft-savolainen-mif-dns-server-selection-00 (work in progress), February 2009. [RFC1122] Braden, R., "Requirements for Internet Hosts - Communication Layers", STD 3, RFC 1122, October 1989. [RFC1661] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994. [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997. [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. [RFC3484] Draves, R., "Default Address Selection for Internet Protocol version 6 (IPv6)", RFC 3484, February 2003. [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed Networks", BCP 84, RFC 3704, March 2004. [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, February 2006. [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, September 2007. Ko, et al. Expires April 22, 2010 [Page 5] Internet-Draft Preliminary MIF Threat Analysis October 2009 [RFC5113] Arkko, J., Aboba, B., Korhonen, J., and F. Bari, "Network Discovery and Selection Problem", RFC 5113, January 2008. [RFC5221] Matsumoto, A., Fujisaki, T., Hiromi, R., and K. Kanayama, "Requirements for Address Selection Mechanisms", RFC 5221, July 2008. Authors' Addresses Nam-Seok Ko ETRI FMC Technology Research Team, ETRI, 161 Gajeong-don, Yuseong-gu, Daejeon, Korea 305-350 +82 42 860 5560 Email: nsko@etri.re.kr Carl Williams Consultant Palo Alto, California 94306 United States Email: carl.williams@mcsr-labs.org Jacni Qin ZTE Shanghai, Pudong District China Email: jacniq@gmail.com Ko, et al. Expires April 22, 2010 [Page 6]