Internet DRAFT - draft-wallstrom-epp-registrant-problem-statement
draft-wallstrom-epp-registrant-problem-statement
Network Working Group P. Wallstrom, Ed.
Internet-Draft .SE
Intended status: Informational January 20, 2014
Expires: July 24, 2014
EPP Registrant Security Problem Statement
draft-wallstrom-epp-registrant-problem-statement-00.txt
Abstract
This document collects a number of requirements on securing the
provisioning of DNS data between a Registrant and a Registry. The
most common attack in the chain of Registrant-Registrar-Registry is
to inject false information into the Registrar system, which in turn
forwards the injected data to the Registry using EPP, the Extensible
Provisioning Protocol.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 24, 2014.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Wallstrom Expires July 24, 2014 [Page 1]
�
Internet-Draft EPP Security January 2014
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. The role of the Registry . . . . . . . . . . . . . . . . . . 3
3. Improving the protocol for the Registrant . . . . . . . . . . 3
4. Bootstrapping . . . . . . . . . . . . . . . . . . . . . . . . 4
5. Multiple tokens or keys . . . . . . . . . . . . . . . . . . . 5
6. Key algorithms . . . . . . . . . . . . . . . . . . . . . . . 5
7. Registrant interfaces . . . . . . . . . . . . . . . . . . . . 5
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
10. Security Considerations . . . . . . . . . . . . . . . . . . . 6
11. Informative References . . . . . . . . . . . . . . . . . . . 6
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6
1. Introduction
The most common attack on DNS today is to somehow force a DNS
Registrar to change any DNS related information by sending an EPP
change ([RFC5730]) for a domain to its parent Registry. The attack
could be performed at the Registrar level due to bad password
handling, weak web security or any customer service being vulnerable
to social engineering. Not only could DNS records be changed, but
also other information about a domain name, such as the e-mail
address used, the holder of the domain, or any other data needed in
order to take some sort of control over the domain. There is clearly
a need to protect the Registrant from this type of attack.
The standard way of shareing a DNS registry today is using the model
described in [RFC3375]. This model describes the terms Registry,
Registrar and Registrant (also called RRR) which will be used in this
document to describe the provisioning of DNS related data.
A new somewhat new solution to protect the Registrant from any non-
authorized change is for the Registry to offer the Registrant a
"Registry Lock". The idea of the lock is to forbid the Registrar to
provision any change to the Registry without the Registry (without
any confirmation from the Registrant or the Registrar either manually
or outside of the EPP protocol) temporarily removing the lock for any
cheing being requested. This method has not been standardized, and
there is no coherent way this locks are being implemented by a
Registry, making it harder for a Registrar or a Registrant to have a
single process for doing changes to all their domains. The lock can
be provisioned by either the Registrar, or in direct communication
Wallstrom Expires July 24, 2014 [Page 2]
�
Internet-Draft EPP Security January 2014
between the Registrant and the Registry. The latter completely
bypasses the EPP model.
2. The role of the Registry
When using EPP to provision DNS data, the role of the Registry is to
allow authenticated Registrars to publish DNS data typically coming
from a Registrant. Normally the only interface available to the
Registrar is the EPP interface. In some cases there might be other
interfaces available that has a different feature set than EPP, this
draft does only cover EPP.
The authentication is handled by The PLAIN Simple Authentication and
Security Layer (SASL) mechanism presented in [RFC4616] using a a user
identifier, an authorization identifier, and a password as part of a
single plain-text string as documented in [RFC5730]. This document
does not intend to require a change of this layer of authentication.
When the Registrar submits a transformation request to the EPP
service run by a Registry, the EPP service can handle the request in
a number of ways. The result can be negative, where the request is
denied by the EPP service. For successful transformation commands,
the command can be immediately processed by the server, or the server
can acknowledge the request and postpone the action and perform it
after some other action has been performed on the server side. When
the change has been accepted in the Registry, any DNS change can be
pushed out to the parent DNS zone, or any other data can be viewed in
Whois.
The Registrant has no role in this Registrar-Registry communication
at all.
In the current EPP model the AUTH data type has a special function.
It is normally used for initiating a transfer of an object between
Registrars. Any Registrar that has access to the AUTH data can
initiate a transfer of the object, meaning that the receiving
Registrar can move an object from another Registrar.
3. Improving the protocol for the Registrant
Since the Registrar in plain EPP has full control over any domain
name that it is authoritative for, there is a need to improve this
protocol in order to avoid attacks on the domain name through the
Registrar. The Registrant wants protection against any unauthorized
changes coming from the Registrar. One possible way to do this is to
extend the EPP protocol in order to have a piece of data in the
Registry database that authorizes any transformation request coming
from the Registrar.
Wallstrom Expires July 24, 2014 [Page 3]
�
Internet-Draft EPP Security January 2014
In order to add a control mechanism at the Registry level so that the
Registrar cannot perform any changes without confirmation by the
Registrar, the Registry could have a shared secret with the
Registrant. This shared secret can be a token that must be present
in any request sent to the Registry.
One such token can be published in the DNS zone for the domain being
changed, as well as in the EPP request. The Registry can then
validate the token coming from EPP by looking up the token in the
current DNS zone for the domain, with extra validation from DNSSEC.
