Hi I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments. TL;DR: Ready (with a question) Note that I have already reviewed version -06 of this draft in June. My review and a response by Christian Huitema are attached below.  Verstion -07 addresses Christian’s concern about the lack of advice about the proper TTL to set on the packets. I’m not sure it *properly* addresses his concerns, because what they’ve added is “methods for choosing an appropriate TTL value ... is beyond the scope of this document" Regards, Yoav Begin forwarded message: From: "Christian Huitema" < huitema at huitema.net > Subject: RE: [secdir] SecDir Review of draft-ietf-pcp-anycast-06 Date: June 10, 2015 at 12:33:30 AM GMT+3 To: "'Yoav Nir'" < ynir.ietf at gmail.com >, "'secdir'" < secdir at ietf.org >, "'The IESG'" < iesg at ietf.org >, < draft-ietf-pcp-anycast.all at tools.ietf.org > There are two specific concerns about this method (other than the usual anycast or pcp concerns). The first is that information about the internal network might leak to a PCP service outside the network. In fact, it is almost guaranteed to leak outside of the network. In the initial deployments, first hop routers will not be aware of the anycast address... ... Whereas a failure of a service whose address is given in DHCP will result in black-holed packets, failure of a service with an anycast address will cause the packets to be forwarded to some random PCP server on the Internet. Section 5.1 discusses this and recommends filtering in perimeter gateways and reduced TTL. I believe this addresses that threat adequately. I would find the TTL mitigation would be more convincing if the draft actually specified a recommended TTL value. -- Christian Huitema Begin forwarded message: From: Yoav Nir < ynir.ietf at gmail.com > Subject: SecDir Review of draft-ietf-pcp-anycast-06 Date: June 8, 2015 at 6:00:38 PM GMT+3 To: secdir < secdir at ietf.org >, The IESG < iesg at ietf.org >, draft-ietf-pcp-anycast.all at tools.ietf.org Hi. I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments. TL;DR: Ready (with a question) The document describes an alternative method for nodes behind a middlebox (such as NAT device or firewall) to contact the middlebox in order to manage port allocation. Existing methods (described in RFC 6887 and 7291 respectively) are to either assume that the default router is the device (suitable for small networks) or specify the middlebox address in a DHCP option (suitable for larger networks). This document proposes a third alternative: use of a well-known anycast address. Sending a request to that anycast address will ensure delivery to the closest service address (which may or may not be co-located with the middlebox) by the routing on the network, supported by either BGP or IGP. There are two specific concerns about this method (other than the usual anycast or pcp concerns). The first is that information about the internal network might leak to a PCP service outside the network. Whereas a failure of a service whose address is given in DHCP will result in black-holed packets, failure of a service with an anycast address will cause the packets to be forwarded to some random PCP server on the Internet. Section 5.1 discusses this and recommends filtering in perimeter gateways and reduced TTL. I believe this addresses that threat adequately. The other specific concern is that a rogue machine would push routes to advertise itself as a PCP service, hijacking PCP traffic and causing network outages. Section 5.2 deals with this issue. The section makes the claim that within the first network segment, the nodes do not use dynamic routing protocols, so an attack there is equivalent to impersonating the default router. Outside the first segment, routing protocols are used, and there is a need for routing security anyway. In both cases an attacker capable of conducting these attacks can do a lot worse than impersonating a PCP service. I find this argument almost convincing. What is still bothering me is the question of whether the more damaging attacks would be discovered immediately, whereas simply advertising a route to the anycast address can “fly under the radar” so that the attacker can become the PCP server undetected. I don’t have a firm attack in mind, just a mild concern. Yoav