summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc3552.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc3552.txt')
-rw-r--r--doc/rfc/rfc3552.txt2467
1 files changed, 2467 insertions, 0 deletions
diff --git a/doc/rfc/rfc3552.txt b/doc/rfc/rfc3552.txt
new file mode 100644
index 0000000..37a94da
--- /dev/null
+++ b/doc/rfc/rfc3552.txt
@@ -0,0 +1,2467 @@
+
+
+
+
+
+
+Network Working Group E. Rescorla
+Request for Comments: 3552 RTFM, Inc.
+BCP: 72 B. Korver
+Category: Best Current Practice Xythos Software
+ Internet Architecture Board
+ IAB
+ July 2003
+
+
+ Guidelines for Writing RFC Text on Security Considerations
+
+Status of this Memo
+
+ This document specifies an Internet Best Current Practices for the
+ Internet Community, and requests discussion and suggestions for
+ improvements. Distribution of this memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+Abstract
+
+ All RFCs are required to have a Security Considerations section.
+ Historically, such sections have been relatively weak. This document
+ provides guidelines to RFC authors on how to write a good Security
+ Considerations section.
+
+Table of Contents
+
+ 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 3
+ 1.1. Requirements. . . . . . . . . . . . . . . . . . . . . 3
+ 2. The Goals of Security. . . . . . . . . . . . . . . . . . . 3
+ 2.1. Communication Security. . . . . . . . . . . . . . . . 3
+ 2.1.1. Confidentiality. . . . . . . . . . . . . . . . 4
+ 2.1.2. Data Integrity . . . . . . . . . . . . . . . . 4
+ 2.1.3. Peer Entity authentication . . . . . . . . . . 4
+ 2.2. Non-Repudiation . . . . . . . . . . . . . . . . . . . 5
+ 2.3. Systems Security. . . . . . . . . . . . . . . . . . . 5
+ 2.3.1. Unauthorized Usage . . . . . . . . . . . . . . 6
+ 2.3.2. Inappropriate Usage. . . . . . . . . . . . . . 6
+ 2.3.3. Denial of Service. . . . . . . . . . . . . . . 6
+ 3. The Internet Threat Model. . . . . . . . . . . . . . . . . 6
+ 3.1. Limited Threat Models . . . . . . . . . . . . . . . . 7
+ 3.2. Passive Attacks . . . . . . . . . . . . . . . . . . . 7
+ 3.2.1. Confidentiality Violations . . . . . . . . . . 8
+ 3.2.2. Password Sniffing. . . . . . . . . . . . . . . 8
+ 3.2.3. Offline Cryptographic Attacks. . . . . . . . . 9
+
+
+
+Rescorla & Korver Best Current Practice [Page 1]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ 3.3. Active Attacks. . . . . . . . . . . . . . . . . . . . 9
+ 3.3.1. Replay Attacks . . . . . . . . . . . . . . . . 10
+ 3.3.2. Message Insertion. . . . . . . . . . . . . . . 10
+ 3.3.3. Message Deletion . . . . . . . . . . . . . . . 11
+ 3.3.4. Message Modification . . . . . . . . . . . . . 11
+ 3.3.5. Man-In-The-Middle. . . . . . . . . . . . . . . 12
+ 3.4. Topological Issues. . . . . . . . . . . . . . . . . . 12
+ 3.5. On-path versus off-path . . . . . . . . . . . . . . . 13
+ 3.6. Link-local. . . . . . . . . . . . . . . . . . . . . . 13
+ 4. Common Issues. . . . . . . . . . . . . . . . . . . . . . . 13
+ 4.1. User Authentication . . . . . . . . . . . . . . . . . 14
+ 4.1.1. Username/Password. . . . . . . . . . . . . . . 14
+ 4.1.2. Challenge Response and One Time Passwords. . . 14
+ 4.1.3. Shared Keys. . . . . . . . . . . . . . . . . . 15
+ 4.1.4. Key Distribution Centers . . . . . . . . . . . 15
+ 4.1.5. Certificates . . . . . . . . . . . . . . . . . 15
+ 4.1.6. Some Uncommon Systems. . . . . . . . . . . . . 15
+ 4.1.7. Host Authentication. . . . . . . . . . . . . . 16
+ 4.2. Generic Security Frameworks . . . . . . . . . . . . . 16
+ 4.3. Non-repudiation . . . . . . . . . . . . . . . . . . . 17
+ 4.4. Authorization vs. Authentication. . . . . . . . . . . 18
+ 4.4.1. Access Control Lists . . . . . . . . . . . . . 18
+ 4.4.2. Certificate Based Systems. . . . . . . . . . . 18
+ 4.5. Providing Traffic Security. . . . . . . . . . . . . . 19
+ 4.5.1. IPsec. . . . . . . . . . . . . . . . . . . . . 19
+ 4.5.2. SSL/TLS. . . . . . . . . . . . . . . . . . . . 20
+ 4.5.3. Remote Login . . . . . . . . . . . . . . . . . 22
+ 4.6. Denial of Service Attacks and Countermeasures . . . . 22
+ 4.6.1. Blind Denial of Service. . . . . . . . . . . . 23
+ 4.6.2. Distributed Denial of Service. . . . . . . . . 23
+ 4.6.3. Avoiding Denial of Service . . . . . . . . . . 24
+ 4.6.4. Example: TCP SYN Floods. . . . . . . . . . . . 24
+ 4.6.5. Example: Photuris. . . . . . . . . . . . . . . 25
+ 4.7. Object vs. Channel Security . . . . . . . . . . . . . 25
+ 4.8. Firewalls and Network Topology. . . . . . . . . . . . 26
+ 5. Writing Security Considerations Sections . . . . . . . . . 26
+ 6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . 28
+ 6.1. SMTP. . . . . . . . . . . . . . . . . . . . . . . . . 29
+ 6.1.1. Security Considerations. . . . . . . . . . . . 29
+ 6.1.2. Communications security issues . . . . . . . . 34
+ 6.1.3. Denial of Service. . . . . . . . . . . . . . . 36
+ 6.2. VRRP. . . . . . . . . . . . . . . . . . . . . . . . . .36
+ 6.2.1. Security Considerations. . . . . . . . . . . . 36
+ 7. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . 38
+ 8. Normative References . . . . . . . . . . . . . . . . . . . 39
+ 9. Informative References . . . . . . . . . . . . . . . . . . 41
+ 10.Security Considerations. . . . . . . . . . . . . . . . . . 42
+ Appendix A. . . . . . . . . . . . . . . . . . . . . . . . . . 43
+
+
+
+Rescorla & Korver Best Current Practice [Page 2]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ Authors' Addresses. . . . . . . . . . . . . . . . . . . . . . 43
+ Full Copyright Statement. . . . . . . . . . . . . . . . . . . 44
+
+1. Introduction
+
+ All RFCs are required by RFC 2223 to contain a Security
+ Considerations section. The purpose of this is both to encourage
+ document authors to consider security in their designs and to inform
+ the reader of relevant security issues. This memo is intended to
+ provide guidance to RFC authors in service of both ends.
+
+ This document is structured in three parts. The first is a
+ combination security tutorial and definition of common terms; the
+ second is a series of guidelines for writing Security Considerations;
+ the third is a series of examples.
+
+1.1. Requirements
+
+ The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in BCP 14, RFC 2119
+ [KEYWORDS].
+
+2. The Goals of Security
+
+ Most people speak of security as if it were a single monolithic
+ property of a protocol or system, however, upon reflection, one
+ realizes that it is clearly not true. Rather, security is a series
+ of related but somewhat independent properties. Not all of these
+ properties are required for every application.
+
+ We can loosely divide security goals into those related to protecting
+ communications (COMMUNICATION SECURITY, also known as COMSEC) and
+ those relating to protecting systems (ADMINISTRATIVE SECURITY or
+ SYSTEM SECURITY). Since communications are carried out by systems
+ and access to systems is through communications channels, these goals
+ obviously interlock, but they can also be independently provided.
+
+2.1. Communication Security
+
+ Different authors partition the goals of communication security
+ differently. The partitioning we've found most useful is to divide
+ them into three major categories: CONFIDENTIALITY, DATA INTEGRITY and
+ PEER ENTITY AUTHENTICATION.
+
+
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 3]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+2.1.1. Confidentiality
+
+ When most people think of security, they think of CONFIDENTIALITY.
+ Confidentiality means that your data is kept secret from unintended
+ listeners. Usually, these listeners are simply eavesdroppers. When
+ an adversary taps your phone, it poses a risk to your
+ confidentiality.
+
+ Obviously, if you have secrets, then you are probably concerned about
+ others discovering them. Thus, at the very least, you want to
+ maintain confidentiality. When you see spies in the movies go into
+ the bathroom and turn on all the water to foil bugging, the property
+ they're looking for is confidentiality.
+
+2.1.2. Data Integrity
+
+ The second primary goal is DATA INTEGRITY. The basic idea here is
+ that we want to make sure that the data we receive is the same data
+ that the sender has sent. In paper-based systems, some data
+ integrity comes automatically. When you receive a letter written in
+ pen you can be fairly certain that no words have been removed by an
+ attacker because pen marks are difficult to remove from paper.
+ However, an attacker could have easily added some marks to the paper
+ and completely changed the meaning of the message. Similarly, it's
+ easy to shorten the page to truncate the message.
+
+ On the other hand, in the electronic world, since all bits look
+ alike, it's trivial to tamper with messages in transit. You simply
+ remove the message from the wire, copy out the parts you like, add
+ whatever data you want, and generate a new message of your choosing,
+ and the recipient is no wiser. This is the moral equivalent of the
+ attacker taking a letter you wrote, buying some new paper and
+ recopying the message, changing it as he does it. It's just a lot
+ easier to do electronically since all bits look alike.
+
+2.1.3. Peer Entity authentication
+
+ The third property we're concerned with is PEER ENTITY
+ AUTHENTICATION. What we mean by this is that we know that one of the
+ endpoints in the communication is the one we intended. Without peer
+ entity authentication, it's very difficult to provide either
+ confidentiality or data integrity. For instance, if we receive a
+ message from Alice, the property of data integrity doesn't do us much
+ good unless we know that it was in fact sent by Alice and not the
+ attacker. Similarly, if we want to send a confidential message to
+ Bob, it's not of much value to us if we're actually sending a
+ confidential message to the attacker.
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 4]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ Note that peer entity authentication can be provided asymmetrically.
+ When you call someone on the phone, you can be fairly certain that
+ you have the right person -- or at least that you got a person who's
+ actually at the phone number you called. On the other hand, if they
+ don't have caller ID, then the receiver of a phone call has no idea
+ who's calling them. Calling someone on the phone is an example of
+ recipient authentication, since you know who the recipient of the
+ call is, but they don't know anything about the sender.
+
+ In messaging situations, you often wish to use peer entity
+ authentication to establish the identity of the sender of a certain
+ message. In such contexts, this property is called DATA ORIGIN
+ AUTHENTICATION.
+
+2.2. Non-Repudiation
+
+ A system that provides endpoint authentication allows one party to be
+ certain of the identity of someone with whom he is communicating.
+ When the system provides data integrity a receiver can be sure of
+ both the sender's identity and that he is receiving the data that
+ that sender meant to send. However, he cannot necessarily
+ demonstrate this fact to a third party. The ability to make this
+ demonstration is called NON-REPUDIATION.
