[Search] [txt|pdf|bibtex] [Tracker] [Email] [Nits]

Versions: 00 01                                                         
   NSIS Working Group
   Internet Draft                                     Hannes Tschofenig
   Document: draft-tschofenig-nsis-threats-                     Siemens
   Expires: August 2002                                        May 2002

                               NSIS Threats

Status of this Memo

   This document is an Internet-Draft and is in full conformance
   with all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   The list of Internet-Draft Shadow Directories can be accessed at

                 Informational - Expires August 2002                1
                             NSIS Threats                     May 2002


   As the work in the NSIS working has begun to describe requirements
   and the framework people started thinking about possible security
   implication. This document should provide a starting point for the
   discussion at the NSIS interim meeting and at the NSIS working group
   mailing list regarding the security issues that have to be
   addressed. It does not describe threats for a particular published
   protocol. This memo is furthermore meant to create awareness for the
   security within the group. The threat scenarios in this document are
   matched against the security requirements described in [1].

1  Introduction

   It is often argued that QoS signaling protocols are similar to other
   signaling protocols and one might re-use their security mechanisms
   for avoiding reengineering overhead. This is true up to some point:
   A QoS signaling protocol might borrow many security mechanisms from
   other protocols but different trust assumptions, and different
   protocol processing may demand different solutions or adaptations.
   This document tries to show security issues that need to be
   addressed by a QoS signaling protocol that claims to be secure.
   Although the base protocol might be sure, some extensions may cause
   problems when used in a particular environment. We think that it is
   necessary to investigate the kontext in which a QoS protocol is
   integrated and in which sequence protocols are executed (when
   combined together with other protocols). A particular focus of QoS
   signaling protocols should be given to the interaction with
   accounting and charging solutions: Without an appropriate
   integration of QoS and accounting protocols there is no good
   incentive for network operators to deploy them.

   Independent of the threat scenarios described in Section 3 we
   indentify the following structural pieces, which require different
   security protection because of different trust relationships.  The
   sub-parts are:_access network part, intra and inter-domain part, and
   the issues related to the end-to-end communication. These parts are
   briefly described. The threat scenarios in Section 3 can be assigned
   to the individual parts.

   a) Access Network

   This section addresses threats that arise when the QoS Inititiator
   (QI) is attached to access network and transmits and receives QoS
   signaling messages. There might not exist a pre-established trust
   relationship between a user and the access network, as in many
   mobility scenarios it is usually assumed.

   Threat scenarios dealing with initial QoS security association
   setup, replay attacks, lack of confidentiality, denial of service,
   integrity violation, identity spoofing and fraud are applicable.
   From a security point of view this part of the network causes the
   most problems.

   Tschofenig    Informational - Expires August 2002                2
                             NSIS Threats                     May 2002

   b) Intra-Domain

   After receiving and verifying a QoS request at the access network
   the signaling messages traverse the network within the same
   administrative domain. Since the request has already been
   authenticated and authorized threats are different compared to those
   described in the previous section. To differentiate the user-to-
   access network interface with the intra-domain communication (i.e.
   communication within the core-network) we assume that no user hosts
   are attached to the core-network. (That is: the interface between
   any host and the first router is part of the access network). We
   furthermore assume that nodes within one administrative domain have
   a stronger trust relationship between each other.

   c) Inter-Domain

   The security considerations at the border between different
   administrative domains largely depends on how accounting is done. If
   one domain transmits forged QoS reservations (for example stating a
   higher QoS reservation than a aggregated number of user did) to next
   domain then it is likely that the originating network domain has
   also has to pay for the reservation. Hence in this case, there is no
   real benefit for the first network domain to forge a QoS
   reservation. But if the user is directly charged by intermediate
   domains too then this kind of attack may be reasonable. Security
   protection of messages transmitted between different administrative
   domains is still necessary to tackle attacks like spoofing,
   integrity violation, denial of service etc. The lower number of
   networks and higher trust relationship (compared in the access
   network case) cause fewer problems for a key management.

   d) End-to-End

   In our opinion end-to-end security for QoS signaling messages is
   rarely required if we assume that end-to-end issues like charging
   and the selection which user has to pay for a reservation is already
   securely negotiated by preceding upper layer protocols (for example
   SIP). Information carried within a QoS signaling protocol for the
   purpose of charging is therefore assumed opaque to the QoS protocol
   itself and appropriately protected as part of the AAA interaction.
   For accounting data, the QoS signaling protocol is therefore only
   used as a transport mechanism. Note however that this assumption
   strongly depends on the chosen solution of a protocol interaction
   with AAA, QoS and application layer protocol. It is however possible
   to select a charging solution that requires end-to-end protection of
   information delivered within the QoS signaling protocol. The
   following example requires some sort of end-to-end protection: Alice
   wants Bob to pay for the QoS reservation. (reverse charging) Bob
   wants to be assured that the QoS signaling message he receives are
   transmitted by Alice because he is only willing to pay for
   particular users and not for everyone. Hence Bob requires Alice to
   authenticated the request.

