
Telechat Review of draft-ietf-intarea-probe-07
review-ietf-intarea-probe-07-secdir-telechat-sheffer-2017-12-02-00

Request Review of draft-ietf-intarea-probe
Requested revision No specific revision (document currently at 10)
Type Telechat Review
Team Security Area Directorate (secdir)
Deadline 2017-12-12
Requested 2017-11-28
Authors Ron Bonica, Reji Thomas, Jen Linkova, Chris Lenart, Mohamed Boucadair
I-D last updated 2017-12-02
Completed reviews Intdir Early review of -06 by Jean-Michel Combes
Genart Telechat review of -07 by Joel M. Halpern
Secdir Telechat review of -07 by Yaron Sheffer
Opsdir Telechat review of -07 by Stefan Winter
Assignment Reviewer Yaron Sheffer
State Completed
Request Telechat review on draft-ietf-intarea-probe by Security Area Directorate Assigned
Reviewed revision 07 (document currently at 10)
Result Has issues
Completed 2017-12-02
Summary

The Security Considerations section is extensive, given that this is not a
major protocol. However, I think a few additional security risks should be
mentioned; see below. In addition, there are several points where this
(arguably uneducated) reader was confused, and which could benefit from
additional clarity.

Details (security-related)

* The probed interface can be identified by an IEEE 802 address (presumably, a
MAC address). This is an important detail from a security point of view.
Normally you don't expect a remote node to be able to access machines by MAC
address, and many firewall deployments enforce access control solely at the IP
level.

* Similarly, in an IPv4 setting, the proxy can be identified by a routable
address, and used to probe a non-routable (RFC 1918) address.

* "The incoming ICMP Extend Echo Request carries a source address that is not
explicitly authorized for the incoming ICMP Extended Echo Request L-bit
setting" - this implies a per-node whitelist listing all IP addresses that are
allowed to probe it. I don't think we mean seriously to list all the addresses
that can ping a given node, so this smells like security theater - sorry.

Other Details

* Abstract: I think the word "alternatively" should really be "instead" (also
in the Introduction).

* "The proxy interface resides on a probed node" - this contradicts the
previous paragraph that states that either the proxy is on the same node, or
it has direct connectivity to it (and is presumably on a different node).

* "The probed interface can reside on the probed node or it can be directly
connected to the probed node." I'm confused. This contradicts the first
paragraph of the Intro: "The probing interface resides on a probing node while
the probed interface resides on a probed node."

* "encapsulated in an IP header" - shouldn't that be "in an IP packet" (at
least for IPv4)?

* "Ethernet is running on the probed interface" - is this well-defined? There
are numerous 802.* protocols. Do we mean any of them? Or just 802.3?
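As an added illustration of the three security points raised above (not part of this review or of the draft), here is a standalone Python policy check a responding node could apply to an incoming Extended Echo Request before answering: per-L-bit source authorization, a switch for IEEE 802 (MAC) identification, and a rule that a proxied probe of an RFC 1918 target must come from RFC 1918 space. The message fields, policy fields and sample prefixes are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed field names for the example; not the draft's own encoding.
@dataclass
class ExtendedEchoRequest:
    source: str       # IP source address of the request
    l_bit: bool       # True: probed interface is on this node; False: proxied
    target_kind: str  # "ifindex", "ifname", "ipv4", "ipv6" or "ieee802"
    target: str       # the interface identifier itself

@dataclass
class ProbePolicy:
    local_sources: list           # prefixes allowed to probe this node (L=1)
    proxy_sources: list           # prefixes allowed to use this node as proxy (L=0)
    allow_ieee802: bool = False   # permit identification by MAC address at all

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def _in_any(addr, prefixes):
    """True if addr lies in at least one prefix; mixed IP versions never match."""
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def evaluate(req, policy):
    """Return 'respond' or a 'drop: <reason>' string for one incoming request."""
    try:
        src = ipaddress.ip_address(req.source)
    except ValueError:
        return "drop: malformed source address"
    # 1. The source must be explicitly authorized for this L-bit setting.
    allowed = policy.local_sources if req.l_bit else policy.proxy_sources
    if not _in_any(src, allowed):
        return f"drop: source not authorized for L={int(req.l_bit)}"
    # 2. Identification by IEEE 802 (MAC) address is refused unless enabled.
    if req.target_kind == "ieee802" and not policy.allow_ieee802:
        return "drop: IEEE 802 identification disabled"
    # 3. A proxied probe of an RFC 1918 target must itself originate inside
    #    RFC 1918 space, so a routable source cannot enumerate private addresses.
    if not req.l_bit and req.target_kind == "ipv4":
        try:
            tgt = ipaddress.ip_address(req.target)
        except ValueError:
            return "drop: malformed target address"
        if _in_any(tgt, RFC1918) and not _in_any(src, RFC1918):
            return "drop: routable source probing RFC 1918 target via proxy"
    return "respond"

# Constructed sample policy (documentation prefixes only).
POLICY = ProbePolicy(local_sources=["192.0.2.0/24", "2001:db8::/32"],
                     proxy_sources=["10.0.0.0/8", "198.51.100.0/24"])
```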