NSIS Working Group Internet Draft Hannes Tschofenig Document: draft-tschofenig-nsis-threats- Siemens AG 01.txt Expires: December 2002 July 2002 NSIS Threats <draft-tschofenig-nsis-threats-01.txt> Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress". The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. Informational - Expires December 2002 1 NSIS Threats July 2002 Abstract As the work in the NSIS working has begun to describe requirements and the framework people started thinking about possible security implication. This document should provide a starting point for the discussion at the NSIS working group mailing list regarding the security issues that have to be addressed by a protocol or within the framework. This document does not describe vulnerabilities of a particular protocol or threats of published NSIS framework proposals. This memo is furthermore meant to create awareness for security issues within the NSIS group. Security requirements related to the threat scenarios are described in [1]. 1 Introduction It is often argued that QoS signaling protocols are similar to other signaling protocols and one might re-use their security mechanisms for avoiding reengineering overhead. This is true up to some point: A QoS signaling protocol might borrow many security mechanisms from other protocols but different trust assumptions, and different protocol processing may demand different solutions or adaptations. This document tries to show threats that need to be addressed by the designers of a QoS signaling protocol. Although the base protocol might be sure, some extensions may cause problems when used in a particular environment. We think that it is necessary to investigate the context in which a QoS protocol is integrated and in which sequence protocols are executed (when combined together with other protocols). A particular focus of QoS signaling protocols should be given to the interaction with accounting and charging solutions: Without an appropriate integration of QoS and accounting protocols there is no good incentive for network operators to deploy them. The interaction between the protocols is subject of a framework. Some of these issues are therefore found in [5]. Independent of the threat scenarios described in Section 3 we identify the following structural pieces, which require different security protection because of different trust relationships. The sub-parts are: access network part, intra and inter-domain part, and finally end-to-end communication between the two signaling end- points. These parts are briefly described. The threat scenarios in Section 3 can be assigned to the individual parts. a) Access Network This section addresses threats that arise when the QoS Initiator (QI) is attached to access network and transmits and receives QoS signaling messages. In many mobility environments it is difficult to assume the existence of a pre-established trust relationship between a user and the access network. Threat scenarios dealing with initial QoS security association setup, replay attacks, lack of confidentiality, denial of service, integrity violation, identity spoofing and fraud are applicable. Tschofenig Informational - Expires August 2002 2 NSIS Threats July 2002 From a security point of view this part of the network causes the most problems. b) Intra-Domain After receiving a QoS signaling message and verifying the request somewhere in the access network the signaling messages traverse the network within the same administrative domain. Since the request has already been authenticated and authorized threats might likely be different compared to those described in the previous section. To differentiate the end-node-to-access network interface with the intra-domain communication (i.e. communication internally within one administrative domain) we assume that no user hosts are attached to the core-network. (That is: the interface between any host and the first router is part of the access network). We furthermore assume that nodes within one administrative domain have a stronger trust relationship between each other. c) Inter-Domain The security protection between the borders of different administrative domains largely depends on how accounting is done. If one domain transmits forged QoS reservations (for example stating a higher QoS reservation than a aggregated number of user did) to next domain then it is likely that the originating network domain has also has to pay for the reservation. Hence in this case, there is no real benefit for the first network domain to forge a QoS reservation. But if an end-node is directly charged by intermediate domains then this kind of attack may be reasonable. Security protection of messages transmitted between different administrative domains is still necessary to tackle attacks like spoofing, integrity violation, denial of service etc. The lower number of networks and higher trust relationship (compared in the access network case) usually causes fewer problems for the key management. d) End-to-End In our opinion end-to-end security for QoS signaling messages (in addition to hop-by-hop security) is rarely required if we assume that end-to-end issues like charging and the selection which user has to pay for a reservation is already securely negotiated by preceding upper layer protocols (for example SIP). Information carried within a QoS signaling protocol for the purpose of charging is therefore assumed opaque to the QoS protocol itself and appropriately protected as part of the AAA interaction. For accounting data, the QoS signaling protocol is therefore only used as a transport mechanism. Note however that this assumption strongly depends on the chosen solution of a protocol interaction with AAA, QoS and application layer protocol. It is however possible to select a charging solution that requires end-to-end protection of information delivered within the QoS signaling protocol. The following example requires some sort of end-to-end protection: Alice wants Bob to pay for the QoS reservation (reverse charging). Bob wants to be assured that the QoS signaling message he receives was Tschofenig Informational - Expires August 2002 3 NSIS Threats July 2002 transmitted by Alice because he is only willing to pay for particular users and not for everyone. Hence Bob requires Alice to protect the reservation request. Regarding end-to-end security one additional issue needs to be clarified. Whenever a signaling protocol travels end-to-end and a node along the path acts on behalf of the other endpoint then further investigation is required how to solve this delegation issue. 