   Tschofenig    Informational - Expires August 2002                3
                             NSIS Threats                     May 2002

2  Terminology

   Some threat scenarios in this document use the entity user instead
   of the QoS Initiator (as introduced by [1]). This is mainly due to
   the fact that security protocols allow a differentiation between
   entities being hosts or users. Since the QoS Initiator as used in
   [1] also allows to act on behalf of various entities including a
   network it is reasonable to distinguish between these identities.

   We use the term access network for a network to which a mobile node
   is attached. Other terms often used in this context are foreign or
   visited network. The missing direct trust relationship between the
   mobile node and the visited networks is characteristic for such an
   interface and complicates authentication and key agreement. Usually
   AAA protocols (like Radius or Diameter) are used for such a purpose.
   These protocols exploit the infrastructure and trust relationships
   between the access network and the home network of the user.

   The term security association is used to describe established
   security-relevant data structure between two entities. This data
   structure consists of keys, algorithms including their parameters,
   values used for replay protection etc. Using this information two
   nodes are able to protect QoS signaling messages.

3  Threat Scenarios

   This section provides threat scenarios that are applicable to the
   quality of service signaling protocols.

   Additionally, it might also be possible that the QoS initiator acts
   on behalf of an other user and must therefore interact with this
   node to be able to trigger the reservation setup. This issue however
   requires further investigation based on specific protocol proposals.

3.1 Man-in-the-Middle Attacks

   This Section describes man-in-the-middle attacks of the following
   type: During the process of establishing a security association an
   adversary fools the QI with respect to the entity to which it has to
   authenticate. The man-in-the-middle adversary is able to modify
   signaling messages transmitted to the real network requesting
   different QoS parameters. The QI wrongly believes that it talks to
   the ôrealö network whereas it is actually attached to an adversary.
   Note that a solution for protecting QoS signaling messages does not
   necessarily need to establish a security association. In general it
   is however advisable to create one because of performance reasons.

   For this attack to be successful, pre-conditions have to hold which
   are described with the two scenarios below:

   a) No authentication

   The first case considers the case that no authentication between the
   QI and other entity (access network, other networks, a single node)

   Tschofenig    Informational - Expires August 2002                4
                             NSIS Threats                     May 2002

   takes places: Without authentication the QI is unable to detect an

   b) Unilateral authentication

   In case of only unilateral authentication (that is, a missing
   authentication of the access network to the QI) the QI is not able
   to discover the man-in-the-middle adversary. In the
   telecommunication world this type of attack is known as the false
   base-station attacks (if the unilateral authentication is executed
   between a user and the access network).

   The two threats described above are a general problem of network
   access without appropriate authentication, not only for QoS. Still
   these issues need to be correctly addressed in a proposed protocol
   since the impacts may reach beyond the local network.

3.2 Missing real-time notifications of QoS reservation costs (cost

   An other type of attack uses the fact that a user is not able to
   authorize a particular network service provider (i.e. because of a
   large number of providers). A large number of service providers with
   complex roaming agreements create a non-transparent cost-structure.
   Using AAA protocols in a subscription-based scenario (i.e. user is
   registered with his home service provider) the user does not learn
   the identity of the network using a regular message exchange. The
   user is only authenticated to the home network (and possibly vice
   versa). The identity of the access network is possibly not revealed.
   Furthermore one service provider ôstealsö users from an other close-
   by service provider and because of a missing cost-notification the
   user is unable to refuse the more expensive service provider
   although he could route his traffic possible via both providers. The
   user is not able to select the ôcheapestö access router (in terms of
   QoS costs).

   Although real-time notifications of quality of service reservation
   costs (cost control) to the user are outside the scope of a quality
   of service protocol itself there are still interactions with AAA and
   other protocols.

