Draft looks good overall. Some overall comments, then an edited version
cleaning up some typos and confusing phrases here and there.
Network Working Group                                    L. Amini
Internet-Draft                                           IBM Research
Expires: March 31, 2003                                  A. Barbir
                                                         Nortel Networks
                                                         Oskar Batuner
                                                         Independent consultant
                                                         M. Day
                                                         Cisco Systems
                                                         O. Spatscheck
                                                         AT&T Labs
                                                         Kobus van der Merwe
                                                         AT&T Labs
Status of this Memo

This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on March 31, 2003.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.
INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 2

Security Threats for Content Internetworking
draft-ietf-cdi-threat-00.txt
Abstract

Content internetworking (also referred to as content distribution
internetworking, or CDI) is the technology for interconnecting
content networks. The CDI model allows for interconnecting various
Content Networks. The internetworking task requires request routing
and content distribution protocols. This document investigates the
security risks and threats associated with content internetworking.
Proposed remedies are viewed not as design recommendations but more
as illustrations of the nature of threats.
1. Introduction

Content internetworking (CDI) combines the resources of multiple
content networks (CNs) to increase their scale and reach. At the core
of CDI are a request routing system and a distribution system. The
request-routing system (RRS) directs client requests to surrogates
and/or CNs that can best service the request. The internetworking of
CNs is performed through a Content Internetworking Gateway (CIG). The
internetworking distribution system is responsible for moving content
from one Distribution CN to another Distribution CN. Finally, the
accounting infrastructure tracks and collects data on request-routing,
distribution, and delivery functions within the CN. The details of the
CDI model can be found in [1].

The use of CDI - as any new mechanism - introduces new security risks
and threats to the internetworked CNs. Some of these threats are
specific to the CDI model, some are inherited from the CN systems.
This document covers both new and inherited threats, with distinctions
made where appropriate.

The security risks within CDI can be classified along various
dimensions including:

- the source of the threat ("insider" versus "outsider"),
- the level at which the attack occurs (network-level attack versus
  application-level attack),
- the type of harm that results from an attack (harm to content, harm
  to identity, harm to finances),
- the elements of the architecture attacked (e.g., the Distribution
  System, the Request Routing System, the Accounting System, the
  clients, or publishers).
All of these dimensions are considered in this document (some in
greater detail) to develop a complete view of the threat model for
content internetworking. However, this document focuses only on those
threats specific to the content internetworking model. It does not
consider, for example, the following issues:

- The security risks within an individual CN, such as denial of
  service attacks on individual surrogates, are beyond the scope of
  this document.
- Content security issues, such as the integrity of transformations
  or adaptations performed on content, are outside the scope of the
  current work.
- This document does not specify or recommend any particular
  solutions. In some cases, however, potential threat mitigation steps
  are given to help illustrate a given threat.

The remainder of this document is organized as follows. We begin by
describing the CDI Trust Model, and distinguish between "insider" and
"outsider" attacks. Next, we broadly classify attacks as occurring at
the network, content internetworking, or application level, and detail
the resultant type of harm. We refine this list by detailing how the
attacks might be perpetrated on specific components of the CDI
architecture, and potential mitigation steps.

1.1 Conventions used in this document

Key terms in ALL CAPS, except those qualified with explicit citations,
are defined in [1].
2. Content Internetworking Trust Model

Relationships between CNs in the CDI model can be decomposed into
relationships between individual pairs comprising a CONTENT SOURCE and
a CONTENT DESTINATION. The ORIGIN refers to the point at which CONTENT
enters the CDI model, and therefore is a specific type of CONTENT
SOURCE. The trust model utilized within CDI is based on transitive
trust between a CONTENT SOURCE and a CONTENT DESTINATION. The
transitive nature of the trust originates from the need of an ORIGIN
to rely on one or more CONTENT SOURCE - CONTENT DESTINATION pairs to
deliver CONTENT to CLIENTs on the ORIGIN's behalf.
The trust model involves the following parties in trust relationships:

- CONTENT SOURCE and CONTENT DESTINATION
- CONTENT SOURCE and CLIENT
- CONTENT DESTINATION and CLIENT

We will use the term TRUSTED PARTY to refer to a party involved in a
trust relationship.
We begin by classifying security risks into two main categories:
threats from "insiders," and threats from "outsiders." Outsiders are
those entities that have not established a trust relationship within
the content internetworking system. Insiders are TRUSTED PARTIES that
are participating in a trust relationship within the content
internetworking system.

Threats from within the system may be intentional or unintentional.
Intentional threats refer to the ability of a TRUSTED PARTY in a CDI
relationship to mislead, or harm, the party with which it has a trust
relationship. For example, the TRUSTED PARTY, a CONTENT DESTINATION,
might misrepresent the quality or quantity of the service provided to
the trusting party, a CONTENT SOURCE. This is distinct from the case
where a TRUSTED PARTY's system is compromised by an outsider, which is
covered as an "outsider" threat.

Unintentional threats refer to the ability of a TRUSTED PARTY, through
improper implementation or configuration resulting in bad system
behavior, to mislead or harm the party with which it has a trust
relationship.

Content internetworking allows for relationships whose terms and
conditions are partially or completely established outside the context
of the content internetworking protocols, and refers to these
relationships as NEGOTIATED RELATIONSHIPS. Just like trust
relationships established completely within the context of content
internetworking protocols, NEGOTIATED RELATIONSHIPS can result in
intentional or unintentional threats.

Threats from outside the system, or outsiders, may also be intentional
or unintentional. Since unintentional threats from outsiders do not
rely on the trust model, and are not specific to the content
internetworking model, this document considers only outsider threats
that are intentionally perpetrated.

In this document, we will focus on intentional and unintentional
threats from within the system, and intentional threats from outside
the system.
3. Threat classification by architectural level

In this section, we broadly classify threats according to the
architectural level -- network, content internetworking, or
application -- at which the threat occurs. We refer to threats
exploiting design or implementation weaknesses of internetworking and
transport protocols (i.e., layer 3 and below of the TCP/IP protocol
suite) as network-level threats. We refer to threats exploiting
weaknesses in content internetworking protocols as content
internetworking-level threats. We include in content
internetworking-level attacks threats against CONTENT distributed
using CDI-specific protocols. Finally, we refer to threats to
applications that utilize a content internetworking system as
application-level threats.

Where appropriate, the type of harm that can result from an attack is
provided to show the complex interaction between different threats
and/or attacks. For example, harm to content in the form of content
degradation or content substitution might harm the finances of the
content provider, which might in turn harm the finances of the service
provider. A denial of service attack or theft of identity might have a
similar effect on parties involved with CDI.
3.1 Network-level Threats

The content internetworking model comprises CONTENT NETWORKs, which in
turn comprise CONTENT NETWORK ELEMENTs. A CONTENT NETWORK ELEMENT is a
network device that performs at least some of its processing by
examining CONTENT-related parts of network messages. Examples of
CONTENT NETWORK ELEMENTs include CONTENT INTERNETWORKING GATEWAYs
(CIGs) and SURROGATEs.

In IP-based networks, a CONTENT NETWORK ELEMENT is a device whose
processing depends on examining some or all of an IP packet's body. As
such, CONTENT NETWORK ELEMENTs are vulnerable to many types of
network-level attacks. Examples of TCP/IP attacks include IP spoofing
and session stealing. The CERT Coordination Center [2] maintains an
extensive repository of Internet security vulnerabilities.
Harm specific to CONTENT NETWORK ELEMENTs, such as a CIG, achievable
by hijacking a TCP/IP session includes the ability of outsiders to
inject believable content distribution and request routing messages
into the communication between CIG peers. This may lead to the
injection of bogus content or bogus routing information, which may in
turn break the peer-to-peer connection. Any break in the peer-to-peer
communication can have a ripple effect on the request routing system
or the distribution system that could lead to disrupted services to
end users.

CONTENT NETWORK ELEMENTs are also susceptible to a number of security
threats commonly associated with network infrastructure. These threats
include snooping, denial of service, sabotage, vandalism, industrial
espionage, theft of service and inadequate system configuration that
leaves unneeded ports and services open to the public.
3.2 Content Internetworking-level Threats

Content internetworking-level threats generally belong to one or more
of the following categories:

- denial of service
- content distortion
- threats to identity
- threats to privacy
- content theft
- security threats
- threats to finances

In the following subsections we elaborate on these threats and the
potential resultant harm.
3.2.1 Denial of service threats

At the content internetworking level, a denial of service (DoS) threat
can be perpetrated on a number of levels. For example, an attack could
be launched:

- specifically against a CONTENT SOURCE, thereby preventing any
  distribution from taking place;
- against a content set, causing all CNs servicing this content set to
  be affected;
- against all SURROGATEs of a specific CN.

A CONTENT SOURCE distributing streaming content, due to its high
bandwidth nature and, in the case of live streaming, limited injection
points, is likely to be especially vulnerable to DoS threats.

Misuse of a CN may make its facilities unavailable or available only
at reduced functionality. Denial of service attacks can be targeted at
a CN accounting system, distribution system, or request-routing
system.
3.2.1.1. "Complexity threat": both CN and CDI introduce many
components and complex infrastructure. Malfunctioning of these
components and infrastructure may result in DoS.

3.2.1.2. Misconfigured request routing (unintentional or malicious)
may cause request loss or looping and result in DoS.

3.2.1.3. Conflicts between request routing and accounting mechanisms
may create a DoS threat: a CN may refuse to deliver content because
the authorization system treats a valid request as invalid (not coming
from an authorized customer).

3.2.1.4. By redistributing the load between CNs, CDI may cause DoS by
unintentionally overloading one of the CNs. Usually CNs have specific
(proprietary) adaptive mechanisms for load balancing. CDI load
balancing mechanisms may be inadequate, may malfunction, or may be
incompatible with the corresponding CN load balancing.

3.2.1.5. A CN may cause problems in another CN by sending
(unintentionally or with malicious intent) more content than the
advertised capacity permits.

3.2.1.6. Corruption (intentional or unintentional) of security-related
metadata (authentication data) might result in DoS: a CN or CDI may
refuse to perform a legitimate service.

3.2.1.7. False advertisement (unintentional or malicious) of
nonexistent distribution/coverage capacity may result in failure of
several CNs. The same problems may result when advertisement and usage
policy do not reflect dynamic conditions.

3.2.1.8. Incompatible request routing systems may cause problems
resulting in DoS.

3.2.1.9. Peering agreements may be vital for CN functionality. This
makes peering reliability a security issue. CIGs (distribution CIG and
request routing CIG) may introduce a single point of failure. An
attack on (or malfunctioning of) a CIG may result in system
disintegration and DoS for both CNs.
3.2.2 Content distortion threats

3.2.2.1. An attacker may cause a CN to advertise bogus content, e.g.
replacing proper content with bogus content either at the injection
point of the system (CN or CDI) or inside elements of the system (e.g.
surrogates inside the CN).

3.2.2.2. A CN may provide bogus information, e.g. a rogue "CN"
inserting itself in the distribution path between two CNs to monitor
and/or modify the content that they exchange.

3.2.2.3. A CN may advertise the availability of content which it
doesn't have and cannot distribute. This attack can be the result of a
malicious CIG taking over the identity of a legitimate CIG to be able
to inject bogus information into the system, or of a CIG that is
compromised.
3.2.3 Threats to user identity

Identity/authentication threats may result from a third party getting
access to the authentication data of an end user or system component
(surrogate, CIG), where this data permits unauthorized actions to be
performed. Note that the last condition is essential: interception of
the session initiation packets of a replay-resistant secure
authentication protocol does not create such a threat.

Storage of security-related data (user identities, passwords, etc.)
creates an additional security threat.
3.2.4 Threats to privacy

Privacy threats may result in personal user information being made
available to a third party without the user's consent.

3.2.4.1. A CN may inadvertently or maliciously expose private
information (passwords, buying patterns, page views, and credit card
numbers) as it collects it and transmits it from surrogate to origin
and/or publisher.

3.2.4.2. Accounting information transfer may jeopardize privacy.

3.2.4.3. Privacy threats may result from differences in the privacy
policies of Publisher, CN and CDI.

3.2.4.4. Privacy and security threats from crossing jurisdiction
boundaries: transfer and storage of sensitive privacy-related data
(accounting, logs), transfer and storage of (secure) content, and
distribution of content from a different jurisdiction may create a
security threat due to different levels of legal protection.
3.2.5. Legal threats: by extending activities across jurisdiction
boundaries, CN and CDI may unintentionally violate local regulations
(privacy and security policies).

3.2.6 Content theft

Unauthorized access to non-public (secure or non-secure) content. For
secure content such unauthorized access clearly violates the intention
of the security system and usually constitutes content theft (paid
content, proprietary data).

An example of unauthorized access to non-secure content is the
interception of form data in a non-secure transmission or direct
access to a URL that is not supposed to be publicly available.
3.2.7 Security threats

3.2.7.1 Unauthorized access to metadata that is not supposed to be
publicly available. This may include access to logs and accounting
data containing private user information, access to configuration
data that may be used to facilitate future attacks, and so on.

3.2.7.2 Exposure of Security Settings: there may be risks that expose
a client's security settings when content is served from surrogates as
opposed to origin servers. Since the location of the surrogate is
generally transparent to the client, the client may not be aware that
its protections are no longer enforced.

3.2.7.3 Improper enforcement of Security Policy: policy information
regarding the security of the client may not be properly propagated
when requests are directed to surrogates in a CN that is different
from the origin server. Client passwords and personal information may
be less secure.
3.2.8. Improper Carriage of Security Policies

A surrogate may not employ the same security policies and procedures
as the origin server. This may expose the client's private information
to access by unauthorized entities. The same threat may also result if
the legal jurisdiction of the surrogate is different from that of the
origin.

3.2.8.1. Different implementations of security at the Publisher, CN
and CDI level may create security threats.

3.2.8.2. Distribution of content from a different network location may
create a security threat if the client security policy depends on
network location ("Internet Web Content Zone").

3.2.8.3. Transfer and storage of secure content create additional
security threats.

3.2.8.4. The process of propagation of security policy and
security-related data (user identities, passwords, etc.) creates
security threats at both the CN and CDI level.
3.2.9 Threats to finances

Delivery of inaccurate accounting information or malicious distortion
of this information may cause financial harm to all participating
parties.

3.2.9.1 The client may be inappropriately charged for viewing content
that was not successfully accessed or delivered according to some QoS
criteria.

3.2.9.2 If a CN or Publisher is unable to collect or receive correct
accounting information, they may be unable to collect compensation for
services.

3.3 Application-level threats

TBD (this section should include attacks targeting applications that
utilize the content internetworking system).
4. Threats against specific elements of the CDI architecture

In this section, we refine the list of threats by detailing how the
attacks might be perpetrated on specific components of the CDI
architecture. This section is intended to be used as input to specify
the security requirements for the content distribution and request
routing protocols.

Along the dimension of threats against specific elements of the
architecture, threats against the accounting system should also be
noted. A detailed analysis of the threats against the accounting
system can, however, only be done within the framework of a specific
accounting system and is considered outside the scope of this
document.
4.1 Threats to the Content Internetworking Gateway

The CIG is the connecting point for the CNs that are participating in
the CDI model. CIGs from various CNs establish peer-to-peer
relationships in order to exchange content distribution and request
routing information. Threats to the CIG can be perpetrated at all
levels: the network, content internetworking, and application level.

A CIG must be accessible at the network level from many other CIGs.
The CIG is vulnerable to any of the network-level attacks specified in
Section 3.1. The CIG is susceptible to network-level attacks from
outsiders, which may or may not be posing as the CIG of a TRUSTED
PARTY, and from CIGs of TRUSTED PARTIES.
4.2 Threats to Distribution System

Threats to the distribution system from insiders can be intentional or
the result of bad implementation. Outsiders can pose the same threats
if they acquire access to the distribution system. The threats
include:

4.2.1 Advertising of unavailable content.
4.2.2 Advertising of bad metrics that are associated with a given
content.
4.2.3 Delivery of bad content to surrogates in the connected CN.
4.2.4 Using badly formed messages for advertisements.

4.3 Threats to Request Routing System

Threats to the request routing system from insiders or outsiders
include:

4.3.1 Advertising of wrong metrics to force unfair or inaccurate
redirection to a given CN.
4.3.2 Redirection to a CN that does not have the content.
4.3.3 The introduction of loops in the request routing system.
4.3.4 Redirection to an inappropriate surrogate.
4.3.5 Forwarding requests when no forwarding is appropriate.
4.3.6 Failing to forward requests when forwarding is appropriate.
4.3.7 Using badly formed messages for advertisements.
4.3.8 TBD
5. CDI Security Threat Mitigation

The main security issues for the CDI model are focused on the trust
model. Insiders are TRUSTED PARTIES, while outsiders are not.

Threats from outsiders are primarily at the network level. There are
well-known solutions to network-level threats that are practiced in
the industry. In this work, it is recommended that the security of the
CONTENT NETWORK ELEMENTs at the network level be enhanced using
standard techniques and methods that minimize the risks of IP
spoofing, snooping, denial of service and session stealing.
Threats at the content internetworking and application levels can be
mitigated by using strong authentication and encryption techniques.
Therefore, there may be the need to make strong authentication and
encryption a requirement for the CDI model. IPSec and TLS are
solutions for this requirement. Regardless of the choice of protocol,
the solution must scale to accommodate a large number of
interconnected CNs. Furthermore, it is recommended not to send
passwords in the clear.

To mitigate threats from insiders, CDI must implement appropriate
monitoring, signaling, logging, dynamic authorization and verification
mechanisms. The following sections provide more detailed guidelines
for the development of request routing and distribution protocols for
content internetworking.
5.1 Treatment of malformed messages

A malformed message can be the result of a bad implementation or a
consequence of an outside attack on a given CN whereby the attacker
gains access to the peering system. A malformed message is a message
that does not comply with the message format for the distribution (or
request routing) protocol. A malformed message may be a message that
has wrong content attributes in it or a wrong IP footprint. A
malformed IP or IPSec packet is not considered a malformed message.

In the event that a CN detects malformed messages, terminating the
session appears to be the only safe way to handle it. Terminating a
session does not mean terminating the peering relationship. The
session can be restarted after termination. If the problem of
malformed messages persists, the interconnected CNs must verify the
cause of the problem and proceed with a solution.

The treatment of malformed messages is different from the case where a
peer intentionally or unintentionally sends incorrect advertisements
which might lead to incorrect selections. For example, a CN might
incorrectly advertise low load, low cost and good coverage and
therefore attract a large proportion of traffic. This problem can be
somewhat mitigated through filtering of advertisements and local
policies but ultimately comes down to a trust relationship between
peers.
5.2 General Distribution and Request Routing Protocol Requirements

Based on the security threats that are faced by other peer-to-peer
based protocols such as BGP, this section provides some guidelines
that should be used during the design of the request routing and
content distribution protocols.

5.2.1 There should be a mechanism that provides strong protection of
the integrity, freshness and source authenticity of the messages in
the protocol. Techniques such as digital signatures may be used.

5.2.2 There should be a mechanism to validate the authenticity of a
CN_Path value.

5.2.3 There should be a mechanism to use IP-level protection that can
be used to provide connectionless integrity, data origin
authentication, and secure authentication.

5.2.4 There should be a mechanism to protect the peer-to-peer
connection by applying cryptographic protection at the TCP level to
provide connectionless integrity and data origin authentication.
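The following is an added example, not part of this draft, of how a receiving CIG could apply the malformed-message handling of Section 5.1 and the integrity, freshness and CN_Path requirements of 5.2.1 and 5.2.2 to advertisements from a peer. The message layout (a JSON object with seq, ts, cn_path, content, load and mac), the use of HMAC-SHA256 with a per-session shared secret in place of a digital signature, and the convention that cn_path lists the nearest peer first are all assumptions of the example.

```python
"""Inbound advertisement validation for one CIG peering session (added example).
Assumed format, not from the draft: a JSON object with seq, ts, cn_path, content,
load and a "mac"; HMAC-SHA256 over the canonical body stands in for the 5.2.1
digital signature, keyed with a secret the two peers share for the session."""
import hashlib
import hmac
import json

# Field -> accepted type(s) for a well-formed advertisement (assumed format).
REQUIRED_FIELDS = {
    "seq": int,            # strictly increasing per session (freshness)
    "ts": (int, float),    # sender timestamp in seconds (freshness)
    "cn_path": list,       # CN ids traversed, nearest peer first (cf. BGP AS_PATH)
    "content": str,        # content set being advertised
    "load": (int, float),  # advertised load, 0..100
}

def canonical(body: dict) -> bytes:
    """Deterministic encoding so sender and receiver MAC identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(body: dict, key: bytes) -> dict:
    """Attach a MAC to an outgoing advertisement."""
    return {**body, "mac": hmac.new(key, canonical(body), hashlib.sha256).hexdigest()}

def format_error(body: dict):
    """Return why the body is malformed per 5.1, or None if it is well formed."""
    for name, types in REQUIRED_FIELDS.items():
        if name not in body or not isinstance(body[name], types):
            return f"field {name!r} missing or wrong type"
    if not body["cn_path"] or not all(isinstance(h, str) for h in body["cn_path"]):
        return "cn_path must be a non-empty list of CN ids"
    if not 0 <= body["load"] <= 100:
        return "load outside 0..100"
    return None

class PeerSession:
    """One session with a peer CIG; the peering relationship outlives a terminated session (5.1)."""

    def __init__(self, key: bytes, peer_id: str, self_id: str, max_skew: float = 30.0):
        self.key, self.peer_id, self.self_id = key, peer_id, self_id
        self.max_skew = max_skew  # tolerated clock difference in seconds
        self.last_seq = -1
        self.open = True

    def accept(self, msg, now: float):
        """Return (accepted, reason). Authenticity is checked before any state change."""
        if not self.open:
            return False, "session closed"
        # 5.2.1 integrity and source authenticity: an outsider without the key
        # is rejected here and cannot force a session teardown.
        if not isinstance(msg, dict) or not isinstance(msg.get("mac"), str):
            return False, "unauthenticated"
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad mac"
        # 5.1: a malformed message from an authenticated peer ends the session.
        err = format_error(body)
        if err is not None:
            self.open = False
            return False, f"malformed, session terminated: {err}"
        # 5.2.1 freshness: strictly increasing seq and bounded clock skew.
        if body["seq"] <= self.last_seq:
            return False, "replayed or reordered seq"
        if abs(now - body["ts"]) > self.max_skew:
            return False, "stale timestamp"
        # 5.2.2 CN_Path: starts at the peer we share the key with, no loop (4.3.3).
        if body["cn_path"][0] != self.peer_id:
            return False, "cn_path does not start at peer"
        if self.self_id in body["cn_path"]:
            return False, "cn_path loop"
        self.last_seq = body["seq"]
        return True, "ok"
```

A session closed by a malformed message is replaced by a fresh PeerSession once the peers have established the cause, which keeps the peering relationship itself intact as Section 5.1 requires.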
References

[1] Day, M., Cain, B. and G. Tomlinson, "A Model for Content
Distribution Internetworking", January 2001.

[2] CERT Coordination Center (CERT/CC).
http://www.cert.org/nav/index_main.html