2 Terminology Some threat scenarios in this document use the entity user instead of the QoS Initiator (as introduced in [1]). This is mainly due to the fact that security protocols allow a differentiation between entities being hosts or users (based on the identities used). Since the QoS Initiator as used in [1] also allows to act on behalf of various entities including a network it is reasonable to distinguish between these identities. We use the term access network for a network to which a mobile node is attached. Other terms often used in this context are foreign or visited network. The missing direct trust relationship between the mobile node and the access network is characteristic for such an interface and complicates authentication and key agreement. Usually AAA protocols (like Radius or Diameter) are used to provide the initial authentication and key establishment. These protocols take advantage of the infrastructure (AAAL, AAAH, Broker, etc.) and trust relationships between the access network and the user's home network. This trust relationship is usually based on some sort of contract and hence it can be seen as symmetric whereas the dynamically established trust relationship between the mobile node and the access network is asymmetric. The mobile node has to trust the access network in many regards. The access network usually does not trust attached end-hosts. The term security association is used to describe established security-relevant data structure between two entities. This data structure consists of keys, algorithms including their parameters, values used for replay protection etc. Using this information two (or more) nodes are able to protect QoS signaling messages. 3 Threat Scenarios This section provides threat scenarios that are applicable to the quality of service signaling protocols. 3.1 Man-in-the-Middle Attacks This Section describes man-in-the-middle attacks of the following type: During the process of establishing a security association an adversary fools the QI with respect to the entity to which it has to authenticate. The man-in-the-middle adversary is able to modify signaling messages transmitted to the real network requesting Tschofenig Informational - Expires August 2002 4 NSIS Threats July 2002 different QoS parameters. The QI wrongly believes that it talks to the ôrealö network whereas it is actually attached to an adversary. Note that a solution for protecting QoS signaling messages does not necessarily need to establish a "long-lasting" security association. Performance reasons may however require to create one. For this attack to be successful, pre-conditions have to hold which are described with the two scenarios below: a) No authentication The first case considers the case that no authentication between the QI and other entity (access network, other networks, a single node) takes places: Without authentication the QI is unable to detect an adversary. It may seem to be strange why someone does not consider to protect QoS signaling messages. However in some cases protection available might be difficult to accomplish in a practical environment either because the other end-point of the communication is unknown, because of a failure in the network configuration or because of misbelieved trust relationships in parts of the network. If one of the communication endpoints is unknown then for some security protocols it is not possible or difficult to select the appropriate key. Regarding an assumed trust relationship, which is not present in some environments, some network administrators refuse to consider security protection of intra-domain signaling messages because of various reasons. Such a configuration sometimes allows a compromised node in the network to interfere the communication of other nodes although it was never intended to actively participate in the signaling. b) Unilateral authentication In case of only unilateral authentication (that is, a missing authentication of the access network to the QI) the QI is not able to discover the man-in-the-middle adversary. In the telecommunication world this type of attack is known as the false base-station attacks (if the unilateral authentication is executed between a user and the access network). The two threats described above are a general problem of network access without appropriate authentication, not only for QoS signaling protocol. Still these issues need to be correctly addressed in a proposed protocol since the impacts may reach beyond the local network. No authentication or unilateral authentication is not only applicable for signaling messages transmitted between a QI and the access network but also between all other nodes. 