Internet Engineering Task Force                      NSIS Working Group
Internet Draft                              H. Tschofenig, D. Kroeselberg
draft-ietf-nsis-threats-01.txt                                Siemens AG
Expires: August 2003                                     23 January 2003

                          Security Threats for NSIS
                       <draft-ietf-nsis-threats-01.txt>

Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups.  Note that other groups
may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress".

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

To view the list of Internet-Draft Shadow Directories, see
http://www.ietf.org/shadow.html.

                  Informational - Expires April 2003                 1 
                             NSIS Threats                 October 2002

Abstract

This threats document provides a detailed analysis of the security
threats relevant for the NSIS working group. It motivates and helps to
understand various security considerations in the NSIS Requirements,
Framework and Protocol proposals. This document does not describe
vulnerabilities of specific NSIS related protocols.

1 Introduction

Section 1.1 introduces the overall process of addressing the security of
work done in the NSIS working group. Section 1.2 gives a high-level
picture of the different network parts, which are traversed by NSIS
signaling. Each part is characterized by a different set of requirements
and different trust relationships. The threats described in Section 2
can be assigned to these individual parts.

1.1 NSIS Security Process

Whenever a new protocol has to be developed or existing protocols have
to be modified, their security threats should be evaluated. The process
of securing protocols is separated into individual steps. To address
security in the NSIS working group a number of documents have been
produced:

          +----------------------------------------------+
          |            NSIS Analysis Activities          |
          |         (e.g. RSVP Security Properties)      |
          +----------------------------------------------+
          +----------------------------------------------+
          |           Security Threats for NSIS          |
          |                                              |
          +----------------------------------------------+
          +----------------------------------------------+
          |               NSIS Requirements              |
          |                                              |
          +----------------------------------------------+
          +----------------------------------------------+
          |                NSIS Framework                |
          |                                              |
          +----------------------------------------------+
          +----------------------------------------------+
          |             NSIS Protocol Proposals          |
          |                                              |
          +----------------------------------------------+

Figure 1: NSIS Security related Documents


All the documents depicted in Figure 1 contribute to the NSIS security
approach. The purpose of each of these documents is briefly described
below to give the reader more insight into the development process.

     NSIS Analysis Activities:

          The primary goal of the NSIS analysis activity is the
          investigation of existing approaches in the area of quality of
          service signaling protocols. Several of the published
          approaches directly identify security relevant threats and
          requirements, whereas other threats and requirements can be
          derived from different protocol behavior or the different
          scenarios in which these protocols are used. For instance,
          [1] points to the reduced complexity if RSVP is used without
          multicast support. This modification also results in
          simplified security requirements. In [2], security issues
          raised in some example configurations are given. In [3], the
          security properties of RSVP are described. Furthermore an
          analysis of the interaction between RSVP and Mobile IP is
          provided by Michael Thomas in [4] and an analysis of existing
          QoS protocols is described in [5].

     NSIS Requirements:

          Threats relevant for NSIS are discussed in this document. To
          address the threats described in this document, security
          requirements have been specified as part of the NSIS
          Requirements document [6]. In addition to these requirements
          [6] describes some basic scenarios where the NSIS signaling
          protocol might be deployed.

     NSIS Framework:

          Signaling information to a number of devices located in
          different parts in the network with different trust
          assumptions and possible interactions with a large number of
          other protocols require some framework thoughts, which is
          especially true for security. In [7] a framework is provided
          for NSIS.

     NSIS Protocol:

          Finally there are documents describing concrete protocol
          proposals. These proposals either rely on existing security
          mechanisms or develop their own if the existing mechanisms
          cannot counter all relevant security threats or if they are
          inappropriate for other reasons. In practice, a protocol
          proposal might use established security mechanisms or
          protocols for basic protection, but is likely to require some
          additional protection mechanisms, or a combination of both for
          enhanced security.

          Note that the process of developing the above-mentioned
          documents is not linear. Instead various iterations are
          required to reach a satisfactory NSIS security solution.

     Security Threats for NSIS:

          This document identifies the basic threats that need to be
          addressed by the NSIS signaling protocol design. In addition,
          although the base protocol might be secure, some extensions
          may cause problems when used in a particular environment.
          Furthermore it is necessary to investigate the context in
          which a signaling protocol is used and the architecture where
          it is integrated. As an example of such an interaction,
          accounting and charging are taken into account in this
          document, since without an appropriate integration of the two
          it is difficult to deploy any NSIS solution. This interaction
          is also subject of the NSIS framework and some aspects are
          discussed in [7].

1.2 Relevant Communication Models

Independent of the threat scenarios described in Section 2, end-to-end
signaling messages traverse different network parts, which demand
different security means. The difference in security protection is
mainly caused by the fact that the NSIS signaling messages cross trust
boundaries where different trust relationships are prevalent. Often a
categorization into first-peer/last-peer, intra-domain and inter-domain
communication is applicable (see Figure 2). Depending on the concrete
security requirements, security protection across trust boundaries
might be required for certain scenarios but is usually not easily
addressable by standard means. The main properties of the listed
network parts are briefly described in this section and the threat
scenarios of Section 2 are classified accordingly. Figure 2 depicts a
typical end-to-end communication scenario including an access part
between the NSIS end entities and the nearest NSIS aware hops,
respectively. This "first-peer communication" commonly comes with
specific security requirements, especially important for properly
addressing security in mobile scenarios. Differences in the required
security for first-peer communication, compared to other parts of the
signaling message path, might exist.

If signaling messages are not exchanged end-to-end and only parts of
the signaling path are affected, some threats may not be relevant.

  +------------------+   +---------------+   +------------------+
  |                  |   |               |   |                  |
  |  Administrative  |   | Intermediate  |   |  Administrative  |
  |     Domain A     |   |   Domains     |   |     Domain B     |
  |                  |   |               |   |                  |
  |                 (Inter-domain Communication)                |
  |        +---------+---+---------------+---+---------+        |
  |  (Intra-domain   |   |               |   | (Intra-domain    |
  |   Communication) |   |               |   |  Communication)  |
  |        |         |   |               |   |         |        |
  |        |         |   |               |   |         |        |
  +--------+---------+   +---------------+   +---------+--------+
           ^                                           v
           |                                           |
  First Peer Communication               Last Peer Communication
           |                                           |
     +-----+-----+                               +-----+-----+
     |   NSIS    |                               |   NSIS    |
     | Initiator |                               | Responder |
     +-----------+                               +-----------+

Figure 2: Involved Network Parts

To further refine the above differentiation based on network parts
that NSIS signaling may traverse, we consider trust relationships
between NSIS hops. Additional threats may apply to NSIS communication
where one entity involved is an end-entity (initiator or responder) and
the other entity is any intermediate hop not being the first peer. This
is typically called the end-to-middle scenario. The motivation for
including this configuration stems for example from the SIP [8]
protocol. Any intermediate SIP proxy may request a SIP end entity (UA)
to authenticate, countering a number of specific security threats. Such
functionality in general seems to be useful for intermediaries at the
borders of trust domains that signaling messages need to traverse.
Intermediate NSIS hops as well may have to deal with specific security
threats that do not (directly) relate to end-entities. Between such
intermediate hops, other NSIS hops will typically be in the signaling
path. This scenario is called middle-to-middle. A generic example is
two NSIS hops at the border of their respective trust domains with some
form of trust relation. NSIS messages between these hops may have to
traverse one or more intermediate untrusted hops. Figure 3 illustrates
these additional scenarios. The first-peer case discussed further above
is covered by the peer-to-peer trust relationships between end entity
and closest hop, respectively.

              ****************************************
              *                                      *
         +----+-----+       +----------+        +----+-----+
   +-----+  NSIS    +-------+  NSIS    +--------+  NSIS    +-----+
   |     |  Node 1  |       |  Node 2  |        |  Node 3  |     |
   |     +----------+       +----+-----+        +----------+     |
   |                             ~                               |
   |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~                               |
   |  ~                                                          |
+--+--+-----+                                          +---------+-+
|   NSIS    +//////////////////////////////////////////+   NSIS    |
| Initiator |                                          | Responder |
+-----------+                                          +-----------+

 Legend:
  -----: Peer-to-Peer Trust Relationship
  /////: End-to-End Trust Relationship
  *****: Middle-to-Middle Trust Relationship
  ~~~~~: End-to-Middle Trust Relationship

Figure 3: Trust Relationships

     First-Peer Communication:

          First peer communication refers to the peer-to-peer
          interaction between a signaling message originator, the NSIS
          Initiator (NI), and the first NSIS aware entity along the
          path. Assumptions about the threats, security requirements and
          available trust relationships may be difficult here. To
          illustrate this, in many mobility environments it is difficult
          to assume the existence of a pre-established security
          association directly available for the NSIS peers involved in
          first-peer communication, as these peers cannot be assumed to
          have any relation between each other in advance. For
          enterprise networks, in contrast, the situation is different.
          Usually there is a fairly strong (pre-established) trust
          relationship between the peers. Enterprise network
          administrators usually have some degree of freedom to select
          the appropriate security protection and to enforce it. The
          choice of a security mechanism is therefore often influenced
          by the already available infrastructure. Per-session
          negotiation of security mechanisms is therefore often not
          required (which, in contrast, is required for the mobility
          case).

          For first-peer communication, especially threats related to
          initial security association setup, replay attacks, lack of
          confidentiality, denial of service, integrity violation,
          identity spoofing and fraud are applicable.

     End-to-Middle Communication:

          End-to-middle interaction in signaling may be required to e.g.
          grant end-entities access to, or specific services in, trust
          domains different from the one the NSIS Initiator as first
          peer belongs to. Threats, in addition to those already
          discussed for first-hop communication, may be untrusted
          intermediate NSIS hops that maliciously alter NSIS signaling.
          These threats are still relevant if security mechanisms are
          in place between the NSIS hops, but terminate at each hop
          (e.g. IPsec hop-by-hop protection).

     Intra-Domain Communication:

          After having been verified at the first peer, an NSIS
          signaling message traverses the network within the same
          administrative domain the first peer belongs to. Since the
          request has already been authenticated and authorized, threats
          are different to those described above for first-peer
          communication. To differentiate first-peer communication from
          intra-domain communication (i.e. communication internally
          within one administrative domain) we assume that no end hosts
          have direct access to the internal network nodes, except the
          first peer. We furthermore assume that NSIS peers within the
          same administrative domain have at least some sort of trust
          relationship.

     Inter-Domain Communication:

          The threat assumptions between the borders of different
          administrative domains largely depend on accounting procedures
          (and therefore business relationships) in case of QoS
          signaling, which is considered an important example
          application of NSIS signaling. If one domain transmits forged
          QoS reservations (for example stating a higher QoS reservation
          than the aggregated number of users did) to the next domain,
          then the originating domain may also have to pay for the
          reservation. Hence in this case, there is often no real
          benefit for the first domain to forge a QoS reservation. If an
          end host is directly charged by domains different to the first
          peer's domain, then such an attack may be quite a reasonable
          threat. However, security protection of messages transmitted
          between different administrative domains is still necessary to
          tackle attacks like spoofing, integrity violation, or denial
          of service between these domains, e.g. to allow for proper
          accounting. In case of securing signaling messages between
          administrative domains, the number of domains is usually
          rather limited (compared to first-peer communication), which
          causes fewer problems for the key management.

          Signaling information other than QoS service parameters, such
          as policy rules in case of middlebox communication, demands
          different assumptions for inter-domain communication. Trust
          assumptions and business relationships are of particular
          importance for their communication.

          If signaling messages are transparent in the core network
          (i.e. not intercepted and processed in the core network) then
          the signaling message communication effectively takes place
          between access networks. This might place a burden on the key
          management infrastructure because of global PKI requirements.
          Hence this can be seen as a serious deployment threat since it
          might be unacceptable for an access network service provider
          to perform processing (QoS reservations, policy rule
          installation at firewalls) due to unprotected incoming
          signaling messages.

     End-to-End Communication:

          Providing end-to-end signaling message protection for NSIS
          would cause difficulties for authentication and key
          establishment procedures. It would furthermore limit the
          flexibility of a signaling protocol in general. Functionality
          such as terminating at an arbitrary location along the path,
          delegating a signaling message exchange to other nodes, etc.
          would be difficult to achieve in a secure fashion. Protecting
          signaling messages end-to-end (in addition to peer-to-peer
          security) is in our opinion rarely required. This is based on
          the observation that end-to-end issues like charging and
          payment selection (i.e. which user has to pay for which part
          of a QoS reservation) are already securely negotiated by
          preceding upper layer protocols (for example SIP). Information
          carried within an NSIS signaling message for the purpose of
          charging is therefore assumed opaque to the NSIS protocol
          itself. Note that this observation makes some assumptions
          about the charging model and about the existence of a protocol
          interaction with AAA, QoS and an application layer protocol.

          It is however possible to imagine a future charging solution
          that requires end-to-end protection of information delivered
          within the NSIS protocol. The following example requires some
          sort of end-to-end protection: Alice wants Bob to pay for a
          QoS reservation (reverse charging). Bob wants to be assured
          that the QoS signaling message he receives was transmitted by
          Alice because he is only willing to pay for particular users
          and not for everyone. Hence Bob requires Alice to protect the
          reservation request.

          Regarding end-to-end security one additional issue needs to be
          addressed - delegation. Whenever signaling is addressed end-
          to-end and an arbitrary node along the path acts as proxy on
          behalf of the endpoint, a delegation mechanism is required to
          provide secure interaction. This obviously leads to additional
          complexity in the area of end-to-end security, as an
          additional set of threats becomes relevant.

     Middle-to-middle:

          We do not explicitly consider the middle-to-middle case here,
          as this is already covered by either intra- or inter-domain
          communication depending on the location of the involved
          entities.
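The end-to-middle and end-to-end cases above can be made concrete with a small model of a signaling path. The following Python script is an added illustration, not part of this draft or of any NSIS protocol proposal; the hop names, keys, message fields and the HMAC-based protection are constructed assumptions. It shows that peer-to-peer protection which terminates at each hop cannot reveal an intermediate hop that rewrites a reservation, whereas an end-to-end check lets the responder (Bob) confirm that a reverse-charged request really came from the initiator (Alice) and arrived unmodified.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample keys (assumption for this illustration). Each entry in
# HOP_KEYS models the peer-to-peer security association between two adjacent
# NSIS hops; END_TO_END_KEYS models an association between the NSIS Initiator
# (Alice) and the NSIS Responder (Bob), e.g. set up by a preceding SIP exchange.
HOP_KEYS: Dict[Tuple[str, str], bytes] = {
    ("alice", "hop1"): b"k-alice-hop1",
    ("hop1", "hop2"): b"k-hop1-hop2",
    ("hop2", "bob"): b"k-hop2-bob",
}
END_TO_END_KEYS: Dict[str, bytes] = {"alice": b"k-alice-bob-e2e"}

# Signaling path from the initiator through two intermediate hops to the responder.
PATH: List[str] = ["alice", "hop1", "hop2", "bob"]


def canonical(reservation: dict) -> bytes:
    """Deterministic encoding of the protected reservation fields."""
    return json.dumps(reservation, sort_keys=True, separators=(",", ":")).encode()


def mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def build_request(originator: str, bandwidth_kbps: int, payer: str, e2e: bool) -> dict:
    """Alice builds a reservation request; with e2e=True she adds an end-to-end
    MAC over the reservation that only the responder can verify."""
    reservation = {"originator": originator, "bandwidth_kbps": bandwidth_kbps,
                   "payer": payer, "seq": 1}
    msg = {"reservation": reservation, "e2e_mac": None, "hop_mac": None}
    if e2e:
        msg["e2e_mac"] = mac(END_TO_END_KEYS[originator], canonical(reservation))
    return msg


def protect_hop(msg: dict, sender: str, receiver: str) -> None:
    """Peer-to-peer protection: the sender MACs the message for its next hop only."""
    msg["hop_mac"] = mac(HOP_KEYS[(sender, receiver)], canonical(msg["reservation"]))


def verify_hop(msg: dict, sender: str, receiver: str) -> bool:
    expected = mac(HOP_KEYS[(sender, receiver)], canonical(msg["reservation"]))
    return hmac.compare_digest(expected, msg["hop_mac"])


def run_path(msg: dict, tamper_at: Optional[str] = None, inflate_to: int = 0) -> str:
    """Forward msg along PATH. Every hop verifies the MAC from its predecessor and
    re-protects the message for its successor, so protection terminates at each
    hop. If tamper_at names a hop, that hop rewrites the bandwidth before
    forwarding (the untrusted intermediate hop of the end-to-middle case)."""
    for sender, receiver in zip(PATH, PATH[1:]):
        if sender == tamper_at:
            msg["reservation"]["bandwidth_kbps"] = inflate_to
        protect_hop(msg, sender, receiver)
        if not verify_hop(msg, sender, receiver):
            return "rejected_by_" + receiver
    return "delivered"


def responder_check(msg: dict) -> str:
    """Bob's reverse-charging decision: pay only for a request that Alice
    demonstrably originated and that reached him unmodified."""
    res = msg["reservation"]
    if msg["e2e_mac"] is None:
        return "no_e2e_protection"
    key = END_TO_END_KEYS.get(res["originator"])
    if key is None or not hmac.compare_digest(mac(key, canonical(res)), msg["e2e_mac"]):
        return "e2e_check_failed"
    return "accepted"


def scenario(e2e: bool, tamper: bool) -> Tuple[str, str, int]:
    """Returns (path result, Bob's decision, bandwidth value Bob finally sees)."""
    msg = build_request("alice", 512, payer="bob", e2e=e2e)
    path = run_path(msg, tamper_at="hop2" if tamper else None, inflate_to=8192)
    return path, responder_check(msg), msg["reservation"]["bandwidth_kbps"]


if __name__ == "__main__":
    for e2e in (False, True):
        for tamper in (False, True):
            print(f"e2e={e2e!s:5} tamper={tamper!s:5} ->", scenario(e2e, tamper))
```

Hop-by-hop verification never fails in the tampering run because the altering hop is itself a legitimate sender toward its next peer; only the end-to-end MAC exposes the change.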

2 Threat Scenarios

This section provides threat scenarios that are applicable to signaling
protocols. Note that some threat scenarios use the term user instead of
NSIS Initiator. This is mainly because security protocols allow a
differentiation between entities being hosts and users (based on the
identities used).

2.1 MITM Attacks

Security protection of representing
  authorization information if it has protocols is often separated into two steps. The
first step provides entity authentication and key establishment whereas
the second step provides message protection using the previously
established security association. The first step usually tends to be shared between a number of
  network domains.

  Currently
more expensive than the above-mentioned issues have not been appropriately
  addressed and might cause obstacles second which is also the main reason for deployment.
  In
separation. If messages are transmitted very infrequently then these two
steps are collapsed into a discovery phase single and usually rather costly step. One
such example is e-mail protection via S/MIME. A good example for an additional issue of authorization was raised.
  Whenever a node wants
efficient two-step approach is provided by IPsec [9]. We use this
separation to discover the next NSIS aware node then
  authentication might not be sufficient. In many cases cover the IP address
  or FQDN of a particular router different threats in an unknown network does more detail.  The first
paragraph describes security threats where two peers do not add too
  much trust. An end host for example might want some assurance that
  this node belongs to already
share a network with which some sort of business
  relationship (directly security association, or indirectly) is available.

  2.3  Missing Cost Control

  This type of threat addresses a deployment problem of QoS signaling
  in do not use security mechanisms at all.
The next paragraph describes threats which are applicable when a real-world environment. It
security association is not already established. Finally a particular attack. A large
  number denial of service providers with complex roaming agreements create a
  non-transparent cost-structure. Using AAA protocols in
attack is described which is applicable to a
  subscription-based scenario. In signaling message when no

separation between SA establishment and signaling protection takes
place.

Various security threat are caused by a traditional subscription-based

   Tschofenig     Informational - Expires April 2003                 7 
                             NSIS Threats                 October 2002

  scenario users protocol performing dynamic node
discovery. These threats include Denial of Service attacks, which are registered with their home networks and use this
  trust relationship to dynamically establish
among other security
  associations. In these scenarios users do not learn threats described in Section 2.9. Note that the identity threats are
largely independently of the access network as part discovery procedure (path discovery, next
peer discovery or topology discovery).

     1.   Attacks during NSIS SA Establishment

          During the process of establishing a regular security association an
          adversary fools the signaling message exchange. The user is
  therefore only authenticated initiator with respect
          to the home network (and hopefully vice
  versa). entity to which it has to authenticate. The identity man-in-the-
          middle adversary is able to modify signaling messages to mount
          e.g. DoS attacks. In addition, it may be able to terminate
          NSIS messages of the access network is possibly not revealed.
  When issuing a reservation request Initiator and inject messages to an entity in a peer
          itself, therefore acting as the access network peer to the end-user does not know initiator and as
          the cost of such a reservation.
  Furthermore due initiator to mobility and route changes along the path peer. This results in the
  costs for an end-to-end QoS reservation might not be transparent or
  unacceptable.

  Today there is no protocol available which allows users to
  communicate cost limits, initiator
          wrongly believing that it talks to request costs for the "real" network resources or whereas
          it is actually attached to an adversary.  For this attack to
  learn the currently accumulated costs for a particular reservation.

  Especially in mobility environments where many networks might
          be
  contacted in a short period of time cost control is even more
  complicated.

  Some proposals which try successful, pre-conditions have to merge mobility protocols hold which are described
          with QoS
  signaling probe the access network (towards the cross-over router or
  the MAP) for the possibility making a QoS reservation (without
  actually making following two cases:

          - Missing Authentication

            The first case addresses missing authentication between the reservation itself).
            neighboring peers: Without authentication a query mechanism a
  user cannot take reservation costs into account when choosing between
  different access networks. Hence the user might not be NI, NR or NF is
            unable to
  refuse the more expensive service provider. To allow a user to choose
  different providers detect an adversary. However in some cases
            protection available might be required not only difficult to accomplish in a
            practical environment either because of the
  availability next peer is
            unknown, because of misbelieved trust relationships in parts
            of different access technologies (either using a WLAN
  card to access the local network or to use UMTS/UTRAN based
  technology) and the different service quality offered but also for
  cost reasons.

  Although real-time notifications of quality because of service reservation
  costs (cost control) to the user are outside the scope inability to establish
            proper security protection (inter-domain signaling messages,
            dynamic establishment of a quality security association, etc.). If
            one of service signaling protocol itself the communication endpoints is unknown then for some interactions might be
  required. Note that payment issues should be discussed independently
  of cost-control since other
            security mechanisms are required to negotiate
  which involved party actually has to pay the costs (and how).

  2.4  Eavesdropping and Traffic Analysis

  This section covers two threats: The first it is related to privacy
  concerns whereas the second addresses problems caused by weak
  authentication mechanisms and the increased risk of eavesdropping on
  the wireless link in absence of either not possible or very
            difficult to apply appropriate confidentiality security protection.

  The first threat case covers adversaries which are able to eavesdrop
            Sometimes network administrators use intra-domain signaling
            messages but are unable to actively participate in the QoS
  signaling (i.e. passive adversary). The collected signaling packets
  may serve for the purpose of traffic analysis or to later mount
  replay attacks as described in the next section. By eavesdropping without proper security. Such a configuration would
            then allow an adversary might violate on a user's privacy preference. Especially QoS

   Tschofenig     Informational - Expires April 2003                 8 compromised non-NSIS aware node
            to interfere with nodes running an NSIS Threats                 October 2002 signaling messages provide information protocol.
            Note that may be interesting for an
  adversary since the messages reveal user and/or application
  identities, policy information, information about the desired QoS
  reservation, etc. The information gathered this type of threat goes beyond a threat caused by an adversary can be
  used to learn communication patterns
            malicious NSIS nodes (described in Section 2.8).

          - Unilateral Authentication
            In case of users requesting resources
  (QoS, firewall, NAT, etc.).

  An adversary might be able to use a unilateral authentication the signaling protocol NSIS entity that
            does not authenticate its peer is unable to discover the topology
            man-in-the-middle adversary. Although authentication of a network (e.g. using record route). Additionally it
  might be possible to obtain diagnostic information usually used for
  network monitoring and administration. Other options might allow an
  adversary to route
            signaling messages specifically along a particular
  route similar to source routing.

  The second threat case addresses weak authentication mechanisms
  whereby information transmitted within should take place between each peer
            participating in the QoS signaling protocol may
  leak passwords and may allow offline dictionary attacks. This threat operation special attention is not specific
            given here to QoS signaling protocols but may also be applicable first-peer communication. Unilateral
            authentication between end hosts and countermeasures must be taken.

  2.5  Adversary being able to replay signaling messages

  This threat scenario covers the case where first peer is still
            common today, but certainly opens up many possibilities for
            MITM attackers impersonating either the end host or the
            (administrative domain represented by the) first peer.

            The two threats described above are a general problem of
            network access without appropriate authentication, not only
            for an adversary eavesdrops
  and collects NSIS signaling messages and replays them at a latter point in
  time (or at protocol. Obviously there is a different place, or uses parts of strong
            need to correctly address them at a different
  place or in a future NSIS protocol.
            The signaling protocols addressed by NSIS are different way ű e.g. cut and paste attacks). Without
  proper replay protection an adversary might be able to mount denial
  and/or theft of service attacks.

  A more difficult attack
            other protocols where only two entities are involved. Note,
            that may cause problems even in case of
  replay protection requires especially first-peer authentication is important, as
            the adversary to crash impacts of a NSIS aware node
  to loose state information (sequence numbers, security associations,
  etc.) and to be able to replay old signaling messages.

  Additionally breach likely reach beyond the
            directly involved entities (or even beyond a local network).

            Finally it should be mentioned noted that the interaction between
  different protocols based on authorization tokens requires some care.
  Using such an authorization token it is possible to link state
  information between different protocols. Returning an authorization
  token to signaling protocol
            should be considered as a peer-to-peer protocol where the end host might allow an adversary to steal resources
  without proper protection
            roles of initiator and responder can be reversed at any
            time. This leads to the token delivery or without proper
  verification conclusion that unilateral
            authentication is not very useful for such a protocol.
            However there might be a need to have some form of asymmetry
            in the hopefully protected content of authentication process whereby one entity uses a
            different authentication mechanism than the token. The
  functionality and structure of such an authorization token for RSVP
  is described in [3] and in [4].

  2.6  Identity Spoofing

  The following paragraph gives other one. As an
            example of an adversary using
  identity spoofing:

  Eve, acting as an adversary, claims to be the registered user Alice
  by spoofing the identity combination of Alice. Thereby Eve causes symmetric and asymmetric
            cryptography should be mentioned.

          - Weak Authentication

            This threat addresses weak authentication mechanisms whereby
            information transmitted during the network NSIS SA establishment
            process may leak passwords and/or may allow offline
            dictionary attacks. This threat is not specific to
  charge Alice for the consumed network resources. Using unprotected NSIS
            signaling messages Eve protocols but may experience no particular problems in
  succeeding. This attack can also be classified as theft of service.

   Tschofenig     Informational - Expires April 2003                 9 applicable and
            countermeasures must be taken.

     2.   Attacks during NSIS Threats                 October 2002

  If SA Usage

          Once a signaling message is properly protected the adversary security association is unlike establish (and used to succeed.

  A non-traditional identity spoofing attack exploits flow
  classification (required for QoS and Midcom specific protect
          signaling
  protocols). Some identifiers such as IP addresses, transport protocol
  identifiers, port numbers, flow labels [6, 7] and others messages) basic attacks are
  communicated prevented. However, a
          malicious NSIS node is still able to perform various attacks
          as described in these protocols and represent Section 2.8. Replay attacks, which can be a
          problem when a NSIS node crashes, restarts and performs state
          re-establishment. Proper re-synchronization capability of the
          security mechanism must therefore address this problem.

     3.   Combining Signaling and SA Establishment

          This threat covers an attractive target
  for attack which allows an adversary. Modification of these flow identifiers adversary to
          flood an NSIS node with bogus signaling messages to cause
  quality a
          denial of service reservations or policy rules attack.

          When a signaling message arrives at middleboxes a NSIS aware network
          element some processing is required. If this message contains
          security objects such as digital signatures and not security
          association is already available then some processing is
          required for the cryptographic verification. Since NSIS
          signaling should not require several roundtrips between two
          NSIS peers it is difficult to provide DoS protection
          mechanisms commonly found in authentication and key agreement
          protocols. If signaling messages furthermore aim to be
  either ineffective or beneficial for adversaries.

  Additional concerns might occur if end hosts perform traffic marking
          idempotent and no security association should be created then
          some cryptographic mechanisms should be used with precaution
          (for example by using a DSCP). Whenever public key cryptography).

          Additionally to the threat described above an ingress router uses only
  marked incoming data traffic for admission control procedures then
  various attacks are possible. These problems are known in the
  DiffServ community for a long
          signaling message might require time consuming processing
          (computations, state maintenance, timer setting, etc) and documented in various DiffServ
  related documents. The IPSec protection of DiffServ Code Points
          communication with third-party nodes including policy servers,
          LDAP servers, etc. If an adversary is
  described in Section 6.2 able to transmit a large
          number of [11]. Related security issues signaling message (for example denial of service attacks) are described in Section 6.1 of with QoS reservation
          requests) with invalid credentials then the same document.

  The following paragraph describes a possible threat caused by
  identity spoofing of transmitted data traffic. The spoofed identity
  is thereby the source IP addresses. Assume that accounting records
  are collected based on the source IP address and verifying node may
          not on a SPI due be able to
  IPSec protection. After the network receives a properly protected process further reservation request, transmitted messages by the
          legitimate user Alice,
  Traffic Selectors are installed at the corresponding devices (for
  example edge router). These users.

2.2 Eavesdropping and Traffic Selectors Analysis

This threat cases covers adversaries which are used for flow
  identification and allow to match data traffic originated from a
  given source address able to be assigned eavesdrop
signaling messages but are unable to a particular QoS reservation. actively participate in signaling
message exchange (i.e. passive adversary). The adversary Eve now spoofs collected signaling
packets may serve for the IP address purpose of traffic analysis or to later mount
replay attacks as described in the Alice.
  Additionally AliceĂs host may be subject of a DoS attack by Section 2.3. The eavesdropper might
learn QoS parameters, communication patterns, policy rules for firewall
traversal, policy information, application identifiers, user identities,
NAT bindings and by
  the adversary. If both nodes are located at more.

2.3 Adversary being able to replay signaling messages

This threat scenario covers the same link case where an adversary eavesdrops and use the
  same IP address then obviously
collects signaling messages and replays them at a duplicate IP address will be
  detected. Assuming that only Eve is present latter point in time
(or at the link then she is
  able to receive and transmit data (for example RTP data traffic),
  which receives preferential QoS treatment based on the previous
  reservation. Depending on the installed Traffic Selector granularity
  Eve might have more possibilities to exploit the QoS reservation a different place, or uses parts of them at a
  pin-holed firewall. Assuming the soft state paradigm, where
  periodical refresh messages are required, the absence different place or

in a different way - e.g. cut and paste attacks). Without proper replay
protection an adversary might mount man-in-the-middle, denial of Alice will
  not be detected until the next signaling message appears service
and forces
  Eve to respond with a protected signaling message. Again this issue
  is not only applicable to QoS traffic but the existence theft of QoS
  reservation causes service attacks.

A more difficulties since this type difficult attack that may cause problems even in case of traffic is
  more expensive. The same procedure is also applicable replay
protection requires the adversary to a Middlebox
  communication protocol.

  2.7  Adversary being crash an NSIS aware node to loose
state information (sequence numbers, security associations, etc.) and to
be able to inject/modify messages

   Tschofenig     Informational - Expires April 2003                10 
                             NSIS Threats                 October 2002

  The next type of threat replay old signaling messages. This attack addresses re-
synchronization deficiencies.
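
As an added illustration of the replay and re-synchronization problem
above (example code written for this page, not part of the draft or of
any NSIS implementation), the following Python models an IPsec-style
anti-replay window over MAC-protected signaling messages and shows why a
receiver that loses its counters on a crash accepts an old message again
unless it either persists its high-water mark or re-keys the security
association; the key, message layout and sequence numbers are
constructed assumptions.

```python
import hashlib
import hmac

# Constructed values: a shared key standing in for an established NSIS SA
# and a minimal message layout (seq, payload, MAC). Neither is from the draft.
SA_KEY = b"constructed-sa-key"
SEQ_LEN = 4


def _mac(key, seq, payload):
    return hmac.new(key, seq.to_bytes(SEQ_LEN, "big") + payload,
                    hashlib.sha256).digest()


def protect(seq, payload, key=SA_KEY):
    """Sender side: the MAC binds the sequence number to the payload, so a
    captured message cannot simply be re-numbered."""
    return (seq, payload, _mac(key, seq, payload))


class ReplayWindow:
    """Receiver side: sliding anti-replay window of `size` sequence numbers."""

    def __init__(self, key=SA_KEY, size=32):
        self.key = key
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => seq (highest - i) already seen

    def accept(self, msg):
        """Return 'ok', 'bad_mac', 'replay' or 'too_old' for one message."""
        seq, payload, mac = msg
        if not hmac.compare_digest(mac, _mac(self.key, seq, payload)):
            return "bad_mac"
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "ok"
        offset = self.highest - seq
        if offset >= self.size:
            return "too_old"
        if (self.bitmap >> offset) & 1:
            return "replay"
        self.bitmap |= 1 << offset
        return "ok"

    def restore_high_water_mark(self, saved_highest):
        """Re-synchronize after a restart: everything at or below the mark
        saved in non-volatile storage is treated as already seen."""
        self.highest = saved_highest
        self.bitmap = (1 << self.size) - 1


def crash_scenario(resync):
    """Three signaling messages are accepted, the receiver crashes and loses
    its volatile state, then the adversary replays message 2.

    resync: 'none' (state simply lost), 'persist_seq' (high-water mark kept
    across the restart) or 'rekey' (fresh SA established after restart).
    Returns the receiver's verdict on the replayed message."""
    rx = ReplayWindow()
    captured = [protect(i, b"RESERVE flow-%d" % i) for i in (1, 2, 3)]
    for m in captured:
        assert rx.accept(m) == "ok"
    assert rx.accept(captured[1]) == "replay"   # window works while state is intact

    saved = rx.highest                 # only used by the 'persist_seq' variant
    if resync == "none":
        rx = ReplayWindow()            # same SA key, counters gone: replay succeeds
    elif resync == "persist_seq":
        rx = ReplayWindow()
        rx.restore_high_water_mark(saved)
    elif resync == "rekey":
        rx = ReplayWindow(key=b"constructed-new-sa-key")   # old MACs no longer verify
    else:
        raise ValueError(resync)
    return rx.accept(captured[1])
```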

2.4 Missing Protection of Authorization Information

Authorization is an important step for providing resources such as QoS
reservations, NAT bindings and pin-holed firewalls. Authorization
information might be delivered to the NSIS participating entities in a
number of ways.

One such approach is to use a successful authorization step done by a
different protocol in a later NSIS signaling message by providing some
sort of token. The functionality and structure of such an authorization
token for RSVP is described in [10] and in [11].

The interaction between different protocols based on authorization
tokens, however, requires some care. Using such an authorization token
it is possible to link state information between different protocols.
Returning an unprotected authorization token to the end host might allow
an adversary (for example an eavesdropper) to steal resources. An
adversary might also use the token to learn communication patterns. An
untrustworthy end host might also modify the token content.

Other authorization mechanisms might depend on availability of
sufficient funds and therefore real-time information. Deployment threats
of this kind are described in Section 2.14. The Session/Reservation
Ownership problem can also be considered as an authorization problem.
Details are described in Section 2.11. In enterprise networks
authorization is often coupled with membership to a particular class
of users/groups. This type of information can either be delivered as
part of the authentication and key agreement procedure or has to be
retrieved via separate protocols from other entities. If an adversary
manages to modify information relevant for determining authorization or
the outcome of the authorization process itself then theft of service
might be the consequence.
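
The following Python, added here as an example and not taken from the
draft or from the RSVP policy-element specifications it cites, shows one
way to integrity-protect and flow-bind an authorization token so that
the verifying NSIS node rejects a modified token, a captured token reused
for another flow, an expired token and a request larger than what was
authorized; the issuer key, field names and sample flows are constructed
assumptions.

```python
import hashlib
import hmac
import json

# Constructed key shared between the token issuer (e.g. a policy server)
# and the NSIS nodes that verify tokens; not from the draft or [10]/[11].
ISSUER_KEY = b"constructed-policy-server-key"


def _canonical(fields):
    # Deterministic encoding so issuer and verifier MAC the same bytes.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def issue_token(session_id, flow_id, max_kbps, lifetime_s, now, key=ISSUER_KEY):
    """Issuer side: the MAC covers every field, so a relaying end host can
    neither raise max_kbps nor move the token to another flow."""
    fields = {"sid": session_id, "flow": flow_id, "kbps": max_kbps,
              "exp": now + lifetime_s}
    mac = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {"fields": fields, "mac": mac}


def verify_token(token, flow_id, requested_kbps, now, key=ISSUER_KEY):
    """Verifier side: an NSIS node receiving a reservation request for
    `flow_id` that carries `token`. Returns (accepted, reason)."""
    fields, mac = token["fields"], token["mac"]
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, "token modified"
    if now >= fields["exp"]:
        return False, "token expired"
    if fields["flow"] != flow_id:
        return False, "token bound to a different flow"
    if requested_kbps > fields["kbps"]:
        return False, "request exceeds authorized amount"
    return True, "ok"


def token_scenario():
    """Walks through the misuse cases named in Section 2.4 and returns the
    verifier's verdict for each. Addresses and times are constructed."""
    now = 1_000_000
    alice_flow = "udp 192.0.2.10:5004 -> 198.51.100.5:5004"
    eve_flow = "udp 192.0.2.77:5004 -> 198.51.100.5:5004"
    tok = issue_token("sess-1", alice_flow, 512, 300, now)
    results = {"legitimate": verify_token(tok, alice_flow, 256, now + 10)}
    # An untrustworthy end host edits the token content before relaying it.
    forged = {"fields": dict(tok["fields"], kbps=10_000), "mac": tok["mac"]}
    results["modified"] = verify_token(forged, alice_flow, 5_000, now + 10)
    # An eavesdropper captured the token and presents it for its own flow.
    results["reused"] = verify_token(tok, eve_flow, 256, now + 10)
    # The legitimate token is presented after its lifetime has passed.
    results["expired"] = verify_token(tok, alice_flow, 256, now + 400)
    # The legitimate holder asks for more than the token grants.
    results["over_request"] = verify_token(tok, alice_flow, 1024, now + 10)
    return results
```

Note that the MAC alone does not stop an eavesdropper from replaying the
token for Alice's own flow; that case is the reason the draft asks for
protection of the token delivery itself.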

2.5 Identity Spoofing

Identity spoofing relevant for NSIS appears in two flavors: First,
identity spoofing can appear during the establishment of a security
association if based on a weak authentication mechanism.

Eve, acting as an adversary, claims to be the registered user Alice by
spoofing the identity of Alice. Thereby Eve causes the network to charge
Alice for the consumed network resources. This type of attack is
possible if authentication is done based on a simple username identifier
(i.e. in absence of cryptographic authentication) or if authentication
is provided for hosts and multiple users have access to a single host.
This attack could also be classified as theft of service.

Second, an adversary is able to perform identity spoofing on transmitted
data packets. This type of attack is often labeled as IP spoofing. Since
most NSIS signaling messages contain some sort of flow identifier for
which a certain behavior is performed (e.g. a particular flow experiences
QoS treatment or is allowed to bypass a firewall, etc.) an adversary
could mount an attack by modifying the flow identifier of a signaling
message. The following example tries to show an adversary using identity
spoofing of the first category:

An adversary is able to exploit the established flow identifiers
(required for QoS and Midcom specific signaling protocols). Some
identifiers such as IP addresses, transport protocol identifiers, port
numbers, flow labels (see [12] and [13]) and others are communicated in
these protocols. Modification of these flow identifiers causes quality of
service reservations or policy rules at middleboxes to be either
ineffective or beneficial for adversaries.

The following paragraph describes a possible threat caused by identity
spoofing of transmitted data traffic. The spoofed identity is thereby
the source IP addresses. For this attack to be successful accounting
records are collected based on the source IP address and not on a SPI
due to IPSec protection. After the network receives a properly protected
reservation request, transmitted by the legitimate user Alice, Traffic
Selectors are installed at the corresponding devices (for example edge
router). These Traffic Selectors are used for flow identification and
allow to match data traffic originated from a given source address to be
assigned to a particular QoS reservation. The adversary Eve now spoofs
the IP address of Alice. Additionally Alice's host may be crashed by
the adversary as a result of a denial of service attack or lost
connectivity for example because of mobility reasons. If both nodes are
located at the same link and use the same IP address then obviously a
duplicate IP address will be detected. Assuming that only Eve is present
at the link then she is able to receive and transmit data (for example
RTP data traffic), which receives preferential QoS treatment based on
the previous reservation. Depending on the installed Traffic Selector
granularity Eve might have more possibilities to exploit the QoS
reservation or a pin-holed firewall. Assuming the soft state paradigm,
where periodical refresh messages are required, the absence of Alice
will not be detected until the next signaling message appears and forces
Eve to respond with a protected signaling message. Again this issue is
not only applicable to QoS traffic but the existence of QoS reservation
causes more difficulties since this type of traffic is more expensive.
The same procedure is also applicable to a Middlebox communication
protocol.

The ability for an adversary to inject data traffic which matches a
certain Traffic Selector established by a legitimate user often requires
the ability to also receive the data traffic. This is, however, only
true if the Traffic Selector consists of values which contain addresses
used for routing. If we imagine to use attributes for a Traffic Selector
where such a property is not required then identity spoofing and
injecting traffic is much easier. An adversary can use a nearly
arbitrary endpoint identifier to experience the desired result.
Obviously the endpoint identifiers are still not irrelevant since the
messages have to travel the same path through the network. DiffServ
marking of IP packets is such an example and others can be constructed
very easily.

Data traffic marking based on DiffServ is such an example. Whenever an
ingress router uses only marked incoming data traffic for admission
control procedures then various attacks are possible. These problems are
known in the DiffServ community for a long time and documented in
various DiffServ related documents. The IPSec protection of DiffServ
Code Points is described in Section 6.2 of [14]. Related security issues
(for example denial of service attacks) are described in Section 6.1 of
the same document.

2.6 Adversary being able to inject/modify messages

This type of threat addresses integrity violations whereby an adversary
modifies signaling messages (e.g. by acting as a man-in-the-middle
attacker) to cause an unexpected network behavior. Possible actions an
adversary might consider for its attack are reordering, delaying,
dropping, injecting and modifying.

An adversary may inject a signaling message requesting a large amount of
resources (possibly using a different user identity). Other resource
requests could then be rejected. In combination with identity spoofing
it is also possible to accomplish fraud. This attack is only successful in
absence of signaling message protection.

Some directly related threats are described in Section 2.8, 2.5, 2.8 and
2.9.

2.7 Missing Non-Repudiation

Repudiation in this context refers to a problem where one party later
denies to have requested a certain action (such as a QoS reservation).

The problem of a missing non-repudiation property appears in two
flavors:

From a service provider point-of-view the following threat may be worth
an investigation. A user may deny to have issued a reservation request
for which it was charged. A service provider may then like to prove that
a particular user issued reservation requests.

The same threat can be interpreted from the user's point-of-view. A
service provider claims to have received a number of reservation
requests. The user in question thinks that he never issued those
requests and wants to have a proof for correct service usage for a given
set of QoS parameters.

In today's telecommunication networks non-repudiation is not provided.
The user has to trust the network operator to correctly meter the
traffic, collect and merge accounting data and that no unforeseen
problems occur. If a signaling protocol is used to establish QoS
reservations with a higher volume (for example service level agreements)
then it might impact protocol design.

Looking at threats based on missing non-repudiation it must be carefully
considered whether non-repudiation is needed. Non-repudiation poses
additional requirements on the security mechanisms as it can only be
provided through public-key cryptography. As this would often increase
the overall cost for security, threats related to missing non-
repudiation are only considered relevant for certain specific scenarios
but not for the general NSIS scenario.

2.8 Malicious NSIS Entity

Network elements within a domain (intra-domain) experience a different
trust relationship with regard to the security protection of signaling
messages compared to edge routers. We assume that edge routers have the
responsibility to perform cryptographic processing (authentication,
integrity and replay protection, authorization and accounting) for
signaling messages arriving from outside. This prevents signaling
messages from appearing unprotected within the internal network. If however
an adversary manages to take over an edge router then the security of
the entire network is affected. An adversary is then able to launch a
number of attacks including denial of service, integrity violation,
replay attacks etc. In case of policy rule installation a rogue firewall
can cause harm to other firewalls by modifying the policy rules
accordingly. The chain-of-trust principle applied in the peer-to-peer
security protection cannot provide protection against a malicious NSIS
node. An adversary with access to an NSIS router is then also able to
get access to security associations to transmit secured signaling messages.
Note that even non peer-to-peer security protection might not be able to
fully prevent this problem. Since an NSIS node might issue signaling
message on behalf of someone else (by acting as a proxy) additional
problems are the consequence.

An NSIS aware edge router is a critical component that requires strong
security protection. A strong security policy applied at the edge does
not imply that routers within an intra-domain network do not need to
cryptographically verify signaling messages. If the chain-of-trust
principle is deployed then the security protection of the entire path
(in this case within the network of a single administrative domain) is
as strong as the weakest link. In our case the edge router is the most
critical component of this network that may also act as a security
gateway/firewall for incoming/outgoing traffic. For outgoing traffic
this device has to act according to the security policy of the local
domain to apply the appropriate security protection.

For an adversary to mount this attack either an existing NSIS aware node
along the path has to be successfully attacked or the adversary has to
succeed in convincing another NSIS node to accept it as the next NSIS
peer (man-in-the-middle attack).

2.9 Denial of Service Attacks

A number of denial of service attacks can cause NSIS nodes to
malfunction. Other attacks that could lead to DoS, such as man-in-the-
middle attacks, replay attacks, injection or modification of signaling
messages etc., are mentioned throughout this document.

     1.   Path Finding

          This threat tries to address potential denial of service
          attacks when the reservation setup is split into two phases
          i.e. path and reservation (as for example used in receiver
          based reservation setup). For this example we assume that the
          node transmitting the path message is not charged for the path
          message itself and is able to issue a high number of
          reservation requests (possibly in a distributed fashion).
          Charging is activated only after successful verification of
          the reservation request. The reservations are however never
          intended to be successful because of various reasons: the
          destination node cannot be reached; it is not responding or
          simply rejects the reservation. An adversary can benefit from
          the fact that resources are already consumed along the path
          for various processing tasks including path pinning.

     2.   Discovery Phase
          Signaling information to a large number of entities along a
          data path requires some sort of discovery. This discovery
          process is vulnerable to a number of attacks since it is
          difficult to secure. An adversary can use the discovery
          mechanisms to convince an entity to signal information to
          another entity which is not along the data path or to cause
          the discovery process to fail. In the first case the signaling
          protocol could be correctly continued with the problem that
          policy rules are installed at incorrect firewalls or QoS
          resource reservations take place at the wrong entities. For an
          end host this means that the protocol failed for unknown
          reasons.

     3.   Faked Error/Response messages

          An adversary may be able to use false error/response messages
          as part of a denial of service attack. This could be either at
          the message signaling protocol level, at the level of each
          client layer protocol (QoS, Midcom, etc.) or at the transport
          level protocol. An adversary might cause unexpected protocol
          behavior or produce denial of service attacks. Especially the
          discovery protocol shows vulnerabilities with regard to this
          threat. In case that no separate discovery protocol is used,
          i.e. signaling messages are addressed to end hosts only (with
          a Router Alert Option so that NSIS aware nodes intercept
          them), then an error message might be used to indicate a path
          change. Such a design is a combination of a discovery protocol
          together with a signaling message exchange protocol.
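The path-finding threat in item 1 above is a resource-consumption problem: state is pinned along the path before any charging or verification takes place. The following is an added example (not part of this draft) that models a router's path-state table two ways: the unbounded behaviour the text describes, and a variant that treats uncharged path state as a budgeted resource with a global cap, a per-origin quota and a lifetime. The message layout, the limits and the origin names are constructed for the example. The distributed variant mentioned in the text is included deliberately: it shows that such limits protect the router's memory but do not by themselves keep a legitimate path message from being crowded out until pinned state expires.

```python
from collections import Counter


class UnboundedPathState:
    """The situation the text describes: every path message pins state at
    the router and nothing bounds how much uncharged state one origin creates."""

    def __init__(self):
        self.entries = {}                       # sid -> origin

    def path_message(self, sid, origin, now):
        self.entries[sid] = origin
        return "installed"


class BoundedPathState:
    """Uncharged path state treated as a budgeted resource: a global cap,
    a per-origin quota and a lifetime after which unconfirmed state is
    dropped. All three limits are illustrative assumptions."""

    def __init__(self, capacity, per_origin, lifetime):
        self.capacity, self.per_origin, self.lifetime = capacity, per_origin, lifetime
        self.entries = {}                       # sid -> (origin, expiry)
        self.count = Counter()                  # origin -> live entries

    def _expire(self, now):
        for sid, (origin, expiry) in list(self.entries.items()):
            if expiry <= now:
                del self.entries[sid]
                self.count[origin] -= 1

    def path_message(self, sid, origin, now):
        self._expire(now)
        if sid in self.entries:                 # refresh keeps the original origin
            origin, _ = self.entries[sid]
            self.entries[sid] = (origin, now + self.lifetime)
            return "refreshed"
        if self.count[origin] >= self.per_origin:
            return "dropped-origin-quota"
        if len(self.entries) >= self.capacity:
            return "dropped-table-full"
        self.entries[sid] = (origin, now + self.lifetime)
        self.count[origin] += 1
        return "installed"


def flood(table, origin_of, count, now):
    """Send `count` path messages with distinct SIDs; origin_of(i) names the sender."""
    outcome = Counter()
    for i in range(count):
        outcome[table.path_message(f"atk-{i}", origin_of(i), now)] += 1
    return outcome


def run_scenario():
    # Single-source flood of 1000 path messages whose reservations are never
    # confirmed (constructed traffic), followed by one legitimate user.
    naive = UnboundedPathState()
    flood(naive, lambda i: "adversary", 1000, now=0.0)
    naive.path_message("legit", "user", now=0.0)
    naive_size = len(naive.entries)             # grows without bound

    bounded = BoundedPathState(capacity=100, per_origin=10, lifetime=30.0)
    single = flood(bounded, lambda i: "adversary", 1000, now=0.0)
    legit_single = bounded.path_message("legit", "user", now=0.0)

    # Distributed variant: 1000 distinct origins defeat the per-origin quota;
    # the global cap holds, but the legitimate user is locked out until the
    # pinned state expires.
    bounded2 = BoundedPathState(capacity=100, per_origin=10, lifetime=30.0)
    distributed = flood(bounded2, lambda i: f"bot-{i}", 1000, now=0.0)
    legit_during = bounded2.path_message("legit", "user", now=1.0)
    legit_after = bounded2.path_message("legit", "user", now=31.0)
    return (naive_size, single["installed"], single["dropped-origin-quota"], legit_single,
            distributed["installed"], distributed["dropped-table-full"],
            legit_during, legit_after, len(bounded2.entries))


if __name__ == "__main__":
    print(run_scenario())
```

The per-origin quota only helps when the origin can be attributed reliably; with a distributed sender set the global cap is what protects the router, and the lifetime is what eventually frees the table. Neither replaces charging or verification before state is pinned, which is the actual gap the text identifies.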

2.10 Disclosing the network topology

In some architectures there is a desire not to reveal the internal
network structure (or other related information) to the outside world.
An adversary might be able to use NSIS messages for network mapping
(e.g. discovering which nodes exist, which use NSIS, what version, what
resources are allocated, capabilities of nodes along a path etc.).
Discovery messages, traceroute, diagnostic messages (see [14] for a
description of diagnostic message functionality for RSVP), query
messages in addition to record route and route objects provide the
potential to assist an adversary. Hence the requirement of not
disclosing a network topology might conflict with another requirement to
provide means for automatically discovering NSIS aware nodes or to
provide diagnostic facilities (used for network monitoring and
administration).

2.11 Session/Reservation Ownership

Figure 4 shows an NSIS Initiator which established state information at
NSIS nodes along the path as part of the signaling procedure. As a
result Access Router 1, Router 3 and Router 4 (and other nodes) store
session state information including the Session Identifier SID-x.

                                         Session ID(SID-x)
                                    +--------+
                  +-----------------+ Router +------------>
 Session ID(SID-x)|                 |   4    |
              +---+----+            +--------+
              | Router |
       +------+   3    +*******
       |      +---+----+      *
       |                      *
       | Session ID(SID-x)    * Session ID(SID-x)
   +---+----+             +---+----+
   | Access |             | Access |
   | Router |             | Router |
   |   1    |             |   2    |
   +---+----+             +---+----+
       |                      *
       | Session ID(SID-x)    * Session ID(SID-x)
  +----+------+          +----+------+
  |  NSIS     |          | Adversary |
  | Initiator |          |           |
  +-----------+          +-----------+

Figure 4: Session/Reservation Ownership

The Session Identifier is included in signaling messages to refer to
the established state.

If an adversary was able to obtain the Session Identifier, for example
by eavesdropping signaling messages, it is able to add the same Session
Identifier SID-x to a new signaling message. When the signaling message
hits Router 3 (as shown in Figure 4) then existing state information can
be modified. The adversary can then modify or delete the established
reservation causing unexpected behavior for the legitimate user.

The source of the problem is that Router 3 (the cross-over router) is
unable to decide whether the new signaling message was initiated by the
owner of the session/reservation.

To make processing even more difficult it must be mentioned that not
only the initial signaling message originator is allowed to signal
information during the lifetime of an established session. As part of
the protocol any NSIS aware node along the path (and the path might
change over time) could be involved in the signaling message exchange,
and it might be necessary to provide mobility support or to trigger a
local repair procedure. Hence if only the initial signaling message
originator is allowed to trigger signaling message exchange some
protocol behavior will not be possible.

In case that this threat is not addressed an adversary can launch denial
of service, theft of service, and various other attacks.
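To make the ownership problem at the cross-over router concrete, here is an added example (not part of this draft) of Router 3 implemented two ways. The first keeps state keyed by the Session Identifier alone, so an eavesdropped SID-x is all the adversary in Figure 4 needs. The second binds each session to an owner key at creation and accepts later modify/delete messages only with a valid HMAC under that key and a fresh sequence number. The message layout, the field names and the way the owner key reaches the router (assumed to arrive with the initial reservation under the hop-by-hop security association, which is not modelled) are assumptions of the example. Note that it only covers the initiator-as-owner case; the text's point that other on-path nodes may legitimately need to signal (mobility, local repair) is not solved by it.

```python
import hashlib
import hmac
import secrets

# Constructed message layout (an assumption for this example, not an NSIS
# wire format): sid, op ("reserve", "modify" or "delete"), bandwidth, seq
# and, for owner-bound handling, a mac over the other four fields.


def _auth_input(msg):
    """Bytes covered by the MAC: every field an adversary might alter."""
    return f"{msg['sid']}|{msg['op']}|{msg['bandwidth']}|{msg['seq']}".encode()


def mac_message(msg, owner_key):
    """Return a copy of msg carrying an HMAC-SHA256 tag under owner_key."""
    tagged = dict(msg)
    tagged["mac"] = hmac.new(owner_key, _auth_input(msg), hashlib.sha256).hexdigest()
    return tagged


class UnboundRouter:
    """Router 3 as described in the text: state is keyed by the Session
    Identifier alone, so any message naming a known SID is treated as
    coming from the session owner."""

    def __init__(self):
        self.sessions = {}

    def handle(self, msg):
        sid, op = msg["sid"], msg["op"]
        if op == "reserve":
            self.sessions[sid] = {"bandwidth": msg["bandwidth"]}
            return "created"
        if sid not in self.sessions:
            return "unknown-session"
        if op == "delete":
            del self.sessions[sid]
            return "deleted"
        self.sessions[sid]["bandwidth"] = msg["bandwidth"]
        return "modified"


class OwnerBoundRouter:
    """Same router, but the state records an owner key when the session is
    created, and every later message must carry a valid HMAC under that key
    plus a strictly increasing sequence number (replay check)."""

    def __init__(self):
        self.sessions = {}

    def handle(self, msg, owner_key=None):
        sid, op = msg["sid"], msg["op"]
        if op == "reserve":
            # Assumption: the owner key reaches the router with the initial
            # reservation under the hop-by-hop security association.
            self.sessions[sid] = {"bandwidth": msg["bandwidth"],
                                  "key": owner_key, "seq": msg["seq"]}
            return "created"
        state = self.sessions.get(sid)
        if state is None:
            return "unknown-session"
        expected = hmac.new(state["key"], _auth_input(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return "rejected-not-owner"
        if msg["seq"] <= state["seq"]:
            return "rejected-replay"
        state["seq"] = msg["seq"]
        if op == "delete":
            del self.sessions[sid]
            return "deleted"
        state["bandwidth"] = msg["bandwidth"]
        return "modified"


def run_scenario():
    """Replay the attack from Figure 4 against both routers (constructed messages)."""
    sid = "SID-x"
    owner_key = secrets.token_bytes(32)
    reserve = {"sid": sid, "op": "reserve", "bandwidth": 512, "seq": 1}
    # The adversary learned SID-x by eavesdropping and injects a delete
    # through Access Router 2.
    adversary_delete = {"sid": sid, "op": "delete", "bandwidth": 0, "seq": 2}

    unbound = UnboundRouter()
    unbound.handle(reserve)
    r_unbound = unbound.handle(adversary_delete)        # legitimate state is destroyed

    bound = OwnerBoundRouter()
    bound.handle(reserve, owner_key)
    r_no_mac = bound.handle(adversary_delete)           # no tag at all
    r_forged = bound.handle(mac_message(adversary_delete, b"guessed-key"))
    owner_modify = mac_message({"sid": sid, "op": "modify", "bandwidth": 256, "seq": 2}, owner_key)
    r_owner = bound.handle(owner_modify)                # the real owner still can
    r_replay = bound.handle(owner_modify)               # a captured copy is rejected
    return r_unbound, r_no_mac, r_forged, r_owner, r_replay, bound.sessions[sid]["bandwidth"]


if __name__ == "__main__":
    print(run_scenario())
```

The hop-by-hop chain of trust discussed in 2.8 does not help here: the adversary's message arrives at Router 3 over a perfectly valid peer association with Access Router 2. What the check above adds is a binding between the session state and a secret only the owner holds, which is independent of which neighbour forwarded the message.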

2.12 Security Parameter Exchange/Negotiation

Protocols which should be useful for a variety of scenarios tend to
have different security requirements. It is often difficult to meet
these (sometimes conflicting) requirements with a single security
mechanism or a fixed security parameter. Hence often a few selected
mechanisms/parameters are supported. Therefore some protocol exchange is
required to agree on the security mechanisms/parameters to use. This
protocol exchange can be misused by an adversary to mount a downgrading
attack by selecting weaker mechanisms than desired. Hence without
protecting the negotiation process the security of an NSIS protocol
might be only as strong as the weakest mechanism, unless configuration
parameters (for example a security policy disallowing the weakest
mechanism) rule that mechanism out.
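The two defences the paragraph above mentions are a policy floor and protection of the negotiation itself. The following added example (not part of this draft) shows both against an on-path adversary that strips the strong mechanisms from the initiator's offer. The responder authenticates the offer it saw and the mechanism it chose with a key that does not depend on the outcome (assumed to be pre-shared between the two peers); the initiator first applies its local minimum and then checks that the responder saw the offer the initiator actually sent. Mechanism names and strength ranking are constructed for the example.

```python
import hashlib
import hmac

# Mechanism identifiers and their relative strength are constructed for this
# example; they are not NSIS-defined values.
STRENGTH = {"null": 0, "hmac-md5": 1, "hmac-sha1": 2, "hmac-sha256": 3}


def choose(offer, supported):
    """Responder policy: pick the strongest mechanism both sides list."""
    common = [m for m in offer if m in supported]
    return max(common, key=STRENGTH.__getitem__) if common else None


def transcript(offer, chosen):
    """Canonical encoding of what was offered and what was chosen."""
    return ("offer=" + ",".join(offer) + ";chosen=" + str(chosen)).encode()


def responder(offer_seen, supported, psk):
    """Responder: choose, then authenticate the whole negotiation with a key
    that does not depend on the outcome (assumed pre-shared between peers)."""
    chosen = choose(offer_seen, supported)
    tag = hmac.new(psk, transcript(offer_seen, chosen), hashlib.sha256).hexdigest()
    return chosen, tag


def initiator_verify(offer_sent, chosen, tag, psk, minimum):
    """Initiator: enforce the local policy floor, then check that the
    responder saw the same offer the initiator actually sent."""
    if chosen is None or STRENGTH[chosen] < STRENGTH[minimum]:
        return "rejected-policy"
    expected = hmac.new(psk, transcript(offer_sent, chosen), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "rejected-tampered-negotiation"
    return "accepted:" + chosen


def negotiate(offer, supported, psk, minimum, on_path=None):
    """Run one exchange; on_path, if given, rewrites the offer in transit."""
    offer_seen = on_path(offer) if on_path else offer
    chosen, tag = responder(offer_seen, supported, psk)
    return initiator_verify(offer, chosen, tag, psk, minimum)


def strip_strong(offer):
    """Downgrading adversary: delete every mechanism stronger than hmac-md5."""
    return [m for m in offer if STRENGTH[m] <= STRENGTH["hmac-md5"]]


def run_scenario():
    psk = b"constructed-shared-key"
    offer = ["hmac-sha256", "hmac-sha1", "hmac-md5", "null"]
    supported = ["hmac-sha256", "hmac-md5", "null"]
    honest = negotiate(offer, supported, psk, minimum="hmac-sha1")
    # Unprotected negotiation: an initiator that skips both checks simply
    # takes whatever came back.
    downgraded, _ = responder(strip_strong(offer), supported, psk)
    # The policy floor alone stops this particular downgrade ...
    floor_only = negotiate(offer, supported, psk, "hmac-sha1", on_path=strip_strong)
    # ... and the transcript check catches it even under a permissive policy.
    transcript_only = negotiate(offer, supported, psk, "null", on_path=strip_strong)
    return honest, downgraded, floor_only, transcript_only


if __name__ == "__main__":
    print(run_scenario())
```

A policy floor is the cheaper of the two and needs no key, but it only blocks downgrades below the floor; an adversary can still steer the peers to the weakest mechanism the policy permits. Authenticating the transcript catches any rewrite of the offer, but only if the key used for that tag is not itself the product of the negotiation being protected.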

2.13 Attacks against the signaling message transport mechanism

In [15] a two-level architecture is proposed which suggests splitting an
NSIS protocol into layers: a signaling message transport specific layer
and an application specific layer. This architectural assumption is
also considered within the NSIS framework [7]. Most of the threats
described in this document are applicable to the application specific
part for signaling QoS or middlebox specific information. There are,
however, some threats which are applicable to the transport of signaling
messages.

Network or transport layer protocols which are not protected are
vulnerable to certain attacks such as header manipulation, DoS, spoofing
of identities, session hijacking, unexpected aborts etc.

In case that an existing protocol is used for exchanging NSIS signaling
messages then the threats known for that protocol are relevant.

2.14 Deployment Threats

This section addresses problems which could appear during the deployment
of an NSIS protocol in a real-world environment. Although these problems
are theoretically not an obstacle, for practical reasons they can
represent threats worth a consideration.

     Missing Authorization:

          Authentication is a very important step for providing the
          foundation of authorization and accounting. Unlike some other
          protocols (for example HTTPS) where an authorization
          verification step is fairly easy (and efficient), QoS and
          middlebox communication requires more care. First, there is a
          question what authorization means in the context of NSIS
          signaling. For quality of service signaling the possible range
          is broad and could range from pure monetary policies to
          traditional role-based access control policies. Second, there
          is a question where this authorization data can be retrieved.
          Especially in a mobile environment it might be more
          complicated to securely exchange this information between
          different network domains. Finally there is an issue of
          authorization representation (i.e. a language describing
          authorization policies). If authorization information is
          exchanged between a large number of networks then this issue
          deserves further consideration.

          In the discovery phase an additional issue of authorization
          was raised. Whenever a node wants to discover the next NSIS
          aware node then authentication might not be sufficient. In
          many cases the IP address or FQDN of a particular router in an
          unknown network does not add too much trust. An end host for
          example might want some assurance that this node belongs to a
          network which has some sort of business relationship which is
          known and acceptable (from an accounting, charging, security
          and privacy point of view).

     Missing Cost Control:

          There is a risk that a large number of service providers with
          complex roaming agreements create a non-transparent cost
          structure. In a traditional subscription-based scenario users
          are registered with their home networks and use this trust
          relationship to dynamically establish other security
          associations. This is the typical AAA deployment scenario. In
          these scenarios users do not learn the identity of the access
          network as part of a regular authentication and key exchange
          protocol exchange. The identity of the access network is
          possibly never revealed (in a secure fashion). The user is
          therefore only authenticated to the home network (and
          hopefully vice versa). When issuing a QoS reservation request
          to the next NSIS peer (for example in the access network) the
          end host is typically unaware of the cost of such a
          reservation. Due to mobility and route changes along the path
          the cost for an end-to-end QoS reservation might not be
          transparent for the end host or even become unacceptable.

          Today there is no standardized protocol available which allows
          users to communicate cost limits, to request cost information
          for network resources or to learn already accumulated costs
          for a particular reservation.

          Especially in mobility environments where an end host is
          likely to have access to a large number of networks within a
          short time period cost control is complicated.

          Some mobility/QoS protocol proposals try to merge existing
          mobility protocols with QoS signaling (i.e. to apply in-band
          signaling). Thereby the access network is queried (towards the
          cross-over router or the MAP) for the possibility of making a
          QoS reservation (without actually making the reservation
          itself). Without a query mechanism a user cannot take
          reservation costs into account when choosing between different
          access networks (or different access routers). Hence the user
          might be unable to refuse a more expensive service provider.
          Allowing a user to choose between different providers might be
          required not only because of the availability of different
          access technologies (e.g. IEEE 802.1x, Bluetooth, UTRAN) and
          different service quality offered but also for cost reasons.

          Although real-time notifications of quality of service
          reservation costs (cost control) to the user are outside the
          scope of NSIS some interaction might be required.

3 Security Considerations

This entire memo discusses security issues relevant for NSIS. To counter
these threats security requirements have been defined and other
relevant topics have been described. Some additional threats especially
applicable for first peer communication in mobile environments are
described in [16].

4 Acknowledgements

We would like to thank (in alphabetical order) Marcus Brunner, Jorge
Cuellar, Mehmet Ersue, Xiaoming Fu and Robert Hancock for their comments
to this draft. Jorge and Robert gave us an extensive list of comments
and provided information on additional threats.

5 Authors' Addresses

Hannes Tschofenig
Siemens AG
Otto-Hahn-Ring 6
81739 Munich
Germany
EMail: Hannes.Tschofenig@siemens.com

Dirk Kroeselberg
Siemens AG
Otto-Hahn-Ring 6
81739 Munich
Germany
EMail: Dirk.Kroeselberg@siemens.com

6 Bibliography

[1] X. Fu, C. Kappler, and H. Tschofenig, "Analysis on RSVP regarding
multicast," Internet Draft, Internet Engineering Task Force, June 2002.
Work in progress.

[2] H. de Meer et al., "Analysis of existing QoS solutions," Internet
Draft, Internet Engineering Task Force, July 2002.  Work in progress.

[3] H. Tschofenig, "RSVP security properties," Internet Draft, Internet
Engineering Task Force, 2002.  Work in progress.

[4] M. Thomas, "Analysis of Mobile IP and RSVP interactions," Internet
Draft, Internet Engineering Task Force, 2002.  Work in progress.

[5] J. Manner and X. Fu, "Analysis of existing quality of service
signaling protocols," Internet Draft, Internet Engineering Task Force,
2002.  Work in progress.

[6] M. Brunner, "Requirements for QoS signaling protocols," Internet
Draft, Internet Engineering Task Force, July 2002.  Work in progress.

[7] R. Hancock, I. Freytsis, G. Karagiannis, J. Loughney, and S. Van den
Bosch, "Next steps in signaling: Framework," Internet Draft, Internet
Engineering Task Force, 2002.  Work in progress.

[8] J. Rosenberg, H. Schulzrinne, G. Camarillo, A. Johnston, J.
Peterson, R. Sparks, M. Handley, and E. Schooler, "SIP: session
initiation protocol," RFC 3261, Internet Engineering Task Force, June
2002.

[9] S. Kent and R. Atkinson, "Security architecture for the internet
protocol," RFC 2401, Internet Engineering Task Force, Nov. 1998.

[10] L-N. Hamer, B. Gage, M. Broda, B. Kosinski, and H. Shieh, "Session
authorization for RSVP," Internet Draft, Internet Engineering Task
Force, July 2002.  Work in progress.

[11] L-N. Hamer, B. Gage, and H. Shieh, "Framework for session set-up with
media authorization," Internet Draft, Internet Engineering Task Force,
July 2002.  Work in progress.

[12] C. Partridge, "Using the flow label field in IPv6," RFC 1809,
Internet Engineering Task Force, June 1995.

[13] J. Rajahalme, A. Conta, B. Carpenter, and S. Deering, "IPv6 flow
label specification," Internet Draft, Internet Engineering Task Force,
June 2002.  Work in progress.

[14] A. Terzis, B. Braden, S. Vincent, and L. Zhang, "RSVP diagnostic
messages," RFC 2745, Internet Engineering Task Force, Jan. 2000.

[15] B. Braden and B. Lindell, "A two-level architecture for internet
signaling," Internet Draft, Internet Engineering Task Force, Nov. 2001.
Work in progress.

[16] J. Kempf and E. Nordmark, "Threat analysis for IPv6 public multi-
access links," Internet Draft, Internet Engineering Task Force, June
2002.  Work in progress.

                           Table of Contents

1          Introduction
1.1        NSIS Security Process
1.2        Relevant communication models
2          Threat Scenarios
2.1        MITM Attacks
2.2        Eavesdropping and Traffic Analysis
2.3        Adversary being able to replay signaling messages
2.4        Missing Protection of Authorization Information
2.5        Identity Spoofing
2.6        Adversary being able to inject/modify messages
2.7        Missing Non-Repudiation
2.8        Malicious NSIS Entity
2.9        Denial of Service Attacks
2.10       Disclosing the network topology
2.11       Session/Reservation Ownership
2.12       Security Parameter Exchange/Negotiation
2.13       Attacks against the signaling message transport mechanism
2.14       Deployment Threats
3          Security Considerations
4          Acknowledgements
5          Authors' Addresses
6          Bibliography