Internet DRAFT - draft-kline-default-perimeter

draft-kline-default-perimeter






Home Networking                                                 E. Kline
Internet-Draft                                              Google Japan
Intended status: Informational                          November 6, 2012
Expires: May 10, 2013


                       Default Border Definition
                    draft-kline-default-perimeter-01

Abstract

   Automatic, simple identification of when traffic is crossing a
   perimeter is highly desirable for a variety of home network uses.
   This document describes how to use homenet routing protocol
   adjacencies as the primary signal of a common administrative domain
   (e.g. "the home").  Classification of interfaces et cetera as
   internal or external follow from this, as do various policy and
   implementation implications.  One fundamental implication is that the
   active definition of a home network's interior is no more secure than
   its policy for forming homenet routing protocol adjacencies.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 10, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect



Kline                     Expires May 10, 2013                  [Page 1]

Internet-Draft          Default Border Definition          November 2012


   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
     1.1.  Requirements Language  . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  Dynamically determining the border . . . . . . . . . . . . . .  4
     3.1.  Collect information about neighboring routers  . . . . . .  5
     3.2.  Classify next hops . . . . . . . . . . . . . . . . . . . .  5
     3.3.  Classify interfaces  . . . . . . . . . . . . . . . . . . .  6
       3.3.1.  Mixed mode . . . . . . . . . . . . . . . . . . . . . .  6
     3.4.  State changes and logging  . . . . . . . . . . . . . . . .  6
   4.  Fixed-category interfaces  . . . . . . . . . . . . . . . . . .  6
     4.1.  Examples . . . . . . . . . . . . . . . . . . . . . . . . .  7
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . .  7
     5.1.  Disclamatory remarks . . . . . . . . . . . . . . . . . . .  7
     5.2.  Security of adjacency formation  . . . . . . . . . . . . .  8
       5.2.1.  Secure links and authenticated adjacency formation . .  8
       5.2.2.  Unsecure links . . . . . . . . . . . . . . . . . . . .  8
       5.2.3.  Recommendations  . . . . . . . . . . . . . . . . . . .  9
     5.3.  Example border-aware filtering policies  . . . . . . . . .  9
       5.3.1.  Anti-spoofing on internal interfaces . . . . . . . . .  9
       5.3.2.  Stateful filtering on external interfaces  . . . . . . 10
       5.3.3.  Mixed-mode interface filtering . . . . . . . . . . . . 10
   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 11
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 11
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 11
     8.2.  Informative References . . . . . . . . . . . . . . . . . . 11
   Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 12
















Kline                     Expires May 10, 2013                  [Page 2]

Internet-Draft          Default Border Definition          November 2012


1.  Introduction

   Automatic, simple identification of when traffic is crossing the
   homenet perimeter is highly desirable for a variety of home network
   uses.  This is a non-trivial task as it is tantamount to automated
   discovery of administrative boundaries.

   Many architectures make it difficult or impossible (by design) to
   detect administrative boundaries and rely on various mechanisms of
   user or administrator invention to create or modify such boundaries.
   Other hints about administrative boundaries can be insecure,
   unreliable, operationally impractical, or may place arbitrary
   requirements upon the architecture where previously no such
   requirement existed.

   This document describes how to use homenet routing protocol
   adjacencies as the primary signal of a common administrative domain
   (e.g. "the home").  Classification of interfaces et cetera as
   internal or external follow from this, as do various policy and
   implementation implications.  One fundamental implication is that the
   active definition of a home network's interior is no more secure than
   its policy for forming homenet routing protocol adjacencies.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].


2.  Terminology

   In order to address border determination at a manageable scale the
   scope has been limited to discussing concepts of "interior",
   "exterior", and "border".  Documents may reference any of the terms
   "internal", "interior", "external", or "exterior" as required by
   grammar (adjective versus noun use cases).  Definitions in use by
   this document are as follows.