3.2 Missing real-time notifications of QoS reservation costs (cost control) This type of threat is addresses a deployment problem when using QoS signaling in a real-world environment. It is not a particular attack. A large number of service providers with complex roaming agreements create a non-transparent cost-structure. Using AAA Tschofenig Informational - Expires August 2002 5 NSIS Threats July 2002 protocols in a subscription-based scenario (i.e. user is registered with his home service provider) the user does not learn the identity of the network using a regular message exchange. The user is only authenticated to the home network (and possibly vice versa). The identity of the access network is possibly not revealed. When issuing a reservation request to the network the end-user does not know the cost of such a reservation. Furthermore due to mobility and route changes along the path the costs for a reservation and for transmitted data packets might not be acceptable for the end-user. However a missing protocol between the user and the network and without the possibility for the user to interact with the network to commit the credit withdrawal costs can reach unexpected amounts. When selecting a new point of attachment in case of roaming the end- host does not currently have an option to query the network for a reservation cost. Some proposals which try to merge mobility protocols with QoS signaling probe the access network up to the cross-over router for the possibility making a QoS reservation (without actually making the reservation itself). Without such a mechanism to provide network providers a user cannot take reservation costs into consideration when choosing between different networks. Hence the user is unable to refuse the more expensive service provider. The choice for selecting different providers might be available not only because of overlapping frequency ranges but also because of different access technologies (either using a WLAN card to access the local network or to use UMTS/UTRAN based technology). Although real-time notifications of quality of service reservation costs (cost control) to the user are outside the scope of a quality of service signaling protocol itself some interactions might be required. 3.3 Eavesdropping and Traffic Analysis This Section covers two threats: The first scenario is related to privacy concerns whereas the second addresses problems caused by weak authentication mechanisms and the increased risk of eavesdropping on the wireless link in absence of appropriate confidentiality protection. The first threat case covers adversaries that are unable to actively participate in the QoS signaling (passive adversary) but eavesdrop messages. The collected signaling packets may serve for the purpose of traffic analysis or to later mount replay attacks as described in the next Section. By eavesdropping an adversary might violate a userÆs privacy preference. Especially QoS signaling messages provide information that may be interesting for an adversary since the messages include user and/or application identities, policy information, information about the desired QoS reservation, etc. The information gathered by an adversary can be to learn usage patterns of users requesting resources and track QoS reservations. An adversary who is able to actively participate in the signaling might be able to use the signaling protocol to discover the topology Tschofenig Informational - Expires August 2002 6 NSIS Threats July 2002 of a network (e.g. using record route). Additionally it might be possible to obtain diagnostic information usually used for network monitoring and administration. Other options might allow an adversary to route signaling messages specifically along a particular route similar to source routing. The second threat case addresses weak authentication mechanisms whereby information transmitted within the QoS signaling protocol may leak passwords and may allow offline dictionary attacks. This threat is not specific to QoS signaling protocols by may also be applicable and countermeasures must be taken. 3.4 Adversary being able to replay signaling messages This threat scenario covers the case where an adversary eavesdrops and collects signaling messages and replays them at a latter point in time (or at a different place, or uses parts of them at a different place or in a different way û e.g. cut and paste attacks). The adversary may use this technique in absence of appropriately protected messages to mount denial of service attacks. Furthermore also theft of service is possible. A more difficult attack that may cause problems even in case of replay protection requires the adversary to crash a QoS aware node (router, broker, etc.) to lose synchronization and to be able to replay old QoS signaling messages. Additionally it should be mentioned that the interaction between different protocols based on authorization tokens requires some care. Using such an authorization token it is possible to link state information between different protocols. When returning an authorization token to the end-host based for example on a SIP message exchange eavesdropping an replay could allow an adversary to steal resources without proper protection of the token delivery and without verification of the hopefully protected content of the token. The functionality and structure of such an authorization token for RSVP is described in [3] and in [4]. 