When using the token in this way, it should also reflect the change
being made, so that the Registrar cannot perform any other change by
looking at the token available in DNS. However, the operation of
doing DNS lookups in the Registry level for a large EPP operator is
expensive since it adds some overhead. The Registry must also have
some sort of indication that any change in its database must be
protected by doing this extra operation, since not all domains for a
Registrar can be locked at the same time.
Another method is to use an assymetric cryptographic key to indicate
a Registry lock. A public key can be stored in the Registry
database. Any change coming over EPP can then either be signed or
encrypted (or both) with the private key. The Registry can verify
the change by using the public key, and perform the change if the
validation is succesful. If the incoming EPP request does not
contain the change signed or encrypted (or both) using any existing
public key for the domain, the request is denied. Using this model,
either the Registrar or Registrant can have access to the private
key, depending on the model of trust.
4. Bootstrapping
So how does this token or key end up in the Registry? There is still
a need to keep the RRR model intact. One way to do this is to trust
the Registrar completely to bootstrap the Registry and relay the
token or key from the Registrant unprotected. And this is also the
problem we want to avoid.
One way to bootstrap this extra security is to use DNS, since the
Registrant already have control over DNS. Extra security for DNS is
added with DNSSEC. Prior to sending the token or key to the
Registrar for the Registry database is to publish the same data in
DNS. For keys there is already a record type that can be used, TLSA.
For tokens we might have to use TXT, or define a new record type.
Wallstrom Expires July 24, 2014 [Page 4]
�
Internet-Draft EPP Security January 2014
5. Multiple tokens or keys
A private key can be lost or even compromised. In these cases you
must be able to change key at the Registry. Any such change must be
authorized by using a key that is already in the Registry. To avoid
a situation where the Registrant has a compromised key and this leads
to manual work for the Registry, the Registry should allow for
multiple keys for a Registrant. Adding a new key must be done by
using an already existing key, so to avoid having only a compromised
key in the Registry, a Registrant should probably bootstrap with
multiple keys and have an extra key in a secure backup. This secure
backup key can then be used to remove any lost or compromised keys,
and add new keys when needed. However, when the last key is removed,
there is no Registry Lock left, and the domain is insecure.
6. Key algorithms
Since the IETF mandates algorithm agility, there must be support for
multiple key algorithms. However, there will probably not be a need
for protecting against downgrading attacks. But it will become a
problem when new algorithms are defined since not all Registries will
have support for the same algorithms. Some sort of signalling
mechanism must therefore be in place.
7. Registrant interfaces
For the registrant to sign or encrypt any EPP change request, it is
preferred if the Registrant can operate on the exact command being
sent to the Registry. This means that the Registrant must be able to
create the EPP command, encrypt and/or sign it, and send this command
to the Registrar for re-distribution to the Registry. Some
Registrars offer the Registrant an API for performing changes in
bulk, but it is still most common for the Registrant to use any web
interface offered by the Registrar. Any such API has still not been
standardized by the IETF, or any other body. To solve this API
problem the Registrant might offer an EPP service to the Registrant,
and the Registrar becomes an EPP proxy for any secure changes.
However, this does probably not make life easier for the Registrant,
since the multitude of different EPP extensions in use by the
different Registries (a problem Registrars already have). Perhaps a
subset of EPP can be used instead. This might also give better
control of any mechanism used for proxying and validating changes in
XML.
Wallstrom Expires July 24, 2014 [Page 5]
�
Internet-Draft EPP Security January 2014
8. Acknowledgements
This document is a result of many discussions with several collegues,
in no special order: Einar Lonn, Ulrich Wisser, Jan Saell, Jakob
Schlyter, Fredrik Ljungren and Leif Johansson.
9. IANA Considerations
This document has no actions for IANA.
10. Security Considerations
The current implementations of EPP lacks any end-to-end security from
the Registrant to the Registry. This document describes a way to
improve on the current model. For this mechanism to work there is a
need for the Registrant to protect the private key, and the
provisioning system in use. There are attacks directly targeted at
the Registrar such as social engineering, spear phishing and other
techniques. These are issues that are outside the scope of this
document. Since XML is used in EPP, you can use XMLsig to implement
cryptographic signatures directly in XML. Using signatures in XML is
hard, and any implementor at either end of the system to construct
and validate XML signatures.
11. Informative References
[RFC3375] Hollenbeck, S., "Generic Registry-Registrar Protocol
Requirements", RFC 3375, September 2002.
[RFC3552] Rescorla, E. and B. Korver, "Guidelines for Writing RFC
Text on Security Considerations", BCP 72, RFC 3552, July
2003.
[RFC4616] Zeilenga, K., "The PLAIN Simple Authentication and
Security Layer (SASL) Mechanism", RFC 4616, August 2006.
[RFC5730] Hollenbeck, S., "Extensible Provisioning Protocol (EPP)",
STD 69, RFC 5730, August 2009.
Author's Address
Patrik Wallstrom (editor)
.SE
Stockholm
SE
Phone: +46 733 173 956
Email: pawal@iis.se
Wallstrom Expires July 24, 2014 [Page 6]