   Internal/Interior

       The interior is broadly defined to include the collection of
       interfaces (physical or virtual), nodes, and forwarding next hops
       collectively under the control of a single logical administrative
       domain.  This document uses the homenet routing protocol
       adjacencies as a indicator of membership in the same logical
       administrative domain.




Kline                     Expires May 10, 2013                  [Page 3]

Internet-Draft          Default Border Definition          November 2012


   External/Exterior

       The exterior is broadly defined to include all interfaces
       (physical or virtual), nodes, and forwarding next hops
       collectively NOT under the control of any single logical
       administrative domain and specifically NOT under the control of
       the administrative domain which defines the interior.

   Border/Perimeter

       The border is taken to be the collection of all ephemeral
       demarcations within the collection of interior nodes which
       forward traffic such that any IP packet transiting that
       demarcation can be said to be crossing either from the interior
       toward the exterior or from the exterior toward the interior.
       This is independent of whether or not such traffic is permitted
       by policy to complete its transiting from one zone to the other.

   Additionally, some implementations MAY choose to support handling
   questionable home network configurations which result in an interface
   qualifying for both interior and exterior classification
   simultaneously.  Requirements for this are discussed further below.

   Expressly not considered by this document are architectures having
   multiple interior networks, nor the relationships between them as
   separate from their relationship to their common exterior or any
   common border (e.g. a hierarchy of internal networks).  This document
   is solely concerned with a single interior, a single exterior, and a
   single logical perimeter between the two.


3.  Dynamically determining the border

   Homenet routers may support interfaces which attempt to learn the
   nature of their relationship to neighboring routers, and determine
   where the border between the "interior" and the "exterior" lies.

   Interfaces which have not yet determined their categorization may
   consider themselves to be in a "learning" state, where no traffic is
   routed but probing continues.  Once nodes of any kind (e.g. either
   routers or hosts) are detected, classification takes place and the
   router exits the "learning" state.

   The classification algorithm documented here is roughly:

   1.  Continously collect information on all interfaces about
       neighboring routers (including manually configured routers).




Kline                     Expires May 10, 2013                  [Page 4]

Internet-Draft          Default Border Definition          November 2012


   2.  Classify next hops as either "internal" or "external" primarily
       by homenet router protocol adjacency status.

   3.  Classify interfaces according to the nature of their next hops.

   Manually configured next hops MUST also have their classification as
   either "internal" or "external" explicitly specified.  As such, they
   can be considered to be of a fixed category, and on-going evaluation
   is NOT required.

   Policies of various sorts can be applied and updated as appropriate
   based on these classifications, as and when they are determined.

3.1.  Collect information about neighboring routers

   An interface (physical or virtual) which is configured to dynamically
   assess its internal or external classification MUST periodically
   probe for routing information on the link.  This includes sending
   Router Solicitations, DHCPv6 Prefix Delegation requests, and probing
   for homenet routing protocol-capable nodes.

   Probing for routing information MUST be performed whenever the
   interface is logically up.  The periodicity of probes is protocol-
   dependent (e.g. subject to Router Advertisement lifetimes, DHCPv6
   lease timers, or homenet routing protocol timers).  Wherever
   possible, implementations SHOULD limit the impact of probing by
   implementing mechanisms like exponential back-off.

   Homenet routers MUST be able to identify loops, e.g. when two (or
   more) of the router's own interfaces are connected on the same link.
   Compliant routers MUST administratively log this misconfiguration,
   and SHOULD implement a mechanism that permits maximum continued
   homenet functionality if possible.  For example, implementations MAY
   administratively disable all but one of looped interfaces.

3.2.  Classify next hops

   Routing information is used to categorize next hops as either
   "internal" or "external".

   Routers with which a homenet routing protocol adjacency is
   successfully established MUST be considered "internal".

