Secdir telechat review of draft-ietf-intarea-probe-07

Reviewer: Yaron Sheffer
Review result: Has Issues

Summary

The Security Considerations section is extensive, given that this is not a
major protocol. However I think a few additional security risks should be
mentioned, see below. In addition, there are several points where this
(arguably uneducated) reader was confused, and which could benefit from
additional clarity.

Details (security-related)

* The probed interface can be identified by an IEEE 802 address (presumably, a
MAC address). This is an important detail from a security point of view.
Normally you don't expect a remote node to be able to access machines by MAC
address, and many firewall deployments enforce access control solely at the IP
level.
* Similarly, in an IPv4 setting, the proxy can be identified by a routable
address, and used to probe a non-routable (RFC 1918) address.
* "The incoming ICMP Extend Echo Request carries a source address that is not
explicitly authorized for the incoming ICMP Extended Echo Request L-bit
setting" - this implies a per-node whitelist listing all IP addresses that are
allowed to probe it. I don't think we mean seriously to list all the addresses
that can ping a given node, so this smells like security theater - sorry.

Other Details

* Abstract: I think the word "alternatively" should really be "instead" (also
in the Introduction).
* "The proxy interface resides on a probed node" - this contradicts the
previous paragraph that states that either the proxy is on the same node, or
it has direct connectivity to it (and is presumably on a different node).
* "The probed interface can reside on the probed node or it can be directly
connected to the probed node." I'm confused. This contradicts the first
paragraph of the Intro: "The probing interface resides on a probing node while
the probed interface resides on a probed node."
* "encapsulated in an IP header" - shouldn't that be "in an IP packet" (at
least for IPv4)?
* "Ethernet is running on the probed interface" - is this well-defined? There
are numerous 802.* protocols. Do we mean any of them? Or just 802.3?