+
+ There are many situations in which non-repudiation is desirable.
+ Consider the situation in which two parties have signed a contract
+ which one party wishes to unilaterally abrogate. He might simply
+ claim that he had never signed it in the first place. Non-
+ repudiation prevents him from doing so, thus protecting the
+ counterparty.
+
+ Unfortunately, non-repudiation can be very difficult to achieve in
+ practice and naive approaches are generally inadequate. Section 4.3
+ describes some of the difficulties, which generally stem from the
+ fact that the interests of the two parties are not aligned -- one
+ party wishes to prove something that the other party wishes to deny.
+
+2.3. Systems Security
+
+ In general, systems security is concerned with protecting one's
+ machines and data. The intent is that machines should be used only
+ by authorized users and for the purposes that the owners intend.
+ Furthermore, they should be available for those purposes. Attackers
+ should not be able to deprive legitimate users of resources.
+
+
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 5]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+2.3.1. Unauthorized Usage
+
+ Most systems are not intended to be completely accessible to the
+ public. Rather, they are intended to be used only by certain
+ authorized individuals. Although many Internet services are
+ available to all Internet users, even those servers generally offer a
+ larger subset of services to specific users. For instance, Web
+ Servers often will serve data to any user, but restrict the ability
+ to modify pages to specific users. Such modifications by the general
+ public would be UNAUTHORIZED USAGE.
+
+2.3.2. Inappropriate Usage
+
+ Being an authorized user does not mean that you have free run of the
+ system. As we said above, some activities are restricted to
+ authorized users, some to specific users, and some activities are
+ generally forbidden to all but administrators. Moreover, even
+ activities which are in general permitted might be forbidden in some
+ cases. For instance, users may be permitted to send email but
+ forbidden from sending files above a certain size, or files which
+ contain viruses. These are examples of INAPPROPRIATE USAGE.
+
+2.3.3. Denial of Service
+
+ Recall that our third goal was that the system should be available to
+ legitimate users. A broad variety of attacks are possible which
+ threaten such usage. Such attacks are collectively referred to as
+ DENIAL OF SERVICE attacks. Denial of service attacks are often very
+ easy to mount and difficult to stop. Many such attacks are designed
+ to consume machine resources, making it difficult or impossible to
+ serve legitimate users. Other attacks cause the target machine to
+ crash, completely denying service to users.
+
+3. The Internet Threat Model
+
+ A THREAT MODEL describes the capabilities that an attacker is assumed
+ to be able to deploy against a resource. It should contain such
+ information as the resources available to an attacker in terms of
+ information, computing capability, and control of the system. The
+ purpose of a threat model is twofold. First, we wish to identify the
+ threats we are concerned with. Second, we wish to rule some threats
+ explicitly out of scope. Nearly every security system is vulnerable
+ to a sufficiently dedicated and resourceful attacker.
+
+ The Internet environment has a fairly well understood threat model.
+ In general, we assume that the end-systems engaging in a protocol
+ exchange have not themselves been compromised. Protecting against an
+ attack when one of the end-systems has been compromised is
+
+
+
+Rescorla & Korver Best Current Practice [Page 6]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ extraordinarily difficult. It is, however, possible to design
+ protocols which minimize the extent of the damage done under these
+ circumstances.
+
+ By contrast, we assume that the attacker has nearly complete control
+ of the communications channel over which the end-systems communicate.
+ This means that the attacker can read any PDU (Protocol Data Unit) on
+ the network and undetectably remove, change, or inject forged packets
+ onto the wire. This includes being able to generate packets that
+ appear to be from a trusted machine. Thus, even if the end-system
+ with which you wish to communicate is itself secure, the Internet
+ environment provides no assurance that packets which claim to be from
+ that system in fact are.
+
+ It's important to realize that the meaning of a PDU is different at
+ different levels. At the IP level, a PDU means an IP packet. At the
+ TCP level, it means a TCP segment. At the application layer, it
+ means some kind of application PDU. For instance, at the level of
+ email, it might either mean an RFC-822 message or a single SMTP
+ command. At the HTTP level, it might mean a request or response.
+
+3.1. Limited Threat Models
+
+ As we've said, a resourceful and dedicated attacker can control the
+ entire communications channel. However, a large number of attacks
+ can be mounted by an attacker with fewer resources. A number of
+ currently known attacks can be mounted by an attacker with limited
+ control of the network. For instance, password sniffing attacks can
+ be mounted by an attacker who can only read arbitrary packets. This
+ is generally referred to as a PASSIVE ATTACK [INTAUTH].
+
+ By contrast, Morris' sequence number guessing attack [SEQNUM] can be
+ mounted by an attacker who can write but not read arbitrary packets.
+ Any attack which requires the attacker to write to the network is
+ known as an ACTIVE ATTACK.
+
+ Thus, a useful way of organizing attacks is to divide them based on
+ the capabilities required to mount the attack. The rest of this
+ section describes these categories and provides some examples of each
+ category.
+
+3.2. Passive Attacks
+
+ In a passive attack, the attacker reads packets off the network but
+ does not write them. The simplest way to mount such an attack is to
+ simply be on the same LAN as the victim. On most common LAN
+ configurations, including Ethernet, 802.3, and FDDI, any machine on
+ the wire can read all traffic destined for any other machine on the
+
+
+
+Rescorla & Korver Best Current Practice [Page 7]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ same LAN. Note that switching hubs make this sort of sniffing
+ substantially more difficult, since traffic destined for a machine
+ only goes to the network segment which that machine is on.
+
+ Similarly, an attacker who has control of a host in the
+ communications path between two victim machines is able to mount a
+ passive attack on their communications. It is also possible to
+ compromise the routing infrastructure to specifically arrange that
+ traffic passes through a compromised machine. This might involve an
+ active attack on the routing infrastructure to facilitate a passive
+ attack on a victim machine.
+
+ Wireless communications channels deserve special consideration,
+ especially with the recent and growing popularity of wireless-based
+ LANs, such as those using 802.11. Since the data is simply broadcast
+ on well known radio frequencies, an attacker simply needs to be able
+ to receive those transmissions. Such channels are especially
+ vulnerable to passive attacks. Although many such channels include
+ cryptographic protection, it is often of such poor quality as to be
+ nearly useless [WEP].
+
+ In general, the goal of a passive attack is to obtain information
+ which the sender and receiver would prefer to remain private. This
+ private information may include credentials useful in the electronic
+ world and/or passwords or credentials useful in the outside world,
+ such as confidential business information.
+
+3.2.1. Confidentiality Violations
+
+ The classic example of passive attack is sniffing some inherently
+ private data off of the wire. For instance, despite the wide
+ availability of SSL, many credit card transactions still traverse the
+ Internet in the clear. An attacker could sniff such a message and
+ recover the credit card number, which can then be used to make
+ fraudulent transactions. Moreover, confidential business information
+ is routinely transmitted over the network in the clear in email.
+
+3.2.2. Password Sniffing
+
+ Another example of a passive attack is PASSWORD SNIFFING. Password
+ sniffing is directed towards obtaining unauthorized use of resources.
+ Many protocols, including [TELNET], [POP], and [NNTP] use a shared
+ password to authenticate the client to the server. Frequently, this
+ password is transmitted from the client to the server in the clear
+ over the communications channel. An attacker who can read this
+ traffic can therefore capture the password and REPLAY it. In other
+ words, the attacker can initiate a connection to the server and pose
+ as the client and login using the captured password.
+
+
+
+Rescorla & Korver Best Current Practice [Page 8]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ Note that although the login phase of the attack is active, the
+ actual password capture phase is passive. Moreover, unless the
+ server checks the originating address of connections, the login phase
+ does not require any special control of the network.
+
+3.2.3. Offline Cryptographic Attacks
+
+ Many cryptographic protocols are subject to OFFLINE ATTACKS. In such
+ a protocol, the attacker recovers data which has been processed using
+ the victim's secret key and then mounts a cryptanalytic attack on
+ that key. Passwords make a particularly vulnerable target because
+ they are typically low entropy. A number of popular password-based
+ challenge response protocols are vulnerable to DICTIONARY ATTACK.
+ The attacker captures a challenge-response pair and then proceeds to
+ try entries from a list of common words (such as a dictionary file)
+ until he finds a password that produces the right response.
+
+ A similar such attack can be mounted on a local network when NIS is
+ used. The Unix password is crypted using a one-way function, but
+ tools exist to break such crypted passwords [KLEIN]. When NIS is
+ used, the crypted password is transmitted over the local network and
+ an attacker can thus sniff the password and attack it.
+
+ Historically, it has also been possible to exploit small operating
+ system security holes to recover the password file using an active
+ attack. These holes can then be bootstrapped into an actual account
+ by using the aforementioned offline password recovery techniques.
+ Thus we combine a low-level active attack with an offline passive
+ attack.
+
+3.3. Active Attacks
+
+ When an attack involves writing data to the network, we refer to this
+ as an ACTIVE ATTACK. When IP is used without IPsec, there is no
+ authentication for the sender address. As a consequence, it's
+ straightforward for an attacker to create a packet with a source
+ address of his choosing. We'll refer to this as a SPOOFING ATTACK.
+
+ Under certain circumstances, such a packet may be screened out by the
+ network. For instance, many packet filtering firewalls screen out
+ all packets with source addresses on the INTERNAL network that arrive
+ on the EXTERNAL interface. Note, however, that this provides no
+ protection against an attacker who is inside the firewall. In
+ general, designers should assume that attackers can forge packets.
+
+
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 9]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ However, the ability to forge packets does not go hand in hand with
+ the ability to receive arbitrary packets. In fact, there are active
+ attacks that involve being able to send forged packets but not
+ receive the responses. We'll refer to these as BLIND ATTACKS.
+
+ Note that not all active attacks require forging addresses. For
+ instance, the TCP SYN denial of service attack [TCPSYN] can be
+ mounted successfully without disguising the sender's address.
+ However, it is common practice to disguise one's address in order to
+ conceal one's identity if an attack is discovered.
+
+ Each protocol is susceptible to specific active attacks, but
+ experience shows that a number of common patterns of attack can be
+ adapted to any given protocol. The next sections describe a number
+ of these patterns and give specific examples of them as applied to
+ known protocols.
+
+3.3.1. Replay Attacks
+
+ In a REPLAY ATTACK, the attacker records a sequence of messages off
+ of the wire and plays them back to the party which originally
+ received them. Note that the attacker does not need to be able to
+ understand the messages. He merely needs to capture and retransmit
+ them.
+
+ For example, consider the case where an S/MIME message is being used
+ to request some service, such as a credit card purchase or a stock
+ trade. An attacker might wish to have the service executed twice, if
+ only to inconvenience the victim. He could capture the message and
+ replay it, even though he can't read it, causing the transaction to
+ be executed twice.
+
+3.3.2. Message Insertion
+
+ In a MESSAGE INSERTION attack, the attacker forges a message with
+ some chosen set of properties and injects it into the network. Often
+ this message will have a forged source address in order to disguise
+ the identity of the attacker.
+
+ For example, a denial-of-service attack can be mounted by inserting a
+ series of spurious TCP SYN packets directed towards the target host.
