Diff: draft-ietf-nsis-threats-03.txt (October 2003, expires April 2004) vs. draft-ietf-nsis-threats-04.txt (February 2004, expires August 2004)

Internet Engineering Task Force                              NSIS
Internet Draft                                       H. Tschofenig
                                                     D. Kroeselberg
                                                           Siemens
Document: draft-ietf-nsis-threats-04.txt
Expires: August 2004                                 February 2004

                      Security Threats for NSIS
                  <draft-ietf-nsis-threats-04.txt>

Status of this Memo

This document is an Internet-Draft and is subject to all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html
Abstract

This threats document provides a detailed analysis of the security threats relevant for the NSIS protocol. It calls attention to, and helps with the understanding of, various security considerations in the NSIS Requirements, Framework, and Protocol proposals. This document does not describe vulnerabilities of specific NSIS protocols.
Table of Contents

1. Introduction
2. Relevant Communications Models
   2.1 First-Peer Communications
   2.2 End-to-Middle Communications
   2.3 Intra-Domain Communications
   2.4 Inter-Domain Communications
   2.5 End-to-End Communications
   2.6 Middle-to-Middle Communications
3. Generic Threats
   3.1 Man-in-the-Middle Attacks
   3.2 Replay of Signaling Messages
   3.3 Injecting or Modifying Messages
   3.4 Insecure Parameter Exchange and Negotiation
4. NSIS-Specific Threat Scenarios
   4.1 NSIS SA Usage
   4.2 Combining Signaling and SA Establishment
   4.3 Eavesdropping and Traffic Analysis
   4.4 Identity Spoofing
   4.5 Unprotected Authorization Information
   4.6 Missing Non-Repudiation
   4.7 Malicious NSIS Entity
   4.8 Denial of Service Attacks
   4.9 Disclosing the Network Topology
   4.10 Unprotected Session or Reservation Ownership
   4.11 Attacks against the Transport Mechanism
5. Security Considerations
6. Normative References
7. Informative References
Author's Addresses
Full Copyright Statement
1. Introduction

Whenever a new protocol has to be developed or existing protocols have to be modified, threats to their security should be evaluated. The process of securing protocols is broken down into discrete steps. To address security in the NSIS working group, a number of steps have been taken:

- NSIS Analysis Activities (e.g., RSVP Security Properties)
- Security Threats for NSIS
- NSIS Requirements
- NSIS Framework
- NSIS Protocol Proposals

This document identifies the basic security threats that need to be addressed during the NSIS signaling protocol design. It cannot provide detailed threats for all possible NSIS NSLPs: the QoS, NAT/Firewall, and other NSLP documents need to describe their own trust models and the threats specific to their application domain. In addition, although the base protocol might be secure, certain extensions may cause problems when used in a particular environment. Furthermore, it is necessary to investigate the context in which a signaling protocol is used and the architecture into which it is integrated. As an example of such interaction, accounting and charging are taken into account in this document, because without an appropriate integration of the two it is difficult to deploy any NSIS solution. This interaction is also a subject of discussion within the NSIS Framework.

We use the NSIS terms defined in [Brun03].
2. Relevant Communications Models

Signaling messages traverse different parts of a network, demand different security protection, and raise different security problems. The different needs for security protection are mainly due to the fact that NSIS signaling messages cross trust boundaries into domains where different trust relationships exist. Often, one may describe this by categorizing communications as first-peer, last-peer, intra-domain, or inter-domain (see Figure 1).

The main properties of these parts of a network are briefly described in this section, and the threats against them in Sections 3 and 4 are classified as generic and NSIS-specific. Figure 1 depicts a typical end-to-end communication scenario, including the access parts between the NSIS end-entities and their nearest NSIS hops. This "first-peer communication" commonly comes with specific security requirements (as described below) that are especially important for properly addressing security in mobile scenarios. The trust relationship and the required security for first-peer communication may differ from those of other parts of the signaling path.

To refine the above differentiation based on the network parts that NSIS signaling may traverse, we consider trust relationships between different network parts.

Additional threats may apply to NSIS communications in which one entity involved is an end-entity (Initiator or Responder) and the other entity is any intermediate hop except the immediately adjacent peer. This is typically called the end-to-middle scenario (see Figure 2 for a description of the relevant trust relations).
   +------------------+   +---------------+   +------------------+
   |                  |   |               |   |                  |
   |  Administrative  |   |  Intermediate |   |  Administrative  |
   |     Domain A     |   |    Domains    |   |     Domain B     |
   |                  |   |               |   |                  |
   |          (Inter-domain Communication)                       |
   |   +---------+---+---------------+---+---------+             |
   |   (Intra-domain  |   |           |   |   (Intra-domain      |
   |   Communication) |   |           |   |   Communication)     |
   |   |              |   |           |   |        |             |
   [...]
   +--------+---------+   +---------------+   +---------+--------+
            ^                                           v
            |                                           |
   First Peer Communication                Last Peer Communication
            |                                           |
      +-----+-----+                               +-----+-----+
      |   NSIS    |                               |   NSIS    |
      | Initiator |                               | Responder |
      +-----------+                               +-----------+

                    Figure 1: NSIS Network Parts
The motivation for including this scenario stems, for example, from the SIP [RFC3261] protocol. To counter a number of specific security threats, any intermediate SIP hop may request a SIP end-entity (UA) to authenticate. Such functionality seems generally useful for intermediaries at the borders of trust domains that signaling messages need to traverse.

Intermediate NSIS hops may also have to deal with specific security threats that do not (directly) involve any end-entities. This scenario is called middle-to-middle. A typical example of middle-to-middle communication is between two NSIS hops at the borders of their respective trust domains (i.e., inter-domain communications). NSIS messages may have to traverse one or more untrusted hops between these NSIS entities.

Figure 2 illustrates these additional scenarios. The first-peer and last-peer cases discussed above are covered by the peer-to-peer trust relationships between an end-entity and its closest hop.
              ****************************************
              *                                      *
         +----+-----+      +----------+      +----+-----+
   +-----+   NSIS   +------+   NSIS   +------+   NSIS   +-----+
   |     |  Node 1  |      |  Node 2  |      |  Node 3  |     |
   |     +----------+      +----+-----+      +----------+     |
   |                            ~                             |
   |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~              |
   |                ~                                         |
   [...]
   |   NSIS    +//////////////////////////////////////+   NSIS    |
   | Initiator |                                      | Responder |
   +-----------+                                      +-----------+

   Legend:
   -----: Peer-to-Peer Trust Relationship
   /////: End-to-End Trust Relationship
   *****: Middle-to-Middle Trust Relationship
   ~~~~~: End-to-Middle Trust Relationship

                  Figure 2: NSIS Trust Relationships
2.1 First-Peer Communications

First-peer communication refers to the peer-to-peer interaction between a signaling message originator, the NSIS Initiator (NI), and the first NSIS-aware entity along the path. Making assumptions about the threats, security requirements, and available trust relationships may be difficult here.

To illustrate this, in many mobility environments it is difficult to assume the existence of a pre-established security association directly available to the NSIS peers involved in first-peer communication, because these peers cannot be assumed to have any pre-existing relationship with each other. For enterprise networks, in contrast, the situation is different. Usually there is a fairly strong (pre-established) trust relationship between the peers. Enterprise network administrators usually have some degree of freedom to select the appropriate security protection and to enforce it. The choice of security mechanism is therefore often influenced by the already available infrastructure, and per-session negotiation of security mechanisms is often not required (which, in contrast, is required in the public mobile case).

For first-peer communication especially, threats related to initial security association setup, or threats due to replay attacks, lack of confidentiality, denial of service, integrity violation, or identity spoofing are relevant, and potentially lead to theft of service, fraud, or violations of privacy.
2.2 End-to-Middle Communications

End-to-middle interaction in signaling may be required, e.g., to grant end-entities access to specific services in trust domains different from the one to which the first peer belongs. Threats specific to this scenario may be introduced by untrusted intermediate NSIS hops that maliciously alter NSIS signaling. These threats remain relevant even if security mechanisms are in place between the NSIS hops, as long as those mechanisms terminate at each hop (e.g., IPsec hop-by-hop protection): a hop that is a legitimate endpoint of the hop-by-hop security association can still modify the message before forwarding it.
2.3 Intra-Domain Communications

After having been verified at the first peer, an NSIS signaling message traverses the network within the same administrative domain to which the first peer belongs. Because the request has already been authenticated and authorized, the threats are different from those described in the previous sections. To differentiate first-peer communication from intra-domain communication (i.e., communication internally within one administrative domain), we assume that no external end hosts have direct access to the internal network nodes, except to the first peer. We furthermore assume that NSIS peers within the same administrative domain have at least some sort of trust relationship.
2.4 Inter-Domain Communications

The threat assumptions between the borders of different administrative domains largely depend on the authorization procedures. If one domain forges QoS reservations, then this domain may also have to pay for the reservation. Hence, in this case, there is no real benefit for this domain in forging a QoS reservation. If an end host is directly charged by intermediate domains (i.e., by a domain different from the malicious domain), such an attack may be a quite realistic threat.

Security protection of messages transmitted between different administrative domains is necessary to tackle attacks like spoofing, integrity violation, or denial of service between these domains, e.g., to allow proper accounting. The number of neighboring domains is usually rather limited (compared with first-peer communication), which substantially reduces the key management effort for securing inter-domain NSIS signaling.

Signaling information other than QoS service parameters, such as policy rules in the case of middlebox communication, places different assumptions on inter-domain communication. Business relationships and trust assumptions are of particular importance as a basis for securing these communications.

If signaling messages are conveyed transparently in the core network (i.e., they are neither intercepted nor processed in the core network), then the signaling message communication effectively takes place between potentially distant access networks. This might place a burden on the key management infrastructure required between these access networks, which might not know of each other in advance. This might lead to an inability to secure signaling messages for direct communication between the access networks. Hence, this can be seen as a serious deployment problem, because it might be unacceptable for an access network service provider to perform processing (e.g., QoS reservations or policy rule installation at firewalls) triggered by unprotected, unauthenticated, and possibly unauthorized incoming signaling messages.
2.5 End-to-End Communications

NSIS aims to signal information between the Initiator and the Responder. This section refers to the trust relationships required between the end points in cases where security protection is required. Note that this security protection is likely to be required only for certain objects, such as those related to pricing and charging. Protecting the entire signaling message end to end is not normally regarded as feasible, because intermediate NSIS nodes need (a) to inspect various objects and (b) to add, modify, or delete objects from the signaling message.

The following example illustrates a possible application of end-to-end protection for objects carried within the NSIS signaling protocol. Alice, the data sender, wants Bob, the data receiver, to pay for a QoS reservation (reverse charging). Bob wants to be assured that the QoS signaling message he receives was indeed transmitted by Alice, because he is only willing to pay for particular users and not for everyone. Hence, Bob wants to verify that the request came from Alice (authentication) and that the included parameters are unmodified (integrity). Additionally, it might be necessary to secure a negotiation step and to deliver authorization information securely to the parties involved. Information required to render an authorization decision (such as prices or QoS objects) also needs proper security protection.

Typical threats in such a scenario range from modification of QoS objects or price information (i.e., making Bob pay too much), to fraud (i.e., forcing Bob always to pay for the reservations), to identity spoofing (i.e., an impostor claiming to be Alice).

Regarding end-to-end security, one additional issue needs to be addressed: delegation. Whenever signaling is addressed end to end and an arbitrary node along the path acts as a proxy on behalf of the other endpoint, a delegation mechanism is required to provide secure interaction. This might lead to additional complexity.
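The reverse-charging scenario above, worked through as an added example (this code is not part of the draft and does not model any specific NSIS protocol). Alice covers only the objects Bob must trust end to end (sender, receiver, QoS request, charging, and a fresh nonce) with an HMAC-SHA256 tag, while intermediate hops freely rewrite hop-by-hop objects. The object names, the message layout, and the pre-shared key between Alice and Bob are assumptions made for the example; the sample request is constructed inline.

```python
# Added example (not from the draft): selective end-to-end protection of
# signaling objects in the reverse-charging scenario of Section 2.5.
# Object names ("charging", "route", ...) and the pre-shared key between
# Alice and Bob are assumptions made for this example, not NSIS definitions.
import hashlib
import hmac
import json
import os

# Objects Bob must be able to trust end to end: who asks, what is
# requested, who pays, and a fresh nonce that defeats replay.
E2E_PROTECTED = ("sender", "receiver", "qos", "charging", "nonce")
# Objects that every NSIS hop on the path may add or rewrite.
HOP_MUTABLE = ("route", "hop_count")


def canonical(objects, names):
    """Deterministic byte encoding of the selected objects only."""
    subset = {n: objects[n] for n in names if n in objects}
    return json.dumps(subset, sort_keys=True, separators=(",", ":")).encode()


def protect(message, key):
    """Alice: attach an e2e_auth object (HMAC-SHA256 over E2E_PROTECTED)."""
    tag = hmac.new(key, canonical(message, E2E_PROTECTED), hashlib.sha256).hexdigest()
    return {**message, "e2e_auth": tag}


def verify(message, key, seen_nonces):
    """Bob: return (accepted, reason); rejects missing/forged tags and replays."""
    tag = message.get("e2e_auth")
    if tag is None:
        return False, "no end-to-end protection"
    expected = hmac.new(key, canonical(message, E2E_PROTECTED), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "protected object modified"
    nonce = message.get("nonce")
    if nonce in seen_nonces:
        return False, "replayed"
    seen_nonces.add(nonce)
    return True, "ok"


def intermediate_hop(message, hop_id):
    """Legitimate hop: rewrites hop-by-hop objects, leaves protected ones alone."""
    out = dict(message)
    out["route"] = out.get("route", []) + [hop_id]
    out["hop_count"] = out.get("hop_count", 0) + 1
    return out


def malicious_hop(message, new_price):
    """Untrusted hop: raises the price Bob is asked to pay."""
    out = dict(message)
    out["charging"] = {**out["charging"], "price": new_price}
    return out


def run_scenario(key=b"example-shared-key"):  # assumed Alice/Bob pre-shared key
    alice_request = {  # constructed sample message
        "sender": "alice@example.net",
        "receiver": "bob@example.org",
        "qos": {"bandwidth_kbps": 2000},
        "charging": {"payer": "receiver", "price": 5},
        "nonce": os.urandom(8).hex(),
        "route": [],
        "hop_count": 0,
    }
    signed = protect(alice_request, key)
    seen = set()

    # Honest path: two hops rewrite only mutable objects; Bob accepts.
    honest = intermediate_hop(intermediate_hop(signed, "hop1"), "hop2")
    honest_result = verify(honest, key, seen)
    # An on-path adversary replays the captured message; the nonce is known.
    replay_result = verify(honest, key, seen)
    # A malicious hop rewrites the price; the tag no longer matches.
    tampered = malicious_hop(intermediate_hop(signed, "hop1"), new_price=500)
    tamper_result = verify(tampered, key, set())
    # A request without any end-to-end object protection is refused.
    unprotected_result = verify(intermediate_hop(alice_request, "hop1"), key, set())
    return {
        "honest": honest_result,
        "replay": replay_result,
        "tampered": tamper_result,
        "unprotected": unprotected_result,
        "hops_seen_by_bob": honest["route"],
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

Two caveats a deployment would have to add. A symmetric tag only proves the message came from someone holding the shared key, so it gives Bob authentication and integrity but not non-repudiation; a signature with Alice's private key would be needed if Bob has to prove to a third party who requested the reservation. And the example protects nothing hop by hop: the objects every hop rewrites still need their own (peer-to-peer) protection, which is exactly why the draft treats end-to-end and first-peer protection as separate problems.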
2.6 Middle-to-Middle Communications

The middle-to-middle case is not explicitly considered here, although it is important, because it is already covered by either intra-domain or inter-domain communication, depending on the locations of the entities involved.
3. Generic Threats 3. Generic Threats
This section provides threat scenarios that are applicable to This section provides scenarios of threats that are applicable to
signaling protocols. Note that some threat scenarios use the term signaling protocols in general. Note that some of these scenarios
user instead of NSIS Initiator. This is mainly because security use the term user instead of NSIS Initiator. This is mainly because
protocols allow a differentiation between entities being hosts and security protocols allow differentiation between entities as hosts
users (based on the identities used). and as users (based on the identifiers used).
For the following subsections, we use the general distinction into two cases in which attacks may occur. These are according to the separate steps, or phases, normally encountered when applying protocol security (with, e.g., IPsec, TLS, Kerberos, or SSH). Therefore, this section starts with a brief motivation for this separation.

Security protection of protocols is often separated into two steps. The first step provides primarily entity authentication and key establishment (which result in a persistent state often called a security association), whereas the second step provides message protection (some combination of data origin authentication, data integrity, confidentiality, and replay protection) using the previously established security association. The first step tends to be more expensive than the second, which is the main reason for the separation. If messages are transmitted infrequently, then these two steps may be collapsed into a single and usually rather costly one. One such example is e-mail protection via S/MIME. The two steps may be tightly bound into a single protocol, as in TLS, or defined in separate protocols, as with IKE and IPsec. We use this separation to cover the different threats in more detail.

3.1 Man-in-the-Middle Attacks

This section describes both (1) security threats that exist if two peers do not already share a security association or do not use security mechanisms at all, and (2) threats that are applicable when a security association is already established. Note also that a denial of service attack on a signaling protocol exists when no separation between SA establishment and signaling protection takes place. The discovery procedure, in particular, is vulnerable to a number of such attacks.
- Attacks during NSIS SA Establishment

While establishing a security association, an adversary fools the signaling message Initiator with respect to the entity to which it has to authenticate. The Initiator authenticates to the man-in-the-middle adversary, who is then able to modify signaling messages to mount DoS attacks or steal services that get billed to the Initiator. In addition, it may be able to terminate the Initiator's NSIS messages and inject messages to a peer itself, therefore acting as the peer to the Initiator and as the Initiator to the peer. This results in the Initiator wrongly believing that it is talking to the "real" network, whereas it is actually attached to an adversary.
For this attack to be successful, pre-conditions have to hold which are described in the following two cases:
- Missing Authentication

In the first case, this threat can be carried out because of missing authentication between neighboring peers: without authentication an NI, NR, or NF is unable to detect an adversary. However, in some practical cases authentication might be difficult to accomplish, either because the next peer is unknown, because of misbelieved trust relationships in parts of the network, or because of the inability to establish proper security protection (inter-domain signaling messages, dynamic establishment of a security association, etc.). If one of the communicating endpoints is unknown, then for some security mechanisms it is either impossible or impractical to apply appropriate security protection. Sometimes network administrators use intra-domain signaling messages without proper security. Such a configuration would then allow an adversary on a compromised non-NSIS-aware node to interfere with nodes running an NSIS signaling protocol. Note that this type of threat goes beyond those caused by malicious NSIS nodes (described in Section 4.7).
- Unilateral Authentication

In the case of unilateral authentication, the NSIS entity that does not authenticate its peer is unable to discover a man-in-the-middle adversary. Although mutual authentication of signaling messages should take place between each peer participating in the protocol operation, special attention is given here to first-peer communications. Unilateral authentication between an end host and the first peer (just authenticating the end host) is still common today, but it certainly opens up many possibilities for man-in-the-middle attackers impersonating either the end host or the (administrative domain represented by the) first peer.
Missing or unilateral authentication, as described above, is part of a general problem of network access with inadequate authentication, and it should not be considered something unique to the NSIS signaling protocol. Obviously, there is a strong need to correctly address this in a future NSIS protocol. The signaling protocols addressed by NSIS are different from other protocols, in which only two entities are involved. Note that first-peer authentication is especially important, because a security breach here could impact nodes beyond the entities directly involved (or even beyond a local network).
Finally it should be noted that the signaling protocol should be considered as a peer-to-peer protocol, whereby the roles of Initiator and Responder can be reversed at any time. Hence, unilateral authentication is not particularly useful for such a protocol. However, there might be a need to have some form of asymmetry in the authentication process, whereby one entity uses a different authentication mechanism than the other one. As an example, the combination of symmetric and asymmetric cryptography should be mentioned.
- Weak Authentication

In this case, the threat can be carried out because of weak authentication mechanisms whereby information transmitted during the NSIS SA establishment process may leak passwords or allow offline dictionary attacks. This threat is applicable to NSIS for the process of selecting certain security mechanisms.
3.2 Replay of Signaling Messages

This threat scenario covers the case in which an adversary eavesdrops and collects signaling messages and replays them at a later time (or at a different place, or uses parts of them at a different place or in a different way, e.g., cut-and-paste attacks). Without proper replay protection, an adversary might mount man-in-the-middle, denial of service, and theft of service attacks.

A more difficult attack that may cause problems even in case of replay protection requires the adversary to crash an NSIS-aware node, cause it to lose state information (sequence numbers, security associations, etc.), and then be able to replay old signaling messages. This attack takes advantage of re-synchronization deficiencies.
3.3 Injecting or Modifying Messages

This type of threat involves integrity violations, whereby an adversary modifies signaling messages (e.g., by acting as a man-in-the-middle) to cause unexpected network behavior. Possible actions an adversary might consider for its attack are reordering, delaying, dropping, injecting, truncating, and otherwise modifying messages.

An adversary may inject a signaling message requesting a large amount of resources (possibly using a different user's identity). Other resource requests may then be rejected. In combination with identity spoofing, it is also possible to carry out fraud. This attack is only feasible in the absence of authentication and signaling message protection.

Some threats directly related to these are described in Sections 4.4, 4.7, and 4.8.
3.4 Insecure Parameter Exchange and Negotiation

First, protocols may be useful in a variety of scenarios with different security requirements. Second, different users (e.g., a university, a hospital, a commercial enterprise, or a government ministry) have inherently different security requirements. Third, different parts of a network (e.g., within a building, across a public carrier's network, or over a private microwave link) may need different levels of protection. It is often difficult to meet these (sometimes conflicting) requirements with a single security mechanism or fixed set of security parameters, so often a selection of mechanisms and parameters is offered. Therefore, a protocol is required to agree on certain security mechanisms and parameters. An insecure parameter exchange or security negotiation protocol can help an adversary mount a downgrading attack to force selection of weaker mechanisms than mutually desired. Hence, without binding the negotiation process to the legitimate parties and protecting it, an NSIS protocol might be only as secure as the weakest mechanism provided (e.g., weak authentication), and the benefits of defining configuration parameters and a negotiation protocol are lost.
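To make the downgrading threat concrete, the following is an added Python example, not text or code from the draft. A toy mechanism negotiation is run once over an unprotected channel, where an on-path adversary strips the Initiator's offer down to the weakest mechanism and nobody notices, and once with each party computing an HMAC over its own view of the negotiation transcript under a key the adversary does not hold; the mechanism names, strength ranking and pre-shared key are constructed, and the shared-key HMAC stands in for the transcript binding that real protocols such as TLS perform during SA establishment.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed mechanism names and a strength ranking (higher is stronger).
MECHANISM_STRENGTH = {"mutual-cert": 3, "psk-hmac": 2, "plain-password": 1}

# Constructed inputs for the scenario below.
OFFER = ["mutual-cert", "psk-hmac", "plain-password"]   # Initiator, strongest first
SUPPORTED = {"mutual-cert", "psk-hmac", "plain-password"}  # Responder
SHARED_KEY = b"constructed-key-not-known-to-adversary"


@dataclass
class Negotiation:
    offered: list                           # what the Initiator actually proposed
    chosen: str                             # what the Responder selected
    transcript_mac: Optional[bytes] = None  # present only in the protected run


def responder_select(offered, supported):
    """Responder picks the strongest offered mechanism it supports."""
    for mech in sorted(offered, key=lambda m: MECHANISM_STRENGTH.get(m, 0), reverse=True):
        if mech in supported:
            return mech
    raise ValueError("no common mechanism")


def transcript(offered, chosen):
    """Canonical encoding of one party's view of the whole negotiation."""
    return ("|".join(offered) + "=>" + chosen).encode()


def strip_to_weakest(offer):
    """On-path adversary: forward only the weakest mechanism of the offer."""
    return [min(offer, key=lambda m: MECHANISM_STRENGTH.get(m, 0))]


def run_unprotected(initiator_offer, responder_supported, adversary=None):
    """Negotiation with no integrity protection on the exchanged parameters."""
    on_the_wire = list(initiator_offer)
    if adversary is not None:
        on_the_wire = adversary(on_the_wire)
    chosen = responder_select(on_the_wire, responder_supported)
    # The Initiator accepts whatever comes back; it cannot tell that the
    # Responder never saw the stronger mechanisms it offered.
    return Negotiation(offered=list(initiator_offer), chosen=chosen)


def run_protected(initiator_offer, responder_supported, shared_key, adversary=None):
    """Both parties MAC their own view of the transcript under a key the
    adversary does not hold (assumed pre-shared here).  Differing views are
    detected before the selected mechanism is ever used."""
    on_the_wire = list(initiator_offer)
    if adversary is not None:
        on_the_wire = adversary(on_the_wire)
    chosen = responder_select(on_the_wire, responder_supported)
    # Responder MACs what it received; Initiator MACs what it sent.
    responder_view = hmac.new(shared_key, transcript(on_the_wire, chosen), hashlib.sha256).digest()
    initiator_view = hmac.new(shared_key, transcript(initiator_offer, chosen), hashlib.sha256).digest()
    if not hmac.compare_digest(responder_view, initiator_view):
        raise RuntimeError("transcript mismatch: negotiation was tampered with")
    return Negotiation(offered=list(initiator_offer), chosen=chosen, transcript_mac=responder_view)


if __name__ == "__main__":
    print("unprotected, no adversary:", run_unprotected(OFFER, SUPPORTED).chosen)
    print("unprotected, downgraded:  ", run_unprotected(OFFER, SUPPORTED, strip_to_weakest).chosen)
    print("protected, no adversary:  ", run_protected(OFFER, SUPPORTED, SHARED_KEY).chosen)
    try:
        run_protected(OFFER, SUPPORTED, SHARED_KEY, strip_to_weakest)
    except RuntimeError as err:
        print("protected, downgraded:    ", err)
```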
4. NSIS-Specific Threat Scenarios

This section describes 11 threat scenarios in terms of attacks on and security deficiencies in the NSIS signaling protocol. A number of security deficiencies might enable an attack. Fraud is an example of an attack that might be enabled by missing replay protection, missing protection of authorization tokens, identity spoofing, missing authentication, and other deficiencies that help an adversary steal resources. Different threat scenarios based on deficiencies that could enable an attack are addressed in this section.

The threat scenarios are not independent. Some of them, e.g., denial of service, are well-established security terms and, as such, need to be addressed, but are often enabled by one or more deficiencies described under other scenarios.
4.1 NSIS SA Usage

Once a security association is established (and used) to protect signaling messages, many basic attacks are prevented. However, a malicious NSIS node is still able to perform various attacks as described in Section 4.7. Replay attacks may be possible when an NSIS node crashes, restarts, and performs state re-establishment. Proper re-synchronization of the security mechanism must therefore be provided to address this problem.
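The sequence-number replay check, and the re-synchronization gap that opens when a node crashes and loses that state (Sections 3.2 and 4.1), as an added Python example that is not part of the draft. The SA protects each message with an HMAC over an SA epoch, the sequence number and the payload (an assumed construction); a receiver that restarts by reloading its long-lived key with a reset counter accepts a recorded message, whereas one that agrees a fresh epoch with its peer during SA re-establishment rejects it.

```python
import hashlib
import hmac
import secrets
import struct


def mac(key, epoch, seq, payload):
    """Integrity tag binding the SA epoch, sequence number and payload."""
    msg = epoch + struct.pack(">I", seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class SignalingSa:
    """Receiver side of a signaling security association with anti-replay."""

    def __init__(self, key, epoch):
        self.key = key
        self.epoch = epoch        # fresh value agreed at (re)establishment
        self.highest_seq = -1     # volatile replay state; lost on a crash

    def accept(self, seq, payload, tag):
        """True if the message is authentic for this SA epoch and fresh."""
        if not hmac.compare_digest(tag, mac(self.key, self.epoch, seq, payload)):
            return False          # forged, or protected under another epoch
        if seq <= self.highest_seq:
            return False          # replayed or out of order
        self.highest_seq = seq
        return True


def scenario(rekey_on_restart):
    """Alice sends one protected refresh, Eve records it, the receiver crashes
    and restarts.  Returns (replay_accepted_before_crash,
    replay_accepted_after_restart)."""
    key = secrets.token_bytes(32)
    epoch = secrets.token_bytes(16)
    receiver = SignalingSa(key, epoch)

    # Constructed signaling message; the sender computes the tag.
    seq, payload = 7, b"REFRESH flow=constructed-flow-id bw=2Mbps"
    tag = mac(key, epoch, seq, payload)
    if not receiver.accept(seq, payload, tag):
        raise RuntimeError("legitimate message must be accepted")
    replay_before = receiver.accept(seq, payload, tag)   # same seq: rejected

    # Crash: highest_seq and everything else in memory is gone.
    if rekey_on_restart:
        # Re-synchronization: a new epoch is agreed with the peer during SA
        # re-establishment, so tags recorded under the old epoch fail to verify.
        receiver = SignalingSa(key, secrets.token_bytes(16))
    else:
        # Long-lived key reloaded from configuration, counter back at -1:
        # Eve's recorded message is indistinguishable from a fresh one.
        receiver = SignalingSa(key, epoch)
    replay_after = receiver.accept(seq, payload, tag)
    return replay_before, replay_after


if __name__ == "__main__":
    print("no re-synchronization:", scenario(rekey_on_restart=False))
    print("fresh epoch on restart:", scenario(rekey_on_restart=True))
```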
4.2 Combining Signaling and SA Establishment

This scenario describes attacks that allow an adversary to flood an NSIS node with bogus signaling messages to cause a denial of service attack.

When a signaling message arrives at an NSIS-aware network element, certain processing is required. If this message contains security objects such as digital signatures, and no security association is already available, then some additional processing is required for the cryptographic verification. Because NSIS signaling should not require extra roundtrips between two NSIS peers, it is difficult to provide the DoS protection mechanisms commonly found in authentication and key agreement protocols. Signaling messages can be idempotent, which means that they contain the same amount of information as the original message. An example would be a refresh message that is equivalent to a create message. This property allows a refresh message to create new state along a new path, although no previous state is available. For this to work, specific classes of cryptographic mechanisms supporting this behavior are needed. An example is a scheme based on digital signatures, which, however, should be used with care due to possible denial of service attacks. Problems with using these types of exchanges with public key based protection are described in [AN97] and in [ALN00].

In addition to the threat scenario described above, an incoming signaling message might require time consuming processing (computations, state maintenance, timer setting, etc.) and communication with third-party nodes such as policy servers, LDAP servers, etc. If an adversary is able to transmit a large number of signaling messages (for example, with QoS reservation requests) with invalid credentials, then the verifying node may not be able to process other reservation messages from legitimate users.

Further attacks may be enabled by injecting error messages or forcing the creation of error messages to extract additional information.
4.3 Eavesdropping and Traffic Analysis

This section covers threats whereby an adversary is able to eavesdrop on signaling messages. The signaling packets collected may allow traffic analysis or be used later to mount replay attacks, as described in Section 3.2. The eavesdropper might learn QoS parameters, communication patterns, policy rules for firewall traversal, policy information, application identifiers, user identities, NAT bindings, authorization objects, network configuration and performance information, and more.

An adversary's capability to eavesdrop on signaling messages might violate a user's preference for privacy, particularly if unprotected authentication or authorization information (including policies and profile information) is exchanged.

Note that this threat scenario is not mitigated by applying integrity protection to the messages, which is often considered sufficient for signaling protocols.

Because the NSIS protocol signals messages through a number of nodes, it is possible to differentiate between nodes actively participating in the NSIS protocol and others that do not actively participate in the NSIS protocol. For certain objects or messages it might be desirable to permit actively participating intermediate NSIS nodes to eavesdrop. On the other hand, it might be desirable that only the intended end points (NSIS Initiator and NSIS Responder) are able to read certain other objects.
4.4 Identity Spoofing

Identity spoofing relevant for NSIS occurs in two forms: first, identity spoofing can happen during the establishment of a security association based on a weak authentication mechanism and, second, it can consist of spoofing data traffic.
In the first case, Eve, acting as an adversary, may claim to be the registered user Alice by spoofing Alice's identity. Eve thereby causes the network to charge Alice for the network resources consumed. This type of attack is possible if authentication is based on a simple username identifier (i.e., in the absence of cryptographic authentication), or if authentication is provided for hosts, and multiple users have access to a single host. This attack could also be classified as theft of service.
In the second case, an adversary may be able to exploit the established flow identifiers (required for QoS and middlebox communication [Midcom] specific signaling protocols). Some identifiers, among others, IP addresses, transport protocol identifiers, port numbers, and flow labels (see [RFC1809] and [RC+03]), are transported in these protocols. Modification of these flow identifiers allows adversaries to exploit or to render ineffective quality of service reservations or policy rules at middleboxes. An adversary could mount an attack by modifying the flow identifier of a signaling message.

NSIS signaling messages contain some sort of flow identifier, which is associated with a specified behavior (e.g., a particular flow experiences QoS treatment or allows packets to traverse a firewall). An adversary might, therefore, use IP spoofing and inject data packets to benefit from previously installed flow identifiers.
The following threat is carried out by spoofing the identity of transmitted data traffic. The spoofed identity is the IP source address. For this attack to be successful, accounting records are collected based on the IP source address and not on an IPsec SPI. After the network receives a properly protected reservation request, transmitted by the legitimate user Alice, Traffic Selectors are installed at the corresponding devices (for example, the edge router). These Traffic Selectors are used for flow identification and allow data traffic originated from a given source address to be matched and assigned to a particular QoS reservation. The adversary Eve now spoofs the IP address of Alice. In addition, Alice's host may be crashed by the adversary with a denial of service attack or may lose connectivity, for example, because of mobility considerations. If both nodes are located at the same link and use the same IP address, then obviously a duplicate IP address will be detected. Assuming that only Eve is now present at the link, she is able to receive and transmit data (for example RTP data traffic) that receives preferential QoS treatment based on the previous reservation. Depending on the installed Traffic Selector granularity, Eve might have more possibilities to exploit the QoS reservation or a pin-holed firewall. Assuming the soft state paradigm, whereby periodic refresh messages are required, the absence of Alice will not be detected until the next signaling message appears and forces Eve to respond with a protected signaling message. Again, this attack is applicable not just to QoS traffic, but the existence of a QoS reservation increases its impact, because this type of traffic is more expensive. The same attack is also applicable to a Middlebox protocol.
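The precondition the draft states for this attack, accounting keyed on the IP source address rather than on the SPI of the protecting SA, as an added Python example with a constructed scenario (not from the draft): the same edge router is run once billing whichever reservation's Traffic Selector the source address matches, and once billing only data packets that carry the reservation's SPI and verify under its key; packets sent from Alice's address after she has left the link are charged to Alice only in the first case. The addresses, SPI and key are constructed.

```python
import hashlib
import hmac
from collections import Counter

# Constructed values for the scenario; none of them come from the draft.
ALICE_IP = "192.0.2.10"
ALICE_SA = {"spi": 0x1001, "key": b"constructed-alice-sa-key"}


def data_tag(sa, payload):
    """Per-packet integrity tag under the SA key (stands in for IPsec)."""
    return hmac.new(sa["key"], payload, hashlib.sha256).digest()[:8]


class EdgeRouter:
    """Installs a Traffic Selector for a protected reservation and accounts
    for the data traffic that receives preferential treatment under it."""

    def __init__(self, account_by):
        if account_by not in ("source_ip", "spi"):
            raise ValueError("account_by must be 'source_ip' or 'spi'")
        self.account_by = account_by
        self.selectors = {}        # src_ip -> reservation owner
        self.sas = {}              # spi -> (owner, sa)
        self.charges = Counter()   # owner -> bytes billed with QoS

    def install_reservation(self, owner, src_ip, sa):
        """State installed after a properly protected reservation request."""
        self.selectors[src_ip] = owner
        self.sas[sa["spi"]] = (owner, sa)

    def forward(self, src_ip, payload, spi=None, tag=None):
        """Return the owner charged (and given QoS), or None for best effort."""
        if self.account_by == "source_ip":
            # Weak binding: any packet from the selector's address matches.
            owner = self.selectors.get(src_ip)
        else:
            # Strong binding: the packet must belong to the reservation's SA.
            entry = self.sas.get(spi)
            if entry is None:
                return None
            owner, sa = entry
            if tag is None or not hmac.compare_digest(tag, data_tag(sa, payload)):
                return None
        if owner is not None:
            self.charges[owner] += len(payload)
        return owner


def scenario(account_by):
    """Alice sends one packet, leaves the link, then Eve sends one packet
    from Alice's address without Alice's key.  Returns (owner charged for
    Eve's packet, total bytes billed to Alice)."""
    router = EdgeRouter(account_by)
    router.install_reservation("alice", ALICE_IP, ALICE_SA)

    alice_pkt = b"RTP payload from alice"
    charged = router.forward(ALICE_IP, alice_pkt, ALICE_SA["spi"], data_tag(ALICE_SA, alice_pkt))
    if charged != "alice":
        raise RuntimeError("legitimate traffic must match the reservation")

    # Eve now holds Alice's address but not the SA key; she reuses the SPI
    # she observed and attaches a tag she cannot compute correctly.
    eve_pkt = b"RTP payload from eve"
    charged_for_eve = router.forward(ALICE_IP, eve_pkt, ALICE_SA["spi"], b"\x00" * 8)
    return charged_for_eve, router.charges["alice"]


if __name__ == "__main__":
    print("accounting by source IP:", scenario("source_ip"))
    print("accounting by SPI + tag:", scenario("spi"))
```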
The ability for an adversary to inject data traffic that matches a certain flow identifier established by a legitimate user often requires the ability also to receive the data traffic. This is, however, true only if the flow identifier consists of values that contain addresses used for routing. If we imagine using attributes of a flow identifier that do not require such a property, then identity spoofing and injecting traffic are much easier. An adversary can use a nearly arbitrary endpoint identifier to achieve the desired result. Obviously, though, the endpoint identifiers are not irrelevant, because the messages have to travel the same path through the network.

Data traffic marking based on DiffServ is such an example. Whenever an ingress router uses only marked incoming data traffic for admission control procedures, then various attacks are possible. These problems have been known in the DiffServ community for a long time and have been documented in various DiffServ-related documents. The IPsec protection of DiffServ Code Points is described in Section 6.2 of [RFC2745]. Related security issues (for example denial of service attacks) are described in Section 6.1 of the same document.
4.5 Unprotected Authorization Information

Authorization is an important criterion for providing resources such as QoS reservations, NAT bindings, and pin-holes through firewalls. Authorization information might be delivered to the NSIS participating entities in a number of ways.

Typically the authenticated identifier is used to assist during the authorization procedure as, e.g., described in [RFC3812]. Depending on the chosen authentication protocol, certain threats may exist. Section 3 discusses a number of issues related to this approach when the authentication and key exchange protocol is used to establish session keys for signaling message protection.

Another approach is to use some sort of authorization token. The functionality and structure of such an authorization token for RSVP is described in [RFC3520] and [RFC3521].

Achieving secure interaction between different protocols based on authorization tokens, however, requires some care. By using such an authorization token it is possible to link state information between different protocols. Returning an unprotected authorization token to the end host might allow an adversary (for example an eavesdropper) to steal resources. An adversary might also use the token to monitor communication patterns. Finally, an untrustworthy end host might also modify the token content.

The Session/Reservation Ownership problem can also be regarded as an authorization problem. Details are described in Section 4.10. In enterprise networks, authorization is often coupled with membership in a particular class of users or groups. This type of information either can be delivered as part of the authentication and key agreement procedure or has to be retrieved via separate protocols from other entities. If an adversary manages to modify information relevant for determining authorization or the outcome of the authorization process itself, then theft of service might be possible.
4.6 Missing Non-Repudiation

Repudiation in this context refers to a problem where one party later denies having taken a certain action (such as requesting a QoS reservation). Problems stemming from a lack of non-repudiation appear in two forms:

On the one hand, from a service provider's point-of-view, the following threat may be worth investigation. A user may deny having issued a reservation request for which it was charged. The service provider may then want to be able to prove that a particular user issued the reservation request in question.

On the other hand, the same threat can be interpreted from a user's point-of-view. A service provider may claim to have received a number of reservation requests. The user in question thinks that it never issued those requests and wants to see a proof of correct service usage for a given set of QoS parameters.

In today's telecommunication networks, non-repudiation is not provided. The user has to trust the network operator to meter the traffic correctly, collect and merge accounting data, and ensure that no unforeseen problems occur. If a signaling protocol with the non-repudiation property is desired for establishing QoS reservations for authorized resources, this impacts the protocol design.

Non-repudiation poses additional requirements on the security mechanisms, because public-key cryptography is needed to provide it. Because this would normally increase the overall cost for security, threats related to missing non-repudiation are only considered relevant in certain specific cases (e.g., specific authorization mechanisms) and not for general NSIS signaling.
4.7 Malicious NSIS Entity

Network elements within a domain (intra-domain) experience a different trust relationship with regard to the security protection of signaling messages compared with edge NSIS entities. It is assumed that edge NSIS entities are responsible for performing cryptographic processing (authentication, integrity and replay protection, authorization, and accounting) for signaling messages arriving from the outside. This prevents unprotected signaling messages from appearing within the internal network. If, however, an adversary manages to take over an edge router, then the security of the entire network is compromised. An adversary is then able to launch a number of attacks including denial of service; integrity violations; replay, reordering, and deletion of data packets; and various others. A rogue firewall can harm other firewalls by modifying policy rules. The chain-of-trust principle applied in peer-to-peer security protection cannot protect against a malicious NSIS node. An adversary with access to an NSIS router is also able to get access to security associations and transmit secured signaling messages. Note that even non-peer-to-peer security protection might not be able to prevent this problem fully. Because an NSIS node might issue signaling messages on behalf of someone else (by acting as a proxy), additional problems need to be considered.

An NSIS-aware edge router is a critical component that requires strong security protection. A strong security policy applied at the edge does not imply that other routers within an intra-domain network do not need to verify signaling messages cryptographically. If the chain-of-trust principle is deployed, then the security protection of the entire path (in this case within the network of a single administrative domain) is as strong as the weakest link. In the case under consideration, the edge router is the most critical component of this network, and it may also act as a security gateway or firewall for incoming and outgoing traffic. For outgoing traffic this device has to implement the security policy of the local domain and apply the appropriate security protection.

For an adversary to mount this attack, either an existing NSIS-aware node along the path has to be attacked successfully, or an adversary must succeed in convincing another NSIS node to be the next NSIS peer (man-in-the-middle attack).
4.8 Denial of Service Attacks

A number of denial of service (DoS) attacks can cause NSIS nodes to malfunction. Other attacks that could lead to DoS, such as man-in-the-middle attacks, replay attacks, injection or modification of signaling messages, etc., are mentioned throughout this document.

- Path Finding

This threat scenario includes potential DoS attacks that exist when the reservation setup is split into two phases, i.e., path and reservation (as used, for example, in receiver-based reservation setup). In this case, assuming that the node transmitting the path message is not charged for the path message itself, it may be able to generate a large number of reservation requests (possibly in a distributed fashion). Charging is activated only after successful verification of the reservation request. The reservations are, however, never intended to be successful for various reasons: the destination node cannot be reached; it is not responding; or it simply rejects the reservation. An adversary can succeed because state has already been allocated along the path for various processing tasks including path pinning.

- Discovery Phase

Conveying signaling information to a large number of entities along a data path requires some sort of discovery. This discovery process is vulnerable to a number of attacks, because it is difficult to secure. An adversary can use the discovery mechanisms to convince one entity to signal information to another entity not along the data path or to cause the discovery process to fail. In the first case, the signaling protocol could appear to continue correctly, except that policy rules are installed at the incorrect firewalls or QoS resource reservations take place at the wrong entities. For an end host, this means that the protocol failed for unknown reasons.

- Faked Error or Response Messages
An adversary may be able to inject false error or response messages as part of a DoS attack. This could be either at the signaling message protocol layer (NTLP), at the layer of each client layer protocol (NSLP: QoS, Midcom, etc.), or at the transport protocol layer. An adversary might cause unexpected protocol behavior or might succeed with a DoS attack. The discovery protocol, especially, exhibits vulnerabilities with regard to this threat scenario (see the above discussion on discovery). In the case in which no separate discovery protocol is used and signaling messages are addressed to end hosts only (with a Router Alert Option so that NSIS-aware nodes intercept the messages), an error message might be used to indicate a path change. Such a design combines a discovery protocol together with a signaling message exchange protocol.
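The Path Finding scenario above (uncharged path messages allocating state before any reservation is verified) as a simulation. This is an added example, not text or code from the draft; the per-peer pending quota, the soft-state expiry timer and the table limit are assumptions made here to show how a router can bound the cost of unconfirmed path state, not mechanisms the draft specifies.

```python
"""Simulated on-path router for a two-phase (path, then reserve) setup.

Added example, not part of the draft.  The quota, timeout and table limit
below are assumptions of this example.
"""

from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class PathState:
    sid: str
    upstream_peer: str       # previous hop the path message arrived from
    installed_at: float      # simulated clock value at installation
    confirmed: bool = False  # set once the reservation phase succeeds


class OnPathRouter:
    def __init__(self, max_pending_per_peer: Optional[int] = None,
                 pending_timeout: float = 30.0, table_limit: int = 10_000) -> None:
        self.max_pending_per_peer = max_pending_per_peer  # None = no quota
        self.pending_timeout = pending_timeout
        self.table_limit = table_limit
        self.table: Dict[str, PathState] = {}

    def pending_from(self, peer: str) -> int:
        return sum(1 for s in self.table.values()
                   if s.upstream_peer == peer and not s.confirmed)

    def on_path(self, sid: str, upstream_peer: str, now: float) -> bool:
        """Path phase: state is allocated here before anyone is charged."""
        if len(self.table) >= self.table_limit:
            return False   # table full: legitimate setups now fail as well
        if (self.max_pending_per_peer is not None
                and self.pending_from(upstream_peer) >= self.max_pending_per_peer):
            return False   # quota: one peer cannot fill the table with unconfirmed state
        self.table[sid] = PathState(sid, upstream_peer, now)
        return True

    def on_reserve(self, sid: str) -> bool:
        """Reservation phase: only here would verification and charging happen."""
        st = self.table.get(sid)
        if st is None:
            return False
        st.confirmed = True
        return True

    def expire(self, now: float) -> int:
        """Soft-state cleanup: drop unconfirmed entries older than the timeout."""
        stale = [sid for sid, s in self.table.items()
                 if not s.confirmed and now - s.installed_at > self.pending_timeout]
        for sid in stale:
            del self.table[sid]
        return len(stale)


def simulate(max_pending_per_peer: Optional[int]) -> Dict[str, object]:
    """Constructed scenario: 150 path messages from one peer whose reservations
    never complete, followed by one legitimate setup from another peer."""
    router = OnPathRouter(max_pending_per_peer, pending_timeout=30.0, table_limit=100)
    accepted_flood = 0
    for i in range(150):
        if router.on_path(f"flood-{i}", "peer-A", now=0.0):
            accepted_flood += 1
    legit_ok = router.on_path("legit-1", "peer-B", now=1.0) and router.on_reserve("legit-1")
    expired = router.expire(now=60.0)          # nothing from peer-A was ever reserved
    return {"accepted_flood": accepted_flood, "legit_ok": legit_ok,
            "expired": expired, "remaining": len(router.table)}


if __name__ == "__main__":
    print("no quota :", simulate(None))   # legit setup fails, table was full
    print("quota 20 :", simulate(20))     # legit setup succeeds
```

A per-peer quota does not help once the flood is distributed over many upstream peers, as the draft notes is possible; in that case only the expiry timer bounds how long the unconfirmed state costs the router.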
4.9 Disclosing the Network Topology

In some organizations or enterprises there is a desire not to reveal internal network structure (or other related information) outside of a closed community. An adversary might be able to use NSIS messages for network mapping (e.g., discovering which nodes exist, which use NSIS, what version, what resources are allocated, what capabilities nodes along a path have, etc.). Discovery messages, traceroute, diagnostic messages (see [RFC2745] for a description of diagnostic message functionality for RSVP), and query messages, in addition to record route and route objects, provide potential assistance to an adversary. Hence, the requirement of not disclosing a network topology might conflict with other requirements to provide means for automatically discovering NSIS-aware nodes or to provide diagnostic facilities (used for network monitoring and administration).
4.10 Unprotected Session or Reservation Ownership

Figure 3 shows an NSIS Initiator that has established state information at NSIS nodes along a path as part of the signaling procedure. As a result, Access Router 1, Router 3, and Router 4 (and other nodes) have stored session state information including the Session Identifier SID-x.

                          Session ID(SID-x)
                                           +--------+
                         +-----------------+ Router +------------>
        Session ID(SID-x)|                 |   4    |
                     +---+----+            +--------+
                     | Router |
              +------+   3    +*******
              |      +---+----+      *
              |                      *
          +---+----+             +---+----+
          | Access |             | Access |
          | Router |             | Router |
          |   1    |             |   2    |
          +---+----+             +---+----+
              |                      *
              | Session ID(SID-x)    * Session ID(SID-x)
         +----+------+          +----+------+
         |   NSIS    |          | Adversary |
         | Initiator |          |           |
         +-----------+          +-----------+

             Figure 3: Session or Reservation Ownership

The Session Identifier is included in signaling messages to refer to the established state.

If an adversary were able to obtain the Session Identifier, for example by eavesdropping on signaling messages, it would be able to add the same Session Identifier SID-x to a new signaling message. When the new signaling message hits Router 3 (as shown in Figure 3), existing state information can be modified. The adversary can then modify or delete the established reservation and cause unexpected behavior for the legitimate user.

The source of the problem is that Router 3 (a cross-over router) is unable to decide whether the new signaling message was initiated from the owner of the session or reservation.

In addition, nodes other than the initial signaling message originator are allowed to signal information during the lifetime of an established session. As part of the protocol, any NSIS-aware node along the path (and the path might change over time) could initiate a signaling message exchange. It might, for example, be necessary to provide mobility support or to trigger a local repair procedure. If only the initial signaling message originator were allowed to trigger signaling message exchanges, some protocol behavior would not be possible.

If this threat scenario is not addressed, an adversary can launch DoS, theft of service, and various other attacks.
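The cross-over router problem of Figure 3 as a simulation: Router 3 first accepts any message naming a stored SID, then requires a proof that the sender owns the session. This is an added example, not code from the draft; the ownership proof used here (an HMAC over the message under a per-session key shared at setup, with a sequence number against replay) is an assumption of this example, not a mechanism the draft specifies.

```python
"""Simulated cross-over router (Router 3 of Figure 3) holding per-session
state keyed by the Session Identifier.

Added example, not part of the draft.  The HMAC-based ownership proof and
the per-session key are assumptions of this example.
"""

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Reservation:
    sid: str
    bandwidth_kbps: int
    owner_key: Optional[bytes]  # None when the router keeps no ownership binding
    last_seq: int = 0           # highest sequence number accepted so far


def authenticator(key: bytes, sid: str, seq: int, bandwidth_kbps: int) -> bytes:
    """Ownership proof over the fields that drive the state change.
    The sequence number is covered so a captured proof cannot be replayed."""
    msg = f"{sid}|{seq}|{bandwidth_kbps}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class CrossOverRouter:
    """Any signaling message naming a stored SID reaches this node, whoever
    sent it; with require_ownership_proof=False that is all it checks."""

    def __init__(self, require_ownership_proof: bool) -> None:
        self.require_proof = require_ownership_proof
        self.state: Dict[str, Reservation] = {}

    def setup(self, sid: str, bandwidth_kbps: int, owner_key: bytes) -> None:
        # The key is only remembered when ownership checks are enabled.
        key = owner_key if self.require_proof else None
        self.state[sid] = Reservation(sid, bandwidth_kbps, key)

    def modify(self, sid: str, seq: int, bandwidth_kbps: int,
               proof: Optional[bytes] = None) -> bool:
        """Process a signaling message that references existing state.
        Returns True if the state was changed."""
        res = self.state.get(sid)
        if res is None:
            return False                 # unknown session: nothing to modify
        if self.require_proof:
            if seq <= res.last_seq:
                return False             # stale or replayed message
            expected = authenticator(res.owner_key, sid, seq, bandwidth_kbps)
            if proof is None or not hmac.compare_digest(expected, proof):
                return False             # sender cannot prove ownership of SID-x
            res.last_seq = seq
        res.bandwidth_kbps = bandwidth_kbps
        return True


def run_unprotected() -> bool:
    """Threat as described: knowing SID-x is enough to alter the reservation."""
    router = CrossOverRouter(require_ownership_proof=False)
    router.setup("SID-x", 2000, secrets.token_bytes(32))
    # The adversary learned SID-x by eavesdropping and holds no key.
    return router.modify("SID-x", seq=1, bandwidth_kbps=0)


def run_protected() -> Tuple[bool, bool, bool]:
    """With ownership binding: owner succeeds, adversary fails, replay fails."""
    router = CrossOverRouter(require_ownership_proof=True)
    owner_key = secrets.token_bytes(32)
    router.setup("SID-x", 2000, owner_key)

    owner_proof = authenticator(owner_key, "SID-x", 1, 3000)
    owner_ok = router.modify("SID-x", 1, 3000, owner_proof)

    # Adversary reuses SID-x with a proof computed under a guessed key.
    forged = authenticator(b"guess", "SID-x", 2, 0)
    adversary_ok = router.modify("SID-x", 2, 0, forged)

    # Adversary resends the owner's captured message unchanged.
    replay_ok = router.modify("SID-x", 1, 3000, owner_proof)
    return owner_ok, adversary_ok, replay_ok


if __name__ == "__main__":
    print("unprotected, adversary modified state:", run_unprotected())
    print("protected (owner, adversary, replay):", run_protected())
```

Binding the state to the initiator's key alone also rules out the legitimate signaling by other on-path nodes (mobility support, local repair) that this section says the protocol must allow, so a real design has to extend the ownership notion to those nodes rather than stop at this check.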
4.11 Attacks against the Transport Mechanism

In [BL01] a two-level architecture is proposed, which suggests splitting an NSIS protocol into layers: a signaling message transport-specific layer and an application-specific layer. This architectural assumption is also considered within the NSIS framework [HF+03]. Most of the threats described in this document are applicable to the application-specific part (i.e., signaling QoS or middlebox-specific information). There are, however, some threats that are applicable to the transport of signaling messages.

Network or transport layer protocols lacking protection mechanisms are vulnerable to certain attacks such as header manipulation, DoS, spoofing of identities, session hijacking, unexpected aborts, etc. Malicious nodes can attack the congestion control mechanism to force NSIS nodes into a congestion avoidance state.

In the case in which existing protocols are used for exchanging NSIS signaling messages, known threat scenarios applicable to these protocols are relevant.
5. Security Considerations

This entire memo discusses security issues relevant for NSIS protocol design. It begins by identifying the components of a network running NSIS (Initiator, Responder, and different Administrative Domains between them). It then considers five cases in which communications take place between these components, and it examines the trust relationships presumed to exist in each case: First-Peer Communications, End-to-Middle Communications, Intra-Domain Communications, Inter-Domain Communications, and End-to-End Communications. This analysis helps determine the security needs and the relative seriousness of different threats in the different cases.

The document points out the need for different protocol security measures: authentication, key exchange, message integrity, replay protection, confidentiality, authorization, and some precautions against denial of service. The threats are subdivided into generic ones (e.g., man-in-the-middle attacks, replay attacks, tampering and forgery, and attacks on security negotiation protocols) and 11 threat scenarios particularly applicable to the NSIS protocol. Denial of service, for example, is covered in the NSIS-specific section, not because it cannot be carried out against other protocols, but because the methods used to carry out denial of service attacks tend to be protocol specific. Numerous illustrative examples provide insight into what can happen if these threats are not mitigated.

This document points out repeatedly that not all of the threats are equally serious in every context. It does attempt to identify the scenarios in which security failures may have the highest impact. However, it is difficult for the protocol designer to foresee all the ways in which NSIS protocols will be used or to anticipate the security concerns of a wide variety of likely users. Therefore, the protocol designer needs to offer a full range of security capabilities and ways for users to negotiate and select what they need, case by case. To counter these threats, security requirements have been listed in [Brun03]. Topics relevant to the NSIS Framework have been incorporated into [HF+03].
6. Normative References

[Brun03] M. Brunner, "Requirements for QoS signaling protocols," Internet Draft, Internet Engineering Task Force, August 2003. Work in progress.

7. Informative References

[HF+03] R. Hancock, I. Freytsis, G. Karagiannis, J. Loughney, and S.

[RC+03] J. Rajahalme, A. Conta, B. Carpenter, and S. Deering, "IPv6 Flow Label Specification," Internet Draft, Internet Engineering Task Force, April 2003. Work in progress.

[BL01] B. Braden and B. Lindell, "A two-level architecture for internet signaling," Internet Draft, Internet Engineering Task Force, Nov. 2001. (Expired).

[AN97] T. Aura and P. Nikander, "Stateless Connections," In Proceedings of the International Conference on Information and Communications Security (ICICS'97), Lecture Notes in Computer Science 1334, Springer, 1997.

[ALN00] T. Aura, J. Leiwo, and P. Nikander, "Towards Network Denial of Service Resistant Protocols," In Proceedings of the 15th International Information Security Conference (IFIP/SEC 2000), Beijing, China, August 2000.
Author's Addresses Author's Addresses
Hannes Tschofenig Hannes Tschofenig
Siemens AG Siemens AG
Corporate Technology Corporate Technology
CT IC 3 CT IC 3
Otto-Hahn-Ring 6 Otto-Hahn-Ring 6
81739 Munich 81739 Munich
Germany Germany
EMail: Hannes.Tschofenig@siemens.com EMail: Hannes.Tschofenig@siemens.com
Dirk Kroeselberg Dirk Kroeselberg
Siemens AG Siemens AG
Otto-Hahn-Ring 6 Otto-Hahn-Ring 6
81739 Munich 81739 Munich
Germany Germany
EMail: Dirk.Kroeselberg@siemens.com EMail: Dirk.Kroeselberg@siemens.com
Appendix A. Contributors
We especially thank Richard Graveman, who provided text for the
security considerations section, besides a detailed review of the
document.
Appendix B. Acknowledgments
We would like to thank (in alphabetical order) Marcus Brunner, Jorge
Cuellar, Mehmet Ersue, Xiaoming Fu, and Robert Hancock for their
comments on an initial version of this draft. Jorge and Robert gave
us an extensive list of comments and provided information on
additional threats.
Jukka Manner, Martin Buechli, Roland Bless, Marcus Brunner, Michael
Thomas, Cedric Aoun, John Loughney, Rene Soltwisch, Cornelia
Kappler, and Mohan Parthasarathy provided comments on a recent
version of this draft. Their input helped improve the content of
this document. Roland Bless, Michael Thomas, and Cornelia Kappler,
in particular, provided good proposals for regrouping and
restructuring the material.
A final review was given by Michael Richardson. We thank him for the
detailed comments.
Full Copyright Statement Full Copyright Statement
Copyright (C) The Internet Society (2003). All Rights Reserved. Copyright (C) The Internet Society (2003). All Rights Reserved.
This document and translations of it may be copied and furnished to This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this are included on all such copies and derivative works. However, this
 End of changes. 

This html diff was produced by rfcdiff 1.23, available from http://www.levkowetz.com/ietf/tools/rfcdiff/