draft-ietf-nsis-threats-02.txt   draft-ietf-nsis-threats-03.txt 
Internet Engineering Task Force NSIS Internet Engineering Task Force NSIS
Internet Draft H. Tschofenig Internet Draft H. Tschofenig
D. Kroeselberg D. Kroeselberg
Siemens Siemens
Document: Document:
draft-ietf-nsis-threats-02.txt draft-ietf-nsis-threats-03.txt
Expires: December 2003 June 2003 Expires: April 2004 October 2003
Security Threats for NSIS Security Threats for NSIS
<draft-ietf-nsis-threats-02.txt> <draft-ietf-nsis-threats-03.txt>
Status of this Memo Status of this Memo
This document is an Internet-Draft and is subject to all provisions This document is an Internet-Draft and is subject to all provisions
of Section 10 of RFC2026. of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that other Task Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet- Drafts. groups may also distribute working documents as Internet- Drafts.
skipping to change at page 2, line 8 skipping to change at page 2, line 8
This threats document provides a detailed analysis of the security This threats document provides a detailed analysis of the security
threats relevant for the NSIS working group. It motivates and helps threats relevant for the NSIS working group. It motivates and helps
to understand various security considerations in the NSIS to understand various security considerations in the NSIS
Requirements, Framework and Protocol proposals. This document does Requirements, Framework and Protocol proposals. This document does
not describe vulnerabilities of specific NSIS protocols. not describe vulnerabilities of specific NSIS protocols.
Table of Contents Table of Contents
1. Introduction...................................................2 1. Introduction...................................................2
2. Terminology....................................................3 2. Relevant communication models..................................3
3. Relevant communication models..................................3 2.1 First-Peer Communication...................................5
3.1 First-Peer Communication...................................5 2.2 End-to-Middle Communication................................6
3.2 End-to-Middle Communication................................6 2.3 Intra-Domain Communication.................................6
3.3 Intra-Domain Communication.................................6 2.4 Inter-Domain Communication.................................6
3.4 Inter-Domain Communication.................................6 2.5 End-to-End Communication...................................7
3.5 End-to-End Communication...................................7 2.6 Middle-to-middle Communication.............................8
3.6 Middle-to-middle Communication.............................8 3. Generic Threats................................................8
4. Generic Threats................................................8 3.1 Man-in-the-middle attacks..................................8
4.1 Man-in-the-middle attacks..................................8 3.2 Adversary being able to replay signaling messages.........10
4.2 Adversary being able to replay signaling messages.........10 3.3 Adversary being able to inject/modify messages............10
4.3 Adversary being able to inject/modify messages............10 3.4 Insecure Parameter Exchange/Negotiation...................11
4.4 Security Parameter Exchange/Negotiation...................11 4. Signaling specific Threats....................................11
5. Signaling specific Threats....................................11 4.1 Threats based on NSIS SA Usage............................11
5.1 Attacks during NSIS SA Usage..............................11 4.2 Threats based on combining Signaling and SA Establishment.11
5.2 Combining Signaling and SA Establishment..................11 4.3 Eavesdropping and Traffic Analysis........................12
5.3 Eavesdropping and Traffic Analysis........................12 4.4 Identity Spoofing.........................................13
5.4 Identity Spoofing.........................................12 4.5 Missing Protection of Authorization Information...........14
5.5 Missing Protection of Authorization Information...........14 4.6 Missing Non-Repudiation...................................15
5.6 Missing Non-Repudiation...................................15 4.7 Malicious NSIS Entity.....................................16
5.7 Malicious NSIS Entity.....................................15 4.8 Denial of Service Attacks.................................17
5.8 Denial of Service Attacks.................................16 4.9 Disclosing the network topology...........................18
5.9 Disclosing the network topology...........................17 4.10 Missing protection of Session/Reservation Ownership......19
5.10 Session/Reservation Ownership............................18 4.11 Attacks against the transport mechanism..................20
5.11 Attacks against the signaling message transport mechanism19 5. Security Considerations.......................................20
6. Security Considerations.......................................19 6. Normative References..........................................20
7. Normative References..........................................19 7. Informative References........................................21
8. Informative References........................................20 Acknowledgments..................................................22
Acknowledgments..................................................20 Author's Addresses...............................................22
Author's Addresses...............................................21 Full Copyright Statement.........................................22
Full Copyright Statement.........................................21
1. Introduction 1. Introduction
Whenever a new protocol has to be developed or existing protocols Whenever a new protocol has to be developed or existing protocols
have to be modified their security threats should be evaluated. The have to be modified their security threats should be evaluated. The
process of securing protocols is separated into individual steps. To process of securing protocols is separated into individual steps. To
address security in the NSIS working group a number of steps have address security in the NSIS working group a number of steps have
been taken: been taken:
+----------------------------------------------+ - NSIS Analysis Activities (e.g. RSVP Security Properties)
| NSIS Analysis Activities | - Security Threats for NSIS
| (e.g. RSVP Security Properties) | - NSIS Requirements
+----------------------------------------------+ - NSIS Framework
+----------------------------------------------+ - NSIS Protocol Proposals
| Security Threats for NSIS |
| |
+----------------------------------------------+
+----------------------------------------------+
| NSIS Requirements |
| |
+----------------------------------------------+
+----------------------------------------------+
| NSIS Framework |
| |
+----------------------------------------------+
+----------------------------------------------+
| |
| NSIS Protocol Proposals |
+----------------------------------------------+
Figure 1: NSIS Security Steps
This document identifies the basic security threats that need to be This document identifies the basic security threats that need to be
addressed by the NSIS signaling protocol design. In addition, addressed by the NSIS signaling protocol design. In addition,
although the base protocol might be secure, some extensions may cause although the base protocol might be secure, some extensions may cause
problems when used in a particular environment. Furthermore it is problems when used in a particular environment. Furthermore it is
necessary to investigate the context in which a signaling protocol is necessary to investigate the context in which a signaling protocol is
used and the architecture where it is integrated. As an example of used and the architecture where it is integrated. As an example of
such interaction accounting and charging are taken into account in such interaction accounting and charging are taken into account in
this document, since without an appropriate integration of the two it this document, since without an appropriate integration of the two it
is difficult to deploy any NSIS solution. This interaction is also is difficult to deploy any NSIS solution. This interaction is also
subject to discussion within the NSIS framework. subject to discussion within the NSIS framework.
2. Terminology
This document uses NSIS terms defined in [Bru03]. This document uses NSIS terms defined in [Bru03].
3. Relevant communication models 2. Relevant communication models
Signaling messages traverse different network parts, which demand Signaling messages traverse different network parts, which demand
different security protection and raise different security problems. different security protection and raise different security problems.
The difference in security protection is mainly caused by the fact The difference in security protection is mainly caused by the fact
that the NSIS signaling messages cross trust boundaries where that the NSIS signaling messages cross trust boundaries where
different trust relationships are prevalent. Often a categorization different trust relationships are prevalent. Often a categorization
into first-peer/last-peer, intra-domain and inter-domain into first-peer/last-peer, intra-domain and inter-domain
communication is applicable (see Figure 2). communication is applicable (see Figure 1).
The main properties of the listed network parts are briefly described The main properties of the listed network parts are briefly described
in this section and the threats of Section 4 and Section 5 classify in this section and the threats of Section 3 and Section 4 classify
them to generic threats and signaling specific threats. Figure 2 them to generic threats and signaling specific threats. Figure 1
depicts a typical end-to-end communication scenario including an depicts a typical end-to-end communication scenario including an
access part between the NSIS end entities and the nearest NSIS hops, access part between the NSIS end entities and the nearest NSIS hops,
respectively. This "first-peer communication" commonly comes with respectively. This "first-peer communication" commonly comes with
specific security requirements (as described below), especially specific security requirements (as described below), especially
important for properly addressing security in mobile scenarios. important for properly addressing security in mobile scenarios.
Differences in the trust relationship and the required security for Differences in the trust relationship and the required security for
first-peer communication, compared to other parts of the signaling first-peer communication, compared to other parts of the signaling
path, might exist. path, might exist.
+------------------+ +---------------+ +------------------+ +------------------+ +---------------+ +------------------+
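Review bot: With the "2. Terminology" heading removed, the sentence "This document uses NSIS terms defined in [Bru03]." now falls at the end of section 1, right after the accounting and charging discussion, where it is easy to miss. Consider moving it to the start of "2. Relevant communication models" or introducing it explicitly as the terminology reference. In the new table of contents, "4.10 Missing protection of Session/Reservation Ownership" uses a lowercase "protection" while "4.5 Missing Protection of Authorization Information" capitalises it; pick one form.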
skipping to change at page 4, line 38 skipping to change at page 4, line 26
+--------+---------+ +---------------+ +---------+--------+ +--------+---------+ +---------------+ +---------+--------+
^ v ^ v
| | | |
First Peer Communication Last Peer Communication First Peer Communication Last Peer Communication
| | | |
+-----+-----+ +-----+-----+ +-----+-----+ +-----+-----+
| NSIS | | NSIS | | NSIS | | NSIS |
| Initiator | | Responder | | Initiator | | Responder |
+-----------+ +-----------+ +-----------+ +-----------+
Figure 2: Involved Network Parts Figure 1: Involved Network Parts
To further refine the above differentiation based on network parts To further refine the above differentiation based on network parts
that NSIS signaling may traverse, we consider trust relationships that NSIS signaling may traverse, we consider trust relationships
between NSIS hops. between NSIS hops.
Additional threats may apply to NSIS communication where one entity Additional threats may apply to NSIS communication where one entity
involved is an end-entity (initiator or responder) and the other involved is an end-entity (initiator or responder) and the other
entity is any intermediate hop not being the first peer. This is entity is any intermediate hop not being the first peer. This is
typically called end-to-middle scenario. The motivation for including typically called end-to-middle scenario. The motivation for including
this configuration stems for example from the SIP [RFC3261] protocol. this configuration stems for example from the SIP [RFC3261] protocol.
Any intermediate SIP hop may request a SIP end entity (UA) to
authenticate, countering a number of specific security threats. Such To counter a number of specific security threats, any intermediate
SIP hop may request a SIP end entity (UA) to authenticate. Such
functionality in general seems to be useful for intermediaries at the functionality in general seems to be useful for intermediaries at the
borders of trust domains that signaling messages need to traverse. borders of trust domains that signaling messages need to traverse.
Intermediate NSIS hops as well may have to deal with specific Intermediate NSIS hops as well may have to deal with specific
security threats that do not (directly) relate to end-entities. This security threats that do not (directly) relate to end-entities. This
scenario is called middle-to-middle. A typical example of middle-to- scenario is called middle-to-middle. A typical example of middle-to-
middle communication is between two NSIS hops at the border of their middle communication is between two NSIS hops at the border of their
respective trust domains (i.e. inter-domain communication). NSIS respective trust domains (i.e. inter-domain communication). NSIS
messages may have to traverse one or more untrusted hops between messages may have to traverse one or more untrusted hops between
these NSIS entities. these NSIS entities.
Figure 3 illustrates these additional scenarios. The first-peer case Figure 2 illustrates these additional scenarios. The first-peer case
discussed further above is covered by the peer-to-peer trust discussed further above is covered by the peer-to-peer trust
relationships between end entity and closest hop, respectively. relationships between end entity and closest hop, respectively.
**************************************** ****************************************
* * * *
+----+-----+ +----------+ +----+-----+ +----+-----+ +----------+ +----+-----+
+-----+ NSIS +-------+ NSIS +--------+ NSIS +-----+ +-----+ NSIS +-------+ NSIS +--------+ NSIS +-----+
| | Node 1 | | Node 2 | | Node 3 | | | | Node 1 | | Node 2 | | Node 3 | |
| +----------+ +----+-----+ +----------+ | | +----------+ +----+-----+ +----------+ |
| ~ | | ~ |
skipping to change at page 5, line 33 skipping to change at page 5, line 25
| NSIS +//////////////////////////////////////////+ NSIS | | NSIS +//////////////////////////////////////////+ NSIS |
| Initiator | | Responder | | Initiator | | Responder |
+-----------+ +-----------+ +-----------+ +-----------+
Legend: Legend:
-----: Peer-to-Peer Trust Relationship -----: Peer-to-Peer Trust Relationship
/////: End-to-End Trust Relationship /////: End-to-End Trust Relationship
*****: Middle-to-Middle Trust Relationship *****: Middle-to-Middle Trust Relationship
~~~~~: End-to-Middle Trust Relationship ~~~~~: End-to-Middle Trust Relationship
Figure 3: Trust Relationships Figure 2: Trust Relationships
3.1 First-Peer Communication 2.1 First-Peer Communication
First peer communication refers to the peer-to-peer interaction First peer communication refers to the peer-to-peer interaction
between a signaling message originator, the NSIS Initiator (NI), and between a signaling message originator, the NSIS Initiator (NI), and
the first NSIS aware entity along the path. Assumptions about the the first NSIS aware entity along the path. Assumptions about the
threats, security requirements and the available trust relationships threats, security requirements and the available trust relationships
may be difficult here. may be difficult here.
To illustrate this, in many mobility environments it is difficult to To illustrate this, in many mobility environments it is difficult to
assume the existence of a pre-established security association assume the existence of a pre-established security association
directly available for NSIS peers involved in first-peer directly available for NSIS peers involved in first-peer
communication, as these peers cannot be assumed to have any relation communication, as these peers cannot be assumed to have any relation
skipping to change at page 6, line 9 skipping to change at page 5, line 49
the situation is different. Usually there is a fairly strong (pre- the situation is different. Usually there is a fairly strong (pre-
established) trust relationship between the peers. Enterprise network established) trust relationship between the peers. Enterprise network
administrators usually have some degree of freedom to select the administrators usually have some degree of freedom to select the
appropriate security protection and to enforce it. The choice of appropriate security protection and to enforce it. The choice of
selecting a security mechanism is therefore often influenced by the selecting a security mechanism is therefore often influenced by the
already available infrastructure. Per-session negotiation of security already available infrastructure. Per-session negotiation of security
mechanisms is therefore often not required (which, in contrast, is mechanisms is therefore often not required (which, in contrast, is
required for the mobility case). required for the mobility case).
For first-peer communication, especially threats related to initial For first-peer communication, especially threats related to initial
security association setup, replay attacks, lack of confidentiality, security association setup, or threats due to replay attacks, lack of
denial of service, integrity violation, identity spoofing, theft of confidentiality, denial of service, integrity violation or identity
service and fraud are applicable. spoofing are relevant, an potentially lead to theft of service and
fraud.
3.2 End-to-Middle Communication 2.2 End-to-Middle Communication
End-to-middle interaction in signaling may be required to e.g. grant End-to-middle interaction in signaling may be required to e.g. grant
end-entities access to, or specific services in trust domains end-entities access to specific services in trust domains different
different from the one the first peer belongs to. Threats, in from the one the first peer belongs to. Threats specific to this
addition to these already discussed for first-hop communication, may scenario may be introduced by untrusted intermediate NSIS hops that
be untrusted intermediate NSIS hops that maliciously alter NSIS maliciously alter NSIS signaling. These threats are still relevant if
signaling. These threats are still relevant if security mechanisms security mechanisms are in place between the NSIS hops, but terminate
are in place between the NSIS hops, but terminate at each hop (e.g. at each hop (e.g. IPsec hop-by-hop protection).
IPsec hop-by-hop protection).
3.3 Intra-Domain Communication 2.3 Intra-Domain Communication
After having been verified at the first peer, an NSIS signaling After having been verified at the first peer, an NSIS signaling
message traverses the network within the same administrative domain message traverses the network within the same administrative domain
the first peer belongs to. Since the request has already been the first peer belongs to. Since the request has already been
authenticated and authorized threats are different to those described authenticated and authorized threats are different to those described
above in a). To differentiate first-peer communication with the in the previous sections. To differentiate first-peer communication
intra-domain communication (i.e. communication internally within one with the intra-domain communication (i.e. communication internally
administrative domain) we assume that no end hosts have direct access within one administrative domain) we assume that no end hosts have
to the internal network nodes, except the first peer. We furthermore direct access to the internal network nodes, except the first peer.
assume that NSIS peers within the same administrative domain have at We furthermore assume that NSIS peers within the same administrative
least some sort of trust relationship. domain have at least some sort of trust relationship.
3.4 Inter-Domain Communication 2.4 Inter-Domain Communication
The threat assumptions between the borders of different The threat assumptions between the borders of different
administrative domains largely depend on the authorization administrative domains largely depend on the authorization
procedures. If one domain forges QoS reservations then this domain procedures. If one domain forges QoS reservations then this domain
may also have to pay for the reservation. Hence in this case, there may also have to pay for the reservation. Hence in this case, there
is no real benefit for this domain to forge a QoS reservation. If an is no real benefit for this domain to forge a QoS reservation. If an
end host is directly charged by intermediate domains (i.e. by a end host is directly charged by intermediate domains (i.e. by a
domain different from the malicious domain) such an attack may be domain different from the malicious domain) such an attack may be
quite a reasonable threat. quite a reasonable threat.
However, security protection of messages transmitted between However, security protection of messages transmitted between
different administrative domains is still necessary to tackle attacks different administrative domains is still necessary to tackle attacks
like spoofing, integrity violation, or denial of service between like spoofing, integrity violation, or denial of service between
these domains, e.g. to allow for proper accounting. In case of these domains, e.g. to allow proper accounting. The number of
securing signaling messages between adjacent administrative domains, neighboring domains is usually rather limited (compared to first-peer
the number of domains is usually rather limited (compared to first- communication) which causes fewer problems for the key management
peer communication) which causes fewer problems for the key required for securing inter-domain NSIS signaling.
management.
Signaling information other than QoS service parameters such as Signaling information other than QoS service parameters such as
policy rules in case of middlebox communication demands different policy rules in case of middlebox communication demands different
assumptions for inter-domain communication. Trust assumptions and assumptions for inter-domain communication. Trust assumptions and
business relationships are of particular importance for their business relationships are of particular importance for their
communication. communication.
If signaling messages are conveyed transparently in the core network If signaling messages are conveyed transparently in the core network
(i.e. they are not intercepted and processed in the core network) (i.e. they are not intercepted and processed in the core network)
then the signaling message communication effectively takes place then the signaling message communication effectively takes place
between access networks. This might place a burden on the key between access networks. This might place a burden on the key
management infrastructure because of the global PKI requirements. management infrastructure required between these access networks
Hence this can be seen as a serious deployment threat since it might which might not know each other in advance. This might lead to an
be unacceptable for an access network service provider to perform inability to secure signaling messages for a direct communication
processing (QoS reservations, policy rule installation at firewalls) between the access networks. Hence, this can be seen as a serious
triggered by unprotected incoming signaling messages. deployment problem since it might be unacceptable for an access
network service provider to perform processing (QoS reservations,
policy rule installation at firewalls) triggered by unprotected
incoming signaling messages.
3.5 End-to-End Communication 2.5 End-to-End Communication
NSIS aims to signal information between the initiator and the NSIS aims to signal information between the initiator and the
responder. This section refers to the trust relationships required responder. This section refers to the trust relationships required
between the end points in cases where security protection is between the end points in cases where security protection is
required. Note that this security protection is likely to be required required. Note that this security protection is likely to be required
only for certain objects such as pricing and charging related only for certain objects such as pricing and charging related
information. Protecting the entire signaling message is not possible information. Protecting the entire signaling message is not possible
since intermediate NSIS nodes need to (a) inspect various objects and since intermediate NSIS nodes need to (a) inspect various objects and
(b) need to add, modify or delete objects from the signaling message. (b) need to add, modify or delete objects from the signaling message.
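Review bot: The rewritten closing paragraph of 2.1 has a typo, "are relevant, an potentially lead to theft of service and fraud". It should read "and", and the sentence would parse more easily as "... are relevant and can potentially lead to theft of service and fraud." In the new 2.4 text on transparent core networks, two consecutive sentences open with "This might", which blurs whether the inability to secure messages follows from the key management burden or from the access networks not knowing each other; joining them with "so that" or naming the subject would make the causal chain explicit.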
skipping to change at page 8, line 11 skipping to change at page 8, line 5
objects or price information (i.e. Bob has to pay more), fraud (i.e. objects or price information (i.e. Bob has to pay more), fraud (i.e.
to force Bob always to pay for the reservations) to identity spoofing to force Bob always to pay for the reservations) to identity spoofing
(i.e. the adversary claims to be Alice). (i.e. the adversary claims to be Alice).
Regarding end-to-end security one additional issue needs to be Regarding end-to-end security one additional issue needs to be
addressed - delegation. Whenever a signaling is addressed end-to-end addressed - delegation. Whenever a signaling is addressed end-to-end
and an arbitrary node along the path acts as a proxy on behalf of the and an arbitrary node along the path acts as a proxy on behalf of the
other endpoint a delegation mechanism is required to provide secure other endpoint a delegation mechanism is required to provide secure
interaction. This might lead to additional complexity. interaction. This might lead to additional complexity.
3.6 Middle-to-middle Communication 2.6 Middle-to-middle Communication
We do not explicitly consider the middle-to-middle case here, We do not explicitly consider the middle-to-middle case here,
although it is important, since it is already covered by either although it is important, since it is already covered by either
intra- or inter-domain communication depending on the location of the intra- or inter-domain communication depending on the location of the
involved entities. involved entities.
4. Generic Threats 3. Generic Threats
This section provides threat scenarios that are applicable to This section provides threat scenarios that are applicable to
signaling protocols. Note that some threat scenarios use the term signaling protocols. Note that some threat scenarios use the term
user instead of NSIS Initiator. This is mainly because security user instead of NSIS Initiator. This is mainly because security
protocols allow a differentiation between entities being hosts and protocols allow a differentiation between entities being hosts and
users (based on the identities used). users (based on the identities used).
4.1 Man-in-the-middle attacks 3.1 Man-in-the-middle attacks
We differentiate this type of attack according to the separation of
different steps, or phases, for securing protocols that is typically
made. Therefore, this section starts with a brief motivation of this
separation.
Security protection of protocols is often separated into two steps. Security protection of protocols is often separated into two steps.
The first step provides entity authentication and key establishment The first step provides entity authentication and key establishment
whereas the second step provides message protection using the whereas the second step provides message protection using the
previously established security association. The first step usually previously established security association. The first step usually
tends to be more expensive than the second which is also the main tends to be more expensive than the second which is also the main
reason for separation. If messages are transmitted very infrequently reason for separation. If messages are transmitted very infrequently
then these two steps are collapsed into a single and usually rather then these two steps are collapsed into a single and usually rather
costly step. One such example is e-mail protection via S/MIME. An costly step. One such example is e-mail protection via S/MIME. An
example for a two-step approach is provided by IKE/IPsec. We use this example for a two-step approach is provided by IKE/IPsec. We use this
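Review bot: The paragraph added at the start of 3.1 is hard to parse: in "according to the separation of different steps, or phases, for securing protocols that is typically made", the clause "that is typically made" sits far from "separation", the noun it modifies. Something like "We classify this type of attack by the step, or phase, of securing a protocol in which it occurs" says the same with less effort. The second added sentence then leads cleanly into the existing "Security protection of protocols is often separated into two steps."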
skipping to change at page 8, line 52 skipping to change at page 8, line 51
Finally a denial of service attack is described which is applicable Finally a denial of service attack is described which is applicable
to a signaling message when no separation between SA establishment to a signaling message when no separation between SA establishment
and signaling protection takes place. Particularly the discovery and signaling protection takes place. Particularly the discovery
procedure is vulnerable against a number of attacks. procedure is vulnerable against a number of attacks.
- Attacks during NSIS SA Establishment - Attacks during NSIS SA Establishment
During the process of establishing a security association an During the process of establishing a security association an
adversary fools the signaling message initiator with respect to the adversary fools the signaling message initiator with respect to the
entity to which it has to authenticate. The man-in-the-middle entity to which it has to authenticate. The man-in-the-middle
adversary is able to modify signaling messages to mount e.g. DoS adversary is able to modify signaling messages to mount DoS attacks.
attacks. In addition, it may be able to terminate NSIS messages of In addition, it may be able to terminate NSIS messages of the
the Initiator and inject messages to a peer itself, therefore acting Initiator and inject messages to a peer itself, therefore acting as
as the peer to the initiator and as the initiator to the peer. This the peer to the initiator and as the initiator to the peer. This
results in the initiator wrongly believing that it talks to the results in the initiator wrongly believing that it talks to the
"real" network whereas it is actually attached to an adversary. "real" network whereas it is actually attached to an adversary.
For this attack to be successful, pre-conditions have to hold which For this attack to be successful, pre-conditions have to hold which
are described with the following two cases: are described with the following two cases:
- Missing Authentication - Missing Authentication
The first case addresses missing authentication between the The first case addresses missing authentication between the
neighboring peers: Without authentication a NI, NR or NF is unable to neighboring peers: Without authentication a NI, NR or NF is unable to
detect an adversary. However in some cases protection available might detect an adversary. However, in some cases protection might be
be difficult to accomplish in a practical environment either because difficult to accomplish in a practical environment either because the
the next peer is unknown, because of misbelieved trust relationships next peer is unknown, because of misbelieved trust relationships in
in parts of the network or because of the inability to establish parts of the network or because of the inability to establish proper
proper security protection (inter-domain signaling messages, dynamic security protection (inter-domain signaling messages, dynamic
establishment of a security association, etc.). If one of the establishment of a security association, etc.). If one of the
communication endpoints is unknown then for some security mechanisms communication endpoints is unknown then for some security mechanisms
it is either not possible or very difficult to apply appropriate it is either not possible or very difficult to apply appropriate
security protection. Sometimes network administrators use intra- security protection. Sometimes network administrators use intra-
domain signaling messages without proper security. Such a domain signaling messages without proper security. Such a
configuration would then allow an adversary on a compromised non-NSIS configuration would then allow an adversary on a compromised non-NSIS
aware node to interfere with nodes running an NSIS signaling aware node to interfere with nodes running an NSIS signaling
protocol. Note that this type of threat goes beyond a threat caused protocol. Note that this type of threat goes beyond a threat caused
by malicious NSIS nodes (described in Section 5.7). by malicious NSIS nodes (described in Section 4.7).
- Unilateral Authentication - Unilateral Authentication
In case of a unilateral authentication the NSIS entity that does not In case of a unilateral authentication the NSIS entity that does not
authenticate its peer is unable to discover the man-in-the-middle authenticate its peer is unable to discover the man-in-the-middle
adversary. Although authentication of signaling messages should take adversary. Although authentication of signaling messages should take
place between each peer participating in the protocol operation place between each peer participating in the protocol operation
special attention is given here to first-peer communication. special attention is given here to first-peer communication.
Unilateral authentication between an end host and the first peer Unilateral authentication between an end host and the first peer
(just authenticating the end host) is still common today, but (just authenticating the end host) is still common today, but
certainly opens up many possibilities for MITM attackers certainly opens up many possibilities for MITM attackers
impersonating either the end host or the (administrative domain impersonating either the end host or the (administrative domain
represented by the) first peer. represented by the) first peer.
The two threats described above are a general problem of network Missing or unilateral authentication, as described above, are a
access without appropriate authentication, not only for an NSIS general problem of network access without appropriate authentication,
signaling protocol. Obviously there is a strong need to correctly and should not be considered as valid for the NSIS signaling
address them in a future NSIS protocol. The signaling protocols protocol, only. Obviously there is a strong need to correctly address
addressed by NSIS are different to other protocols where only two them in a future NSIS protocol. The signaling protocols addressed by
entities are involved. Note, that especially first-peer NSIS are different to other protocols, where only two entities are
authentication is important, as the impacts of a security breach involved. Note, that especially first-peer authentication is
likely reach beyond the directly involved entities (or even beyond a important, as the impacts of a security breach could impact nodes
local network). beyond the directly involved entities (or even beyond a local
network).
Finally it should be noted that the signaling protocol should be Finally it should be noted that the signaling protocol should be
considered as a peer-to-peer protocol where the roles of initiator considered as a peer-to-peer protocol where the roles of initiator
and responder can be reversed at any time. This leads to the and responder can be reversed at any time. This leads to the
conclusion that unilateral authentication is not very useful for such conclusion that unilateral authentication is not very useful for such
a protocol. However there might be a need to have some form of a protocol. However there might be a need to have some form of
asymmetry in the authentication process whereby one entity uses a asymmetry in the authentication process whereby one entity uses a
different authentication mechanism than the other one. As an example different authentication mechanism than the other one. As an example
the combination of symmetric and asymmetric cryptography should be the combination of symmetric and asymmetric cryptography should be
mentioned. mentioned.
- Weak Authentication - Weak Authentication
This threat addresses weak authentication mechanisms whereby This threat addresses weak authentication mechanisms whereby
information transmitted during the NSIS SA establishment process may information transmitted during the NSIS SA establishment process may
leak passwords and/or may allow offline dictionary attacks. This leak passwords and/or may allow offline dictionary attacks. This
threat is applicable to NSIS for the process of selecting certain threat is applicable to NSIS for the process of selecting certain
security mechanisms. security mechanisms.
4.2 Adversary being able to replay signaling messages 3.2 Adversary being able to replay signaling messages
This threat scenario covers the case where an adversary eavesdrops This threat scenario covers the case where an adversary eavesdrops
and collects signaling messages and replays them at a later point in and collects signaling messages and replays them at a later point in
time (or at a different place, or uses parts of them at a different time (or at a different place, or uses parts of them at a different
place or in a different way - e.g. cut and paste attacks). Without place or in a different way - e.g. cut and paste attacks). Without
proper replay protection an adversary might mount man-in-the-middle, proper replay protection an adversary might mount man-in-the-middle,
denial of service and theft of service attacks. denial of service and theft of service attacks.
A more difficult attack that may cause problems even in case of A more difficult attack that may cause problems even in case of
replay protection requires the adversary to crash an NSIS aware node replay protection requires the adversary to crash an NSIS aware node
to loose state information (sequence numbers, security associations, to loose state information (sequence numbers, security associations,
etc.) and to be able to replay old signaling messages. This attack etc.) and to be able to replay old signaling messages. This attack
addresses re-synchronization deficiencies. addresses re-synchronization deficiencies.
4.3 Adversary being able to inject/modify messages 3.3 Adversary being able to inject/modify messages
This type of threat addresses integrity violations whereby an This type of threat addresses integrity violations whereby an
adversary modifies signaling messages (e.g. by acting as a man-in- adversary modifies signaling messages (e.g. by acting as a man-in-
the-middle attacker) to cause an unexpected network behavior. the-middle attacker) to cause an unexpected network behavior.
Possible actions an adversary might consider for its attack are Possible actions an adversary might consider for its attack are
reordering, delaying, dropping, injecting and modifying. reordering, delaying, dropping, injecting and modifying.
An adversary may inject a signaling message requesting a large amount An adversary may inject a signaling message requesting a large amount
of resources (possibly using a different user identity). Other of resources (possibly using a different user identity). Other
resource requests could then be rejected. In combination with resource requests could then be rejected. In combination with
identity spoofing it is also possible accomplish fraud. This attack identity spoofing it is also possible to accomplish fraud. This
is only successful in absence of signaling message protection. attack is only successful in absence of signaling message protection
and authentication.
Some directly related threats are described in Section 5.7, 5.4 and Some directly related threats are described in Section 4.7, 4.4 and
5.8. 4.8.
4.4 Security Parameter Exchange/Negotiation 3.4 Insecure Parameter Exchange/Negotiation
Protocols, which should be useful for a variety of scenarios, tend to Protocols, which should be useful for a variety of scenarios, tend to
have different security requirements. It is often difficult to meet have different security requirements. It is often difficult to meet
these (sometimes conflicting requirements) with a single security these (sometimes conflicting requirements) with a single security
mechanism or a fixed security parameter. Hence often a few selected mechanism or fixed security parameters. Often a selection of
mechanisms/parameters are supported. Therefore some protocol exchange mechanisms and parameters are offered. Therefore a protocol exchange
is required to agree on some security mechanisms/parameters. This is required to agree on some security mechanisms/parameters. An
protocol exchanged can be misused by an adversary to mount a insecure parameter exchange/negotiation protocol exchange can help an
downgrading attack by selecting weaker mechanisms than desired. Hence adversary to mount a downgrading attack by selecting weaker
without protecting the negotiation process the security of an NSIS mechanisms than desired. Hence without protecting the negotiation
protocol might be as secure as the weakest mechanism if no process the security of an NSIS protocol might be as secure as the
configuration parameters (for example a security policy disallowing weakest mechanism if no configuration parameters (for example a
the weakest mechanism, etc.) are used otherwise. security policy disallowing the weakest mechanism, etc.) are used
otherwise.
5. Signaling specific Threats 4. Signaling specific Threats
5.1 Attacks during NSIS SA Usage This section lists both threats and attacks on the NSIS signaling
protocol. A number of reasons might lead to an attack. Fraud is an
example of an attack which might be caused by a number of reasons:
missing replay protection, missing protection of authorization
tokens, identity spoofing, missing authentication and many more might
help an adversary to steal resources. These reasons which could lead
to an attack are primarily addressed in this section.
In some cases we point to specific attacks which again might have a
subsequent result since well-established security terms, such as
denial of service, have to be addressed.
4.1 Threats based on NSIS SA Usage
Once a security association is established (and used to protect Once a security association is established (and used to protect
signaling messages) basic attacks are prevented. However, a malicious signaling messages) basic attacks are prevented. However, a malicious
NSIS node is still able to perform various attacks as described in NSIS node is still able to perform various attacks as described in
Section 5.7. Replay attacks, which can be a problem when a NSIS node Section 4.7. Replay attacks can be a problem when an NSIS node
crashes, restarts and performs state re-establishment. Proper re- crashes, restarts and performs state re-establishment. Proper re-
synchronization capability of the security mechanism must therefore synchronization capability of the security mechanism must therefore
address this problem. address this problem.
5.2 Combining Signaling and SA Establishment 4.2 Threats based on combining Signaling and SA Establishment
This threat covers an attack which allows an adversary to flood an These threats may lead to attacks which allow an adversary to flood
NSIS node with bogus signaling messages to cause a denial of service an NSIS node with bogus signaling messages to cause a denial of
attack. service attack.
When a signaling message arrives at a NSIS aware network element some When a signaling message arrives at an NSIS aware network element
processing is required. If this message contains security objects some processing is required. If this message contains security
such as digital signatures and no security association is already objects such as digital signatures and no security association is
available then some processing is required for the cryptographic already available then some processing is required for the
verification. Since NSIS signaling should not require several cryptographic verification. Since NSIS signaling should not require
roundtrips between two NSIS peers it is difficult to provide DoS several roundtrips between two NSIS peers it is difficult to provide
protection mechanisms commonly found in authentication and key DoS protection mechanisms commonly found in authentication and key
agreement protocols. If signaling messages furthermore aim to be agreement protocols. Signaling messages can be idempotent which means
idempotent and no security association should be created then some that they contain the same amount of information as the original
cryptographic mechanisms should be used with precaution (for example message. An example would be a 'refresh' message which is in this
public key cryptography). case equivalent to a create message. This property enables that a
refresh message creates new state along a new path although no
previous state is available. In order for this to work it is
necessary to use specific classes of cryptographic mechanisms
supporting this behavior. An example is a digital signature based
scheme which, however, should be used with care due to possible
denial of service attacks. The problems of these types of message
exchanges with public key based protection are described in [AN97]
and in [ALN00].
Additionally to the threat described above an incoming signaling Additionally to the threat described above an incoming signaling
message might require time consuming processing (computations, state message might require time consuming processing (computations, state
maintenance, timer setting, etc) and communication with third-party maintenance, timer setting, etc) and communication with third-party
nodes including policy servers, LDAP servers, etc. If an adversary is nodes including policy servers, LDAP servers, etc. If an adversary is
able to transmit a large number of signaling messages (for example able to transmit a large number of signaling messages (for example
with QoS reservation requests) with invalid credentials then the with QoS reservation requests) with invalid credentials then the
verifying node may not be able to process further reservation verifying node may not be able to process further reservation
messages by legitimate users. messages by legitimate users.
Further threats could be introduced by allowing an adversary to gain Further threats could be introduced by allowing an adversary to gain
additional information by injecting error messages or by forcing the additional information by injecting error messages or by forcing the
creation of error messages. creation of error messages.
5.3 Eavesdropping and Traffic Analysis 4.3 Eavesdropping and Traffic Analysis
This section covers threats whereby an adversary is able to eavesdrop This section covers threats whereby an adversary is able to eavesdrop
signaling messages. The collected signaling packets may serve for the signaling messages. The collected signaling packets may serve for the
purpose of traffic analysis or to later mount replay attacks as purpose of traffic analysis or to later mount replay attacks as
described in the Section 4.2. The eavesdropper might learn QoS described in the Section 3.2. The eavesdropper might learn QoS
parameters, communication patterns, policy rules for firewall parameters, communication patterns, policy rules for firewall
traversal, policy information, application identifiers, user traversal, policy information, application identifiers, user
identities, NAT bindings, authorization objects and more. identities, NAT bindings, authorization objects and more.
Note, that such a threat is also applicable if the messages are
The capability for an adversary to eavesdrop signaling messages might
violate a users privacy preference particularly if authentication or
authorization information (including policies and profile
information) exchanged in an unprotected fashion.
Note, that the above threats are also applicable if the messages are
integrity protected which is often considered sufficient for integrity protected which is often considered sufficient for
signaling protocols. signaling protocols.
Since the NSIS protocol signals messages through a number of nodes it Since the NSIS protocol signals messages through a number of nodes it
is possible to differentiate between nodes actively participating in is possible to differentiate between nodes actively participating in
the NSIS protocol and others who do not actively participate in the the NSIS protocol and others who do not actively participate in the
NSIS protocol. For certain objects or messages it might be desirable NSIS protocol. For certain objects or messages it might be desirable
to permit actively participating intermediate NSIS nodes to to permit actively participating intermediate NSIS nodes to
eavesdrop. As a further extension it might be desired that only the eavesdrop. As a further extension it might be desired that only the
intended end points (NSIS initiator and NSIS responder) are able to intended end points (NSIS initiator and NSIS responder) are able to
read certain objects. read certain objects.
5.4 Identity Spoofing 4.4 Identity Spoofing
Identity spoofing relevant for NSIS appears in two flavors: First, Identity spoofing relevant for NSIS, appears in two flavors: First,
identity spoofing can appear during the establishment of a security identity spoofing can appear during the establishment of a security
association if based on a weak authentication mechanism. association if based on a weak authentication mechanism.
Eve, acting as an adversary, claims to be the registered user Alice Eve, acting as an adversary, claims to be the registered user Alice
by spoofing the identity of Alice. Thereby Eve causes the network to by spoofing the identity of Alice. Thereby Eve causes the network to
charge Alice for the consumed network resources. This type of attack charge Alice for the consumed network resources. This type of attack
is possible if authentication is done based on a simple username is possible if authentication is done based on a simple username
identifier (i.e. in absence of cryptographic authentication) or if identifier (i.e. in absence of cryptographic authentication) or if
authentication is provided for hosts and multiple users have access authentication is provided for hosts and multiple users have access
to a single host. This attack could also be classified as theft of to a single host. This attack could also be classified as theft of
service. service.
An adversary is able to exploit the established flow identifiers An adversary is able to exploit the established flow identifiers
(required for QoS and Midcom specific signaling protocols). Some (required for QoS and middlebox communication (Midcom) specific
identifiers such as IP addresses, transport protocol identifiers, signaling protocols). Some identifiers such as IP addresses,
port numbers, flow labels (see [RFC1809] and [RC+03]) and others are transport protocol identifiers, port numbers, flow labels (see
communicated in these protocols. Modification of these flow [RFC1809] and [RC+03]) and others are communicated in these
identifiers causes quality of service reservations or policy rules at protocols. Modification of these flow identifiers causes quality of
middleboxes to be either ineffective or exploidable for adversaries. service reservations or policy rules at middleboxes to be either
An adversary could mount an attack by modifying the flow identifier ineffective or exploitable by adversaries. An adversary could mount
of a signaling message. an attack by modifying the flow identifier of a signaling message.
NSIS signaling messages contain some sort of flow identifier, which NSIS signaling messages contain some sort of flow identifier, which
is associated with a specified behavior (e.g. a particular flow is associated with a specified behavior (e.g. a particular flow
experiences QoS treatment or allows packets to traverse a firewall, experiences QoS treatment or allows packets to traverse a firewall,
etc.). An adversary might therefore use IP spoofing and inject data etc.). An adversary might therefore use IP spoofing and inject data
packets to benefit from previously installed flow identifiers. packets to benefit from previously installed flow identifiers.
The following threat caused by identity spoofing of transmitted data The following threat is caused by identity spoofing of transmitted
traffic. The spoofed identity is thereby the source IP addresses. For data traffic. The spoofed identity is thereby the source IP
this attack to be successful accounting records are collected based addresses. For this attack to be successful accounting records are
on the source IP address and not on a SPI due to IPSec protection. collected based on the source IP address and not on a SPI due to
After the network receives a properly protected reservation request, IPSec protection. After the network receives a properly protected
transmitted by the legitimate user Alice, Traffic Selectors are reservation request, transmitted by the legitimate user Alice,
installed at the corresponding devices (for example edge router). Traffic Selectors are installed at the corresponding devices (for
These Traffic Selectors are used for flow identification and allow to example edge router). These Traffic Selectors are used for flow
match data traffic originated from a given source address to be identification and allow to match data traffic originated from a
assigned to a particular QoS reservation. The adversary Eve now given source address to be assigned to a particular QoS reservation.
spoofs the IP address of the Alice. Additionally Alice's host may be The adversary Eve now spoofs the IP address of the Alice.
crashed by the adversary as a result of a denial of service attack or Additionally Alice's host may be crashed by the adversary as a result
lost connectivity for example because of mobility reasons. If both of a denial of service attack or lost connectivity for example
nodes are located at the same link and use the same IP address then because of mobility reasons. If both nodes are located at the same
obviously a duplicate IP address will be detected. Assuming that only link and use the same IP address then obviously a duplicate IP
Eve is present at the link then she is able to receive and transmit address will be detected. Assuming that only Eve is present at the
data (for example RTP data traffic), which receives preferential QoS link then she is able to receive and transmit data (for example RTP
treatment based on the previous reservation. Depending on the data traffic), which receives preferential QoS treatment based on the
installed Traffic Selector granularity Eve might have more previous reservation. Depending on the installed Traffic Selector
possibilities to exploit the QoS reservation or a pin-holed firewall. granularity Eve might have more possibilities to exploit the QoS
Assuming the soft state paradigm, where periodical refresh messages reservation or a pin-holed firewall. Assuming the soft state
are required, the absence of Alice will not be detected until the paradigm, where periodical refresh messages are required, the absence
next signaling message appears and forces Eve to respond with a of Alice will not be detected until the next signaling message
protected signaling message. Again this issue is not only applicable appears and forces Eve to respond with a protected signaling message.
to QoS traffic but the existence of QoS reservation causes more Again this issue is not only applicable to QoS traffic but the
difficulties since this type of traffic is more expensive. The same existence of QoS reservation causes more difficulties since this type
procedure is also applicable to a Middlebox communication protocol. of traffic is more expensive. The same procedure is also applicable
to a Middlebox communication protocol.
The ability for an adversary to inject data traffic which matches a The ability for an adversary to inject data traffic which matches a
certain flow identifier established by a legitimate user often certain flow identifier established by a legitimate user often
requires the ability to also receive the data traffic. This is, requires the ability to also receive the data traffic. This is,
however, only true if the flow identifier consists of values which however, only true if the flow identifier consists of values which
contain addresses used for routing. If we imagine to use attributes contain addresses used for routing. If we imagine to use attributes
for a flow identifier where such a property is not required then for a flow identifier where such a property is not required then
identity spoofing and injecting traffic is much easier. An adversary identity spoofing and injecting traffic is much easier. An adversary
can use a nearly arbitrary endpoint identifier to experience the can use a nearly arbitrary endpoint identifier to experience the
desired result. Obviously the endpoint identifiers are still not desired result. Obviously the endpoint identifiers are still not
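Review bot: In the rewritten paragraph of Section 4.2, the -03 text defines idempotent messages as ones that "contain the same amount of information as the original message", which is not what idempotence means and leaves the denial of service argument that follows without a clear premise. State the property the paragraph relies on instead: a refresh can create state along a new path where no previous state or security association exists, so each message has to be verifiable on its own, and that is why signature verification becomes a DoS lever. Smaller points in the same hunk: "to loose state information" in 3.2 is carried over unchanged and should read "lose"; the new privacy paragraph in 4.3 lacks a verb ("information ... exchanged in an unprotected fashion") and the apostrophe in "users"; and the reworded summary ending "for the NSIS signaling protocol, only" is harder to parse than the -02 sentence it replaces.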
skipping to change at page 14, line 21 skipping to change at page 14, line 49
Data traffic marking based on DiffServ is such an example. Whenever Data traffic marking based on DiffServ is such an example. Whenever
an ingress router uses only marked incoming data traffic for an ingress router uses only marked incoming data traffic for
admission control procedures then various attacks are possible. These admission control procedures then various attacks are possible. These
problems are known in the DiffServ community for a long time and problems are known in the DiffServ community for a long time and
documented in various DiffServ related documents. The IPSec documented in various DiffServ related documents. The IPSec
protection of DiffServ Code Points is described in Section 6.2 of protection of DiffServ Code Points is described in Section 6.2 of
[RFC2745]. Related security issues (for example denial of service [RFC2745]. Related security issues (for example denial of service
attacks) are described in Section 6.1 of the same document. attacks) are described in Section 6.1 of the same document.
5.5 Missing Protection of Authorization Information 4.5 Missing Protection of Authorization Information
Authorization is an important step for providing resources such as Authorization is an important step for providing resources such as
QoS reservations, NAT bindings and pin-holed firewalls. Authorization QoS reservations, NAT bindings and pinholes on firewalls.
information might be delivered to the NSIS participating entities in
a number of ways. Authorization information might be delivered to the NSIS
participating entities in a number of ways.
Typically the authenticated identity is used to assist during the Typically the authenticated identity is used to assist during the
authorization procedure ass for example described in [RFC3812]. authorization procedure as e.g. described in [RFC3812]. Depending on
Depending on the chosen authentication protocol certain attacks are the chosen authentication protocol certain threats may exist. Section
possible. Section 4 discusses a number of issues related to this 3 discusses a number of issues related to this approach when the
approach when the authentication and key exchange protocol is used to authentication and key exchange protocol is used to establish session
establish session keys for signaling message protection. keys for signaling message protection.
Another approach is to use some sort of authorization token. The Another approach is to use some sort of authorization token. The
functionality and structure of such an authorization token for RSVP functionality and structure of such an authorization token for RSVP
is described in [RFC3520] and in [RFC3521]. is described in [RFC3520] and in [RFC3521].
The interaction between different protocols based on authorization The interaction between different protocols based on authorization
tokens, however, requires some care. Using such an authorization tokens, however, requires some care. By using such an authorization
token it is possible to link state information between different token it is possible to link state information between different
protocols. Returning an unprotected authorization token to the end protocols. Returning an unprotected authorization token to the end
host might allow an adversary (for example an eavesdropper) to steal host might allow an adversary (for example an eavesdropper) to steal
resources. An adversary might also use the token to learn resources. An adversary might also use the token to learn
communication patterns. An untrustworthy end host might also modify communication patterns. An untrustworthy end host might also modify
the token content. the token content.
Other authorization mechanisms might depend on availability of
sufficient funds and therefore real-time information.
The Session/Reservation Ownership problem can also be considered as The Session/Reservation Ownership problem can also be considered as
an authorization problem. Details are described in Section 5.10. In an authorization problem. Details are described in Section 4.10. In
enterprise networks authorization is often coupled with membership to enterprise networks authorization is often coupled with membership to
a particular class user of users/groups. This type of information can a particular class of users/groups. This type of information can
either be delivered as part of the authentication and key agreement either be delivered as part of the authentication and key agreement
procedure or has to be retrieved via separate protocols from other procedure or has to be retrieved via separate protocols from other
entities. If an adversary manages to modify information relevant for entities. If an adversary manages to modify information relevant for
determining authorization or the outcome of the authorization process determining authorization or the outcome of the authorization process
itself then theft of service might be the consequence. itself then theft of service might be the consequence.
5.6 Missing Non-Repudiation 4.6 Missing Non-Repudiation
Repudiation in this context refers to a problem where one party later Repudiation in this context refers to a problem where one party later
denies to have requested a certain action (such as a QoS denies to have requested a certain action (such as a QoS
reservation). The problem of a missing non-repudiation property reservation). The problem of a missing non-repudiation property
appears in two flavors: appears in two flavors:
From a service provider point-of-view the following threat may be From a service provider point-of-view the following threat may be
worth an investigation. A user may deny to have issued reservation worth an investigation. A user may deny to have issued reservation
request for which it was charged. A service provider may then like to request for which it was charged. A service provider may then like to
prove that a particular user issued reservation requests. prove that a particular user issued reservation requests.
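Review bot: In 4.6 the provider-side threat still reads "A user may deny to have issued reservation request for which it was charged", carried over unchanged from -02. Since this hunk already repairs the "class user of users/groups" wording in the paragraph above, fix this sentence as well, for example "A user may deny having issued a reservation request for which it was charged". The updated cross-reference to Section 4.10 agrees with the renumbered heading later in the diff.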
skipping to change at page 15, line 44 skipping to change at page 16, line 21
establish QoS reservations with the non-repudiation property for the establish QoS reservations with the non-repudiation property for the
authorized resources then it has an impact on the protocol design. authorized resources then it has an impact on the protocol design.
Non-repudiation poses additional requirements on the security Non-repudiation poses additional requirements on the security
mechanisms as it can only be provided through public-key mechanisms as it can only be provided through public-key
cryptography. As this would often increase the overall cost for cryptography. As this would often increase the overall cost for
security, threats related to missing non-repudiation are only security, threats related to missing non-repudiation are only
considered relevant for certain specific scenarios (e.g. specific considered relevant for certain specific scenarios (e.g. specific
authorization mechanisms) and not for general NSIS signaling. authorization mechanisms) and not for general NSIS signaling.
5.7 Malicious NSIS Entity 4.7 Malicious NSIS Entity
Network elements within a domain (intra-domain) experience a Network elements within a domain (intra-domain) experience a
different trust relationship with regard to the security protection different trust relationship with regard to the security protection
of signaling messages compared to the edge NSIS entity. We assume of signaling messages compared to the edge NSIS entity. We assume
that edge NSIS entity have the responsibility to perform that edge NSIS entity have the responsibility to perform
cryptographic processing (authentication, integrity and replay cryptographic processing (authentication, integrity and replay
protection, authorization and accounting) for signaling message protection, authorization and accounting) for signaling message
arriving from the outside. This prevents signaling messages to appear arriving from the outside. This prevents signaling messages to appear
unprotected within the internal network. If however an adversary unprotected within the internal network. If, however, an adversary
manages to take over an edge router then the security of the entire manages to take over an edge router then the security of the entire
network is affected. An adversary is then able to launch a number of network is affected. An adversary is then able to launch a number of
attacks including denial of service, integrity violation, replay attacks including denial of service, integrity violation, replay,
attacks etc. In case of policy rule installation a rogue firewall can reordering and deletion of data packets and various other attacks. In
cause harm to other firewalls by modifying the policy rules case of policy rule installation a rogue firewall can cause harm to
accordingly. The chain-of-trust principle applied in the peer-to-peer other firewalls by modifying the policy rules accordingly. The chain-
security protection cannot provide protection against a malicious of-trust principle applied in the peer-to-peer security protection
NSIS node. An adversary with access to an NSIS router is then also cannot provide protection against a malicious NSIS node. An adversary
able to get access to security associations to transmit secured with access to an NSIS router is then also able to get access to
signaling messages. Note that even non peer-to-peer security security associations to transmit secured signaling messages. Note
protection might not be able to fully prevent this problem. Since an that even non peer-to-peer security protection might not be able to
NSIS node might issue signaling messages on behalf of someone else fully prevent this problem. Since an NSIS node might issue signaling
(by acting as a proxy) additional problems are the consequence. messages on behalf of someone else (by acting as a proxy) additional
problems are the consequence.
An NSIS aware edge router is a critical component that requires An NSIS aware edge router is a critical component that requires
strong security protection. A strong security policy applied at edge strong security protection. A strong security policy applied at edge
does not imply that all routers within an intra-domain network do not does not imply that all routers within an intra-domain network do not
need to cryptographically verify signaling messages. If the chain-of- need to cryptographically verify signaling messages. If the chain-of-
trust principle is deployed then the security protection of the trust principle is deployed then the security protection of the
entire path (in this case within the network of a single entire path (in this case within the network of a single
administrative domain) is as strong as the weakest link. In our case administrative domain) is as strong as the weakest link. In our case
the edge router is the most critical component of this network that the edge router is the most critical component of this network that
may also act as a security gateway/firewall for incoming/outgoing may also act as a security gateway/firewall for incoming/outgoing
traffic. For outgoing traffic this device has to act according to the traffic. For outgoing traffic this device has to act according to the
security policy of the local domain to apply the appropriate security security policy of the local domain to apply the appropriate security
protection. protection.
For an adversary to mount this attack either an existing NSIS aware For an adversary to mount this attack either an existing NSIS aware
node along the path has to be successfully attacked or an adversary node along the path has to be successfully attacked or an adversary
succeeds to convince another NSIS node to be the next NSIS peer (man- succeeds to convince another NSIS node to be the next NSIS peer (man-
in-the-middle attack). in-the-middle attack).
5.8 Denial of Service Attacks 4.8 Denial of Service Attacks
A number of denial of service attacks can cause NSIS nodes to A number of denial of service attacks can cause NSIS nodes to
malfunction. Other attacks that could lead to DoS, such as man-in- malfunction. Other attacks that could lead to DoS, such as man-in-
the-middle attacks, replay attacks, injection or modification of the-middle attacks, replay attacks, injection or modification of
signaling messages etc., are mentioned throughout this document. signaling messages etc., are mentioned throughout this document.
- Path Finding - Path Finding
This threat tries to address potential denial of service attacks when This threat tries to address potential denial of service attacks when
the reservation setup is split into two phases i.e. path and the reservation setup is split into two phases i.e. path and
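Review bot: The expanded attack list in 4.7 now includes "reordering and deletion of data packets", but the rest of the paragraph is about signaling messages processed by the edge NSIS entity; state whether this means signaling messages, user data traffic, or both. While this paragraph is being edited, "edge NSIS entity have the responsibility" and "for signaling message arriving from the outside" still need their plural forms.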
skipping to change at page 17, line 25 skipping to change at page 18, line 4
to a number of attacks since it is difficult to secure. An adversary to a number of attacks since it is difficult to secure. An adversary
can use the discovery mechanisms to convince an entity to signal can use the discovery mechanisms to convince an entity to signal
information to another entity which is not along the data path or to information to another entity which is not along the data path or to
cause the discovery process to fail. In the first case the signaling cause the discovery process to fail. In the first case the signaling
protocol could be correctly continued with the problem that policy protocol could be correctly continued with the problem that policy
rules are installed at incorrect firewalls or QoS resource rules are installed at incorrect firewalls or QoS resource
reservations take place at the wrong entities. For an end host this reservations take place at the wrong entities. For an end host this
means that the protocol failed for unknown reasons. means that the protocol failed for unknown reasons.
- Faked Error/Response messages - Faked Error/Response messages
An adversary may be able to inject false error/response messages as
part of a denial of service attack. This could be either at the
message signaling protocol level (NTLP), at the level of each client
layer protocol (NSLP: QoS, Midcom, etc.) or at the transport level
protocol. An adversary might cause unexpected protocol behavior, or
might succeed with denial of service attacks. Especially the
discovery protocol shows vulnerabilities with regard to this threat
(see above discussion on discovery). In case that no separate
discovery protocol is used by addressing signaling messages to end
hosts only (with a Router Alert Option to intercept message as NSIS
aware nodes) then an error message might be used to indicate a path
change. Such a design is a combination of a discovery protocol
together with a signaling message exchange protocol.
An adversary may be able to use false error/response messages as part 4.9 Disclosing the network topology
of a denial of service attack. This could be either at the message
signaling protocol level, at the level of each client layer protocol
(QoS, Midcom, etc.) or at the transport level protocol. An adversary
might cause unexpected protocol behavior or produce denial of service
attacks. Especially the discovery protocol shows vulnerabilities with
regard to this threat. In case that no separate discovery protocol is
used by addressing signaling messages to end hosts only (with a
Router Alert Option to intercept message as NSIS aware nodes) then an
error message might be used to indicate a path change. Such a design
is a combination of a discovery protocol together with a signaling
message exchange protocol.
5.9 Disclosing the network topology
In some architectures there is a desire not to reveal the internal In some architectures there is a desire not to reveal the internal
network structure (or other related information) to the outside network structure (or other related information) to the outside
world. An adversary might be able to use NSIS messages for network world. An adversary might be able to use NSIS messages for network
mapping (e.g. discovering which nodes exist, which use NSIS, what mapping (e.g. discovering which nodes exist, which use NSIS, what
version, what resources are allocated, capabilities of nodes along a version, what resources are allocated, capabilities of nodes along a
paths etc.). Discovery messages, traceroute, diagnostic messages (see paths etc.). Discovery messages, traceroute, diagnostic messages (see
[RFC2745] for a description of diagnostic message functionality for [RFC2745] for a description of diagnostic message functionality for
RSVP), query messages in addition to record route and route objects RSVP), query messages in addition to record route and route objects
provide the potential to assist an adversary. Hence the requirement provide the potential to assist an adversary. Hence the requirement
of not disclosing a network topology might conflict with another of not disclosing a network topology might conflict with another
requirement to provide means for automatically discovering NSIS aware requirement to provide means for automatically discovering NSIS aware
nodes or to provide diagnostic facilities (used for network nodes or to provide diagnostic facilities (used for network
monitoring and administration). monitoring and administration).
5.10 Session/Reservation Ownership 4.10 Missing protection of Session/Reservation Ownership
Figure 4 shows an NSIS Initiator which established state information Figure 3 shows an NSIS Initiator which established state information
at NSIS nodes along the path as part of the signaling procedure. As a at NSIS nodes along the path as part of the signaling procedure. As a
result the Access Router1 Router 3 and Router 4 (and other nodes) result the Access Router1 Router 3 and Router 4 (and other nodes)
store session state information including the Session Identifier SID- store session state information including the Session Identifier SID-
x. x.
Session ID(SID-x) Session ID(SID-x)
+--------+ +--------+
+-----------------+ Router +------------> +-----------------+ Router +------------>
Session ID(SID-x)| | 4 | Session ID(SID-x)| | 4 |
+---+----+ +--------+ +---+----+ +--------+
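Review bot: The rewritten "Faked Error/Response messages" paragraph introduces "(NTLP)" and "(NSLP: QoS, Midcom, etc.)" without expanding either acronym; expand them here unless they are defined earlier in the draft. The paragraph also says the same thing twice: it opens with injection "as part of a denial of service attack" and then adds that the adversary "might succeed with denial of service attacks", so one of the two can be dropped. In 4.10, "the Access Router1 Router 3 and Router 4" is missing a comma and mixes two spellings of the node names; pick one.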
skipping to change at page 18, line 37 skipping to change at page 19, line 35
| Router | | Router | | Router | | Router |
| 1 | | 2 | | 1 | | 2 |
+---+----+ +---+----+ +---+----+ +---+----+
| * | *
| Session ID(SID-x) * Session ID(SID-x) | Session ID(SID-x) * Session ID(SID-x)
+----+------+ +----+------+ +----+------+ +----+------+
| NSIS | | Adversary | | NSIS | | Adversary |
| Initiator | | | | Initiator | | |
+-----------+ +-----------+ +-----------+ +-----------+
Figure 4: Session/Reservation Ownership Figure 3: Session/Reservation Ownership
The Session Identifier is included in signaling messages to reference The Session Identifier is included in signaling messages to reference
to the established state. to the established state.
If an adversary was able to obtain the Session Identifier for example If an adversary was able to obtain the Session Identifier for example
by eavesdropping signaling messages it is able to add the same by eavesdropping signaling messages it is able to add the same
Session Identifier SID-x to a new a signaling message. When the Session Identifier SID-x to a new signaling message. When the
signaling message hits Router3 (as shown in Figure 3) then existing signaling message hits Router3 (as shown in Figure 3) then existing
state information can be modified. The adversary can then modify or state information can be modified. The adversary can then modify or
delete the established reservation causing unexpected behavior for delete the established reservation causing unexpected behavior for
the legitimate user. the legitimate user.
The source of the problem is that Router3 (cross-over router) is The source of the problem is that Router3 (cross-over router) is
unable to decide whether the new signaling message was initiated from unable to decide whether the new signaling message was initiated from
the owner of the session/reservation. the owner of the session/reservation.
To make processing even more difficult it must be mentioned that not In addition, not only the initial signaling message originator is
only the initial signaling message originator is allowed to signal allowed to signal information during the lifetime of an established
information during the lifetime of an established session. As part of session. As part of the protocol any NSIS aware node along the path
the protocol any NSIS aware node along the path (and the path might (and the path might change over time) could initiate a signaling
change over time) could be involved in the signaling message exchange message exchange. It might, for example, be necessary to provide
and it might be necessary to provide mobility support or to trigger a mobility support or to trigger a local repair procedure. If only the
local repair procedure. Hence if only the initial signaling message initial signaling message originator is allowed to trigger signaling
originator is allowed to trigger signaling message exchange some message exchanges some protocol behavior would not be possible.
protocol behavior will not be possible.
In case that this threat is not addressed an adversary can launch In case that this threat is not addressed an adversary can launch
denial of service, theft of service, and various other attacks. denial of service, theft of service, and various other attacks.
5.11 Attacks against the signaling message transport mechanism 4.11 Attacks against the transport mechanism
In [BL01] a two-level architecture is proposed which suggests to In [BL01] a two-level architecture is proposed which suggests to
split an NSIS protocol into layers: a signaling message transport split an NSIS protocol into layers: a signaling message transport
specific layer and an application specific layer. This architectural specific layer and an application specific layer. This architectural
assumption is also considered within the NSIS framework [HF+03]. assumption is also considered within the NSIS framework [HF+03].
Most of the threats described in this document are applicable to the Most of the threats described in this document are applicable to the
application specific part for signaling QoS or middlebox specific application specific part for signaling QoS or middlebox specific
information. There are, however, some threats which are applicable to information. There are, however, some threats which are applicable to
the transport of signaling messages. the transport of signaling messages.
Network or transport layer protocols which experience no protection Network or transport layer protocols lacking protection mechanisms
are vulnerable to certain attacks such as header manipulation, DoS, are vulnerable to certain attacks such as header manipulation, DoS,
spoofing of identities, session hijacking, unexpected aborts etc. spoofing of identities, session hijacking, unexpected aborts etc.
Malicious nodes can attack the congestion control mechanism to force Malicious nodes can attack the congestion control mechanism to force
NSIS nodes into a congestion avoidance state. NSIS nodes into a congestion avoidance state.
In case that an existing protocol is used for exchanging NSIS In case that an existing protocol is used for exchanging NSIS
signaling messages then threats known from these protocols are signaling messages then threats known from these protocols are
relevant. relevant.
6. Security Considerations 5. Security Considerations
This entire memo discusses security issues relevant for NSIS. To This entire memo discusses security issues relevant for NSIS. To
counter these threats security requirements have been listed in counter these threats security requirements have been listed in
[Brun03]. Framework relevant topics have been incorporated into [Brun03]. Framework relevant topics have been incorporated into
[HF+03]. [HF+03].
7. Normative References 6. Normative References
[Brun03] M. Brunner, "Requirements for QoS signaling protocols," [Brun03] M. Brunner, "Requirements for QoS signaling protocols,"
Internet Draft, Internet Engineering Task Force, June 2003. Work in Internet Draft, Internet Engineering Task Force, August 2003. Work
progress. in progress.
7. Informative References
[HF+03] R. Hancock, I. Freytsis, G. Karagiannis, J. Loughney, and S. [HF+03] R. Hancock, I. Freytsis, G. Karagiannis, J. Loughney, and S.
V. den Bosch, "Next steps in signaling: Framework," Internet Draft, V. den Bosch, "Next steps in signaling: Framework," Internet Draft,
Internet Engineering Task Force, March 2003. Work in progress. Internet Engineering Task Force, September 2003. Work in progress.
8. Informative References
[RFC1809] C. Partridge, "Using the flow label field in IPv6," RFC [RFC1809] C. Partridge, "Using the flow label field in IPv6," RFC
1809, Internet Engineering Task Force, June 1995. 1809, Internet Engineering Task Force, June 1995.
[RFC2745] A. Terzis, B. Braden, S. Vincent, and L. Zhang, "RSVP [RFC2745] A. Terzis, B. Braden, S. Vincent, and L. Zhang, "RSVP
Diagnostic Messages," RFC 2745, Internet Engineering Task Force, Diagnostic Messages," RFC 2745, Internet Engineering Task Force,
Jan. 2000. Jan. 2000.
[RFC3182] Yadav, S., Yavatkar, R., Pabbati, R., Ford, P., Moore, [RFC3182] Yadav, S., Yavatkar, R., Pabbati, R., Ford, P., Moore,
T., Herzog, S., Hess, R.: "Identity Representation for RSVP", RFC T., Herzog, S., Hess, R.: "Identity Representation for RSVP", RFC
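Review bot: Shortening the heading to "4.11 Attacks against the transport mechanism" drops the qualifier the body depends on: the text distinguishes a "signaling message transport specific layer" from "Network or transport layer protocols", and the new title reads as if only the latter were covered. Suggest keeping "signaling message transport" in the heading. In the reference changes, [HF+03] moves from Normative to Informative because the "Informative References" heading now precedes it; confirm that reclassification is intended and not a side effect of renumbering the headings.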
skipping to change at page 20, line 41 skipping to change at page 21, line 41
[RFC3520] L. Hamer, B. Gage, B. Kosinski, and H. Shieh, "Session [RFC3520] L. Hamer, B. Gage, B. Kosinski, and H. Shieh, "Session
Authorization Policy Element", RFC 3520, Internet Engineering Task Authorization Policy Element", RFC 3520, Internet Engineering Task
Force, April 2003. Force, April 2003.
[RC+03] J. Rajahalme, A. Conta, B. Carpenter, and S. Deering, "IPv6 [RC+03] J. Rajahalme, A. Conta, B. Carpenter, and S. Deering, "IPv6
Flow Label Specification," Internet Draft, Internet Engineering Task Flow Label Specification," Internet Draft, Internet Engineering Task
Force, April 2003. Work in progress. Force, April 2003. Work in progress.
[BL01] B. Braden and B. Lindell, "A two-level architecture for [BL01] B. Braden and B. Lindell, "A two-level architecture for
internet signaling," Internet Draft, Internet Engineering Task internet signaling," Internet Draft, Internet Engineering Task
Force, Nov. 2001. Work in progress. Force, Nov. 2001. (Expired).
[AN97] T. Aura and P. Nikander: "Stateless Connections", In
Proceedings of the International Conference on Information and
Communications Security (ICICSĂ97), Lecture Notes in Computer
Science 1334, Springer, 1997.
[ALN00] T. Aura, J. Leiwo and P. Nikander: "Towards Network Denial
of Service Resistant Protocols", In Proceedings of the 15th
International Information Security Conference (IFIP/SEC 2000),
Beijing, China, August 2000.
Acknowledgments Acknowledgments
We would like to thank (in alphabetical order) Marcus Brunner, Jorge We would like to thank (in alphabetical order) Marcus Brunner, Jorge
Cuellar, Mehmet Ersue, Xiaoming Fu and Robert Hancock for their Cuellar, Mehmet Ersue, Xiaoming Fu and Robert Hancock for their
comments to an initial version of this draft. Jorge and Robert gave comments to an initial version of this draft. Jorge and Robert gave
us an extensive list of comments and provided information on us an extensive list of comments and provided information on
additional threats. additional threats.
Jukka Manner, Martin Buechli, Roland Bless, Marcus Brunner, Michael Jukka Manner, Martin Buechli, Roland Bless, Marcus Brunner, Michael
Thomas and Mohan Parthasarathy provided comments to a recent version Thomas, Cedric Aoun, John Loughney, Rene Solwitsch, Cornelia
of this draft. Their input helped to improve the content of this Kappler, and Mohan Parthasarathy provided comments to a recent
document. Particularly Roland Bless and Michael Thomas provided version of this draft. Their input helped to improve the content of
proposals for regrouping and restructuring. this document. Particularly Roland Bless, Michael Thomas and
Cornelia Kappler provided good proposals for regrouping and
restructuring.
Author's Addresses Author's Addresses
Hannes Tschofenig Hannes Tschofenig
Siemens AG Siemens AG
Corporate Technology Corporate Technology
CT IC 3 CT IC 3
Otto-Hahn-Ring 6 Otto-Hahn-Ring 6
81739 Munich 81739 Munich
Germany Germany
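Review bot: The added [AN97] entry shows the conference name as "ICICSĂ97", which points to a non-ASCII apostrophe in the draft source; replace it with a plain ASCII apostrophe. The two new references [AN97] and [ALN00] are not cited anywhere in the lines shown in this diff, so check that each has a citation in the body (the denial of service discussion in 4.8 is the obvious candidate) or drop them.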
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/