+ The target host responds with its own SYN and allocates kernel data
+ structures for the new connection. The attacker never completes the
+ 3-way handshake, so the allocated connection endpoints just sit there
+ taking up kernel memory. Typical TCP stack implementations only
+
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 10]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ allow some limited number of connections in this "half-open" state
+ and when this limit is reached, no more connections can be initiated,
+ even from legitimate hosts. Note that this attack is a blind attack,
+ since the attacker does not need to process the victim's SYNs.
+
+3.3.3. Message Deletion
+
+ In a MESSAGE DELETION attack, the attacker removes a message from the
+ wire. Morris' sequence number guessing attack [SEQNUM] often
+ requires a message deletion attack to be performed successfully. In
+ this blind attack, the host whose address is being forged will
+ receive a spurious TCP SYN packet from the host being attacked.
+ Receipt of this SYN packet generates a RST, which would tear the
+ illegitimate connection down. In order to prevent this host from
+ sending a RST so that the attack can be carried out successfully,
+ Morris describes flooding this host to create queue overflows such
+ that the SYN packet is lost and thus never responded to.
+
+3.3.4. Message Modification
+
+ In a MESSAGE MODIFICATION attack, the attacker removes a message from
+ the wire, modifies it, and reinjects it into the network. This sort
+ of attack is particularly useful if the attacker wants to send some
+ of the data in the message but also wants to change some of it.
+
+ Consider the case where the attacker wants to attack an order for
+ goods placed over the Internet. He doesn't have the victim's credit
+ card number so he waits for the victim to place the order and then
+ replaces the delivery address (and possibly the goods description)
+ with his own. Note that this particular attack is known as a CUT-
+ AND-PASTE attack since the attacker cuts the credit card number out
+ of the original message and pastes it into the new message.
+
+ Another interesting example of a cut-and-paste attack is provided by
+ [IPSPPROB]. If IPsec ESP is used without any MAC then it is possible
+ for the attacker to read traffic encrypted for a victim on the same
+ machine. The attacker attaches an IP header corresponding to a port
+ he controls onto the encrypted IP packet. When the packet is
+ received by the host it will automatically be decrypted and forwarded
+ to the attacker's port. Similar techniques can be used to mount a
+ session hijacking attack. Both of these attacks can be avoided by
+ always using message authentication when you use encryption. Note
+ that this attack only works if (1) no MAC check is being used, since
+ this attack generates damaged packets (2) a host-to-host SA is being
+ used, since a user-to-user SA will result in an inconsistency between
+ the port associated with the SA and the target port. If the
+ receiving machine is single-user than this attack is infeasible.
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 11]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+3.3.5. Man-In-The-Middle
+
+ A MAN-IN-THE-MIDDLE attack combines the above techniques in a special
+ form: The attacker subverts the communication stream in order to pose
+ as the sender to receiver and the receiver to the sender:
+
+ What Alice and Bob think:
+ Alice <----------------------------------------------> Bob
+
+ What's happening:
+ Alice <----------------> Attacker <----------------> Bob
+
+ This differs fundamentally from the above forms of attack because it
+ attacks the identity of the communicating parties, rather than the
+ data stream itself. Consequently, many techniques which provide
+ integrity of the communications stream are insufficient to protect
+ against man-in-the-middle attacks.
+
+ Man-in-the-middle attacks are possible whenever a protocol lacks PEER
+ ENTITY AUTHENTICATION. For instance, if an attacker can hijack the
+ client TCP connection during the TCP handshake (perhaps by responding
+ to the client's SYN before the server does), then the attacker can
+ open another connection to the server and begin a man-in-the-middle
+ attack. It is also trivial to mount man-in-the-middle attacks on
+ local networks via ARP spoofing -- the attacker forges an ARP with
+ the victim's IP address and his own MAC address. Tools to mount this
+ sort of attack are readily available.
+
+ Note that it is only necessary to authenticate one side of the
+ transaction in order to prevent man-in-the-middle attacks. In such a
+ situation the the peers can establish an association in which only
+ one peer is authenticated. In such a system, an attacker can
+ initiate an association posing as the unauthenticated peer but cannot
+ transmit or access data being sent on a legitimate connection. This
+ is an acceptable situation in contexts such as Web e-commerce where
+ only the server needs to be authenticated (or the client is
+ independently authenticated via some non-cryptographic mechanism such
+ as a credit card number).
+
+3.4. Topological Issues
+
+ In practice, the assumption that it's equally easy for an attacker to
+ read and generate all packets is false, since the Internet is not
+ fully connected. This has two primary implications.
+
+
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 12]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+3.5. On-path versus off-path
+
+ In order for a datagram to be transmitted from one host to another,
+ it generally must traverse some set of intermediate links and
+ gateways. Such gateways are naturally able to read, modify, or
+ remove any datagram transmitted along that path. This makes it much
+ easier to mount a wide variety of attacks if you are on-path.
+
+ Off-path hosts can, of course, transmit arbitrary datagrams that
+ appear to come from any hosts but cannot necessarily receive
+ datagrams intended for other hosts. Thus, if an attack depends on
+ being able to receive data, off-path hosts must first subvert the
+ topology in order to place themselves on-path. This is by no means
+ impossible but is not necessarily trivial.
+
+ Applications protocol designers MUST NOT assume that all attackers
+ will be off-path. Where possible, protocols SHOULD be designed to
+ resist attacks from attackers who have complete control of the
+ network. However, designers are expected to give more weight to
+ attacks which can be mounted by off-path attackers as well as on-path
+ ones.
+
+3.6. Link-local
+
+ One specialized case of on-path is being on the same link. In some
+ situations, it's desirable to distinguish between hosts who are on
+ the local network and those who are not. The standard technique for
+ this is verifying the IP TTL value [IP]. Since the TTL must be
+ decremented by each forwarder, a protocol can demand that TTL be set
+ to 255 and that all receivers verify the TTL. A receiver then has
+ some reason to believe that conforming packets are from the same
+ link. Note that this technique must be used with care in the
+ presence of tunneling systems, since such systems may pass packets
+ without decrementing TTL.
+
+4. Common Issues
+
+ Although each system's security requirements are unique, certain
+ common requirements appear in a number of protocols. Often, when
+ naive protocol designers are faced with these requirements, they
+ choose an obvious but insecure solution even though better solutions
+ are available. This section describes a number of issues seen in
+ many protocols and the common pieces of security technology that may
+ be useful in addressing them.
+
+
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 13]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+4.1. User Authentication
+
+ Essentially every system which wants to control access to its
+ resources needs some way to authenticate users. A nearly uncountable
+ number of such mechanisms have been designed for this purpose. The
+ next several sections describe some of these techniques.
+
+4.1.1. Username/Password
+
+ The most common access control mechanism is simple USERNAME/PASSWORD
+ The user provides a username and a reusable password to the host
+ which he wishes to use. This system is vulnerable to a simple
+ passive attack where the attacker sniffs the password off the wire
+ and then initiates a new session, presenting the password. This
+ threat can be mitigated by hosting the protocol over an encrypted
+ connection such as TLS or IPSEC. Unprotected (plaintext)
+ username/password systems are not acceptable in IETF standards.
+
+4.1.2. Challenge Response and One Time Passwords
+
+ Systems which desire greater security than USERNAME/PASSWORD often
+ employ either a ONE TIME PASSWORD [OTP] scheme or a CHALLENGE-
+ RESPONSE. In a one time password scheme, the user is provided with a
+ list of passwords, which must be used in sequence, one time each.
+ (Often these passwords are generated from some secret key so the user
+ can simply compute the next password in the sequence.) SecureID and
+ DES Gold are variants of this scheme. In a challenge-response
+ scheme, the host and the user share some secret (which often is
+ represented as a password). In order to authenticate the user, the
+ host presents the user with a (randomly generated) challenge. The
+ user computes some function based on the challenge and the secret and
+ provides that to the host, which verifies it. Often this computation
+ is performed in a handheld device, such as a DES Gold card.
+
+ Both types of scheme provide protection against replay attack, but
+ often still vulnerable to an OFFLINE KEYSEARCH ATTACK (a form of
+ passive attack): As previously mentioned, often the one-time password
+ or response is computed from a shared secret. If the attacker knows
+ the function being used, he can simply try all possible shared
+ secrets until he finds one that produces the right output. This is
+ made easier if the shared secret is a password, in which case he can
+ mount a DICTIONARY ATTACK -- meaning that he tries a list of common
+ words (or strings) rather than just random strings.
+
+ These systems are also often vulnerable to an active attack. Unless
+ communication security is provided for the entire session, the
+ attacker can simply wait until authentication has been performed and
+ hijack the connection.
+
+
+
+Rescorla & Korver Best Current Practice [Page 14]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+4.1.3. Shared Keys
+
+ CHALLENGE-RESPONSE type systems can be made secure against dictionary
+ attack by using randomly generated shared keys instead of user-
+ generated passwords. If the keys are sufficiently large then
+ keysearch attacks become impractical. This approach works best when
+ the keys are configured into the end nodes rather than memorized and
+ typed in by users, since users have trouble remembering sufficiently
+ long keys.
+
+ Like password-based systems, shared key systems suffer from
+ management problems. Each pair of communicating parties must have
+ their own agreed-upon key, which leads to there being a lot of keys.
+
+4.1.4. Key Distribution Centers
+
+ One approach to solving the large number of keys problem is to use an
+ online "trusted third party" that mediates between the authenticating
+ parties. The trusted third party (generally called a a KEY
+ DISTRIBUTION CENTER (KDC)) shares a symmetric key or password with
+ each party in the system. It first contacts the KDC which gives it a
+ TICKET containing a randomly generated symmetric key encrypted under
+ both peer's keys. Since only the proper peers can decrypt the
+ symmetric key the ticket can be used to establish a trusted
+ association. By far the most popular KDC system is Kerberos
+ [KERBEROS].
+
+4.1.5. Certificates
+
+ A simple approach is to have all users have CERTIFICATES [PKIX] which
+ they then use to authenticate in some protocol-specific way, as in
+ [TLS] or [S/MIME]. A certificate is a signed credential binding an
+ entity's identity to its public key. The signer of a certificate is
+ a CERTIFICATE AUTHORITY (CA), whose certificate may itself be signed
+ by some superior CA. In order for this system to work, trust in one
+ or more CAs must be established in an out-of-band fashion. Such CAs
+ are referred to as TRUSTED ROOTS or ROOT CAS. The primary obstacle
+ to this approach in client-server type systems is that it requires
+ clients to have certificates, which can be a deployment problem.
+
+4.1.6. Some Uncommon Systems
+
+ There are ways to do a better job than the schemes mentioned above,
+ but they typically don't add much security unless communications
+ security (at least message integrity) will be employed to secure the
+ connection, because otherwise the attacker can merely hijack the
+ connection after authentication has been performed. A number of
+ protocols ([EKE], [SPEKE], [SRP]) allow one to securely bootstrap a
+
+
+
+Rescorla & Korver Best Current Practice [Page 15]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ user's password into a shared key which can be used as input to a
+ cryptographic protocol. One major obstacle to the deployment of
+ these protocols has been that their Intellectual Property status is
+ extremely unclear. Similarly, the user can authenticate using public
+ key certificates (e.g., S-HTTP client authentication). Typically
+ these methods are used as part of a more complete security protocol.