3.3 Eavesdropping and Traffic Analysis

   This Section covers two threats: The first one is related to privacy
   concerns whereas the second addresses problems caused by weak
   authentication mechanisms and the increased risk of eavesdropping on
   the wireless link in absence of appropriate confidentiality

   The first threat case covers adversaries that are unable to actively
   participate in the QoS signaling (passive adversary) but eavesdrop
   messages. The collected signaling packets may serve for the purpose
   of traffic analysis or to later mount replay attacks as described in
   the next Section. By eavesdropping an adversary might violate a

   Tschofenig    Informational - Expires August 2002                5
                             NSIS Threats                     May 2002

   userÆs privacy preference. Especially QoS signaling messages provide
   information that may be interesting for an adversary since the
   messages include user and/or application identities, policy
   information, information about the desired QoS reservation, etc. The
   information gathered by an adversary can be to learn usage patterns
   of users requesting resources and track QoS reservations.

   The second threat case addresses weak authentication mechanisms
   whereby information transmitted within the QoS signaling protocol
   may leak passwords and may allow offline dictionary attacks. This
   threat is not specific to QoS signaling protocols by may also be
   applicable and countermeasures must be taken.

3.4 Adversary being able to replay signaling messages

   This threat scenario covers the case where an adversary eavesdrops
   and collects signaling messages and replays them at a latter point
   in time (or at a different place, or uses parts of them at a
   different place or in a different way û e.g. cut and paste attacks).
   The adversary may use this technique in absence of appropriately
   protected messages to mount denial of service attacks. Furthermore
   also theft of service is possible.

   A more difficult attack that may cause problems even in case of
   replay protection requires the adversary to crash a QoS aware node
   (router, broker, etc.) to lose synchronization and to be able to
   replay old QoS signaling messages.

3.5 Identity Spoofing

   An adversary with the capability to spoof the identity may mount the
   following attacks:

   Eve, acting as an adversary, claims to be the registered user Alice
   by spoofing the identity of Alice. Thereby Eve causes the network to
   charge Alice for the consumed network resources. Using unprotected
   messages Eve may experience no particular problems in succeeding.

   In case that the signaling request is properly protected the
   situation becomes more difficult. This threat tries to address
   possible problems with network based QoS traffic classification
   based on some identifiers (IP address, ports, other header
   information etc.). The situation does not change when the data
   traffic is marked by the transmitting host (i.e. using DSCP).

   After the network receives a properly protected reservation request,
   transmitted by the legitimate user Alice, traffic filters are
   installed at edge devices. These traffic filters allow data traffic
   originated from a given address to be assigned to a particular QoS
   class. The adversary Eve now spoofs the IP address of the Alice (or
   whatever identifier is used in the flow classification).
   Additionally AliceÆs host may be crashed by the adversary as a
   result of a denial of service attack or lost connectivity for a
   variety of other reasons. In any case Eve is now able to receive and

   Tschofenig    Informational - Expires August 2002                6
                             NSIS Threats                     May 2002

   transmit data (for example RTP data traffic), that receives
   preferential QoS treatment, using AliceÆs IP address (or whatever
   identifier is used in the flow classification) until the next
   signaling message appears and forces Eve to respond with a protected
   signaling message. Again this issue is not only applicable to QoS
   traffic but the existence of QoS reservation causes more
   difficulties since this type of traffic is more expensive.

3.6 Adversary being able to inject/modify messages

   The next type of threat is caused by an integrity violation: An
   adversary modifies signaling messages (e.g. by acting as a man-in-
   the-middle) to achieve an unexpected network behavior with the bogus
   request. Possible actions are reordering, delaying, dropping,
   injecting and modifying.

   Using a different identity the adversary may forward a modified a
   QoS signaling message requesting a large amount of resources (using
   a different identity). If granted it causes other user's resource-
   request not to be successful and a different user to pay for the
   reservation. This attack is only useful in absence of user
   authentication or if the adversary is able to spoof someoneÆs
   identity since the attack is useless if the adversary itself is
   charged for the huge resource reservation.

3.7 Missing Non-Repudiation Property

   Repudiation in this context refers to a problem where one party
   later denies to have made a reservation. This issue comes in two

   From a service provider point-of-view the following threat may be
   worth an investigation because a user may deny to have issued
   reservation requests for which he was charged. A service provider
   may then like to prove that a particular user issued the reservation

   The same threat can be interpreted from the users point-of-view. A
   service provider claims to have received a number of reservation
   requests. The user in question thinks that he never issued those
   requests and wants to have a proof for correct service usage for a
   given set of QoS parameters.

