[Docs] [txt|pdf] [Tracker] [Email] [Nits]

Versions: 00

RMT (TBD)                                                 Brian. Adamson
Internet-Draft                                 Naval Research Laboratory
Intended status: Informational                             Vincent. Roca
Expires: April 7, 2007                                             INRIA
                                                         October 4, 2006


  Security and Reliable Multicast Transport Protocols: Discussions and
                               Guidelines
                  draft-adamson-roca-rmtsec-issues-00

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 7, 2007.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes some security risks of the Reliable Multicast
   Transport (RMT) Working Group set of building blocks and protocols.
   An emphasis is placed on risks that might be resolved in the scope of
   transport protocol design.  However, relevant security issues related
   to IP Multicast control-plane and other concerns not strictly within
   the scope of reliable transport protocol design are also discussed.



Adamson & Roca            Expires April 7, 2007                 [Page 1]


Internet-Draft         Security and RMT Protocols           October 2006


   The document also begins an exploration of approaches that could be
   embraced to mitigate these risks.  The purpose of this document is to
   provide a consolidated security discussion and provide a basis for
   further discussion and potential resolution of any significant
   security issues that may exist in the current set of RMT standards.


Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  4
   2.  Quick Introduction to RMT Protocols and their Use  . . . . . .  5
     2.1.  The Two Families of CDP  . . . . . . . . . . . . . . . . .  5
     2.2.  RMT Protocol Specificities . . . . . . . . . . . . . . . .  5
     2.3.  Target Use Case Specificities  . . . . . . . . . . . . . .  6
   3.  Known Security Threats . . . . . . . . . . . . . . . . . . . .  7
     3.1.  Control-Plane Attacks  . . . . . . . . . . . . . . . . . .  8
       3.1.1.  Control Plane Monitoring . . . . . . . . . . . . . . .  8
       3.1.2.  Unauthorized (or Malicious) Group Membership . . . . .  8
     3.2.  Data-Plane Attacks . . . . . . . . . . . . . . . . . . . .  9
       3.2.1.  Rogue Traffic Generation . . . . . . . . . . . . . . .  9
       3.2.2.  Sender Message Spoofing  . . . . . . . . . . . . . . . 10
       3.2.3.  Receiver Message Spoofing  . . . . . . . . . . . . . . 10
       3.2.4.  Replay Attacks . . . . . . . . . . . . . . . . . . . . 11
   4.  General Security Goals . . . . . . . . . . . . . . . . . . . . 12
     4.1.  Network Protection . . . . . . . . . . . . . . . . . . . . 12
     4.2.  Protocol Protection  . . . . . . . . . . . . . . . . . . . 13
     4.3.  Content Protection . . . . . . . . . . . . . . . . . . . . 13
   5.  Elementary Security Services . . . . . . . . . . . . . . . . . 13
   6.  Technological Building Blocks  . . . . . . . . . . . . . . . . 15
     6.1.  IPsec  . . . . . . . . . . . . . . . . . . . . . . . . . . 15
       6.1.1.  Benefits . . . . . . . . . . . . . . . . . . . . . . . 15
       6.1.2.  Requirements . . . . . . . . . . . . . . . . . . . . . 15
       6.1.3.  Limitations  . . . . . . . . . . . . . . . . . . . . . 16
     6.2.  TESLA  . . . . . . . . . . . . . . . . . . . . . . . . . . 16
       6.2.1.  Benefits . . . . . . . . . . . . . . . . . . . . . . . 16
       6.2.2.  Requirements . . . . . . . . . . . . . . . . . . . . . 16
       6.2.3.  Limitations  . . . . . . . . . . . . . . . . . . . . . 17
     6.3.  SSM Multicast Routing  . . . . . . . . . . . . . . . . . . 17
       6.3.1.  Benefits . . . . . . . . . . . . . . . . . . . . . . . 17
       6.3.2.  Requirements . . . . . . . . . . . . . . . . . . . . . 17
       6.3.3.  Limitations  . . . . . . . . . . . . . . . . . . . . . 17
   7.  Global Security Infrastructure . . . . . . . . . . . . . . . . 17
     7.1.  Public Key Infrastructure  . . . . . . . . . . . . . . . . 18
       7.1.1.  Benefits . . . . . . . . . . . . . . . . . . . . . . . 18
       7.1.2.  Requirements . . . . . . . . . . . . . . . . . . . . . 18
       7.1.3.  Limitations  . . . . . . . . . . . . . . . . . . . . . 18
     7.2.  Group Key Management and Re-keying Protocols . . . . . . . 18
       7.2.1.  Benefits . . . . . . . . . . . . . . . . . . . . . . . 18



Adamson & Roca            Expires April 7, 2007                 [Page 2]