+
+4.1.7. Host Authentication
+
+ Host authentication presents a special problem. Quite commonly, the
+ addresses of services are presented using a DNS hostname, for
+ instance as a URL [URL]. When requesting such a service, one has to
+ ensure that the entity that one is talking to not only has a
+ certificate but that that certificate corresponds to the expected
+ identity of the server. The important thing to have is a secure
+ binding between the certificate and the expected hostname.
+
+ For instance, it is usually not acceptable for the certificate to
+ contain an identity in the form of an IP address if the request was
+ for a given hostname. This does not provide end-to-end security
+ because the hostname-IP mapping is not secure unless secure name
+ resolution [DNSSEC] is being used. This is a particular problem when
+ the hostname is presented at the application layer but the
+ authentication is performed at some lower layer.
+
+4.2. Generic Security Frameworks
+
+ Providing security functionality in a protocol can be difficult. In
+ addition to the problem of choosing authentication and key
+ establishment mechanisms, one needs to integrate it into a protocol.
+ One response to this problem (embodied in IPsec and TLS) is to create
+ a lower-level security protocol and then insist that new protocols be
+ run over that protocol. Another approach that has recently become
+ popular is to design generic application layer security frameworks.
+ The idea is that you design a protocol that allows you to negotiate
+ various security mechanisms in a pluggable fashion. Application
+ protocol designers then arrange to carry the security protocol PDUs
+ in their application protocol. Examples of such frameworks include
+ GSS-API [GSS] and SASL [SASL].
+
+ The generic framework approach has a number of problems. First, it
+ is highly susceptible to DOWNGRADE ATTACKS. In a downgrade attack,
+ an active attacker tampers with the negotiation in order to force the
+ parties to negotiate weaker protection than they otherwise would.
+ It's possible to include an integrity check after the negotiation and
+ key establishment have both completed, but the strength of this
+ integrity check is necessarily limited to the weakest common
+ algorithm. This problem exists with any negotiation approach, but
+
+
+
+Rescorla & Korver Best Current Practice [Page 16]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ generic frameworks exacerbate it by encouraging the application
+ protocol author to just specify the framework rather than think hard
+ about the appropriate underlying mechanisms, particularly since the
+ mechanisms can very widely in the degree of security offered.
+
+ Another problem is that it's not always obvious how the various
+ security features in the framework interact with the application
+ layer protocol. For instance, SASL can be used merely as an
+ authentication framework -- in which case the SASL exchange occurs
+ but the rest of the connection is unprotected, but can also negotiate
+ traffic protection, such as via GSS, as a mechanism. Knowing under
+ what circumstances traffic protection is optional and which it is
+ required requires thinking about the threat model.
+
+ In general, authentication frameworks are most useful in situations
+ where new protocols are being added to systems with pre-existing
+ legacy authentication systems. A framework allows new installations
+ to provide better authentication while not forcing existing sites
+ completely redo their legacy authentication systems. When the
+ security requirements of a system can be clearly identified and only
+ a few forms of authentication are used, choosing a single security
+ mechanism leads to greater simplicity and predictability. In
+ situations where a framework is to be used, designers SHOULD
+ carefully examine the framework's options and specify only the
+ mechanisms that are appropriate for their particular threat model.
+ If a framework is necessary, designers SHOULD choose one of the
+ established ones instead of designing their own.
+
+4.3. Non-repudiation
+
+ The naive approach to non-repudiation is simply to use public-key
+ digital signatures over the content. The party who wishes to be
+ bound (the SIGNING PARTY) digitally signs the message in question.
+ The counterparty (the RELYING PARTY) can later point to the digital
+ signature as proof that the signing party at one point agreed to the
+ disputed message. Unfortunately, this approach is insufficient.
+
+ The easiest way for the signing party to repudiate the message is by
+ claiming that his private key has been compromised and that some
+ attacker (though not necessarily the relying party) signed the
+ disputed message. In order to defend against this attack the relying
+ party needs to demonstrate that the signing party's key had not been
+ compromised at the time of the signature. This requires substantial
+ infrastructure, including archival storage of certificate revocation
+ information and timestamp servers to establish the time that the
+ message was signed.
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 17]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ Additionally, the relying party might attempt to trick the signing
+ party into signing one message while thinking he's signing another.
+ This problem is particularly severe when the relying party controls
+ the infrastructure that the signing party uses for signing, such as
+ in kiosk situations. In many such situations the signing party's key
+ is kept on a smartcard but the message to be signed is displayed by
+ the relying party.
+
+ All of these complications make non-repudiation a difficult service
+ to deploy in practice.
+
+4.4. Authorization vs. Authentication
+
+ AUTHORIZATION is the process by which one determines whether an
+ authenticated party has permission to access a particular resource or
+ service. Although tightly bound, it is important to realize that
+ authentication and authorization are two separate mechanisms.
+ Perhaps because of this tight coupling, authentication is sometimes
+ mistakenly thought to imply authorization. Authentication simply
+ identifies a party, authorization defines whether they can perform a
+ certain action.
+
+ Authorization necessarily relies on authentication, but
+ authentication alone does not imply authorization. Rather, before
+ granting permission to perform an action, the authorization mechanism
+ must be consulted to determine whether that action is permitted.
+
+4.4.1. Access Control Lists
+
+ One common form of authorization mechanism is an access control list
+ (ACL), which lists users that are permitted access to a resource.
+ Since assigning individual authorization permissions to each resource
+ is tedious, resources are often hierarchically arranged so that the
+ parent resource's ACL is inherited by child resources. This allows
+ administrators to set top level policies and override them when
+ necessary.
+
+4.4.2. Certificate Based Systems
+
+ While the distinction between authentication and authorization is
+ intuitive when using simple authentication mechanisms such as
+ username and password (i.e., everyone understands the difference
+ between the administrator account and a user account), with more
+ complex authentication mechanisms the distinction is sometimes lost.
+
+ With certificates, for instance, presenting a valid signature does
+ not imply authorization. The signature must be backed by a
+ certificate chain that contains a trusted root, and that root must be
+
+
+
+Rescorla & Korver Best Current Practice [Page 18]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ trusted in the given context. For instance, users who possess
+ certificates issued by the Acme MIS CA may have different web access
+ privileges than users who possess certificates issued by the Acme
+ Accounting CA, even though both of these CAs are "trusted" by the
+ Acme web server.
+
+ Mechanisms for enforcing these more complicated properties have not
+ yet been completely explored. One approach is simply to attach
+ policies to ACLs describing what sorts of certificates are trusted.
+ Another approach is to carry that information with the certificate,
+ either as a certificate extension/attribute [PKIX, SPKI] or as a
+ separate "Attribute Certificate".
+
+4.5. Providing Traffic Security
+
+ Securely designed protocols should provide some mechanism for
+ securing (meaning integrity protecting, authenticating, and possibly
+ encrypting) all sensitive traffic. One approach is to secure the
+ protocol itself, as in [DNSSEC], [S/MIME] or [S-HTTP]. Although this
+ provides security which is most fitted to the protocol, it also
+ requires considerable effort to get right.
+
+ Many protocols can be adequately secured using one of the available
+ channel security systems. We'll discuss the two most common, IPsec
+ [AH, ESP] and [TLS].
+
+4.5.1. IPsec
+
+ The IPsec protocols (specifically, AH and ESP) can provide
+ transmission security for all traffic between two hosts. The IPsec
+ protocols support varying granularities of user identification,
+ including for example "IP Subnet", "IP Address", "Fully Qualified
+ Domain Name", and individual user ("Mailbox name"). These varying
+ levels of identification are employed as inputs to access control
+ facilities that are an intrinsic part of IPsec. However, a given
+ IPsec implementation might not support all identity types. In
+ particular, security gateways may not provide user-to-user
+ authentication or have mechanisms to provide that authentication
+ information to applications.
+
+ When AH or ESP is used, the application programmer might not need to
+ do anything (if AH or ESP has been enabled system-wide) or might need
+ to make specific software changes (e.g., adding specific setsockopt()
+ calls) -- depending on the AH or ESP implementation being used.
+ Unfortunately, APIs for controlling IPsec implementations are not yet
+ standardized.
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 19]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ The primary obstacle to using IPsec to secure other protocols is
+ deployment. The major use of IPsec at present is for VPN
+ applications, especially for remote network access. Without
+ extremely tight coordination between security administrators and
+ application developers, VPN usage is not well suited to providing
+ security services for individual applications since it is difficult
+ for such applications to determine what security services have in
+ fact been provided.
+
+ IPsec deployment in host-to-host environments has been slow. Unlike
+ application security systems such as TLS, adding IPsec to a non-IPsec
+ system generally involves changing the operating system, either by
+ modifying with the kernel or installing new drivers. This is a
+ substantially greater undertaking than simply installing a new
+ application. However, recent versions of a number of commodity
+ operating systems include IPsec stacks, so deployment is becoming
+ easier.
+
+ In environments where IPsec is sure to be available, it represents a
+ viable option for protecting application communications traffic. If
+ the traffic to be protected is UDP, IPsec and application-specific
+ object security are the only options. However, designers MUST NOT
+ assume that IPsec will be available. A security policy for a generic
+ application layer protocol SHOULD NOT simply state that IPsec must be
+ used, unless there is some reason to believe that IPsec will be
+ available in the intended deployment environment. In environments
+ where IPsec may not be available and the traffic is solely TCP, TLS
+ is the method of choice, since the application developer can easily
+ ensure its presence by including a TLS implementation in his package.
+
+ In the special-case of IPv6, both AH and ESP are mandatory to
+ implement. Hence, it is reasonable to assume that AH/ESP are already
+ available for IPv6-only protocols or IPv6-only deployments. However,
+ automatic key management (IKE) is not required to implement so
+ protocol designers SHOULD not assume it will be present. [USEIPSEC]
+ provides quite a bit of guidance on when IPsec is a good choice.
+
+4.5.2. SSL/TLS
+
+ Currently, the most common approach is to use SSL or its successor
+ TLS. They provide channel security for a TCP connection at the
+ application level. That is, they run over TCP. SSL implementations
+ typically provide a Berkeley Sockets-like interface for easy
+ programming. The primary issue when designing a protocol solution
+ around TLS is to differentiate between connections protected using
+ TLS and those which are not.
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 20]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ The two primary approaches used have a separate well-known port for
+ TLS connections (e.g., the HTTP over TLS port is 443) [HTTPTLS] or to
+ have a mechanism for negotiating upward from the base protocol to TLS
+ as in [UPGRADE] or [STARTTLS]. When an upward negotiation strategy
+ is used, care must be taken to ensure that an attacker can not force
+ a clear connection when both parties wish to use TLS.
+
+ Note that TLS depends upon a reliable protocol such as TCP or SCTP.
+ This produces two notable difficulties. First, it cannot be used to
+ secure datagram protocols that use UDP. Second, TLS is susceptible
+ to IP layer attacks that IPsec is not. Typically, these attacks take
+ some form of denial of service or connection assassination. For
+ instance, an attacker might forge a TCP RST to shut down SSL
+ connections. TLS has mechanisms to detect truncation attacks but
+ these merely allow the victim to know he is being attacked and do not
+ provide connection survivability in the face of such attacks. By
+ contrast, if IPsec were being used, such a forged RST could be
+ rejected without affecting the TCP connection. If forged RSTs or
+ other such attacks on the TCP connection are a concern, then AH/ESP
+ or the TCP MD5 option [TCPMD5] are the preferred choices.
