Internet Engineering Task Force Nam-Seok. Ko Internet-Draft ETRI Intended status: Informational C. Williams Expires: September 9, 2010 Consultant J. Qin ZTE March 8, 2010 Preliminary MIF Threat Analysis draft-ko-mif-threat-analysis-01.txt Abstract MIF is working to describe the issues of attaching to multiple networks on hosts and document existing practice. The group is also expected to analyze the impacts and effectiveness of these existing mechanisms. This document identifies the threats to such scenarios that are under consideration in the MIF working group. Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on September 9, 2010. Copyright Notice Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved. Ko, et al. Expires September 9, 2010 [Page 1] Internet-Draft Preliminary MIF Threat Analysis March 2010 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the BSD License. 1. Introduction A host attached to multiple networks has to make decisions about default router selection, address selection, DNS server selection, choice of interface for packet transmission, and the treatment of configuration information received from the various networks. The interfaces may be physical or virtual. The communications over such interfaces may be with the same or different network domain. Configuration parameters for the enablement of such communication may be specific to an interface or global. Communications may be simultaneous with each interface. MIF is dealing with issues of attaching to multiple networks on hosts. This document will identify security threats with respect to MIF nodes for the scenarios defined in the MIF problem statement [I-D.blanchet-mif-problem-statement]. A separate document will be prepared to analyze the impacts and effectiveness with respect to security on current practices and solutions. Here we start with identification of security attacks. In [I-D.blanchet-mif-problem-statement] the MIF problem area is to be split into five categories: 1) Configuration 2) DNS resolution 3) Routing 4) Address selection and 5) connexion management. Security impacts with respect to threats is required to determine the proper security considerations. This document discusses the threats for MIF without discussing any solutions. The requirements arising out of these threats will be used as input to the MIF Working Group. The working group is considering both IPv4 and IPv6 and such security threat analysis will be done with this in mind. 2. MIF Threats This first revision of the draft will identify the MIF threats. As MIF progresses with proposals a section may be added later for security implications of current MIF practices and solutions. As is defined in [I-D.blanchet-mif-problem-statement] a MIF host is Ko, et al. Expires September 9, 2010 [Page 2] Internet-Draft Preliminary MIF Threat Analysis March 2010 defined to be configured with more than one IP addresses and those addresses may be from different administrative domains. Communications using these IP addresses will happen independently and may occur simultaneously. In essence, each of the multiple connections that define a MIF node is actually a group of configuration objects that define the characteristics of a connection. As such, most of the threat attacks for MIF focus on the security and integrity of MIF configuration objects. MIF security attacks relating to this specific definition are identified: One such attack is directed at the ability of MIF node to communicate either on one or more of its interfaces. Such an attack is initiated by preventing the specific configuration objects from being delivered. An attacker could launch a flooding attack on the entities that provide the intelligence to deal with configuration and policy information for the interfaces. By preventing the MIF node from delivering the configuration as well as the address selection policy information to nodes, the MIF node is kept from properly communicating either on one or more interfaces. Another attack that a MIF node is vulnerable to is that it may be hijacked by malicious injection of illegitimate configuration object information of one interface via another interface. In this threat the attacker injects malicious policy information that could redirect packets and attack the remote network via one of the other interfaces of the MIF node. Malicious nodes may also tap to collect the network policy information of one interface from another interface and leak it to unauthorized parties. The threat could also allow a malicious node to obtain access to security policy information of one interface from other interfaces. The undetermined behavior of IP stacks in the multihomed context bring additional threats where an interface on a multihomed host might be used to conduct attacks targeted to the networks connected by the other interfaces. Protection against hijacking attacks, flooding attacks (DOS), and leakage of