   Routers of which this homenet router has knowledge but with which no
   homenet routing protocol adjacency is successfully establish AND from
   which no routing information is learned SHOULD be considered
   "internal".  This includes "downstream" routers for which the homenet
   router is acting as the Delegating Router via a DHCPv6 Prefix



Kline                     Expires May 10, 2013                  [Page 5]

Internet-Draft          Default Border Definition          November 2012


   Delegation exchange.

   All other routers with which no homenet routing protocol adjacency is
   successfully established MUST be considered "external".

3.3.  Classify interfaces

   An interface with no "external" next hops SHOULD be categorized as
   "internal".  This includes interfaces serving leaf networks
   consisting only of hosts, an interface which has "downstream" routers
   for which this router is a Delegating Router, an interface with only
   homenet routing protocol adjacent peers, or any combination thereof.

   An interface with next hops all of which are categorized as
   "external" MUST be categorized as "external".

3.3.1.  Mixed mode

   Some devices MAY choose to support handling questionable home network
   configurations which result in an interface having both interior and
   exterior next hops simultaneously.  This can happen if, for example,
   two homenet routers form an adjacency with each other over the same
   interface they use for communicating to "upstream" ISP routers.

   All homenet routers, whether this configuration is considered
   supported or not, MUST administratively log and provide product-
   relevant notification of this configuration, preferably with
   recommendations for resolution.

3.4.  State changes and logging

   Home routers performing dynamic border discovery MUST continuously
   evaluate the interior and exterior classifications of interfaces.
   These may change at any time, for example if new devices are added
   into the network or a power event causes all equipment to reset, and
   specific ordering of device bring-up within a homenet network MAY NOT
   be assumed.

   Homenet routers performing dynamic border discovery SHOULD
   administratively log the perimeter classification of all interfaces
   (physical and virtual), the reason(s) for such classification, and
   times at which such classifications are made or changed.


4.  Fixed-category interfaces

   Interfaces (physical or virtual) which have product-defined purposes
   or are otherwise permanently categorized by the homenet router



Kline                     Expires May 10, 2013                  [Page 6]

Internet-Draft          Default Border Definition          November 2012


   implementation as exclusively "internal" or exclusively "external" do
   not require any algorithm to determine their categorization.

   Homenet routers MUST restrict relevant traffic on fixed-category
   interfaces according to their categorizations.  Specifically, they
   MUST NOT originate traffic which could result in re-categorizing the
   interface IF the interface were dynamically attempting to learn its
   categorization.  For example, a fixed "external" interface MUST NOT
   attempt to participate in the homenet routing protocol.  Similarly,
   fixed "internal" interfaces must not issue DHCPv6 Prefix Delegation
   requests.

4.1.  Examples

   Examples of product-defined interfaces include home router interfaces
   which are labeled for their intended use, e.g.  RJ-45 ports labeled
   "WAN" and "LAN" or symbols indicating "The Internet" and "inside the
   home".  Other examples include wireless routers with defined separate
   WLAN "home" and "guest" ESSIDs.

   Another set of examples of product-defined, fixed category interfaces
   are those which require subscriber credentials in order for that
   interface to successfully pass general purpose traffic.  These
   include authenticated PPPoE sessions and 3G/LTE PDP contexts (e.g.
   requiring a SIM card associated with a valid customer account).
   These SHOULD be classified as "exterior".

   Similarly, an implementation may consider the interface a mobile
   device uses to provide service to "tethering" clients to be a fixed-
   category interface.  Such interfaces SHOULD be classified as
   "interior".


5.  Security Considerations

   A key motivation for border identification is the application of
   security policies which can take into account classifications of
   interior, exterior, and the transition from one the other.  General
   remarks, comments on the security of the adjacencies which form the
   basis of border identification, and examples of potential policies
   which might be applied follow.

