Telechat Review of draft-ietf-intarea-probe-07
review-ietf-intarea-probe-07-secdir-telechat-sheffer-2017-12-02-00

Request Review of draft-ietf-intarea-probe
Requested rev. no specific revision (document currently at 10)
Type Telechat Review
Team Security Area Directorate (secdir)
Deadline 2017-12-12
Requested 2017-11-28
Other Reviews Intdir Early review of -06 by Jean-Michel Combes
Genart Telechat review of -07 by Joel Halpern
Opsdir Telechat review of -07 by Stefan Winter
Review State Completed
Reviewer Yaron Sheffer
Review review-ietf-intarea-probe-07-secdir-telechat-sheffer-2017-12-02
Posted at https://mailarchive.ietf.org/arch/msg/secdir/huIElgi6AYnJKb_CO4m-kfrVYhw
Reviewed rev. 07 (document currently at 10)
Review result Has Issues
Draft last updated 2017-12-02
Review completed: 2017-12-02

Review
review-ietf-intarea-probe-07-secdir-telechat-sheffer-2017-12-02

Summary

The Security Considerations section is extensive, given that this is not a major protocol. However, I think a few additional security risks should be mentioned, see below. In addition, there are several points where this (arguably uneducated) reader was confused, and which could benefit from additional clarity.

Details (security-related)

* The probed interface can be identified by an IEEE 802 address (presumably, a MAC address). This is an important detail from a security point of view. Normally you don't expect a remote node to be able to access machines by MAC address, and many firewall deployments enforce access control solely at the IP level.
* Similarly, in an IPv4 setting, the proxy can be identified by a routable address, and used to probe a non-routable (RFC 1918) address.
* "The incoming ICMP Extend Echo Request carries a source address that is not explicitly authorized for the incoming ICMP Extended Echo Request L-bit setting" - this implies a per-node whitelist listing all IP addresses that are allowed to probe it. I don't think we mean seriously to list all the addresses that can ping a given node, so this smells like security theater - sorry.

Other Details

* Abstract: I think the word "alternatively" should really be "instead" (also in the Introduction).
* "The proxy interface resides on a probed node" - this contradicts the previous paragraph that states that either the proxy is on the same node, or it has direct connectivity to it (and is presumably on a different node).
* "The probed interface can reside on the probed node or it can be directly connected to the probed node." I'm confused. This contradicts the first paragraph of the Intro: "The probing interface resides on a probing node while the probed interface resides on a probed node."
* "encapsulated in an IP header" - shouldn't that be "in an IP packet" (at least for IPv4)?
* "Ethernet is running on the probed interface" - is this well-defined? There are numerous 802.* protocols. Do we mean any of them? Or just 802.3?
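Added worked example (editor's code, not part of the review or of the draft): it builds and decodes an ICMPv4 Extended Echo Request whose Interface Identification Object names the probed interface by address, and applies the per-L-bit source-address check the reviewer discusses. It makes the first two security points concrete: the MAC address or RFC 1918 address that the proxy will actually probe lives inside the ICMP body, where an IP-level filter never looks, so the only thing such a filter sees is a packet to the proxy. Code points and layout (ICMPv4 type 42, extension version 2, Class-Num 3 / C-Type 3, AFI 1 = IPv4, 2 = IPv6, 16389 = 48-bit MAC) follow the specification as later published in RFC 8335 and are assumptions here; the -07 draft under review may use different values. The sample addresses are constructed.

```python
"""Decode and policy-check an ICMP Extended Echo Request (PROBE).

Added example; not code from the draft or the reviewer. Code points and
wire layout (ICMPv4 type 42, ICMP extension version 2, Interface
Identification Object Class-Num 3 / C-Type 3, AFI 1 = IPv4, 2 = IPv6,
16389 = 48-bit MAC) follow RFC 8335 and are assumptions here; the -07
draft under review may differ.
"""
import ipaddress
import struct

ICMPV4_EXT_ECHO_REQUEST = 42  # assumed code point (RFC 8335)
EXT_VERSION = 2
CLASS_IFACE_IDENT = 3
CTYPE_BY_ADDRESS = 3
AFI_IPV4, AFI_IPV6, AFI_MAC48 = 1, 2, 16389


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when run over a
    message whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ext_echo_request(ident: int, seq: int, local: bool,
                           afi: int, addr: bytes) -> bytes:
    """Build an ICMPv4 Extended Echo Request whose Interface
    Identification Object names the probed interface by address."""
    obj_body = struct.pack("!HBB", afi, len(addr), 0) + addr + b"\x00" * (-len(addr) % 4)
    obj = struct.pack("!HBB", 4 + len(obj_body), CLASS_IFACE_IDENT, CTYPE_BY_ADDRESS) + obj_body
    # Extension header: version in the top 4 bits, then the extension checksum.
    ext_csum = inet_checksum(struct.pack("!HH", EXT_VERSION << 12, 0) + obj)
    ext = struct.pack("!HH", EXT_VERSION << 12, ext_csum) + obj
    # ICMP header: type, code, checksum, identifier, sequence, reserved|L-bit.
    hdr = struct.pack("!BBHHBB", ICMPV4_EXT_ECHO_REQUEST, 0, 0, ident, seq & 0xFF, int(local))
    csum = inet_checksum(hdr + ext)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + ext


def decode_probed_interface(msg: bytes) -> dict:
    """Return what the proxy would actually probe. All of it sits in the
    ICMP body: an IP-layer ACL only sees the proxy's address as destination."""
    if len(msg) < 20 or msg[0] != ICMPV4_EXT_ECHO_REQUEST:
        raise ValueError("not an ICMPv4 Extended Echo Request")
    if inet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    if msg[8] >> 4 != EXT_VERSION:
        raise ValueError("unsupported extension version")
    obj_len, class_num, ctype = struct.unpack("!HBB", msg[12:16])
    if class_num != CLASS_IFACE_IDENT or ctype != CTYPE_BY_ADDRESS:
        raise ValueError("only address-identified interfaces handled here")
    afi, alen, _ = struct.unpack("!HBB", msg[16:20])
    raw = msg[20:20 + alen]
    if len(raw) != alen or 8 + alen > obj_len:
        raise ValueError("truncated address")
    info = {"local": bool(msg[7] & 0x01), "afi": afi, "rfc1918": False}
    if afi in (AFI_IPV4, AFI_IPV6):
        ip = ipaddress.ip_address(raw)
        info.update(kind="ip", target=str(ip), rfc1918=(afi == AFI_IPV4 and ip.is_private))
    elif afi == AFI_MAC48:
        # A link-layer target: no IP-level ACL can express a rule about it.
        info.update(kind="mac", target=":".join(f"{b:02x}" for b in raw))
    else:
        raise ValueError(f"unknown AFI {afi}")
    return info


def proxy_accepts(msg: bytes, src_ip: str, authorized: dict) -> bool:
    """The per-L-bit source-address check the draft's Security
    Considerations describe: `authorized` maps an L-bit value to the
    source prefixes allowed to send requests with that setting."""
    info = decode_probed_interface(msg)
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(p) for p in authorized.get(info["local"], ()))
```

Run against a request for 10.0.0.5 (L-bit clear) and one for a 48-bit MAC (L-bit set): decode_probed_interface reports the real target and whether it is an RFC 1918 address, while nothing in the outer IP header changes between the two. proxy_accepts shows how narrow the draft's source-address authorization is: the decision is keyed only on the L-bit and the requester's address, never on what is being probed.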