+
+4.5.2.1. Virtual Hosts
+
+ If the "separate ports" approach to TLS is used, then TLS will be
+ negotiated before any application-layer traffic is sent. This can
+ cause a problem with protocols that use virtual hosts, such as
+ [HTTP], since the server does not know which certificate to offer the
+ client during the TLS handshake. The TLS hostname extension [TLSEXT]
+ can be used to solve this problem, although it is too new to have
+ seen wide deployment.
+
+4.5.2.2. Remote Authentication and TLS
+
+ One difficulty with using TLS is that the server is authenticated via
+ a certificate. This can be inconvenient in environments where
+ previously the only form of authentication was a password shared
+ between client and server. It's tempting to use TLS without an
+ authenticated server (i.e., with anonymous DH or a self-signed RSA
+ certificate) and then authenticate via some challenge-response
+ mechanism such as SASL with CRAM-MD5.
+
+ Unfortunately, this composition of SASL and TLS is less strong than
+ one would expect. It's easy for an active attacker to hijack this
+ connection. The client man-in-the-middles the SSL connection
+ (remember we're not authenticating the server, which is what
+ ordinarily prevents this attack) and then simply proxies the SASL
+ handshake. From then on, it's as if the connection were in the
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 21]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ clear, at least as far as that attacker is concerned. In order to
+ prevent this attack, the client needs to verify the server's
+ certificate.
+
+ However, if the server is authenticated, challenge-response becomes
+ less desirable. If you already have a hardened channel then simple
+ passwords are fine. In fact, they're arguably superior to
+ challenge-response since they do not require that the password be
+ stored in the clear on the server. Thus, compromise of the key file
+ with challenge-response systems is more serious than if simple
+ passwords were used.
+
+ Note that if the client has a certificate than SSL-based client
+ authentication can be used. To make this easier, SASL provides the
+ EXTERNAL mechanism, whereby the SASL client can tell the server
+ "examine the outer channel for my identity". Obviously, this is not
+ subject to the layering attacks described above.
+
+4.5.3. Remote Login
+
+ In some special cases it may be worth providing channel-level
+ security directly in the application rather than using IPSEC or
+ SSL/TLS. One such case is remote terminal security. Characters are
+ typically delivered from client to server one character at a time.
+ Since SSL/TLS and AH/ESP authenticate and encrypt every packet, this
+ can mean a data expansion of 20-fold. The telnet encryption option
+ [ENCOPT] prevents this expansion by foregoing message integrity.
+
+ When using remote terminal service, it's often desirable to securely
+ perform other sorts of communications services. In addition to
+ providing remote login, SSH [SSH] also provides secure port
+ forwarding for arbitrary TCP ports, thus allowing users run arbitrary
+ TCP-based applications over the SSH channel. Note that SSH Port
+ Forwarding can be security issue if it is used improperly to
+ circumvent firewall and improperly expose insecure internal
+ applications to the outside world.
+
+4.6. Denial of Service Attacks and Countermeasures
+
+ Denial of service attacks are all too frequently viewed as an fact of
+ life. One problem is that an attacker can often choose from one of
+ many denial of service attacks to inflict upon a victim, and because
+ most of these attacks cannot be thwarted, common wisdom frequently
+ assumes that there is no point protecting against one kind of denial
+ of service attack when there are many other denial of service attacks
+ that are possible but that cannot be prevented.
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 22]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ However, not all denial of service attacks are equal and more
+ importantly, it is possible to design protocols so that denial of
+ service attacks are made more difficult, if not impractical. Recent
+ SYN flood attacks [TCPSYN] demonstrate both of these properties: SYN
+ flood attacks are so easy, anonymous, and effective that they are
+ more attractive to attackers than other attacks; and because the
+ design of TCP enables this attack.
+
+ Because complete DoS protection is so difficult, security against DoS
+ must be dealt with pragmatically. In particular, some attacks which
+ would be desirable to defend against cannot be defended against
+ economically. The goal should be to manage risk by defending against
+ attacks with sufficiently high ratios of severity to cost of defense.
+ Both severity of attack and cost of defense change as technology
+ changes and therefore so does the set of attacks which should be
+ defended against.
+
+ Authors of internet standards MUST describe which denial of service
+ attacks their protocol is susceptible to. This description MUST
+ include the reasons it was either unreasonable or out of scope to
+ attempt to avoid these denial of service attacks.
+
+4.6.1. Blind Denial of Service
+
+ BLIND denial of service attacks are particularly pernicious. With a
+ blind attack the attacker has a significant advantage. If the
+ attacker must be able to receive traffic from the victim, then he
+ must either subvert the routing fabric or use his own IP address.
+ Either provides an opportunity for the victim to track the attacker
+ and/or filter out his traffic. With a blind attack the attacker can
+ use forged IP addresses, making it extremely difficult for the victim
+ to filter out his packets. The TCP SYN flood attack is an example of
+ a blind attack. Designers should make every attempt possible to
+ prevent blind denial of service attacks.
+
+4.6.2. Distributed Denial of Service
+
+ Even more dangerous are DISTRIBUTED denial of service attacks (DDoS)
+ [DDOS]. In a DDoS the attacker arranges for a number of machines to
+ attack the target machine simultaneously. Usually this is
+ accomplished by infecting a large number of machines with a program
+ that allows remote initiation of attacks. The machines actually
+ performing the attack are called ZOMBIEs and are likely owned by
+ unsuspecting third parties in an entirely different location from the
+ true attacker. DDoS attacks can be very hard to counter because the
+ zombies often appear to be making legitimate protocol requests and
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 23]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ simply crowd out the real users. DDoS attacks can be difficult to
+ thwart, but protocol designers are expected to be cognizant of these
+ forms of attack while designing protocols.
+
+4.6.3. Avoiding Denial of Service
+
+ There are two common approaches to making denial of service attacks
+ more difficult:
+
+4.6.3.1. Make your attacker do more work than you do
+
+ If an attacker consumes more of his resources than yours when
+ launching an attack, attackers with fewer resources than you will be
+ unable to launch effective attacks. One common technique is to
+ require the attacker perform a time-intensive operation, such as a
+ cryptographic operation. Note that an attacker can still mount a
+ denial of service attack if he can muster substantially sufficient
+ CPU power. For instance, this technique would not stop the
+ distributed attacks described in [TCPSYN].
+
+4.6.3.2. Make your attacker prove they can receive data from you
+
+ A blind attack can be subverted by forcing the attacker to prove that
+ they can can receive data from the victim. A common technique is to
+ require that the attacker reply using information that was gained
+ earlier in the message exchange. If this countermeasure is used, the
+ attacker must either use his own address (making him easy to track)
+ or to forge an address which will be routed back along a path that
+ traverses the host from which the attack is being launched.
+
+ Hosts on small subnets are thus useless to the attacker (at least in
+ the context of a spoofing attack) because the attack can be traced
+ back to a subnet (which should be sufficient for locating the
+ attacker) so that anti-attack measures can be put into place (for
+ instance, a boundary router can be configured to drop all traffic
+ from that subnet). A common technique is to require that the
+ attacker reply using information that was gained earlier in the
+ message exchange.
+
+4.6.4. Example: TCP SYN Floods
+
+ TCP/IP is vulnerable to SYN flood attacks (which are described in
+ section 3.3.2) because of the design of the 3-way handshake. First,
+ an attacker can force a victim to consume significant resources (in
+ this case, memory) by sending a single packet. Second, because the
+ attacker can perform this action without ever having received data
+ from the victim, the attack can be performed anonymously (and
+ therefore using a large number of forged source addresses).
+
+
+
+Rescorla & Korver Best Current Practice [Page 24]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+4.6.5. Example: Photuris
+
+ [PHOTURIS] specifies an anti-clogging mechanism that prevents attacks
+ on Photuris that resemble the SYN flood attack. Photuris employs a
+ time-variant secret to generate a "cookie" which is returned to the
+ attacker. This cookie must be returned in subsequent messages for
+ the exchange to progress. The interesting feature is that this
+ cookie can be regenerated by the victim later in the exchange, and
+ thus no state need be retained by the victim until after the attacker
+ has proven that he can receive packets from the victim.
+
+4.7. Object vs. Channel Security
+
+ It's useful to make the conceptual distinction between object
+ security and channel security. Object security refers to security
+ measures which apply to entire data objects. Channel security
+ measures provide a secure channel over which objects may be carried
+ transparently but the channel has no special knowledge about object
+ boundaries.
+
+ Consider the case of an email message. When it's carried over an
+ IPSEC or TLS secured connection, the message is protected during
+ transmission. However, it is unprotected in the receiver's mailbox,
+ and in intermediate spool files along the way. Moreover, since mail
+ servers generally run as a daemon, not a user, authentication of
+ messages generally merely means authentication of the daemon not the
+ user. Finally, since mail transport is hop-by-hop, even if the user
+ authenticates to the first hop relay the authentication can't be
+ safely verified by the receiver.
+
+ By contrast, when an email message is protected with S/MIME or
+ OpenPGP, the entire message is encrypted and integrity protected
+ until it is examined and decrypted by the recipient. It also
+ provides strong authentication of the actual sender, as opposed to
+ the machine the message came from. This is object security.
+ Moreover, the receiver can prove the signed message's authenticity to
+ a third party.
+
+ Note that the difference between object and channel security is a
+ matter of perspective. Object security at one layer of the protocol
+ stack often looks like channel security at the next layer up. So,
+ from the perspective of the IP layer, each packet looks like an
+ individually secured object. But from the perspective of a web
+ client, IPSEC just provides a secure channel.
+
+ The distinction isn't always clear-cut. For example, S-HTTP provides
+ object level security for a single HTTP transaction, but a web page
+ typically consists of multiple HTTP transactions (the base page and
+
+
+
+Rescorla & Korver Best Current Practice [Page 25]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ numerous inline images). Thus, from the perspective of the total web
+ page, this looks rather more like channel security. Object security
+ for a web page would consist of security for the transitive closure
+ of the page and all its embedded content as a single unit.
+
+4.8. Firewalls and Network Topology
+
+ It's common security practice in modern networks to partition the
+ network into external and internal networks using a firewall. The
+ internal network is then assumed to be secure and only limited
+ security measures are used there. The internal portion of such a
+ network is often called a WALLED GARDEN.
+
+ Internet protocol designers cannot safely assume that their protocols
+ will be deployed in such an environment, for three reasons. First,
+ protocols which were originally designed to be deployed in closed
+ environments often are later deployed on the Internet, thus creating
+ serious vulnerabilities.
+
+ Second, networks which appear to be topologically disconnected may
+ not be. One reason may be that the network has been reconfigured to
+ allow access by the outside world. Moreover, firewalls are
+ increasingly passing generic application layer protocols such as
+ [SOAP] or [HTTP]. Network protocols which are based on these generic
+ protocols cannot in general assume that a firewall will protect them.
+ Finally, one of the most serious security threats to systems is from
+ insiders, not outsiders. Since insiders by definition have access to
+ the internal network, topological protections such as firewalls will
+ not protect them.
+
+5. Writing Security Considerations Sections
+
+ While it is not a requirement that any given protocol or system be
+ immune to all forms of attack, it is still necessary for authors to
+ consider as many forms as possible. Part of the purpose of the
+ Security Considerations section is to explain what attacks are out of
+ scope and what countermeasures can be applied to defend against them.