5.1.  Disclamatory remarks

   By default all network nodes SHOULD follow best current security
   practices.  Any node may at times find itself in a hostile
   environment.  This is obviously true of mobile nodes, for example,
   when connecting to any public "Wi-Fi" network.  This is, of course,



Kline                     Expires May 10, 2013                  [Page 7]

Internet-Draft          Default Border Definition          November 2012


   equally true of more traditionally "fixed" nodes.  Any compromised
   neighbor node ("fixed" or mobile) may be used as a conduit for
   further compromise.  Indeed, one study of a captured "botnet"
   ([TORPIG], section 5.2.4) found that roughly 78.9% of infected hosts
   had RFC 1918 [RFC1918] addresses, commonly used in IPv4 NAT
   deployments.

   Though it goes without saying, at all times homenet implementers MUST
   remain mindful of best current security practices, including but not
   limited to RFC 4864 [RFC4864], RFC 4890 [RFC4890], RFC 6092
   [RFC6092], and others.

5.2.  Security of adjacency formation

   The security of the border definition is limited by the security
   applied to the formation of homenet routing protocol adjacencies: the
   next hops with which a homenet router forms adjacencies are the next
   hops the router trusts with the application of interior policies.

5.2.1.  Secure links and authenticated adjacency formation

   The trustworthiness of next hops during adjacency formation can be
   improved if the security of the link connecting them can be trusted.
   Using encrypted link technologies like 802.1x or secured "Wi-Fi"
   ESSIDS when forming homenet adjacencies, or authenticating homenet
   next hops by physical or cryptographic mechanisms limits the ability
   of malicious nodes to join the homenet interior.

5.2.2.  Unsecure links

   In general IP over Ethernet connections, common to residential
   Internet (and countless other places like some in-room hotel network)
   service provider deployments, create the possibility of malicious
   nodes attempting to join the homenet interior.

   In a broad variety of circumstances users already implicitly trust
   unsecured links.  Residential subscribers generally trust that their
   ISP has properly isolated their connection from any neighbors; few if
   any subscribers validate the ISP's DHCP server in order to thwart a
   malicious neighbor intervening.

   In the event of a network with a single upstream where an interior
   next hop is formed instead of an external next hop, the homenet
   network as a whole would have detected no external next hops.
   Homenet router networks in which there are no external next hops
   SHOULD administratively log this configuration and SHOULD provide a
   means to alert the user to this condition.  Note that for isolated
   networks of homenet routers (e.g. a lab network) this configuration



Kline                     Expires May 10, 2013                  [Page 8]

Internet-Draft          Default Border Definition          November 2012


   is entirely valid.

   User notification alone is not sufficient protection for the homenet
   user, and will not correctly alert the user of a homenet with two
   upstream connections, one of which has mistakenly not categorized a
   next hop as external.  To better serve the homenet user, homenet
   routers are SHOULD follow one or more of the recommendations in
   Section 5.2.3.

5.2.3.  Recommendations

   Homenet router implementations that support dynamic discovery of the
   border (i.e. have interfaces on which the dynamic border detection
   described in Section 3 can be configured to operate) SHOULD support
   restricting homenet routing protocol adjacency formation to only next
   hops which meet some user-defined or user-verified authentication
   mechanism (including examples described in Section 5.2.1).

   Alternatively, implementations MAY incorporate a mechanism (possibly
   physical) whereby a homenet user can disable border detection on an
   interface which the user wishes to force into either an interior or
   exterior classification (e.g. a button to force an interface to be
   "external" only).

5.3.  Example border-aware filtering policies

   As a homenet router forms adjacencies and learns internal aggregate
   prefixes it could dynamically maintain a single logical entity
   encompassing all current internal prefixes in use that can be treated
   as a whole (e.g. an access list).  Below are example filtering
   policies that might be applied by homenet routers with knowledge of
   both this prefix set and the interior or exterior classification of
   all interfaces.

   The examples below use the string "{interior_nets}" for refer to the
   grouping of all internal aggregate prefixes.  The sample filtering
   policy rules are written in configuration pseudo-syntax that should
   hopefully be intuitive.

