draft-ietf-rserpool-threats-12.txt   draft-ietf-rserpool-threats-13.txt 
Network Working Group M. Stillman, Ed. Network Working Group M. Stillman, Ed.
Internet-Draft Nokia Internet-Draft Nokia
Intended status: Informational R. Gopal Intended status: Informational R. Gopal
Expires: November 7, 2008 Nokia Siemens Networks Expires: December 12, 2008 Nokia Siemens Networks
E. Guttman E. Guttman
Sun Microsystems Sun Microsystems
M. Holdrege M. Holdrege
Strix Systems Strix Systems
S. Sengodan S. Sengodan
Nokia Siemans Networks Nokia Siemans Networks
May 6, 2008 June 10, 2008
Threats Introduced by RSerPool and Requirements for Security in Response Threats Introduced by RSerPool and Requirements for Security in Response
to Threats to Threats
draft-ietf-rserpool-threats-12.txt draft-ietf-rserpool-threats-13.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
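Review bot: the affiliation on the Sengodan line still reads "Nokia Siemans Networks" in both columns, while the Gopal line reads "Nokia Siemens Networks"; since this revision already touches the front page (draft name, expiry and submission dates), the spelling should be corrected in the same pass. The new expiry of December 12, 2008 is consistent with the June 10, 2008 submission date.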
skipping to change at page 1, line 42 skipping to change at page 1, line 42
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on November 7, 2008. This Internet-Draft will expire on December 12, 2008.
Abstract Abstract
RSerPool is an architecture and set of protocols for the management RSerPool is an architecture and set of protocols for the management
and access to server pools supporting highly reliable applications and access to server pools supporting highly reliable applications
and for client access mechanisms to a server pool. This Internet and for client access mechanisms to a server pool. This Internet
draft describes security threats to the RSerPool architecture and draft describes security threats to the RSerPool architecture and
presents requirements for security to thwart these threats. presents requirements for security to thwart these threats.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Definitions . . . . . . . . . . . . . . . . . . . . . . . 3
1.2. Conventions . . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Conventions . . . . . . . . . . . . . . . . . . . . . . . 4
2. Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Threats . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. PE Registration/Deregistration flooding -- 2.1. PE Registration/Deregistration flooding --
non-existent PE . . . . . . . . . . . . . . . . . . . . . 4 non-existent PE . . . . . . . . . . . . . . . . . . . . . 4
2.2. PE Registration/Deregistration flooding -- 2.2. PE Registration/Deregistration flooding --
unauthorized PE . . . . . . . . . . . . . . . . . . . . . 5 unauthorized PE . . . . . . . . . . . . . . . . . . . . . 5
2.3. PE Registration/Deregistration spoofing . . . . . . . . . 5 2.3. PE Registration/Deregistration spoofing . . . . . . . . . 6
2.4. PE Registration/Deregistration unauthorized . . . . . . . 6 2.4. PE Registration/Deregistration unauthorized . . . . . . . 6
2.5. Malicious ENRP server joins the group of legitimate 2.5. Malicious ENRP server joins the group of legitimate
ENRP servers . . . . . . . . . . . . . . . . . . . . . . . 6 ENRP servers . . . . . . . . . . . . . . . . . . . . . . . 7
2.6. Registration/deregistration with malicious ENRP server . . 7 2.6. Registration/deregistration with malicious ENRP server . . 7
2.7. Malicious ENRP Handlespace Resolution . . . . . . . . . . 7 2.7. Malicious ENRP Handlespace Resolution . . . . . . . . . . 7
2.8. Malicious node performs a replay attack . . . . . . . . . 8 2.8. Malicious node performs a replay attack . . . . . . . . . 8
2.9. Re-establishing PU-PE security during failover . . . . . . 8 2.9. Re-establishing PU-PE security during failover . . . . . . 8
2.10. Integrity . . . . . . . . . . . . . . . . . . . . . . . . 9 2.10. Integrity . . . . . . . . . . . . . . . . . . . . . . . . 9
2.11. Data Confidentiality . . . . . . . . . . . . . . . . . . . 9 2.11. Data Confidentiality . . . . . . . . . . . . . . . . . . . 9
2.12. ENRP Server Discovery . . . . . . . . . . . . . . . . . . 10 2.12. ENRP Server Discovery . . . . . . . . . . . . . . . . . . 10
2.13. Flood of endpoint unreachable messages from the PU to 2.13. Flood of endpoint unreachable messages from the PU to
the ENRP server . . . . . . . . . . . . . . . . . . . . . 11 the ENRP server . . . . . . . . . . . . . . . . . . . . . 11
2.14. Flood of endpoint keep alive messages from the ENRP 2.14. Flood of endpoint keep alive messages from the ENRP
server to a PE . . . . . . . . . . . . . . . . . . . . . . 11 server to a PE . . . . . . . . . . . . . . . . . . . . . . 11
2.15. Security of the ENRP database . . . . . . . . . . . . . . 12 2.15. Security of the ENRP database . . . . . . . . . . . . . . 12
2.16. Cookie mechanism security . . . . . . . . . . . . . . . . 12 2.16. Cookie mechanism security . . . . . . . . . . . . . . . . 13
3. Security Considerations . . . . . . . . . . . . . . . . . . . 13 3. Security Considerations . . . . . . . . . . . . . . . . . . . 13
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
5. Normative References . . . . . . . . . . . . . . . . . . . . . 15 5. Normative References . . . . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16
Intellectual Property and Copyright Statements . . . . . . . . . . 18 Intellectual Property and Copyright Statements . . . . . . . . . . 18
1. Introduction 1. Introduction
The RSerPool architecture[I-D.ietf-rserpool-overview] supports high- The RSerPool architecture[I-D.ietf-rserpool-overview] supports high-
availability and load balancing by enabling a pool user to identify availability and load balancing by enabling a pool user to identify
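Review bot: style point in the abstract: "This Internet draft describes" should read "This Internet-Draft describes", matching the form used in the Status of this Memo section. The page shifts in the table of contents for 2.3, 2.5 and 2.16 are consistent with the lines added to 2.1.3.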
skipping to change at page 5, line 16 skipping to change at page 5, line 16
The malicious node will corrupt the pool registrar database and/or The malicious node will corrupt the pool registrar database and/or
disable the RSerPool discovery and database function. This disable the RSerPool discovery and database function. This
represents a denial of service attack as the PU would potentially get represents a denial of service attack as the PU would potentially get
an IP address of a non-existent PE in response to an ENRP query. an IP address of a non-existent PE in response to an ENRP query.
2.1.3. Requirement 2.1.3. Requirement
An ENRP server that receives a registration/deregistration MUST NOT An ENRP server that receives a registration/deregistration MUST NOT
create or update state information until it has authenticated the PE. create or update state information until it has authenticated the PE.
TLS is used as the authentication mechanism. TLS is used as the authentication mechanism. The RECOMMENDED
authorization model is that all rserpool components in one pool are
assigned to a dedicated CA. The network administrators of a pool
need to decide which nodes are authorized to participate in the pool.
2.2. PE Registration/Deregistration flooding -- unauthorized PE 2.2. PE Registration/Deregistration flooding -- unauthorized PE
2.2.1. Threat 2.2.1. Threat
A malicious node or PE could send a stream of registrations/ A malicious node or PE could send a stream of registrations/
deregistrations that are unauthorized to register/deregister - to deregistrations that are unauthorized to register/deregister - to
ENRP servers at a very rapid rate and thereby create unnecessary ENRP servers at a very rapid rate and thereby create unnecessary
state in an ENRP server. state in an ENRP server.
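Review bot: the text added to 2.1.3 needs a citation and tighter terms. "TLS is used as the authentication mechanism" should cite [RFC4346], which is already in the normative references; "rserpool components" should be "RSerPool components" as written elsewhere in the draft; and "CA" should be expanded on first use (certificate authority). The closing sentence, "The network administrators of a pool need to decide which nodes are authorized to participate in the pool", sits between a MUST NOT and a RECOMMENDED but carries no RFC 2119 key word, so it is unclear whether it is normative; either phrase it as an explicit SHOULD or mark it as operational guidance. Finally, the MUST NOT covers state created after a registration arrives, but the authentication step is itself work the server performs for an unknown peer; the requirement would be clearer if it said whether the flooding threat described in 2.1.2 is considered to cover the TLS handshake as well, and if so, what the server is expected to bound there.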
skipping to change at page 15, line 40 skipping to change at page 15, line 40
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.1", RFC 4346, April 2006. (TLS) Protocol Version 1.1", RFC 4346, April 2006.
[I-D.ietf-rserpool-asap] [I-D.ietf-rserpool-asap]
Stewart, R., Xie, Q., Stillman, M., and M. Tuexen, Stewart, R., Xie, Q., Stillman, M., and M. Tuexen,
"Aggregate Server Access Protocol (ASAP)", "Aggregate Server Access Protocol (ASAP)",
draft-ietf-rserpool-asap-19 (work in progress), draft-ietf-rserpool-asap-20 (work in progress), May 2008.
March 2008.
[I-D.ietf-rserpool-enrp] [I-D.ietf-rserpool-enrp]
Kim, D., Stewart, R., Stillman, M., Tuexen, M., and A. Xie, Q., Stewart, R., Stillman, M., Tuexen, M., and A.
Silverton, "Endpoint Handlespace Redundancy Protocol Silverton, "Endpoint Handlespace Redundancy Protocol
(ENRP)", draft-ietf-rserpool-enrp-19 (work in progress), (ENRP)", draft-ietf-rserpool-enrp-20 (work in progress),
March 2008. May 2008.
[I-D.ietf-rserpool-overview] [I-D.ietf-rserpool-overview]
Lei, P., Ong, L., Tuexen, M., and T. Dreibholz, "An Lei, P., Ong, L., Tuexen, M., and T. Dreibholz, "An
Overview of Reliable Server Pooling Protocols", Overview of Reliable Server Pooling Protocols",
draft-ietf-rserpool-overview-06 (work in progress), draft-ietf-rserpool-overview-06 (work in progress),
May 2008. May 2008.
Authors' Addresses Authors' Addresses
Maureen Stillman (editor) Maureen Stillman (editor)
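Review bot: the ENRP reference's author list changes from "Kim, D., Stewart, R., ..." to "Xie, Q., Stewart, R., ..." alongside the bump to draft-ietf-rserpool-enrp-20; confirm this matches the -20 front page rather than being an editing slip, since the ASAP entry was bumped to -20 in the same revision with no author change. The overview reference stays at draft-ietf-rserpool-overview-06, May 2008, which is fine if no newer revision exists.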
End of changes. 11 change blocks. 13 lines changed or deleted, 15 lines changed or added.
This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/