Internet-Draft         Security and RMT Protocols           October 2006


       7.2.2.  Requirements . . . . . . . . . . . . . . . . . . . . . 18
       7.2.3.  Limitations  . . . . . . . . . . . . . . . . . . . . . 18
   8.  New Threats Introduced by the Security Scheme Itself . . . . . 18
   9.  Consequences for the RMT and MSEC Working Group  . . . . . . . 18
     9.1.  RMT Transport Message Security Encapsulation Header  . . . 18
   10. Security Considerations  . . . . . . . . . . . . . . . . . . . 19
   11. Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 19
   12. Normative References . . . . . . . . . . . . . . . . . . . . . 19
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20
   Intellectual Property and Copyright Statements . . . . . . . . . . 21









































Adamson & Roca            Expires April 7, 2007                 [Page 3]


Internet-Draft         Security and RMT Protocols           October 2006


1.  Introduction

   The Reliable Multicast Transport (RMT) Working Group has produced a
   set of building blocks (BB) and protocol instantiation (PI)
   specifications for reliable multicast data transport.  The two PIs
   defined within the scope of RMT: ALC
   [RFC3450][draft-ietf-rmt-pi-alc-revised-03] and NORM [RFC3940], as
   well as the FLUTE application [RFC3926] built on top of ALC, are
   "Content Delivery Protocols" (CDP).  In this document the term CDP
   will refer indifferently to either ALC or NORM, with their associated
   BBs.

   The use of these BBs and PIs raises new security risks.  For
   instance, these protocols share a novel set of Forward Error
   Correction (FEC) and congestion control building blocks that present
   some new capabilities for Internet transport, but may also pose some
   new security risks.  Yet some security risks are not related to the
   particular BBs used by the PIs, but are more general.  Reliable
   multicast transport sessions are expected to involve at least one
   sender and multiple receivers.  Thus, the risk of and avenues to
   attack are implicitly greater than that of point-to-point (unicast)
   transport sessions.  Also the nature of IP multicast can expose other
   coexistent network flows and services to risk if malicious users
   exploit it.  The classic any-source multicast (ASM) model of
   multicast routing allows any host to join an IP multicast group and
   send traffic to that group.  This poses many potential security
   challenges.  And, while the emerging single-source multicast (SSM)
   model that allows only a single sender to send traffic to a group
   simplifies some challenges, there remain some specific issues.  For
   instance, possible areas of attack include those against the control
   plane where malicious hosts join IP multicast groups to cause
   multicast traffic to be directed to parts of the network where it is
   not needed or desired.  This can indirectly cause denial-of-service
   (DoS) to other network flows.  Also, attackers may transmit erroneous
   or corrupt messages to the group or employ strategies such as replay
   attack within the "data plane" of protocol operation.

   The goals of this document are therefore:

   1.  to define the possible general security goals.  Defining what we
       want to protect, i.e. the network itself, and/or the protocol,
       and/or the content, is the first step.

   2.  to list the possible elementary security services that will make
       it possible to fullfil the general security goals.  Some of these
       services are generic (e.g. object and/or packet integrity), while
       others are specific to RMT protocols (e.g. congestion control
       specific security schemes).



Adamson & Roca            Expires April 7, 2007                 [Page 4]


Internet-Draft         Security and RMT Protocols           October 2006


   3.  to list some technological building blocks and solutions that can
       provide the desired security services.

   4.  last but not least, to highlight the CDP specificities that will
       impact security and define some use-cases.  Indeed, the set of
       solutions proposed to fulfill the security goals will greatly be
       impacted by the target use case.

   In some cases, the existing RMT documents already discuss the risks
   and outline approaches to solve them, at least partially.  The
   purpose of this document is to consolidate this content and provide a
   basis for further discussion and potential resolution of any
   significant security issues that may exist.


2.  Quick Introduction to RMT Protocols and their Use

2.1.  The Two Families of CDP

   TODO: a quick introduction to the two families of solutions: ALC/LCT
   and NORM.

2.2.  RMT Protocol Specificities

   This section focuses on the RMT protocol specificities that will
   impact the choice of the technological building blocks, and the way
   they can be applied.

   Both ALC and NORM have been designed with scalability in mind (in
   terms of the number of receivers).  Yet if ALC targets massively
   scalable sessions (e.g. with millions of receivers), NORM is less
   ambitious, essentially because of the use of feedback messages to the
   source.  Ideally, the use of security mechanisms should not break
   this scalability feature.

   The ALC and NORM protocols differ in the communication paths:

   o  sender to receivers: ALC and NORM, for bulk data transfer and
      signaling messages;

   o  receivers to sender: NORM only, for feedback messages;

   o  receivers to receivers: NORM only for control messages;

   But the fact that ALC is capable of working on top of purely
   unidirectional networks does not mean that no back-channel will be
   available (see Section 2.3).




Adamson & Roca            Expires April 7, 2007                 [Page 5]


Internet-Draft         Security and RMT Protocols           October 2006


   ALC defines an on-demand content delivery model where receivers can
   arrive at any time, at their own discretion, download the content and
   leave the session.  This delivery model is not supported by NORM The
   push and streaming content delivery models are supported by both ALC
   and NORM.