+ In
+
+ There should be a clear description of the kinds of threats on the
+ described protocol or technology. This should be approached as an
+ effort to perform "due diligence" in describing all known or
+ foreseeable risks and threats to potential implementers and users.
+
+
+
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 26]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ Authors MUST describe
+
+ 1. which attacks are out of scope (and why!)
+ 2. which attacks are in-scope
+ 2.1 and the protocol is susceptible to
+ 2.2 and the protocol protects against
+
+ At least the following forms of attack MUST be considered:
+ eavesdropping, replay, message insertion, deletion, modification, and
+ man-in-the-middle. Potential denial of service attacks MUST be
+ identified as well. If the protocol incorporates cryptographic
+ protection mechanisms, it should be clearly indicated which portions
+ of the data are protected and what the protections are (i.e.,
+ integrity only, confidentiality, and/or endpoint authentication,
+ etc.). Some indication should also be given to what sorts of attacks
+ the cryptographic protection is susceptible. Data which should be
+ held secret (keying material, random seeds, etc.) should be clearly
+ labeled.
+
+ If the technology involves authentication, particularly user-host
+ authentication, the security of the authentication method MUST be
+ clearly specified. That is, authors MUST document the assumptions
+ that the security of this authentication method is predicated upon.
+ For instance, in the case of the UNIX username/password login method,
+ a statement to the effect of:
+
+ Authentication in the system is secure only to the extent that it
+ is difficult to guess or obtain a ASCII password that is a maximum
+ of 8 characters long. These passwords can be obtained by sniffing
+ telnet sessions or by running the 'crack' program using the
+ contents of the /etc/passwd file. Attempts to protect against
+ on-line password guessing by (1) disconnecting after several
+ unsuccessful login attempts and (2) waiting between successive
+ password prompts is effective only to the extent that attackers
+ are impatient.
+
+ Because the /etc/passwd file maps usernames to user ids, groups,
+ etc. it must be world readable. In order to permit this usage but
+ make running crack more difficult, the file is often split into
+ /etc/passwd and a 'shadow' password file. The shadow file is not
+ world readable and contains the encrypted password. The regular
+ /etc/passwd file contains a dummy password in its place.
+
+ It is insufficient to simply state that one's protocol should be run
+ over some lower layer security protocol. If a system relies upon
+ lower layer security services for security, the protections those
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 27]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ services are expected to provide MUST be clearly specified. In
+ addition, the resultant properties of the combined system need to be
+ specified.
+
+ Note: In general, the IESG will not approve standards track protocols
+ which do not provide for strong authentication, either internal to
+ the protocol or through tight binding to a lower layer security
+ protocol.
+
+ The threat environment addressed by the Security Considerations
+ section MUST at a minimum include deployment across the global
+ Internet across multiple administrative boundaries without assuming
+ that firewalls are in place, even if only to provide justification
+ for why such consideration is out of scope for the protocol. It is
+ not acceptable to only discuss threats applicable to LANs and ignore
+ the broader threat environment. All IETF standards-track protocols
+ are considered likely to have deployment in the global Internet. In
+ some cases, there might be an Applicability Statement discouraging
+ use of a technology or protocol in a particular environment.
+ Nonetheless, the security issues of broader deployment should be
+ discussed in the document.
+
+ There should be a clear description of the residual risk to the user
+ or operator of that protocol after threat mitigation has been
+ deployed. Such risks might arise from compromise in a related
+ protocol (e.g., IPsec is useless if key management has been
+ compromised), from incorrect implementation, compromise of the
+ security technology used for risk reduction (e.g., a cipher with a
+ 40-bit key), or there might be risks that are not addressed by the
+ protocol specification (e.g., denial of service attacks on an
+ underlying link protocol). Particular care should be taken in
+ situations where the compromise of a single system would compromise
+ an entire protocol. For instance, in general protocol designers
+ assume that end-systems are inviolate and don't worry about physical
+ attack. However, in cases (such as a certificate authority) where
+ compromise of a single system could lead to widespread compromises,
+ it is appropriate to consider systems and physical security as well.
+
+ There should also be some discussion of potential security risks
+ arising from potential misapplications of the protocol or technology
+ described in the RFC. This might be coupled with an Applicability
+ Statement for that RFC.
+
+6. Examples
+
+ This section consists of some example security considerations
+ sections, intended to give the reader a flavor of what's intended by
+ this document.
+
+
+
+Rescorla & Korver Best Current Practice [Page 28]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ The first example is a 'retrospective' example, applying the criteria
+ of this document to an existing widely deployed protocol, SMTP. The
+ second example is a good security considerations section clipped from
+ a current protocol.
+
+6.1. SMTP
+
+ When RFC 821 was written, Security Considerations sections were not
+ required in RFCs, and none is contained in that document. [RFC 2821]
+ updated RFC 821 and added a detailed security considerations section.
+ We reproduce here the Security Considerations section from that
+ document (with new section numbers). Our comments are indented and
+ prefaced with 'NOTE:'. We also add a number of new sections to cover
+ topics we consider important. Those sections are marked with [NEW]
+ in the section header.
+
+6.1.1. Security Considerations
+
+6.1.1.1. Mail Security and Spoofing
+
+ SMTP mail is inherently insecure in that it is feasible for even
+ fairly casual users to negotiate directly with receiving and relaying
+ SMTP servers and create messages that will trick a naive recipient
+ into believing that they came from somewhere else. Constructing such
+ a message so that the "spoofed" behavior cannot be detected by an
+ expert is somewhat more difficult, but not sufficiently so as to be a
+ deterrent to someone who is determined and knowledgeable.
+ Consequently, as knowledge of Internet mail increases, so does the
+ knowledge that SMTP mail inherently cannot be authenticated, or
+ integrity checks provided, at the transport level. Real mail
+ security lies only in end-to-end methods involving the message
+ bodies, such as those which use digital signatures (see [14] and,
+ e.g., PGP [4] or S/MIME [31]).
+
+ NOTE: One bad approach to sender authentication is [IDENT] in
+ which the receiving mail server contacts the alleged sender and
+ asks for the username of the sender. This is a bad idea for a
+ number of reasons, including but not limited to relaying, TCP
+ connection hijacking, and simple lying by the origin server.
+ Aside from the fact that IDENT is of low security value, use of
+ IDENT by receiving sites can lead to operational problems. Many
+ sending sites blackhole IDENT requests, thus causing mail to be
+ held until the receiving server's IDENT request times out.
+
+ Various protocol extensions and configuration options that provide
+ authentication at the transport level (e.g., from an SMTP client to
+ an SMTP server) improve somewhat on the traditional situation
+ described above. However, unless they are accompanied by careful
+
+
+
+Rescorla & Korver Best Current Practice [Page 29]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ handoffs of responsibility in a carefully-designed trust environment,
+ they remain inherently weaker than end-to-end mechanisms which use
+ digitally signed messages rather than depending on the integrity of
+ the transport system.
+
+ Efforts to make it more difficult for users to set envelope return
+ path and header "From" fields to point to valid addresses other than
+ their own are largely misguided: they frustrate legitimate
+ applications in which mail is sent by one user on behalf of another
+ or in which error (or normal) replies should be directed to a special
+ address. (Systems that provide convenient ways for users to alter
+ these fields on a per-message basis should attempt to establish a
+ primary and permanent mailbox address for the user so that Sender
+ fields within the message data can be generated sensibly.)
+
+ This specification does not further address the authentication issues
+ associated with SMTP other than to advocate that useful functionality
+ not be disabled in the hope of providing some small margin of
+ protection against an ignorant user who is trying to fake mail.
+
+ NOTE: We have added additional material on communications security
+ and SMTP in Section 6.1.2 In a final specification, the above text
+ would be edited somewhat to reflect that fact.
+
+6.1.1.2. Blind Copies
+
+ Addresses that do not appear in the message headers may appear in the
+ RCPT commands to an SMTP server for a number of reasons. The two
+ most common involve the use of a mailing address as a "list exploder"
+ (a single address that resolves into multiple addresses) and the
+ appearance of "blind copies". Especially when more than one RCPT
+ command is present, and in order to avoid defeating some of the
+ purpose of these mechanisms, SMTP clients and servers SHOULD NOT copy
+ the full set of RCPT command arguments into the headers, either as
+ part of trace headers or as informational or private-extension
+ headers. Since this rule is often violated in practice, and cannot
+ be enforced, sending SMTP systems that are aware of "bcc" use MAY
+ find it helpful to send each blind copy as a separate message
+ transaction containing only a single RCPT command.
+
+ There is no inherent relationship between either "reverse" (from
+ MAIL, SAML, etc., commands) or "forward" (RCPT) addresses in the SMTP
+ transaction ("envelope") and the addresses in the headers. Receiving
+ systems SHOULD NOT attempt to deduce such relationships and use them
+
+
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 30]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ to alter the headers of the message for delivery. The popular
+ "Apparently-to" header is a violation of this principle as well as a
+ common source of unintended information disclosure and SHOULD NOT be
+ used.
+
+6.1.1.3. VRFY, EXPN, and Security
+
+ As discussed in section 3.5, individual sites may want to disable
+ either or both of VRFY or EXPN for security reasons. As a corollary
+ to the above, implementations that permit this MUST NOT appear to
+ have verified addresses that are not, in fact, verified. If a site
+ disables these commands for security reasons, the SMTP server MUST
+ return a 252 response, rather than a code that could be confused with
+ successful or unsuccessful verification.
+
+ Returning a 250 reply code with the address listed in the VRFY
+ command after having checked it only for syntax violates this rule.
+ Of course, an implementation that "supports" VRFY by always returning
+ 550 whether or not the address is valid is equally not in
+ conformance.
+
+ Within the last few years, the contents of mailing lists have become
+ popular as an address information source for so-called "spammers."
+ The use of EXPN to "harvest" addresses has increased as list
+ administrators have installed protections against inappropriate uses
+ of the lists themselves. Implementations SHOULD still provide
+ support for EXPN, but sites SHOULD carefully evaluate the tradeoffs.
+ As authentication mechanisms are introduced into SMTP, some sites may
+ choose to make EXPN available only to authenticated requesters.
+
+ NOTE: It's not clear that disabling VRFY adds much protection,
+ since it's often possible to discover whether an address is valid
+ using RCPT TO.
+
+6.1.1.4. Information Disclosure in Announcements
+
+ There has been an ongoing debate about the tradeoffs between the
+ debugging advantages of announcing server type and version (and,
+ sometimes, even server domain name) in the greeting response or in
+ response to the HELP command and the disadvantages of exposing
+ information that might be useful in a potential hostile attack. The
+ utility of the debugging information is beyond doubt. Those who
+ argue for making it available point out that it is far better to
+ actually secure an SMTP server rather than hope that trying to
+ conceal known vulnerabilities by hiding the server's precise identity
+ will provide more protection. Sites are encouraged to evaluate the
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 31]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ tradeoff with that issue in mind; implementations are strongly
+ encouraged to minimally provide for making type and version
+ information available in some way to other network hosts.