3.5 Identity Spoofing An adversary with the capability to spoof the identity may mount the following attacks: Eve, acting as an adversary, claims to be the registered user Alice by spoofing the identity of Alice. Thereby Eve causes the network to charge Alice for the consumed network resources. Using unprotected signaling messages Eve may experience no particular problems in succeeding. This attack can be classified as theft of service. In case that the signaling request is properly protected the adversary has to spent considerable more effort. This threat tries to address possible problems with traffic classification based on some identifiers (IP addresses, transport protocol id, ports, flow label [6] and [7], etc.). Additionally concerns might occur if the Tschofenig Informational - Expires August 2002 7 NSIS Threats July 2002 end-host performs the traffic marking for example by using a DSCP. When the ingress router uses the DSCP of the incoming data traffic then the situation might be worse since this field is not protected by IPSec AH (and also by IPSec ESP). Issues of DiffServ and IPSec protection are described in Section 6.2 of [RFC2745]. Other security issues related to denial of service attacks are described in Section 6.1 of [RFC2745]. The following paragraph describes a possible threat caused by identity spoofing of transmitted data traffic. After the network receives a properly protected reservation request, transmitted by the legitimate user Alice, traffic filters are installed at edge devices. These traffic filters allow data traffic originated from a given address to be assigned to a particular QoS class. The adversary Eve now spoofs the IP address of the Alice (or whatever identifier is used in the flow classification). Additionally AliceÆs host may be crashed by the adversary as a result of a denial of service attack or lost connectivity for a variety of other reasons. If both nodes are located at the same link and use the same IP address then obviously the usage of a duplicate IP address will be detected. Assuming that only Eve is available at the link then she is now able to receive and transmit data (for example RTP data traffic), that receives preferential QoS treatment, using AliceÆs IP address (or whatever identifier is used in the flow classification). Assuming the soft state paradigm where periodical refresh messages are required the absence of Alice will not be detected until the next signaling message appears and forces Eve to respond with a protected signaling message. Again this issue is not only applicable to QoS traffic but the existence of QoS reservation causes more difficulties since this type of traffic is more expensive. 3.6 Adversary being able to inject/modify messages The next type of threat is caused by an integrity violation: An adversary modifies signaling messages (e.g. by acting as a man-in- the-middle) to achieve an unexpected network behavior with the bogus request. Possible actions are reordering, delaying, dropping, injecting and modifying. Using a different identity the adversary may forward a modified a QoS signaling message requesting a large amount of resources (using a different identity). If granted it causes other user's resource- request not to be successful and a different initiator (for example a user) to pay for the QoS reservation. This attack is only successful in absence of signaling message protection. 3.7 Missing Non-Repudiation Property Repudiation in this context refers to a problem where one party later denies to have made a reservation. This issue comes in two flavors: From a service provider point-of-view the following threat may be worth an investigation because a user may deny to have issued Tschofenig Informational - Expires August 2002 8 NSIS Threats July 2002 reservation requests for which it was charged. A service provider may then like to prove that a particular user issued the reservation request. The same threat can be interpreted from the users point-of-view. A service provider claims to have received a number of reservation requests. The user in question thinks that he never issued those requests and wants to have a proof for correct service usage for a given set of QoS parameters. In todayÆs telecommunication networks non-repudiation is not provided. The user has to trust the network operator to correctly meter the traffic, collect and merge accounting data and that no unforeseen problems occur. If a signaling protocol is used to establish QoS reservations with a higher volume (for example service level agreements) then this issue might have a major impact on the design of a protocol. 3.8 Malicious Edge-Router Network elements within a domain (intra-domain) experience a different trust relationship with regard to the security protection of signaling messages compared to edge routers. We assume that edge routers have the responsibility to perform cryptographic processing (authentication, integrity and replay protection, authorization and accounting). If however an adversary manages to take over an edge router then the security of the entire network is affected. An adversary is then able to launch a number of attacks including denial of service, integrity violation, replay attacks etc. Note that this problem is not only restricted to QoS signaling protocols. The chain-of-trust principle applied in the hop-by-hop security protection does not prevent the network from being vulnerable. An adversary with full access to the edge router is then also able to access the keys used to secure messages to other nodes. Thus the edge router is a critical component that requires strong security protection. This does not necessarily imply that all routers within the core network do not need to cryptographically verify signaling messages and that these routers cannot cause security problems when acting maliciously. If the chain-of-trust principle is deployed then the security protection of the path (in this case within the network of a single administrative domain) is as strong as the weakest link. In our case the edge router is the most critical component of this network that may also act as a security gateway/firewall for incoming/outgoing traffic. For outgoing traffic this device has to act according to the security policy of the local domain to apply the appropriate security protection. 