2.3.  Target Use Case Specificities

   This section focuses on the target use cases and their specificities.
   These specificities will impact both the choice of the technological
   building blocks and the way they can be applied.  One can distinguish
   the following use case features:

   o  Purely unidirectional transport versus symmetric bidirectional
      transport versus asymmetric bidirectional transport.  Most of the
      time, the amount of traffic flowing to the source is limited, and
      one can overlook whether the transport channel is symmetric or
      not.  The nature of the underlying transport channel is of
      paramount importance, since many security building blocks will
      require a bidirectional communication;

   o  Massively scalable versus moderately scalable session.  Here we do
      not define precisely what the terms "massively scalable" and
      "moderately scalable" mean.

   o  Known set of receivers versus unknown set of receivers: does the
      source know at any point of time the set of receivers or not?  Of
      course, knowing the set of receivers is usually not compatible
      with massively scalable sessions;

   o  Dynamic set of receivers versus fixed set of receivers: does the
      source know at some point of time the maximum set of receivers or
      will it evolve dynamically?  In case of a dynamic set of
      receivers, the source might desire to provide

   o  High rate data flow versus small rate data flow: some security
      building blocks are CPU intensive and are therefore incompatible
      with high data rate sessions (e.g. this is the case of solutions
      that digitally sign all the packets sent).

   o  Protocol stack available at both ends: a solution that requires
      some non-usual features within the protocol stack will not always
      be usable.  Some target environments (e.g. embedded systems) only
      provide a minimum set of features and extending them (e.g. to add
      IPsec) is not necessarily realistic;

   o  Multicast routing other layer-3 protocols in use: for instance,
      SSM multicast routing is often seen as one of the key service to



Adamson & Roca            Expires April 7, 2007                 [Page 6]


Internet-Draft         Security and RMT Protocols           October 2006


      improve the security within multicast sessions, and some security
      building blocks require specialized versions of layer-3 protocols
      (e.g.  IGMP/MLD with security extensions).  Depending on the
      target use case, these assumptions might or not be realistic;

   o  (TBD) more items?

   Depending on the target goal and the associated security building
   block used, other features, related to the use case, might be of
   importance.  For instance TESLA requires a loose time synchronization
   between the source and the receivers.  Several possibilities exist to
   that purpose, some of them being only feasible if the target use case
   provide the appropriate features.


3.  Known Security Threats

   Reliable multicast transport sessions are expected to involve at
   least one sender and multiple receivers.  Thus, the risk of and
   avenues to attack are implicitly greater than that of point-to-point
   (unicast) transport sessions.  Also the nature of IP multicast can
   expose other coexistent network flows and services to risk if
   malicious users exploit it.  The classic any-source multicast (ASM)
   model of multicast routing allows any host to join an IP multicast
   group and send traffic to that group.  This poses many potential
   security challenges.  And, while the emerging single-source multicast
   (SSM) model that allows only a single sender to send traffic to a
   group simplifies some challenges, there remain some specific issues
   with respect to adopting standard Internet security mechanisms such
   as IPSec[RFC2401].  Possible areas of attack include those against
   the control plane where malicious hosts join IP multicast groups to
   cause multicast traffic to be directed to parts of the network where
   it is not needed or desired.  This can indirectly cause denial-of-
   service (DoS) to other network flows.  Also, attackers may transmit
   erroneous or corrupt messages to the group or employ strategies such
   as replay attack within the "data plane" of protocol operation.

   CDP integrate several BBs.  The TCP-Friendly Multicast Congestion
   Control (TFMCC) [RFC4654] building block specifies protocol
   mechanisms where senders and receivers exchange messages to manage
   sender transmission rate.

   The IP architecture provides common access to notional control and
   data planes to both end and intermediate systems.  For the purposes
   of discussion here, the "control plane" mechanisms are considered
   those with message exchanges between end systems (typically
   computers) and intermediate systems (typically routers) and while the
   "data plane" encompasses messages exchanged among end systems,



Adamson & Roca            Expires April 7, 2007                 [Page 7]


Internet-Draft         Security and RMT Protocols           October 2006


   usually pertaining to the transfer of application data.

3.1.  Control-Plane Attacks

   While control-plane attacks may be considered outside of the scope of
   the transport protocol specfications discussed here, it is important
   to understand the potential impact of such attacks with respect to
   the deployment and operation of these protocols.  For example,
   awareness of possible IP Multicast control-plane manipulation that
   can lead to unauthorized (or unexpected) monitoring of data plane
   traffic by malicious users may lead a transport application or
   protocol implementation to support encryption to ensure data
   confidentiality and/or privacy.  Also, these types of attack also
   have bearing on assessing the real risks of potentially more complex
   attacks against the transport mechanisms themselves.  In some cases,
   the solutions to these control-plane risk areas may reduce the impact
   or possibility of some data-plane attacks that are discussed in this
   document.