3.8 Malicious Edge-Router

   Network elements within a domain (intra-domain) experience a
   different trust relationship with regard to the security protection
   of signaling messages compared to edge routers. Assuming that edge
   routers have the responsibility to perform cryptographic processing
   (authentication, integrity and replay protection, authorization and
   accounting). If however an adversary manages to take over an edge
   router then the security of the entire network is affected. An
   adversary can then launch a number of attacks including denial of
   service, integrity violation, replay attacks etc. Note that this

   Tschofenig    Informational - Expires August 2002                7
                             NSIS Threats                     May 2002

   problem is not only restricted to the QoS protocols. In such a case
   even the chain-of-trust principle does not prevent the network from
   being vulnerable: If we assume that the adversary, with access to
   the edge router, is able to access the keys used to secure messages
   to other nodes.

   Thus the edge router is a critical component that requires strong
   security protection. This does not necessarily imply that all
   routers within the core network do not need to cryptographically
   verify signaling messages and that these routers cannot have any
   security effect if they act maliciously. If the (hop-by-hop) chain-
   of-trust principle is deployed then the security of the path (in
   this case within the network of a single administrative domain) is
   as strong as the weakest link. In our case the edge router is the
   most critical component of this network that may also act as a
   security gateway/firewall for incoming/outgoing traffic. For
   outgoing traffic this device has to act according to the security
   policy of the local domain to apply the appropriate security

3.9 Denial of Service in a two phase reservation

   This threat tries to address potential denial of service attacks
   when the reservation setup is split into two phases i.e. path and
   reservation. For this example we assume that the node transmitting
   the path message is not charged for this message and is able to
   issue a high number of reservation request (possibly in a
   distributed fashion). The reservations are however never intended to
   be successful because of various reasons: for example the
   destination node cannot be reached or is not responding node or
   rejects the reservation. An adversary can benefit from the fact that
   resources are already consumed along the path for various processing
   tasks including path pinning.

3.10    Denial of Service with a bogus reservation request

   With a resource reservation request received at a network element
   (for example by the first QoS aware router) processing is required
   for authentication and authorization (processing by other nodes
   including policy server, LDAP server, etc. is also possible
   depending on the network architecture). The verification of the
   provided credentials requires computations and resources to be
   allocated memory for state maintenance, setting timers, additional
   messages transmitted to other nodes, cryptographic computations). If
   an adversary is able to transmit a large number of reservation
   request (flooding) with bogus credentials and assuming that the
   verification is expensive in terms of resource consumption then the
   verifying node may not be able to process further reservation
   messages by legitimate user.

3.11    Disclosing the networking structure

   In some architectures a network provider does not want to reveal its
   internal network structure to the outside world. An adversary might

   Tschofenig    Informational - Expires August 2002                8
                             NSIS Threats                     May 2002

   be able to use NSIS messages for network mapping (e.g. discovering
   which nodes existed, which used NSIS, what version etc.). This
   requirement might conflict with a protocol solution that provides a
   mean to automatically discover NSIS aware nodes and their identity
   (the identity required for security protection).

3.12    Modification of subsequent reservation request

   An adversary might be able to modify an existing reservation which
   had already been established within the network as a result of a
   previous QoS signaling message. This means that a QoS signaling
   messages that modifies established state must be subject to security
   protection comparable to the original signaling message setting up
   the reservation. Furthermore it might be necessary to provide
   (possibly cryptographic) information to assure a correct binding to
   a specific state/session.

3.13    Faked Error/Response messages

   An adversary may be able to use false error/response messages as
   part of a denial of service attack. This could be either at the
   reservation level or at the protocol level.

4  Security Considerations

   This entire memo discusses security issues.

5  References

   [1] Brunner, M., "Requirements for QoS Signaling Protocols", draft-
   ietf-nsis-req-02.txt, Work In Progress, May 2002.

6  Acknowledgments

   I would like to thank (in alphabetical order) Marcus Brunner, Jorge
   Cuellar, Xiaoming Fu and Robert Hancock for their comments to this
   draft. Jorge and Robert gave me an extensive list of comments for
   this memo and provided more information on additional threats that
   should be added.

7  Author's Addresses

   Hannes Tschofenig
   Siemens AG
   Otto-Hahn-Ring 6
   81739 Munchen
   Email: Hannes.Tschofenig@mchp.siemens.de

   Tschofenig    Informational - Expires August 2002                9