3.9 Denial of Service in a two phase reservation This threat tries to address potential denial of service attacks when the reservation setup is split into two phases i.e. path and reservation (as for example used in receiver based reservation Tschofenig Informational - Expires August 2002 9 NSIS Threats July 2002 setup). For this example we assume that the node transmitting the path message is not charged for the path message itself (only for a reservation) and is able to issue a high number of reservation request (possibly in a distributed fashion). The reservations are however never intended to be successful because of various reasons: the destination node cannot be reached; it is not responding node or simply rejects the reservation. An adversary can benefit from the fact that resources are already consumed along the path for various processing tasks including path pinning. 3.10 Denial of Service with a bogus signaling request With a resource reservation request received at a network element (for example by the first QoS aware router) processing is required for authentication and authorization. Processing by other nodes including policy servers, LDAP servers, etc. is also possible depending on the network configuration. The verification of the provided credentials requires computations and resources to be allocated for state maintenance, setting timers, additional messages transmitted to other nodes, cryptographic computations). If an adversary is able to transmit a large number of reservation request (flooding) with bogus credentials and assuming that the verification is expensive in terms of resource consumption then the verifying node may not be able to process further reservation messages by legitimate user. 3.11 Disclosing the networking structure In some architectural environments there is a desire by the network provider not to reveal the internal network structure (or other related information) to the outside world. An adversary might be able to use NSIS messages for network mapping (e.g. discovering which nodes exist, which use NSIS, what version, what resources are allocated, capabilities of nodes along a paths etc.). This requirement might conflict with a protocol solution that provides a mean to automatically discover NSIS aware nodes and their identity. 3.12 Modification of subsequent reservation request An adversary might be able to modify an existing reservation which had already been established within the network as a result of a previous QoS signaling message. This means that a QoS signaling message that modifies established state must be subject to security protection comparable to the original signaling message setting up the reservation. Furthermore it might be necessary to provide assurance for a correct binding to a specific reservation state. Such a property can be designated as reservation ownership. This threat addresses operations for the reservation state established along the path. The reservation state at routers which is created by signaling messages is identified by a Reservation ID. The concept of the Reservation ID is described in [5]. Whenever a signaling message has to refresh, modify or delete a reservation it is necessary to process previously Tschofenig Informational - Expires August 2002 10 NSIS Threats July 2002 created state. Therefore the newly transmitted signaling messages have to be associated with an existing reservation. Hence there is a requirement that it must not be possible for someone to use an arbitrary Reservation ID to modify state where no ownership exits. Especially in a roaming scenario where a mobile node retransmits signaling messages from a different point of attachment it must be assured that the routers along the path are able to verify whether the entity transmitting the signaling messages is allowed to modify the established state. Potential problems caused by this threat are denial of service, theft of service, service disruption, etc. 3.13 Faked Error/Response messages An adversary may be able to use false error/response messages as part of a denial of service attack. This could be either at the reservation level or at the protocol level. 4 Security Considerations This entire memo discusses security issues. Some additional threats are applicable for a framework where a NSIS protocol is used. Some of these threats are described in [2]. 5 References [1] Brunner, M., "Requirements for QoS Signaling Protocols", draft- ietf-nsis-req-02.txt, Work In Progress, May 2002. [2] Kempf, J., Nordmark, E.: ôThreat Analysis for IPv6 Public Multi-Access Linksö, <draft-kempf-ipng-netaccess-threats-01.txt>, (work in progress), December, 2002. [3] Hamer, L-N., Gage, B., Broda, M., Kosinski, B., Shieh, H.: ôSession Authorization for RSVPö, <draft-ietf-rap-rsvp-authsession- 02.txt>, (work in progress), February, 2002. [4] Hamer, L-N., Gage, B., Shieh, H.: ôFramework for session set-up with media authorizationö, <draft-ietf-rap-session-auth-03.txt>, (work in progress), February, 2002. [5] Freytsis, I., Hancock, R., Karagiannis, G., Loughney, J., Van den Bosch, S.: ôNext Steps in Signaling: A Framework Proposalö, <draft-hancock-nsis-fw-00.txt>, (work in progress), June, 2002. [RFC2745] [6] Partridge, C.: "Using the Flow Label Field in IPv6", RFC 1809, June, 1995. [7] Rajahalme, J., Conta, A., Carpenter, B., Deering, S.: "IPv6 Flow Label Specification", <draft-ietf-ipv6-flow-label-02.txt>, (work in progress), June, 2002. Tschofenig Informational - Expires August 2002 11 NSIS Threats July 2002 6 Acknowledgments I would like to thank (in alphabetical order) Marcus Brunner, Jorge Cuellar, Mehmet Ersue, Xiaoming Fu and Robert Hancock for their comments to this draft. Jorge and Robert gave me an extensive list of comments and provided information on additional threats. 7 Author's Addresses Hannes Tschofenig Siemens AG Otto-Hahn-Ring 6 81739 Munich Germany Email: Hannes.Tschofenig@mchp.siemens.de Tschofenig Informational - Expires August 2002 12