3.1.1.  Control Plane Monitoring

   While this may not be a direct attack on the transport system, it may
   be possible for an attacker to gain useful information in advancing
   attack goals by monitoring IP Multicast control plane traffic
   including group membership and multicast routing information.
   Indentification of hosts and/or routers participating in specific
   multicast groups may readily identify systems vulnerable to protocol-
   specific exploitation.  And, with regards to user privacy concerns,
   such "side information" may be relevant to this emerging aspect of
   network security.

3.1.2.  Unauthorized (or Malicious) Group Membership

   One of the simplest attacks is that where a malicious host joins an
   IP multicast group so that potentially unwanted traffic is routed to
   the host's network interface.  This type of attack can turn a
   legitimate source of IP traffic into a "attacker" without requiring
   any access privileges to the source host or routers involved.  This
   type of attack can be used for denial-of-service purposes or for the
   real attacker (the malicious joiner) to gain access to the
   information content being sent.  Similarly, some routing protocols
   may permit any sender (whether joined to the specific group or not)
   to transmit messages to a multicast group.

   It is possible that malicious hosts could also spoof IGMP messages,
   joining groups posing as legitimate hosts (or spoof source traffic
   from legitimate hosts).  This may be done at intermediate locations
   in the network or by hosts co-resident with the authorized hosts on



Adamson & Roca            Expires April 7, 2007                 [Page 8]


Internet-Draft         Security and RMT Protocols           October 2006


   local area networks.  Such spoofing could be done by raw packet
   generation or with replay of previously-recorded control messages.
   For the sake of completeness, it should be noted that multicast
   routing protocol control messaging may be subject to similar threats
   if insufficient protocol security mechanisms are enabled in the
   routing infrastructure.

   The presence of these types of attack may necessitate that policy-
   based controls be emplaced in routers to limit the distribution
   (including transmission and reception) of multicast traffic (on a
   group-wise and/or traffic volume basis) to different parts of the
   network.  Such policy-based controls are beyond the scope of the RMT
   protocol specifications.  However, such network protection mechanisms
   may reduce the opportunities for or effectiveness of of some of the
   data-plane attacks discussed later.  For example, reverse-path checks
   can significantly limit opportunities for attackers to conduct replay
   attacks when hosts actually do use IPSec.  Also, future IP Multicast
   control protocols may wish to consider providing security mechanism
   to prevent unauthorized monitoring or manipulation of messages
   related to group membership, routing, and activity.

3.2.  Data-Plane Attacks

   This section discusses some types of active attacks that might be
   conducted "in-band" with respect to the reliable multicast transport
   protocol operating within the data plane of network data transfer.
   The passive attack of unauthorized data-plan monitoring is discussed
   above since such activity might be made possible by the
   vulnerabilities of the IP Multicast control plane.  To cover the two
   classes of RMT protocols, the active data-plane attacks are
   categorized as 1) those where the attacker generates messages posing
   as a data sender, and 2) those where the attacker generates messages
   posing as a receiver providing feedback to the sender(s) or group.
   Additionally, a common threat to protocol operation is that of brute-
   force, rogue packet generation.  This is discussed briefly below, but
   the more subtle attacks that might be conducted are given more
   attention as those fall within the scope of the RMT transport
   protocol design.  Additionally, special consideration is given to
   that of the "replay attack" [see Section 3.2.4], as it can be applied
   across these different categories.

3.2.1.  Rogue Traffic Generation

   If an attacker is able to successfully inject packets into the
   multicast distribution tree, the most obvious denial-of-service
   attack is for the attacker to generate a large volume of apparently
   authenticate (when authentication mechanisms are used, a "replay"
   attack strategy might be used and this is discussed in more in detail



Adamson & Roca            Expires April 7, 2007                 [Page 9]


Internet-Draft         Security and RMT Protocols           October 2006


   in ) traffic.  The impact of this type of attack can be significant
   since the potential for routers to relay the traffic to multiple
   portions of a networks (as compared to a single unicast routing
   path).  However, other than the amplified negative impact to the
   network, this type of attack is no different than what is possible
   with rogue unicast packet generation and similar measures used to
   protect the network from such attacks could be used to contain this
   type of brute-force attack.  Of course, the pragmatic question of
   whether current implementations of such protection mechanisms support
   IP Multicast should be considered.

3.2.2.  Sender Message Spoofing

   These types of attacks are applicable to both general types of RMT
   protocols (e.g., ALC (sender-only transmission) and NORM (sender-
   receiver exhanges)).  Without an authentication mechanism, it is
   easily possible for a computer to generate sender messages that could
   disrupt a reliable multicast transfer session.  And with FEC-based
   transport mechanisms, a single packet with an apparently-correct FEC
   payload identifier [RFC3452] but a corrupted FEC payload could
   potentially render an entire block of transported data invalid.
   Thus, a modest injection rate of corrupt traffic could cause severe
   impairment of data transport.  Additionallly, such invalid sender
   packets could convey out-of-bound indices (payload symbol or block
   identifiers, etc) that could lead to buffer overflow exploits in
   receivers or other similar issues in implementations with
   insufficient checks for invalid data.