+
+6.1.1.5. Information Disclosure in Trace Fields
+
+ In some circumstances, such as when mail originates from within a LAN
+ whose hosts are not directly on the public Internet, trace
+ ("Received") fields produced in conformance with this specification
+ may disclose host names and similar information that would not
+ normally be available. This ordinarily does not pose a problem, but
+ sites with special concerns about name disclosure should be aware of
+ it. Also, the optional FOR clause should be supplied with caution or
+ not at all when multiple recipients are involved lest it
+ inadvertently disclose the identities of "blind copy" recipients to
+ others.
+
+6.1.1.6. Information Disclosure in Message Forwarding
+
+ As discussed in section 3.4, use of the 251 or 551 reply codes to
+ identify the replacement address associated with a mailbox may
+ inadvertently disclose sensitive information. Sites that are
+ concerned about those issues should ensure that they select and
+ configure servers appropriately.
+
+6.1.1.7. Scope of Operation of SMTP Servers
+
+ It is a well-established principle that an SMTP server may refuse to
+ accept mail for any operational or technical reason that makes sense
+ to the site providing the server. However, cooperation among sites
+ and installations makes the Internet possible. If sites take
+ excessive advantage of the right to reject traffic, the ubiquity of
+ email availability (one of the strengths of the Internet) will be
+ threatened; considerable care should be taken and balance maintained
+ if a site decides to be selective about the traffic it will accept
+ and process.
+
+ In recent years, use of the relay function through arbitrary sites
+ has been used as part of hostile efforts to hide the actual origins
+ of mail. Some sites have decided to limit the use of the relay
+ function to known or identifiable sources, and implementations SHOULD
+ provide the capability to perform this type of filtering. When mail
+ is rejected for these or other policy reasons, a 550 code SHOULD be
+ used in response to EHLO, MAIL, or RCPT as appropriate.
+
+
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 32]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+6.1.1.8. Inappropriate Usage [NEW]
+
+ SMTP itself provides no protection is provided against unsolicited
+ commercial mass e-mail (aka spam). It is extremely difficult to tell
+ a priori whether a given message is spam or not. From a protocol
+ perspective, spam is indistinguishable from other e-mail -- the
+ distinction is almost entirely social and often quite subtle. (For
+ instance, is a message from a merchant from whom you've purchased
+ items before advertising similar items spam?) SMTP spam-suppression
+ mechanisms are generally limited to identifying known spam senders
+ and either refusing to service them or target them for
+ punishment/disconnection. [RFC-2505] provides extensive guidance on
+ making SMTP servers spam-resistant. We provide a brief discussion of
+ the topic here.
+
+ The primary tool for refusal to service spammers is the blacklist.
+ Some authority such as [MAPS] collects and publishes a list of known
+ spammers. Individual SMTP servers then block the blacklisted
+ offenders (generally by IP address).
+
+ In order to avoid being blacklisted or otherwise identified, spammers
+ often attempt to obscure their identity, either simply by sending a
+ false SMTP identity or by forwarding their mail through an Open Relay
+ -- an SMTP server which will perform mail relaying for any sender.
+ As a consequence, there are now blacklists [ORBS] of open relays as
+ well.
+
+6.1.1.8.1. Closed Relaying [NEW]
+
+ To avoid being used for spam forwarding, many SMTP servers operate as
+ closed relays, providing relaying service only for clients who they
+ can identify. Such relays should generally insist that senders
+ advertise a sending address consistent with their known identity. If
+ the relay is providing service for an identifiable network (such as a
+ corporate network or an ISP's network) then it is sufficient to block
+ all other IP addresses). In other cases, explicit authentication
+ must be used. The two standard choices for this are TLS [STARTTLS]
+ and SASL [SASLSMTP].
+
+6.1.1.8.2. Endpoints [NEW]
+
+ Realistically, SMTP endpoints cannot refuse to deny service to
+ unauthenticated senders. Since the vast majority of senders are
+ unauthenticated, this would break Internet mail interoperability.
+ The exception to this is when the endpoint server should only be
+
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 33]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ receiving mail from some other server which can itself receive
+ unauthenticated messages. For instance, a company might operate a
+ public gateway but configure its internal servers to only talk to the
+ gateway.
+
+6.1.2. Communications security issues [NEW]
+
+ SMTP itself provides no communications security, and therefore a
+ large number of attacks are possible. A passive attack is sufficient
+ to recover the text of messages transmitted with SMTP. No endpoint
+ authentication is provided by the protocol. Sender spoofing is
+ trivial, and therefore forging email messages is trivial. Some
+ implementations do add header lines with hostnames derived through
+ reverse name resolution (which is only secure to the extent that it
+ is difficult to spoof DNS -- not very), although these header lines
+ are normally not displayed to users. Receiver spoofing is also
+ fairly straight-forward, either using TCP connection hijacking or DNS
+ spoofing. Moreover, since email messages often pass through SMTP
+ gateways, all intermediate gateways must be trusted, a condition
+ nearly impossible on the global Internet.
+
+ Several approaches are available for alleviating these threats. In
+ order of increasingly high level in the protocol stack, we have:
+
+ SMTP over IPSEC
+ SMTP/TLS
+ S/MIME and PGP/MIME
+
+6.1.2.1. SMTP over IPSEC [NEW]
+
+ An SMTP connection run over IPSEC can provide confidentiality for the
+ message between the sender and the first hop SMTP gateway, or between
+ any pair of connected SMTP gateways. That is to say, it provides
+ channel security for the SMTP connections. In a situation where the
+ message goes directly from the client to the receiver's gateway, this
+ may provide substantial security (though the receiver must still
+ trust the gateway). Protection is provided against replay attacks,
+ since the data itself is protected and the packets cannot be
+ replayed.
+
+ Endpoint identification is a problem, however, unless the receiver's
+ address can be directly cryptographically authenticated. Sender
+ identification is not generally available, since generally only the
+ sender's machine is authenticated, not the sender himself.
+ Furthermore, the identity of the sender simply appears in the From
+ header of the message, so it is easily spoofable by the sender.
+ Finally, unless the security policy is set extremely strictly, there
+ is also an active downgrade to cleartext attack.
+
+
+
+Rescorla & Korver Best Current Practice [Page 34]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ Another problem with IPsec as a security solution for SMTP is the
+ lack of a standard IPsec API. In order to take advantage of IPsec,
+ applications in general need to be able to instruct the IPsec
+ implementation about their security policies and discover what
+ protection has been applied to their connections. Without a standard
+ API this is very difficult to do portably.
+
+ Implementors of SMTP servers or SMTP administrators MUST NOT assume
+ that IPsec will be available unless they have reason to believe that
+ it will be (such as the existence of preexisting association between
+ two machines). However, it may be a reasonable procedure to attempt
+ to create an IPsec association opportunistically to a peer server
+ when mail is delivered. Note that in cases where IPsec is used to
+ provide a VPN tunnel between two sites, this is of substantial
+ security value, particularly to the extent that confidentiality is
+ provided, subject to the caveats mentioned above. Also see
+ [USEIPSEC] for general guidance on the applicability of IPsec.
+
+6.1.2.2. SMTP/TLS [NEW]
+
+ SMTP can be combined with TLS as described in [STARTTLS]. This
+ provides similar protection to that provided when using IPSEC. Since
+ TLS certificates typically contain the server's host name, recipient
+ authentication may be slightly more obvious, but is still susceptible
+ to DNS spoofing attacks. Notably, common implementations of TLS
+ contain a US exportable (and hence low security) mode. Applications
+ desiring high security should ensure that this mode is disabled.
+ Protection is provided against replay attacks, since the data itself
+ is protected and the packets cannot be replayed. [Note: The
+ Security Considerations section of the SMTP over TLS document is
+ quite good and bears reading as an example of how to do things.]
+
+6.1.2.3. S/MIME and PGP/MIME [NEW]
+
+ S/MIME and PGP/MIME are both message oriented security protocols.
+ They provide object security for individual messages. With various
+ settings, sender and recipient authentication and confidentiality may
+ be provided. More importantly, the identification is not of the
+ sending and receiving machines, but rather of the sender and
+ recipient themselves. (Or, at least, of cryptographic keys
+ corresponding to the sender and recipient.) Consequently, end-to-end
+ security may be obtained. Note, however, that no protection is
+ provided against replay attacks. Note also that S/MIME and PGP/MIME
+ generally provide identifying marks for both sender and receiver.
+ Thus even when confidentiality is provided, traffic analysis is still
+ possible.
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 35]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+6.1.3. Denial of Service [NEW]
+
+ None of these security measures provides any real protection against
+ denial of service. SMTP connections can easily be used to tie up
+ system resources in a number of ways, including excessive port
+ consumption, excessive disk usage (email is typically delivered to
+ disk files), and excessive memory consumption (sendmail, for
+ instance, is fairly large, and typically forks a new process to deal
+ with each message.)
+
+ If transport- or application-layer security is used for SMTP
+ connections, it is possible to mount a variety of attacks on
+ individual connections using forged RSTs or other kinds of packet
+ injection.
+
+6.2. VRRP
+
+ The second example is from VRRP, the Virtual Router Redundance
+ Protocol ([VRRP]). We reproduce here the Security Considerations
+ section from that document (with new section numbers). Our comments
+ are indented and prefaced with 'NOTE:'.
+
+6.2.1. Security Considerations
+
+ VRRP is designed for a range of internetworking environments that may
+ employ different security policies. The protocol includes several
+ authentication methods ranging from no authentication, simple clear
+ text passwords, and strong authentication using IP Authentication
+ with MD5 HMAC. The details on each approach including possible
+ attacks and recommended environments follows.
+
+ Independent of any authentication type VRRP includes a mechanism
+ (setting TTL=255, checking on receipt) that protects against VRRP
+ packets being injected from another remote network. This limits most
+ vulnerabilities to local attacks.
+
+ NOTE: The security measures discussed in the following sections
+ only provide various kinds of authentication. No confidentiality
+ is provided at all. This should be explicitly described as
+ outside the scope.
+
+6.2.1.1. No Authentication
+
+ The use of this authentication type means that VRRP protocol
+ exchanges are not authenticated. This type of authentication SHOULD
+ only be used in environments were there is minimal security risk and
+ little chance for configuration errors (e.g., two VRRP routers on a
+ LAN).
+
+
+
+Rescorla & Korver Best Current Practice [Page 36]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+6.2.1.2. Simple Text Password
+
+ The use of this authentication type means that VRRP protocol
+ exchanges are authenticated by a simple clear text password.
+
+ This type of authentication is useful to protect against accidental
+ misconfiguration of routers on a LAN. It protects against routers
+ inadvertently backing up another router. A new router must first be
+ configured with the correct password before it can run VRRP with
+ another router. This type of authentication does not protect against
+ hostile attacks where the password can be learned by a node snooping
+ VRRP packets on the LAN. The Simple Text Authentication combined
+ with the TTL check makes it difficult for a VRRP packet to be sent
+ from another LAN to disrupt VRRP operation.
+
+ This type of authentication is RECOMMENDED when there is minimal risk
+ of nodes on a LAN actively disrupting VRRP operation. If this type
+ of authentication is used the user should be aware that this clear
+ text password is sent frequently, and therefore should not be the
+ same as any security significant password.