5.3.1.  Anti-spoofing on internal interfaces

   Given knowledge of all interior network prefixes and the
   categorization of interfaces, all interior interfaces could apply a
   stateless filter designed to prevent devices in the home from
   originating source-address-spoofed traffic.






Kline                     Expires May 10, 2013                  [Page 9]

Internet-Draft          Default Border Definition          November 2012


   Using a filter configuration pseudo-syntax:

       from !{interior_nets} to !{interior_nets} deny
       ... # permit or deny other kinds of traffic

5.3.2.  Stateful filtering on external interfaces

   Given knowledge of all interior network prefixes and the
   categorization of interfaces, all exterior interfaces could apply a
   stateful filter designed to discard traffic without matching state in
   the homenet router.

   Using a filter configuration pseudo-syntax:

       ... # permit other kinds of good traffic first
       from {interior_nets} to !{interior_nets} permit
       from !{interior_nets} to {interior_nets} established permit
       from any to any deny

5.3.3.  Mixed-mode interface filtering

   Given knowledge of all interior network prefixes and the
   categorization of interfaces, all mixed-node interfaces could apply a
   stateful filter designed to discard exterior traffic without matching
   state in the homenet router and still statelessly permit internal
   traffic.

   Using a filter configuration pseudo-syntax:

       ... # permit other kinds of good traffic first
       from {interior_nets} to !{interior_nets} permit
       from !{interior_nets} to {interior_nets} established permit
       from {interior_nets} to {interior_nets} permit
       from any to any deny

   Because routing changes elsewhere in the home may cause traffic to
   shift among interior next hops which may not have state, traffic
   between interior routers may not be well-served by stateful
   filtering.  One consequence for this policy on mixed-mode interfaces
   is that traffic from the exterior with spoofed source addresses from
   the "{interior_nets}" set of prefixes may be mistakenly allowed into
   the home.

   Filter implementations which can incorporate knowledge of the
   previous and next hops and their classifications can design much more
   precise filters.  Such implementations could deny traffic with
   "{interior_nets}" source addresses arriving from an exterior next
   hop, but permit them from an interior next hop on the same mixed-mode



Kline                     Expires May 10, 2013                 [Page 10]

Internet-Draft          Default Border Definition          November 2012


   interface.


6.  Acknowledgements

   Many thanks for the constructive input and criticism of Shwetha
   Bhandari, Lorenzo Colitti, Markus Stenberg, Mark Townsley, and Ole
   Troan.

   Thanks also must go to pleasant, peaceful and productive trips on the
   Japan Rail (JR) Shinkansen ("bullet train").


7.  IANA Considerations

   This memo includes no request to IANA.


8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

8.2.  Informative References

   [RFC1918]  Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
              E. Lear, "Address Allocation for Private Internets",
              BCP 5, RFC 1918, February 1996.

   [RFC4864]  Van de Velde, G., Hain, T., Droms, R., Carpenter, B., and
              E. Klein, "Local Network Protection for IPv6", RFC 4864,
              May 2007.

   [RFC4890]  Davies, E. and J. Mohacsi, "Recommendations for Filtering
              ICMPv6 Messages in Firewalls", RFC 4890, May 2007.

   [RFC6092]  Woodyatt, J., "Recommended Simple Security Capabilities in
              Customer Premises Equipment (CPE) for Providing
              Residential IPv6 Internet Service", RFC 6092,
              January 2011.

   [TORPIG]   Stone-Gross, B., "Your Botnet is My Botnet: Analysis of a
              Botnet Takeover", 2009, <http://www.cs.ucsb.edu/~seclab/
              projects/torpig/torpig.pdf>.





Kline                     Expires May 10, 2013                 [Page 11]

Internet-Draft          Default Border Definition          November 2012


Author's Address

   Erik Kline
   Google Japan
   Roppongi 6-10-1, 26th Floor
   Minato, Tokyo  106-6126
   JP

   Phone: +81 03 6384 9000
   Email: ek@google.com









































Kline                     Expires May 10, 2013                 [Page 12]