   An indirect use of sender message spoofing would be to generate
   messages that would cause receivers to take inappropriate congestion-
   control action.  In the case of the layered congestion control
   mechanisms proposed for ALC use, this could lead to the receivers
   erroneusly leaving groups associated with higher bandwidth transport
   layers and suffering unnecessarily low transport rates.  Similarly,
   receivers may be misled to join inappropriate groups directing
   unwanted traffic to their part of the network.  Attacks with similar
   effect could be conducted against the TFMCC approach proposed for
   NORM operation with spoofing of sender messages carrying congestion
   control state to receivers.

3.2.3.  Receiver Message Spoofing

   These atacks are limited to RMT protocols that use feedback from
   receivers in the group to influence sender and other receiver
   operation.  In the NORM protocol, this includes negative-
   acknowledgement (NACK) messages fed back to the sender to achieve
   reliable transfer, congestion control feedback content, and the
   optional positive acknowledgement features of the specification.  It



Adamson & Roca            Expires April 7, 2007                [Page 10]


Internet-Draft         Security and RMT Protocols           October 2006


   is also important to note that for ASM operation, NORM receivers pay
   attention to the messages of other receivers for the purpose of
   suppression to avoid feedback implosion as group size grows large.

   An attacker that can generate false feedback can manipulate the NORM
   sender to unnecessarily transmit repair information and reduce the
   goodput of the reliable transfer regardless of the sender's transmit
   rate.  Contrived congestion control feedback could also cause the
   sender to transmit at an unfairly low rate.

   As mentioned, spoofed receiver messaging may not be directed only at
   senders, but also at receivers participating in the session.  For
   example, an attacker may direct phony receiver feedback messages to
   selected receivers in the group causing those receivers to suppress
   feedback that might have otherwise been transmitted.  This attack
   could compromise the ability of those receivers to achieve reliable
   transfer.  Also, suppressed congestion control feedback could cause
   the sender to perhaps transmit at a rate unfair to those attacked
   receivers if their fair congestion control rate were lower than other
   receivers in the group.

3.2.4.  Replay Attacks

   The infamous "replay attack" (injection of a previously transmitted
   packet (or at least its payload) into the reliable transport group or
   directly to one or more of its participants) is given special
   attention here because of the special consequences it can have on RMT
   protocol operation.  Without specific protection mechanisms against
   replay (e.g. duplicate message detection), it is possible for these
   attacks to be successful even when security mechanisms such as packet
   authentication and/or encryption are employed.

3.2.4.1.  Replay of Sender Messages

   Generally, replay of recent protocol messages from the sender will
   not harm transport, and could potentially assist it, unless it is of
   sufficient volume to result in the same type of impact as the "rogue
   traffic generation" described above.  However, it is possible that
   replay of sufficiently old messages may cause receivers to think they
   are "out of sync" with the sender and reset state, compromising the
   transfer.  Also, if sender transport data identifiers are reused
   (object identifiers, FEC payload identifiers, etc), it is possible
   that replay of old messages could corrupt data of a current transfer.

3.2.4.2.  Replay of Receiver Messages

   Replay of receiver messages are problematic for the NORM protocol,
   because replay of NACK messages could cause the sender unnecessarily



Adamson & Roca            Expires April 7, 2007                [Page 11]


Internet-Draft         Security and RMT Protocols           October 2006


   transmit repair information for an FEC coding block.  Similarly, the
   sender transmission rate might be manipulated by replay of congestion
   control feedback messages from receivers in the group.  And the way
   that NORM senders estimate group round-trip timing (GRTT) could allow
   a replay attack to manipulate the senders' GRTT estimate to an
   unnecessarily large value, adding latency to the reliable transport
   process.


4.  General Security Goals

   The term "security" is extremely vast and encompasses many different
   meanings.  The goal of this section is to clarify what "security"
   means when considering the reliable multicast transport (RMT)
   protocols being defined in the IETF RMT working group.  The scope can
   also encompass additional group communication applications, for
   instance streaming applications.  This section only focuses on the
   desired general goals.  The following sections will then discuss the
   possible elementary services that will be required to fulfill these
   general goals, as well as the underlying technological building
   blocks.

   The possible final goals include, in decreasing order of importance:

   o  network protection: the goal is to protect the network from
      attacks, no matter whether these attacks are voluntary (i.e.
      launched by one or several attackers) or non voluntary (i.e.
      caused by a misbehaving system, where "system" can designate a
      building block, a protocol, an application, or a user);

   o  protocol protection: the goal is to protect the RMT protocol
      itself, e.g. to avoid that a misbehaving receiver prevents other
      receivers to get the content, no matter whether this is done
      intentionally or not;

   o  and content protection: to goal is to protect the content itself,
      for instance to guaranty the integrity of the content, or to make
      sure that only authorized clients can access the content.