confidential information for MIF nodes have implications on the MIF problem statement security requirements. A major thrust for the design of MIF components is design for independence. By keeping interfaces truly separate, security independence among the interfaces can be achieved. The next section covers these MIF security requirements. Ko, et al. Expires September 9, 2010 [Page 3] Internet-Draft Preliminary MIF Threat Analysis March 2010 3. MIF Security Requirements The security requirements are enumerated as: o MIF must not allow the unwanted injection of configuration objects targeted to specific interface(s) to other interfaces. o MIF must prevent the usage of one interface to hijack the network connection of another interface. Such a hijack could lead to attacks on remote networks that the interface is providing communication over. o MIF must provide for security independence among the interfaces. o MIF must prevent the access of security policy information of one interface from other interfaces. o MIF must prevent the leakage of confidential information from one interface to other interfaces. o MIF must prevent attacks by malicious nodes to use an interface to block legitimate configuration objects from reaching other interfaces or preventing those interfaces from executing on the configuration objects. o MIF should provide for the integrity of the network configuration objects it receives for the respective interfaces. o MIF should provide for the authentication and authorization of the sources of network configuration objects for the respective interfaces. o A MIF node should not be more vulnerable to security breaches than a traditionally non-MIF node (one that has a single interface with single network connection). The enablement of additional interfaces (virtual or physical) should not cause the other network connections to become more vulnerable to security breaches. Through the study of the security implications of existing MIF practices and the realization of these security goals, the MIF configured node will be better prepared to resist a large class of DOS, privacy and integrity attacks. 4. Security Considerations This document identifies the MIF threats in general. MIF must have Ko, et al. Expires September 9, 2010 [Page 4] Internet-Draft Preliminary MIF Threat Analysis March 2010 the security capabilities to protect MIF node from any malicious attempts caused by security holes such as denial of service attacks. The MIF solution must not compromise the security architecture of the basic IPv4/IPv6 networks. 5. IANA Considerations This document makes no requests to IANA. 6. Informative References [I-D.blanchet-mif-problem-statement] Blanchet, M. and P. Seite, "Multiple Interfaces Problem Statement", draft-blanchet-mif-problem-statement-01 (work in progress), June 2009. [I-D.chown-addr-select-considerations] Chown, T., "Considerations for IPv6 Address Selection Policy Changes", draft-chown-addr-select-considerations-02 (work in progress), March 2009. [I-D.savolainen-6man-fqdn-based-if-selection] Savolainen, T., "Domain name based network interface selection", draft-savolainen-6man-fqdn-based-if-selection-00 (work in progress), October 2008. [I-D.savolainen-mif-dns-server-selection] Savolainen, T., "DNS Server Selection on Multi-Homed Hosts", draft-savolainen-mif-dns-server-selection-00 (work in progress), February 2009. [RFC1122] Braden, R., "Requirements for Internet Hosts - Communication Layers", STD 3, RFC 1122, October 1989. [RFC1661] Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51, RFC 1661, July 1994. [RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC 2131, March 1997. [RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C., and M. Carney, "Dynamic Host Configuration Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003. [RFC3484] Draves, R., "Default Address Selection for Internet Ko, et al. Expires September 9, 2010 [Page 5] Internet-Draft Preliminary MIF Threat Analysis March 2010 Protocol version 6 (IPv6)", RFC 3484, February 2003. [RFC3704] Baker, F. and P. Savola, "Ingress Filtering for Multihomed Networks", BCP 84, RFC 3704, March 2004. [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 4291, February 2006. [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, September 2007. [RFC5113] Arkko, J., Aboba, B., Korhonen, J., and F. Bari, "Network Discovery and Selection Problem", RFC 5113, January 2008. [RFC5221] Matsumoto, A., Fujisaki, T., Hiromi, R., and K. Kanayama, "Requirements for Address Selection Mechanisms", RFC 5221, July 2008. Authors' Addresses Nam-Seok Ko ETRI FMC Technology Research Team, ETRI, 161 Gajeong-don, Yuseong-gu, Daejeon, Korea 305-350 +82 42 860 5560 Email: nsko@etri.re.kr Carl Williams Consultant Palo Alto, California 94306 United States Email: carl.williams@mcsr-labs.org Jacni Qin ZTE Shanghai, Pudong District China Email: jacniq@gmail.com Ko, et al. Expires September 9, 2010 [Page 6]