+
+ NOTE: This section should be clearer. The basic point is that no
+ authentication and Simple Text are only useful for a very limited
+ threat model, namely that none of the nodes on the local LAN are
+ hostile. The TTL check prevents hostile nodes off-LAN from posing
+ as valid nodes, but nothing stops hostile nodes on-LAN from
+ impersonating authorized nodes. This is not a particularly
+ realistic threat model in many situations. In particular, it's
+ extremely brittle: the compromise of any node the LAN allows
+ reconfiguration of the VRRP nodes.
+
+6.2.1.3. IP Authentication Header
+
+ The use of this authentication type means the VRRP protocol exchanges
+ are authenticated using the mechanisms defined by the IP
+ Authentication Header [AH] using [HMAC]. This provides strong
+ protection against configuration errors, replay attacks, and packet
+ corruption/modification.
+
+ This type of authentication is RECOMMENDED when there is limited
+ control over the administration of nodes on a LAN. While this type
+ of authentication does protect the operation of VRRP, there are other
+ types of attacks that may be employed on shared media links (e.g.,
+ generation of bogus ARP replies) which are independent from VRRP and
+ are not protected.
+
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 37]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ NOTE: It's a mistake to have AH be a RECOMMENDED in this context.
+ Since AH is the only mechanism that protects VRRP against attack
+ from other nodes on the same LAN, it should be a MUST for cases
+ where there are untrusted nodes on the same network. In any case,
+ AH should be a MUST implement.
+
+ NOTE: There's an important piece of security analysis that's only
+ hinted at in this document, namely the cost/benefit tradeoff of
+ VRRP authentication.
+
+ [The rest of this section is NEW material]
+ The threat that VRRP authentication is intended to prevent is an
+ attacker arranging to be the VRRP master. This would be done by
+ joining the group (probably multiple times), gagging the master and
+ then electing oneself master. Such a node could then direct traffic
+ in arbitrary undesirable ways.
+
+ However, it is not necessary for an attacker to be the VRRP master to
+ do this. An attacker can do similar kinds of damage to the network
+ by forging ARP packets or (on switched networks) fooling the switch
+ VRRP authentication offers no real protection against these attacks.
+
+ Unfortunately, authentication makes VRRP networks very brittle in the
+ face of misconfiguration. Consider what happens if two nodes are
+ configured with different passwords. Each will reject messages from
+ the other and therefore both will attempt to be master. This creates
+ substantial network instability.
+
+ This set of cost/benefit tradeoffs suggests that VRRP authentication
+ is a bad idea, since the incremental security benefit is marginal but
+ the incremental risk is high. This judgment should be revisited if
+ the current set of non-VRRP threats are removed.
+
+7. Acknowledgments
+
+ This document is heavily based on a note written by Ran Atkinson in
+ 1997. That note was written after the IAB Security Workshop held in
+ early 1997, based on input from everyone at that workshop. Some of
+ the specific text above was taken from Ran's original document, and
+ some of that text was taken from an email message written by Fred
+ Baker. The other primary source for this document is specific
+ comments received from Steve Bellovin. Early review of this document
+ was done by Lisa Dusseault and Mark Schertler. Other useful comments
+ were received from Bill Fenner, Ned Freed, Lawrence Greenfield, Steve
+ Kent, Allison Mankin and Kurt Zeilenga.
+
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 38]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+8. Normative References
+
+ [AH] Kent, S. and R. Atkinson, "IP Authentication Header", RFC
+ 2402, November 1998.
+
+ [DNSSEC] Eastlake, D., "Domain Name System Security Extensions",
+ RFC 2535, March 1999.
+
+ [ENCOPT] Tso, T., "Telnet Data Encryption Option", RFC 2946,
+ September, 2000.
+
+ [ESP] Kent, S. and R. Atkinson, "IP Encapsulating Security
+ Payload (ESP)", RFC 2406, November 1998.
+
+ [GSS] Linn, J., "Generic Security Services Application Program
+ Interface Version 2, Update 1", RFC 2743, January 2000.
+
+ [HTTP] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
+ Masinter, L., Leach, P. and T. Berners-Lee, "HyperText
+ Transfer Protocol", RFC 2616, June 1999.
+
+ [HTTPTLS] Rescorla, E., "HTTP over TLS", RFC 2818, May 2000.
+
+ [HMAC] Madson, C. and R. Glenn, "The Use of HMAC-MD5-96 within
+ ESP and AH", RFC 2403, November 1998.
+
+ KERBEROS] Kohl, J. and C. Neuman, "The Kerberos Network
+ Authentication Service (V5)", RFC 1510, September 1993.
+
+ [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
+ Requirement Levels", BCP 14, RFC 2119, March 1997.
+
+ [OTP] Haller, N., Metz, C., Nesser, P. and M. Straw, "A One-Time
+ Password System", STD 61, RFC 2289, February 1998.
+
+ [PHOTURIS] Karn, P. and W. Simpson, "Photuris: Session-Key Management
+ Protocol", RFC 2522, March 1999.
+
+ [PKIX] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet
+ X.509 "Public Key Infrastructure Certificate and
+ Certificate Restoration List (CRL) Profile", RFC 3280,
+ April 2002.
+
+ [RFC-2223] Postel J. and J. Reynolds, "Instructions to RFC Authors",
+ RFC 2223, October 1997.
+
+ [RFC-2505] Lindberg, G., "Anti-Spam Recommendations for SMTP MTAs",
+ BCP 30, RFC 2505, February 1999.
+
+
+
+Rescorla & Korver Best Current Practice [Page 39]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ [RFC-2821] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
+ April 2001.
+
+ [SASL] Myers, J., "Simple Authentication and Security Layer
+ (SASL)", RFC 2222, October 1997.
+
+ [SPKI] Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas,
+ B. and T. Ylonen, "SPKI Certificate Theory", RFC 2693,
+ September 1999.
+
+ [SSH] Ylonen, T., "SSH - Secure Login Connections Over the
+ Internet", 6th USENIX Security Symposium, p. 37-42, July
+ 1996.
+
+ [SASLSMTP] Myers, J., "SMTP Service Extension for Authentication",
+ RFC 2554, March 1999.
+
+ [STARTTLS] Hoffman, P., "SMTP Service Extension for Secure SMTP over
+ Transport Layer Security", RFC 3207, February 2002.
+
+ [S-HTTP] Rescorla, E. and A. Schiffman, "The Secure HyperText
+ Transfer Protocol", RFC 2660, August 1999.
+
+ [S/MIME] Ramsdell, B., Editor, "S/MIME Version 3 Message
+ Specification", RFC 2633, June 1999.
+
+ [TELNET] Postel, J. and J. Reynolds, "Telnet Protocol
+ Specification", STD 8, RFC 854, May 1983.
+
+ [TLS] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
+ RFC 2246, January 1999.
+
+ [TLSEXT] Blake-Wilson, S., Nystrom, M., Hopwood, D. and J.
+ Mikkelsen, "Transport Layer Security (TLS) Extensions",
+ RFC 3546, May 2003.
+
+ [TCPSYN] "TCP SYN Flooding and IP Spoofing Attacks", CERT Advisory
+ CA-1996-21, 19 September 1996, CERT.
+ http://www.cert.org/advisories/CA-1996-21.html
+
+ [UPGRADE] Khare, R. and S. Lawrence, "Upgrading to TLS Within
+ HTTP/1.1", RFC 2817, May 2000.
+
+ [URL] Berners-Lee, T., Masinter, M. and M. McCahill, "Uniform
+ Resource Locators (URL)", RFC 1738, December 1994.
+
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 40]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ [VRRP] Knight, S., Weaver, D., Whipple, D., Hinden, R., Mitzel,
+ D., Hunt, P., Higginson, P., Shand, M. and A. Lindemn,
+ "Virtual Router Redundancy Protocol", RFC 2338, April
+ 1998.
+
+9. Informative References
+
+ [DDOS] "Denial-Of-Service Tools" CERT Advisory CA-1999-17, 28
+ December 1999, CERT http://www.cert.org/advisories/CA-
+ 1999-17.html
+
+ [EKE] Bellovin, S., Merritt, M., "Encrypted Key Exchange:
+ Password-based protocols secure against dictionary
+ attacks", Proceedings of the IEEE Symposium on Research in
+ Security and Privacy, May 1992.
+
+ [IDENT] St. Johns, M. and M. Rose, "Identification Protocol", RFC
+ 1414, February 1993.
+
+ [INTAUTH] Haller, N. and R. Atkinson, "On Internet Authentication",
+ RFC 1704, October 1994.
+
+ [IPSPPROB] Bellovin, S. M., "Problem Areas for the IP Security
+ Protocols", Proceedings of the Sixth Usenix UNIX Security
+ Symposium, July 1996.
+
+ [KLEIN] Klein, D.V., "Foiling the Cracker: A Survey of and
+ Improvements to Password Security", 1990.
+
+ [NNTP] Kantor, B. and P. Lapsley, "Network News Transfer
+ Protocol", RFC 977, February 1986.
+
+ [POP] Myers, J. and M. Rose, "Post Office Protocol - Version 3",
+ STD 53, RFC 1939, May 1996.
+
+ [SEQNUM] Morris, R.T., "A Weakness in the 4.2 BSD UNIX TCP/IP
+ Software", AT&T Bell Laboratories, CSTR 117, 1985.
+
+ [SOAP] Box, D., Ehnebuske, D., Kakivaya, G., Layman, A.,
+ Mendelsoh, N., Nielsen, H., Thatte, S., Winer, D., "Simple
+ Object Access Protocol (SOAP) 1.1", May 2000.
+
+ [SPEKE] Jablon, D., "Strong Password-Only Authenticated Key
+ Exchange", Computer Communication Review, ACM SIGCOMM,
+ vol. 26, no. 5, pp. 5-26, October 1996.
+
+ [SRP] Wu T., "The Secure Remote Password Protocol", ISOC NDSS
+ Symposium, 1998.
+
+
+
+Rescorla & Korver Best Current Practice [Page 41]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+ [USEIPSEC] Bellovin, S., "Guidelines for Mandating the Use of IPsec",
+ Work in Progress.
+
+ [WEP] Borisov, N., Goldberg, I., Wagner, D., "Intercepting
+ Mobile Communications: The Insecurity of 802.11",
+ http://www.isaac.cs.berkeley.edu/isaac/wep-draft.pdf
+
+10. Security Considerations
+
+ This entire document is about security considerations.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 42]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+Appendix A.
+
+ IAB Members at the time of this writing
+
+ Harald Alvestrand
+ Ran Atkinson
+ Rob Austein
+ Fred Baker
+ Leslie Daigle
+ Steve Deering
+ Sally Floyd
+ Ted Hardie
+ Geoff Huston
+ Charlie Kaufman
+ James Kempf
+ Eric Rescorla
+ Mike St. Johns
+
+Authors' Addresses
+
+ Eric Rescorla
+ RTFM, Inc.
+ 2439 Alvin Drive
+ Mountain View, CA 94043
+
+ Phone: (650)-320-8549
+ EMail: ekr@rtfm.com
+
+
+ Brian Korver
+ Xythos Software, Inc.
+ 77 Maiden Lane, 6th Floor
+ San Francisco, CA, 94108
+
+ Phone: (415)-248-3800
+ EMail: briank@xythos.com
+
+
+ Internet Architecture Board
+ IAB
+ EMail: iab@iab.org
+
+
+
+
+
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 43]
+
+RFC 3552 Security Considerations Guidelines July 2003
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2003). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Rescorla & Korver Best Current Practice [Page 44]
+