4.1.  Network Protection

   Protecting the network is of course of primary importance.  An
   attacker should not be able to damage the whole infrastructure by
   exploiting some features of the RMT protocol.  Unfortunately, recent
   past has shown that the multicast routing infrastructure is
   relatively fragile, as well as the applications built on top of it.

   (TBD) develop...



Adamson & Roca            Expires April 7, 2007                [Page 12]


Internet-Draft         Security and RMT Protocols           October 2006


4.2.  Protocol Protection

   Protecting the protocols is also importance, since the higher the
   number of clients, the more serious the consequences of an attack.
   This is all the more true as scalability is often one of the desired
   goals of RMT protocols.  Ideally, receivers should be sufficiently
   isolated from one another, so that a single misbehaving receiver does
   not affect others.  Similarly, an external attacker should not be
   able to break the system.

   (TBD) develop...

4.3.  Content Protection

   Finally, the content itself should be protected when meaningful.
   This level of security is often the concern of the content provider
   (and its responsibility).  For instance, in case of confidential (or
   non-free) content, the typical solution consists in encrypting the
   content.  It can be done within the upper application, i.e. above the
   RMT protocol, or within the transport system.

   But other requirements may exist, like verifying the integrity of a
   received object, or authenticating the sender of the received
   packets.  To that goal, one can rely on the use of building blocks
   integrated within, or above, or beneath the RMT protocol.

   One may also consider that offering the packet sender authentication
   and content integrity services are basic requirements that should
   fulfill any RMT system that operates within an open network, where
   any attacker can easily inject spurious traffic in an ongoing NORM or
   ALC session.  In that case this goal is not the responsibility of the
   content provider but the responsibility of the administrator who
   deploys the RMT system itself.


5.  Elementary Security Services

   The goals defined in Section 4 will be fulfilled by means of
   underlying elementary services, provided by one or several
   technological building blocks.  This section only focuses on these
   elementary services.

   The services traditionally listed are:

   o  packet source authentication and integrity: the goal is to enable
      a receiver to verify the source of a packet and that the packet
      has not been modified in transit;




Adamson & Roca            Expires April 7, 2007                [Page 13]


Internet-Draft         Security and RMT Protocols           October 2006


   o  packet group authentication and integrity: the goal is to enable a
      receiver to verify that a packet originated within the group and
      has not been modified by nonmembers in transit;

   o  packet non-repudiation: the goal is to enable any third party to
      verify the source of a packet.  In that case the source cannot
      repudiate having sent the packet;

   o  packet anti-replay: the goal is to enable a receiver to detect
      that a given packet has already been received;

   o  object integrity: the goal is to enable a receiver to verify the
      integrity of the whole object;

   o  object confidentiality: the goal is to enable a source to guaranty
      that only authorized receivers can access the object data;

   o  (TBD) more items?

   To this list, one must add the services specific to the RMT
   protocols:

   o  congestion control security: the goal is to prevent an attacker
      from modifying the congestion control protocol normal behavior.
      Possible goals for an attacker can be to reduce the transmission
      (NORM) and/or reception rate (ALC or NORM) up to a point where no/
      little traffic will flow, or on the opposite, to increase this
      rate up to a point where it will congest the network;

   o  group management: the goal is to make sure that only authorized
      receivers (as defined by a certain group management policy), join
      the RMT session and possibly inform the source;

   o  backward group secrecy: the goal is to prevent a new group member
      to access the information in clear sent to the group before he
      joined the group;

   o  forward group secrecy: the goal is to prevent a former group
      member to access the information in clear sent to the group after
      he left the group;

   o  (TBD) more items?

   These services are usually achieved by means of one or several
   technological building blocks.  The target use case where the RMT
   system will be deployed will greatly impact the choice of the
   technological building block(s) used to provide these services, as
   explained in Section 2.3.



Adamson & Roca            Expires April 7, 2007                [Page 14]


Internet-Draft         Security and RMT Protocols           October 2006


6.  Technological Building Blocks

   Here is a list of techniques and building blocks that are likely to
   fulfill one or several of the goals listed above:

   o  IPsec;

   o  TESLA;

   o  use of SSM (Source Specific Multicast) multicast routing;

   o  Digital Signature;

   o  (TBD) add other BBs

   Each of them is now quickly discussed.  In particular we identify
   what service it can offer, its limitations, and its field of
   application (adequacy W.R.T. the CDP and the target use case).

6.1.  IPsec

6.1.1.  Benefits

   One direct approach using existing standards is to apply IPSec
   [RFC2401] to achieve the following properties for message
   transmission:

   1.  Authentication (IPSec AH or ESP)

   2.  Confidentiality (IPSec ESP)

6.1.2.  Requirements

   It is expected that the approach to apply IPSec for reliable
   multicast transport sessions is similar to that described for OSPFv3
   security[RFC4552].  The following list proposes the IPSec
   capabilities needed to support a similar approach to RMT protocol
   security:

   1.  Mode - Transport mode IPSec security is required;

   2.  Selectors - source and destination addresses and ports, protocol.

   3.  For some uses, preplaced manual key support may be required to
       support application deployment and operation.  For automated key
       management for group communication the Group Secure Association
       Key Management Protocol (GSAKMP) described in [RFC4535] may be
       used to emplace the keys for IPSec operation.



Adamson & Roca            Expires April 7, 2007                [Page 15]


Internet-Draft         Security and RMT Protocols           October 2006


   Note that a periodic rekeying procedure similar to that described in
   RFC 4552 can also be applied with the additional benefit that the
   reliable transport aspects of the RMT protocols provide robustness to
   any message loss that might occur due to ANY timing discrepencies
   among the participants in the reliable multicast session.

6.1.3.  Limitations

   It should be noted that current IPSec implementations may not provide
   the capability for anti-replay protection for multicast operation.
   In the case of the NORM protocol, a sequence number is provided for
   packet loss measurement to support congestion control operation.
   This sequence number can also be used within a NORM implementation
   for detecting duplicate (replayed) messages from sources (senders or
   receivers) within the transport session group.  In this way,
   protection against replay attack can be achieved in conjunction with
   the authentication and possibly confidentiality properties provided
   by an IPSec encapsulation of NORM messages.  NORM receivers generate
   a very low volume of feedback traffic and it is expected that the 16-
   bit sequence space provided by NORM will be sufficient for replay
   attack protection.  When a NORM session is long-lived, the limits of
   the sender repair window are expected to provide protection from
   replayed NACKs as they would typically be outside of the sender's
   current repair window.  It is suggested that IPSec implementations
   that can provide anti-replay protection for IP Multicast traffic,
   even when there are multiple senders within a group, be adopted.  The
   GSAKMP document has some discussion in this area.

6.2.  TESLA

6.2.1.  Benefits

   TESLA [TESLA_4_ALC_NORM] offers a loss tolerant, lightweight,
   authentication/integrity service for the packets generated by the
   session's sender.  Depending on the time synchronization method used,
   TESLA is compatible with massively scalable sessions.  TESLA CPU
   processing remains limited, in particular because it essentially
   relies on symmetric cryptographic building blocks.

6.2.2.  Requirements

   The security offered by TESLA relies heavily on time.  Therefore the
   session's sender and each receiver need to be time synchronized in a
   secure way.  To that purpose, several methods exist, depending on the
   use case: direct time synchronization (which requires a bidirectional
   transport channel); using a secure NTP infrastructure (which also
   requires a bidirectional transport channel); or a GPS or Galileo
   device; or a clock with a time-drift that is negligible in front of



Adamson & Roca            Expires April 7, 2007                [Page 16]


Internet-Draft         Security and RMT Protocols           October 2006


   the TESLA time accuracy requirements.  So TESLA can be used with both
   bidirectional and unidirectional transport channels, in the later
   case on condition an appropriate indirect time synchronization method
   exists.

6.2.3.  Limitations

   TESLA does not consider the packets that will be generated by
   receivers, for instance the feedback packets of NORM, which must be
   protected by other means.

   Another limitation is that TESLA requires some buffering capabilities
   at the receivers in order to enable the delayed authentication
   feature.  This is not considered though as a major issue in the
   general case (e.g.  FEC decoding of objects within an ALC session
   already requires some buffering capabilities, that often exceed that
   of TESLA), but it might be one in case of embedded environments.

6.3.  SSM Multicast Routing

6.3.1.  Benefits

6.3.2.  Requirements

6.3.3.  Limitations


7.  Global Security Infrastructure

   Deploying the elementary technological building blocks often requires
   that a global security infrastructure exists.  This security
   infrastructure:

   o  can provide a PKI (Public Key Infrastructure): this PKI provides
      for trusted third party vetting of, and vouching for, user
      identities.  It also allows the binding of public keys to users,
      usually by means of certificates.

   o  can provide a group key management service: this service usually
      provides rekeying schemes, either periodic or triggered by some
      higher level event.  It is required in particular when the group
      is dynamic and forward/backward secrecy are important.  This is
      also required to improve the scalability of the CDP (since key
      management is done automatically, using a key server topology), or
      the security provided by the CDP (since the underlying
      cryptographic keys will be changed frequently).





Adamson & Roca            Expires April 7, 2007                [Page 17]


Internet-Draft         Security and RMT Protocols           October 2006


   o  (TBD): add more...

   TBD: more information on group key management, etc.

7.1.  Public Key Infrastructure

7.1.1.  Benefits

7.1.2.  Requirements

7.1.3.  Limitations

7.2.  Group Key Management and Re-keying Protocols

7.2.1.  Benefits

7.2.2.  Requirements

7.2.3.  Limitations


8.  New Threats Introduced by the Security Scheme Itself

   Introducing a security scheme, as a side effect, can sometimes
   introduce new security threats.  For instance, signing all packets
   with asymmetric cryptographic schemes (to provide a source
   authentication/content integrity/anti-replay service) opens the door
   to DoS attacks.  Indeed, verifying asymmetric-based cryptographic
   signatures is a CPU intensive task.  Therefore an attacker can easily
   overload a receiver (or a sender in case of NORM) by injecting a
   significant number of faked packets.

   XXX: TODO...


9.  Consequences for the RMT and MSEC Working Group

   (TBD) discuss here the possible recommendations for the RMT and MSEC
   groups...  Or remove this section altogether...

9.1.  RMT Transport Message Security Encapsulation Header

   An alternative approach to using IPSec to provide the necessary
   properties to protect RMT protocol operation from the application
   attacks described earlier, is to extend the RMT protocol message set
   to include a message encapsulation option.  This encapsulation header
   could be used to provide authentication, confidientiality, and anti-
   replay protection as needed.  Since this would be independent of the



Adamson & Roca            Expires April 7, 2007                [Page 18]


Internet-Draft         Security and RMT Protocols           October 2006


   IP layer, the header might need to provide a source identifier to be
   used as a "selector" for recalling security state (including
   authentication certificate(s), sequence state, etc) for a given
   message.  In the case of the NORM protocol, a NormNodeId field exists
   that could be used for this purpose.  In the case of ALC, the
   security encapsulation mechanism would need to add this function.
   The security encapsulation mechanism, although resident "above" the
   IP layer, could use GSAKMP [RFC4535] or a similar approach for
   automated key managment.


10.  Security Considerations

   Not applicable since this document does not introduce any new
   technique.


11.  Acknowledgments


12.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2401]  Kent, S. and R. Atkinson, "Security Architecture for the
              Internet Protocol", RFC 2401, November 1998.

   [RFC3450]  Luby, M., Gemmell, J., Vicisano, L., Rizzo, L., and J.
              Crowcroft, "Asynchronous Layered Coding (ALC) Protocol
              Instantiation", RFC 3450, December 2002.

   [RFC3451]  Luby, M., Gemmell, J., Vicisano, L., Rizzo, L., Handley,
              M., and J. Crowcroft, "Layered Coding Transport (LCT)
              Building Block", RFC 3451, December 2002.

   [RFC3452]  Luby, M., Vicisano, L., Gemmell, J., Rizzo, L., Handley,
              M., and J. Crowcroft, "Forward Error Correction (FEC)
              Building Block", RFC 3452, December 2002.

   [RFC3926]  Paila, T., Luby, M., Lehtonen, R., Roca, V., and R. Walsh,
              "FLUTE - File Delivery over Unidirectional Transport",
              RFC 3926, October 2004.

   [RFC3940]  Adamson, B., Bormann, C., Handley, M., and J. Macker,
              "Negative-acknowledgment (NACK)-Oriented Reliable
              Multicast (NORM) Protocol", RFC 3940, November 2004.




Adamson & Roca            Expires April 7, 2007                [Page 19]


Internet-Draft         Security and RMT Protocols           October 2006


   [RFC4535]  Harney, H., Meth, U., Colegrove, A., and G. Gross,
              "GSAKMP: Group Secure Association Key Management
              Protocol", RFC 4535, June 2006.

   [RFC4552]  Gupta, M. and N. Melam, "Authentication/Confidentiality
              for OSPFv3", RFC 4552, June 2006.

   [RFC4654]  Widmer, J. and M. Handley, "TCP-Friendly Multicast
              Congestion Control (TFMCC): Protocol Specification",
              RFC 4654, August 2006.

   [TESLA_4_ALC_NORM]
              Roca, V., Francillon, A., and S. Faurite, "The Use of
              TESLA in the ALC and NORM Protocols",
              draft-ietf-msec-tesla-for-alc-norm-00.txt (work in
              progress), June 2006.

   [draft-ietf-rmt-pi-alc-revised-03]
              Luby, M., Watson, M., and L. Vicisano, "Asynchronous
              Layered Coding (ALC) Protocol Instantiation",
               draft-ietf-rmt-pi-alc-revised-03.txt (work in progress),
              April 2006.


Authors' Addresses

   Brian Adamson
   Naval Research Laboratory
   Washington, DC  20375
   USA

   Email: adamson@itd.nrl.navy.mil
   URI:   http://cs.itd.nrl.navy.mil


   Vincent Roca
   INRIA
   655, av. de l'Europe
   Zirst; Montbonnot, ST ISMIER cedex  38334
   France

   Email: vincent.roca@inrialpes.fr
   URI:   http://planete.inrialpes.fr/~roca/








Adamson & Roca            Expires April 7, 2007                [Page 20]


Internet-Draft         Security and RMT Protocols           October 2006


Full Copyright Statement

   Copyright (C) The Internet Society (2006).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Acknowledgment

   Funding for the RFC Editor function is provided by the IETF
   Administrative Support Activity (IASA).





Adamson & Roca            Expires April 7, 2007                [Page 21]


Html markup produced by rfcmarkup 1.123, available from https://tools.ietf.org/tools/rfcmarkup/