Network Working Group                                      H. Tschofenig
Request for Comments: 4081                                D. Kroeselberg
Category: Informational                                          Siemens
                                                               June 2005

Security Threats for Next Steps in Signaling (NSIS)

Status of This Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2005).

Abstract

This threats document provides a detailed analysis of the security threats relevant to the Next Steps in Signaling (NSIS) protocol suite. It calls attention to, and helps with the understanding of, various security considerations in the NSIS Requirements, Framework, and Protocol proposals. This document does not describe vulnerabilities of specific parts of the NSIS protocol suite.

Table of Contents

   1. Introduction ....................................................2
   2. Communications Models ...........................................3
   3. Generic Threats .................................................7
      3.1. Man-in-the-Middle Attacks ..................................8
      3.2. Replay of Signaling Messages ..............................11
      3.3. Injecting or Modifying Messages ...........................11
      3.4. Insecure Parameter Exchange and Negotiation ...............12
   4. NSIS-Specific Threat Scenarios .................................12
      4.1. Threats during NSIS SA Usage ..............................13
      4.2. Flooding ..................................................13
      4.3. Eavesdropping and Traffic Analysis ........................15
      4.4. Identity Spoofing .........................................15
      4.5. Unprotected Authorization Information .....................17
      4.6. Missing Non-Repudiation ...................................18
      4.7. Malicious NSIS Entity .....................................19
      4.8. Denial of Service Attacks .................................20
      4.9. Disclosing the Network Topology ...........................21
      4.10. Unprotected Session or Reservation Ownership .............21
      4.11. Attacks against the NTLP .................................23
   5. Security Considerations ........................................23
   6. Contributors ...................................................24
   7. Acknowledgements ...............................................24
   8. References .....................................................25
      8.1. Normative References ......................................25
      8.2. Informative References ....................................25

1. Introduction

Whenever a new protocol is developed or existing protocols are modified, threats to their security should be evaluated. To address security in the NSIS working group, a number of steps have been taken:

NSIS Analysis Activities (see [RSVP-SEC] and [SIG-ANAL])

Security Threats for NSIS

NSIS Requirements (see [RFC3726])

NSIS Framework (see [RFC4080])

NSIS Protocol Suite (see GIMPS [GIMPS], NAT/Firewall NSLP [NATFW-NSLP] and QoS NSLP [QOS-NSLP])

This document identifies the basic security threats that need to be addressed during the design of the NSIS protocol suite. Even if the base protocol is secure, certain extensions may cause problems when used in a particular environment.

This document cannot provide detailed threats for all possible NSIS Signaling Layer Protocols (NSLPs). QoS [QOS-NSLP], NAT/Firewall [NATFW-NSLP], and other NSLP documents need to provide a description of their trust models and a threat assessment for their specific application domain. This document aims to provide some help for the subsequent design of the NSIS protocol suite. Investigations of security threats in a specific architecture or context are outside the scope of this document.

We use the NSIS terms defined in [RFC3726] and in [RFC4080].

2. Communications Models

The NSIS suite of protocols is envisioned to support various signaling applications that need to install and/or manipulate state at nodes along the data flow path through the network. As such, the NSIS protocol suite involves the communication between different entities.

This section offers terminology for common communication models that are relevant to securing the NSIS protocol suite.

An abstract network topology with its administrative domains is shown in Figure 1, and in Figure 2 the relationship between NSIS entities along the path is shown. For illustrative reasons, only end-to-end NSIS signaling is depicted, yet it might be used in other variations as well. Signaling can start at any place and might terminate at any other place within the network. Depending on the trust relationship between NSIS entities and the traversed network parts, different security problems arise.

The notion of trust and trust relationship used in this document is informal and can best be captured by the definition provided in Section 1.1 of [RFC3756]. For completeness we include the definition of a trust relationship, which denotes a mutual a priori relationship between the involved organizations or parties wherein the parties believe that the other parties will behave correctly even in the future.

An important observation for NSIS is that a certain degree of trust has to be placed into intermediate NSIS nodes along the path between an NSIS Initiator and an NSIS Responder, specifically so that they perform message processing and take the necessary actions. A complete lack of trust between any of the participating entities will cause NSIS signaling to fail.

Note that it is not possible to describe a trust model completely without considering the details and behavior of the NTLP, the NSLP (e.g., QoS NSLP), and the deployment environment. For example, securing the communication between an end host (which acts as the NSIS Initiator) and the first NSIS node (which might be in the attached network or even a number of networks away) is impacted by the trust relationships between these entities. In a corporate network environment, a stronger degree of trust typically exists than in an unmanaged network.

Figure 1 introduces convenient abbreviations for network parts with similar properties: first-peer, last-peer, intra-domain, or inter-domain.

     +------------------+   +---------------+   +------------------+
     |                  |   |               |   |                  |
     |  Administrative  |   | Intermediate  |   |  Administrative  |
     |     Domain A     |   |   Domains     |   |     Domain B     |
     |                  |   |               |   |                  |
     |                 (Inter-domain Communication)                |
     |        +-------->+---+<------------->+---+<--------+        |
     |  (Intra-domain   |   |               |   | (Intra-domain    |
     |   Communication) |   |               |   |  Communication)  |
     |        |         |   |               |   |         |        |
     |        v         |   |               |   |         v        |
     +--------+---------+   +---------------+   +---------+--------+
              ^                                           ^
              |                                           |
     First Peer Communication               Last Peer Communication
              |                                           |
              v                                           v
        +-----+-----+                               +-----+-----+
        |   NSIS    |                               |   NSIS    |
        | Initiator |                               | Responder |
        +-----------+                               +-----------+

Figure 1: Communication patterns in NSIS

First-Peer/Last-Peer Communication:

The end-to-end communication scenario depicted in Figure 1 includes the communication between the end hosts and their nearest NSIS hops. "First-peer communications" refers to the peer-to-peer interaction between a signaling message originator, the NSIS Initiator (NI), and the first NSIS-aware entity along the path. This "first-peer communications" commonly comes with specific security requirements that are especially important for addressing security issues between the end host (and a user) and the network it is attached to.

To illustrate this, in roaming environments, it is difficult to assume the existence of a pre-established security association directly available for NSIS peers involved in first-peer communications, because these peers cannot be assumed to have any pre-existing relationship with each other. In contrast, in enterprise networks usually there is a fairly strong (pre-established) trust relationship between the peers. Enterprise network administrators usually have some degree of freedom to select the appropriate security protection and to enforce it. The choice of security mechanism is therefore often influenced by the infrastructure already available, and per-session negotiation of security mechanisms is often not required (although, in contrast, it is required in a roaming environment).


Last-Peer communication is a variation of First-Peer communication in which the roles are reversed.

Intra-Domain Communication:

After verification of the NSIS signaling message at the border of an administrative domain, an NSIS signaling message traverses the network within the same administrative domain to which the first peer belongs. It might not be necessary to repeat the authorization procedure of the NSIS initiator again at every NSIS node within this domain. Key management within the administrative domain might also be simpler.

Security protection is still required to prevent threats by non-NSIS nodes in this network.

Inter-Domain Communication:

Inter-Domain communication deals with the interaction between administrative domains. For some NSLPs (for example, QoS NSLP), this interaction is likely to take place between neighboring domains, whereas in other NSLPs (such as the NAT/Firewall NSLP), the core network is usually not involved.

If signaling messages are conveyed transparently in the core network (i.e., if they are neither intercepted nor processed in the core network), then the signaling message communications effectively takes place between access networks. This might place a burden on authorization handling and on the key management infrastructure required between these access networks, which might not know of each other in advance.

To refine the above differentiation based on the network parts that NSIS signaling may traverse, we subsequently consider relationships between involved entities. Because a number of NSIS nodes might actively participate in a specific protocol exchange, a larger number of possible relationships need to be analyzed than in other protocols. Figure 2 illustrates possible relationships between the entities involved in the NSIS protocol suite.

                 ****************************************
                 *                                      *
            +----+-----+       +----------+        +----+-----+
      +-----+  NSIS    +-------+  NSIS    +--------+  NSIS    +-----+
      |     |  Node 1  |       |  Node 2  |        |  Node 3  |     |
      |     +----------+       +----+-----+        +----------+     |
      |                             ~                               |
      |  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~                               |
      |  ~                                                          |
   +--+--+-----+                                          +---------+-+
   |   NSIS    +//////////////////////////////////////////+   NSIS    |
   | Initiator |                                          | Responder |
   +-----------+                                          +-----------+

    Legend:
     -----: Peer-to-Peer Relationship
     /////: End-to-End Relationship
     *****: Middle-to-Middle Relationship
     ~~~~~: End-to-Middle Relationship

Figure 2: Possible NSIS Relationships

End-to-Middle Communications:

The scenario in which one NSIS entity involved is an end-entity (Initiator or Responder) and the other entity is any intermediate hop other than the immediately adjacent peer is typically called the end-to-middle scenario (see Figure 2). A motivation for including this scenario can, for example, be found in SIP [RFC3261].

An example of end-to-middle interaction might be an explicit authorization from the NSIS Initiator to some intermediate node. Threats specific to this scenario may be introduced by some intermediate NSIS hops that are not allowed to eavesdrop or modify certain objects.

Middle-to-Middle Communications:

Middle-to-middle communication refers to the exchange of information between two non-neighboring NSIS nodes along the path. Intermediate NSIS hops may have to deal with specific security threats that do not involve the NSIS Initiator or the NSIS Responder directly.

End-to-End Communications:

NSIS aims to signal information from an Initiator to some NSIS nodes along the path to a data receiver. In the case of end-to-end NSIS signaling, the last node is the NSIS Responder, as it is the data receiver. The NSIS protocol suite is not an end-to-end protocol used to exchange information purely between end hosts.

Typically, it is not required to protect NSIS messages cryptographically between the NSIS Initiator and the NSIS Responder. Protecting the entire signaling message end-to-end might not be feasible since intermediate NSIS nodes need to add, inspect, modify, or delete objects from the signaling message.

3. Generic Threats

This section provides scenarios of threats that are applicable to signaling protocols in general. Note that some of these scenarios use the term "user" instead of "NSIS Initiator". This is mainly because security protocols allow differentiation between entities that are hosts and those that are users (based on the identifiers used).

For the following subsections, we distinguish two cases in which attacks may occur. These correspond to the separate steps, or phases, normally encountered when applying protocol security (with, e.g., IPsec, TLS, Kerberos, or SSH). Therefore, this section starts by briefly describing the motivation for this separation.

Security protection of protocols is often separated into two steps. The first step primarily provides entity authentication and key establishment (which result in a persistent state often called a security association), whereas the second step provides message protection (some combination of data origin authentication, data integrity, confidentiality, and replay protection) using the previously established security association. The first step tends to be more expensive than the second, which is the main reason for the separation. If messages are transmitted infrequently, then these two steps may be collapsed into a single and usually rather costly one. One such example is e-mail protection via S/MIME. The two steps may be tightly bound into a single protocol, as in TLS, or defined in separate protocols, as with IKE and IPsec. We use this separation to cover the different threats in more detail.

3.1. Man-in-the-Middle Attacks

This section describes both security threats that exist if two peers do not already share a security association or do not use security mechanisms at all, and threats that are applicable when a security association is already established.

Attacks during NSIS SA Establishment:

While establishing a security association, an adversary fools the signaling message Initiator with respect to the entity to which it has to authenticate. The Initiator authenticates to the man-in-the-middle adversary, who is then able to modify signaling messages to mount DoS attacks or to steal services that get billed to the Initiator. In addition, the adversary may be able to terminate the Initiator's NSIS messages and to inject messages to a peer itself, thereby acting as the peer to the Initiator and as the Initiator to the peer. As a result, the Initiator wrongly believes that it is talking to the "real" network, whereas it is actually attached to an adversary. For this attack to be successful, pre-conditions that are described in the following three cases have to hold:

Missing Authentication:

In the first case, this threat can be carried out because of missing authentication between neighboring peers: without authentication, an NI, NR, or NF is unable to detect an adversary. However, in some practical cases, authentication might be difficult to accomplish, either because the next peer is unknown, because there are misbelieved trust relationships in parts of the network, or because of the inability to establish proper security protection (inter-domain signaling messages, dynamic establishment of a security association, etc.). If one of the communicating endpoints is unknown, then for some security mechanisms it is either impossible or impractical to apply appropriate security protection. Sometimes network administrators use intra-domain signaling messages without proper security. This configuration allows an adversary on a compromised non-NSIS-aware node to interfere with nodes running an NSIS signaling protocol. Note that this type of threat goes beyond those caused by malicious NSIS nodes (described in Section 4.7).

Unilateral Authentication:

In the case of unilateral authentication, the NSIS entity that does not authenticate its peer is unable to discover a man-in-the-middle adversary. Although mutual authentication of signaling messages should take place between each peer participating in the protocol operation, special attention is given here to first-peer communications. Unilateral authentication between an end host and the first peer (just authenticating the end host) is still common today, but it opens up many possibilities for man-in-the-middle attackers impersonating either the end host or the (administrative domain represented by the) first peer.

Missing or unilateral authentication, as described above, is part of a general problem of network access with inadequate authentication, and it should not be considered something unique to the NSIS signaling protocol. Obviously, there is a strong need to address this correctly in a future NSIS protocol suite. The signaling protocols addressed by NSIS are different from other protocols in which only two entities are involved. Note that first-peer authentication is especially important because a security breach there could impact nodes beyond the entities directly involved (or even beyond a local network).

Finally, note that the signaling protocol should be considered a peer-to-peer protocol, wherein the roles of Initiator and Responder can be reversed at any time. Thus, unilateral authentication is not particularly useful for such a protocol. However, some form of asymmetry might be needed in the authentication process, whereby one entity uses an authentication mechanism different from that of the other one. As an example, the combination of symmetric and asymmetric cryptography should be mentioned.

Weak Authentication:

In the case of weak authentication, the threat can be carried out because information transmitted during the NSIS SA establishment process may leak passwords or allow offline dictionary attacks. This threat is applicable to NSIS for the process of selecting certain security mechanisms.

Finally, we conclude with a description of a man-in-the-middle (MITM) attack during the discovery phase. This attack benefits from the fact that NSIS nodes are likely to be unaware of the network topology. Furthermore, an authorization problem might arise if an NSIS QoS NSLP node pretends to be an NSIS NAT/Firewall-specific node or vice versa.


An adversary might inject a bogus reply message, forcing the discovery message initiator to start a messaging association establishment with either an adversary or with another NSIS node that is not along the path. Figure 3 describes the attack in more detail for peer-to-peer addressed messages with a discovery mechanism. For end-to-end addressed messages, the attack is also applicable, particularly if the adversary is located along the path and able to intercept the discovery message that traverses the adversary. The man-in-the-middle adversary might redirect to another legitimate NSIS node. A malicious NSIS node can be detected with the corresponding security mechanisms, but a legitimate NSIS node that is not the next NSIS node along the path cannot be detected without topology knowledge.

                      +-----------+   Messaging Association
     Message          | Adversary |   Establishment
     Association +--->+           +<----------------+
     Establish-  |    +----+------+                 |(4)
      ment       |     IPx |                        |
              (3)|         |Discovery Reply         v
                 |         | (IPx)              +---+-------+
                 v         |  (2)               |  NSIS     |
          +------+-----+   |       /----------->+  Node B   +--------
          | NSIS       +<--+      / Discovery   +-----------+
          | Node A     +---------/  Request          IPr
          +------------+             (1)
              IPi

Figure 3: MITM Attack during the Discovery Exchange

This attack assumes that the adversary is able to eavesdrop on the initial discovery message sent by the discovery message initiator. Furthermore, we assume that the adversary's discovery reply reaches the discovery message initiator faster than the real response. This is a race condition, particularly if the next NSIS node is very close (in IP-hop terms) to the initiator. Note that the problem is self-healing since the discovery process is periodically repeated. If an adversary is unable to mount this attack with every discovery message, then the correct next NSIS node along the path will be discovered again. A ping-pong behavior, in which the selected next hop alternates between the adversary and the correct NSIS node, might be the consequence.

As shown in message step (2) in Figure 3, the adversary returns a discovery reply message with its own IP address as the next NSIS-aware node along the path. Without any additional information, the discovery message initiator has to trust this information. Then a messaging association is established with an entity at a given IP address IPx (i.e., with the adversary) in step (3). The adversary then establishes a messaging association with a further NSIS node and forwards the signaling message. Note that the adversary might just modify the Discovery Reply message to force NSIS Node A to establish a messaging association with another NSIS node that is not along the path. This can then be exploited by the adversary. The interworking with NSIS-unaware NATs in particular might cause additional unexpected problems.

As a variant of this attack, an adversary not able to eavesdrop on transmitted discovery requests could flood a node with bogus discovery reply messages. If the discovery message sender accidentally accepts one of those bogus messages, then a MITM attack as described in Figure 3 is possible.

3.2. Replay of Signaling Messages

This threat scenario covers the case in which an adversary eavesdrops, collects signaling messages, and replays them at a later time (or at a different place, or uses parts of them at a different place or in a different way; e.g., cut-and-paste attacks). Without proper replay protection, an adversary might mount man-in-the-middle, denial of service, and theft of service attacks.

A more difficult attack (that may cause problems even if there is replay protection) requires that the adversary crash an NSIS-aware node, causing it to lose state information (sequence numbers, security associations, etc.), and then replay old signaling messages. This attack takes advantage of re-synchronization deficiencies.

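The two situations described above, as an added example (not code from RFC 4081 or any NSIS implementation): an IPsec-style sliding replay window over MAC-protected signaling messages, the state loss after a crash that lets captured messages through again, and a re-synchronisation step that fixes it. It assumes a pre-shared SA key and a receiver-chosen `epoch` nonce that the sender learns when the association is (re-)established; both are constructed for this example.

```python
import hashlib
import hmac
import os
import struct

WINDOW = 64  # width of the anti-replay bitmap (IPsec-style sliding window)


class ReplayWindow:
    """Accepts each sequence number at most once and rejects anything that
    falls more than WINDOW numbers behind the highest number seen."""

    def __init__(self):
        self.highest = 0
        self.bitmap = 0

    def accept(self, seq):
        if seq <= 0:
            return False
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= WINDOW:
            return False  # too old to track; treat as a replay
        bit = 1 << offset
        if self.bitmap & bit:
            return False  # already seen: replay
        self.bitmap |= bit
        return True


def protect(key, epoch, seq, payload):
    """Sender side: seq || payload || HMAC(key, epoch || seq || payload)."""
    body = struct.pack(">Q", seq) + payload
    tag = hmac.new(key, epoch + body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """NSIS-aware node holding one security association. `epoch` is a nonce
    the receiver picks when the association is (re-)established; the sender
    learns it during that exchange and mixes it into every MAC."""

    def __init__(self, key):
        self.key = key
        self.epoch = os.urandom(8)
        self.window = ReplayWindow()

    def crash_and_restart(self):
        # State loss as described in Section 3.2: the window is gone, but the
        # old epoch is still treated as valid.
        self.window = ReplayWindow()

    def resync(self):
        # Proper re-synchronisation: a fresh epoch invalidates every message
        # protected under the old one, so captured traffic cannot be replayed.
        self.epoch = os.urandom(8)
        self.window = ReplayWindow()
        return self.epoch

    def process(self, msg):
        if len(msg) < 8 + 32:
            return "malformed"
        body, tag = msg[:-32], msg[-32:]
        expected = hmac.new(self.key, self.epoch + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"
        seq = struct.unpack(">Q", body[:8])[0]
        if not self.window.accept(seq):
            return "replay"
        return "ok"


def demo():
    """Walk through both Section 3.2 situations with constructed messages."""
    key = os.urandom(32)
    rx = Receiver(key)
    captured = [protect(key, rx.epoch, s, b"RESERVE bw=1Mbit") for s in (1, 2, 3)]
    fresh = [rx.process(m) for m in captured]      # all accepted
    replayed = rx.process(captured[1])             # plain replay is caught
    rx.crash_and_restart()
    after_crash = rx.process(captured[0])          # accepted again: the deficiency
    rx.resync()
    after_resync = rx.process(captured[0])         # rejected: MAC under old epoch
    return fresh, replayed, after_crash, after_resync


if __name__ == "__main__":
    print(demo())
```
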
3.3. Injecting or Modifying Messages

This type of threat involves integrity violations, whereby an adversary modifies signaling messages (e.g., by acting as a man-in-the-middle) in order to cause unexpected network behavior. Possible actions an adversary might consider for its attack are reordering, delaying, dropping, injecting, truncating, and otherwise modifying messages.

An adversary may inject a signaling message requesting a large amount of resources (possibly using a different user's identity). Other resource requests may then be rejected. In combination with identity spoofing, it is possible to carry out fraud. This attack is only feasible in the absence of authentication and signaling message protection.

Some threats directly related to these are described in Sections 4.4, 4.7, and 4.8.

3.4. Insecure Parameter Exchange and Negotiation

First, protocols may be useful in a variety of scenarios with different security requirements. Second, different users (e.g., a university, a hospital, a commercial enterprise, or a government ministry) have inherently different security requirements. Third, different parts of a network (e.g., within a building, across a public carrier's network, or over a private microwave link) may need different levels of protection. It is often difficult to meet these (sometimes conflicting) requirements with a single security mechanism or fixed set of security parameters, so often a selection of mechanisms and parameters is offered. Therefore, a protocol is required to agree on certain security mechanisms and parameters. An insecure parameter exchange or security negotiation protocol can help an adversary to mount a downgrading attack to force selection of mechanisms weaker than those mutually desired. Thus, without binding the negotiation process to the legitimate parties and protecting it, an NSIS protocol suite might only be as secure as the weakest mechanism provided (e.g., weak authentication), and the benefits of defining configuration parameters and a negotiation protocol are lost.

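The downgrading attack described above, as an added example (not part of RFC 4081 or any NSIS protocol): a responder picks the strongest mutually supported mechanism, a man-in-the-middle strips the strong entries from the initiator's offer, and a MAC over the negotiation transcript is what lets the initiator notice. The mechanism names, their ranking and the pre-shared key used for the transcript MAC are constructed for this example and assume a key the adversary does not hold.

```python
import hashlib
import hmac
import os

# Constructed ranking of mechanism names used only in this example; these are
# illustrative labels, not identifiers from the NSIS protocol suite.
STRENGTH = {
    "none": 0,
    "psk-hmac-sha1": 1,
    "psk-hmac-sha256": 2,
    "mutual-cert": 3,
}


def responder_select(offer, supported):
    """Pick the strongest mechanism that both sides support."""
    common = [m for m in offer if m in supported]
    if not common:
        raise ValueError("no mutually supported mechanism")
    return max(common, key=lambda m: STRENGTH[m])


def transcript_mac(key, offer, chosen):
    """Bind the exact offer list and the selection under a key that only the
    legitimate parties hold (a pre-shared key in this example)."""
    transcript = "|".join(offer).encode() + b"#" + chosen.encode()
    return hmac.new(key, transcript, hashlib.sha256).digest()


def negotiate(key, initiator_offer, responder_supported, adversary=None):
    """Return (chosen mechanism, transcript verified?).

    An unprotected negotiation is the same flow with the second value ignored:
    the downgrade is only noticed because the initiator recomputes the MAC over
    the offer it actually sent, not over what the responder received."""
    offer_on_wire = list(initiator_offer)
    if adversary is not None:
        offer_on_wire = adversary(offer_on_wire)
    chosen = responder_select(offer_on_wire, responder_supported)
    confirm = transcript_mac(key, offer_on_wire, chosen)     # responder's view
    expected = transcript_mac(key, initiator_offer, chosen)  # initiator's view
    return chosen, hmac.compare_digest(confirm, expected)


def strip_strong_mechanisms(offer):
    """Man-in-the-middle that deletes every entry stronger than psk-hmac-sha1."""
    return [m for m in offer if STRENGTH[m] <= STRENGTH["psk-hmac-sha1"]]


def demo():
    key = os.urandom(32)
    offer = ["mutual-cert", "psk-hmac-sha256", "psk-hmac-sha1", "none"]
    supported = {"psk-hmac-sha256", "psk-hmac-sha1", "none"}
    honest = negotiate(key, offer, supported)
    attacked = negotiate(key, offer, supported, adversary=strip_strong_mechanisms)
    return honest, attacked


if __name__ == "__main__":
    print(demo())
```

Note that the check only helps if the key behind the transcript MAC is itself independent of the mechanism that was negotiated; otherwise a downgrade to an unauthenticated mechanism also removes the MAC.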
4. NSIS-Specific Threat Scenarios

This section describes eleven threat scenarios in terms of attacks on and security deficiencies in the NSIS signaling protocol. A number of security deficiencies might enable an attack. Fraud is an example of an attack that might be enabled by missing replay protection, missing protection of authorization tokens, identity spoofing, missing authentication, and other deficiencies that help an adversary steal resources. Different threat scenarios based on deficiencies that could enable an attack are addressed in this section.

The threat scenarios are not independent. Some of them (e.g., denial of service) are well-established security terms and, as such, need to be addressed, but they are often enabled by one or more deficiencies described under other scenarios.

4.1. Threats during NSIS SA Usage

Once a security association is established (and used) to protect signaling messages, many basic attacks are prevented. However, a malicious NSIS node is still able to perform various attacks as described in Section 4.7. Replay attacks may be possible when an NSIS node crashes, restarts, and performs state re-establishment. Proper re-synchronization of the security mechanism must therefore be provided to address this problem.

4.2. Flooding

This section describes attacks that allow an adversary to flood an NSIS node with bogus signaling messages to cause a denial of service attack.

We will discuss this threat at different layers in the NSIS protocol suite:

Processing of Router Alert Options:

The processing of Router Alert Option (RAO) requires that a router do some additional processing by intercepting packets with IP options, which might lead to additional delay for legitimate requests, or even rejection of some of them. A router being flooded with a large number of bogus messages requires resources before finding out that these messages have to be dropped.

If the protocol is based on using interception for message delivery, this threat cannot be completely eliminated, but the protocol design should attempt to limit the processing that has to be done on the RAO-bearing packet so that it is as similar as possible to that for an arbitrary packet addressed directly to one of the router interfaces.

Attacks against the Transport Layer Protocol:

Certain attacks can be mounted against transport protocols by flooding a node with bogus requests, or even by completing the handshake phase to establish a transport layer association. These types of threats are also addressed in Section 4.11.

Force NTLP to Do More Processing:

Some protocol fields might allow an adversary to force an NTLP node to perform more processing. Additionally it might be possible to interfere with the flow control or the congestion control procedure. These types of threats are also addressed in Section 4.11.

Furthermore, it might be possible to force the NTLP node to perform some computations or signaling message exchanges by injecting "trigger" events (which are unprotected).

Force NSLP to Do More Processing:

An adversary might benefit from flooding an NSLP node with messages that must be stored (e.g., due to fragmentation handling) before verifying the correctness of signaling messages.

Furthermore, causing memory allocation and computational efforts might allow an adversary to harm NSIS entities. If a signaling message contains, for example, a digital signature, then some additional processing is required for the cryptographic verification. An adversary can easily create a random bit sequence instead of a digital signature to force an NSIS node into heavy computation.

Idempotent signaling messages are particularly vulnerable to this type of attack. The term "idempotent" refers to messages that contain the same amount of information as the original message. An example would be a refresh message that is equivalent to a create message. This property allows a refresh message to create state along a new path, where no previous state is available. For this to work, specific classes of cryptographic mechanisms supporting this behavior are needed. An example is a scheme based on digital signatures, which, however, should be used with care due to possible denial of service attacks.

Problems with the usage of public-key-based cryptosystems in protocols are described in [AN97] and in [ALN00].

In addition to the threat scenario described above, an incoming signaling message might trigger communication with third-party nodes such as policy servers, LDAP servers, or AAA servers. If an adversary is able to transmit a large number of signaling messages (for example, with QoS reservation requests) with invalid credentials, then the verifying node may not be able to process other reservation messages from legitimate users.

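A receiver-side ordering of checks for the flooding threats in this section, as an added example (not code from RFC 4081 or any NSIS implementation): syntactic validation, a per-source budget and a cheap return-routability cookie are applied before the expensive verification, so random bytes in the signature field of a spoofed message never reach it. The cookie scheme, the peer addresses and the HMAC standing in for public-key signature verification are constructed for this example.

```python
import hashlib
import hmac
import os
from collections import defaultdict


class SignalingNode:
    """Orders the checks on an incoming signaling message from cheapest to most
    expensive so that bogus messages are dropped before public-key work."""

    def __init__(self, budget=5):
        self.secret = os.urandom(32)        # never leaves this node
        self.budget = budget                # messages accepted per source per window
        self.counts = defaultdict(int)
        self.expensive_verifications = 0
        self.peer_keys = {}                 # source -> key standing in for a public key

    def issue_cookie(self, source):
        """Stateless cookie sent back to the claimed source address in a first
        round trip; a sender that cannot receive at that address never learns it."""
        return hmac.new(self.secret, source.encode(), hashlib.sha256).digest()[:16]

    def _expensive_verify(self, source, body, sig):
        # Stand-in for the digital-signature check the text describes as costly;
        # the counter records how often a message reached this step.
        self.expensive_verifications += 1
        key = self.peer_keys.get(source)
        if key is None:
            return False
        return hmac.compare_digest(sig, hmac.new(key, body, hashlib.sha256).digest())

    def process(self, source, msg):
        # 1. syntactic sanity: the cheapest check of all
        if len(msg) < 16 + 32:
            return "malformed"
        cookie, body, sig = msg[:16], msg[16:-32], msg[-32:]
        # 2. per-source budget: caps the work a single address can cause
        self.counts[source] += 1
        if self.counts[source] > self.budget:
            return "rate-limited"
        # 3. return-routability cookie: a symmetric check that spoofed sources fail
        if not hmac.compare_digest(cookie, self.issue_cookie(source)):
            return "bad-cookie"
        # 4. only now the expensive verification
        if not self._expensive_verify(source, body, sig):
            return "bad-signature"
        return "accepted"


def sign(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()


def demo():
    node = SignalingNode(budget=5)
    alice, alice_key = "192.0.2.10", os.urandom(32)     # constructed legitimate peer
    node.peer_keys[alice] = alice_key
    body = b"RESERVE bw=2Mbit"
    legit = node.process(alice, node.issue_cookie(alice) + body + sign(alice_key, body))

    # Flood 1: 1000 messages from spoofed sources with random cookie and signature
    spoofed = [node.process("203.0.113.%d" % (i % 250), os.urandom(16) + body + os.urandom(32))
               for i in range(1000)]
    # Flood 2: Alice's eavesdropped cookie, random bytes where the signature belongs
    with_cookie = [node.process(alice, node.issue_cookie(alice) + body + os.urandom(32))
                   for _ in range(100)]
    return legit, set(spoofed), set(with_cookie), node.expensive_verifications


if __name__ == "__main__":
    print(demo())
```

The expensive step runs once for Alice's real message and at most `budget - 1` more times for the cookie-bearing flood; the thousand spoofed messages never reach it.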
4.3. Eavesdropping and Traffic Analysis

This section covers threats whereby an adversary is able to eavesdrop on signaling messages. The signaling packets collected may allow traffic analysis or be used later to mount replay attacks, as described in Section 3.2. The eavesdropper might learn QoS parameters, communication patterns, policy rules for firewall traversal, policy information, application identifiers, user identities, NAT bindings, authorization objects, network configuration and performance information, and more.

An adversary's capability to eavesdrop on signaling messages might violate a user's preference for privacy, particularly if unprotected authentication or authorization information (including policies and profile information) is exchanged.

Because the NSIS protocol signals messages through a number of nodes, it is possible to differentiate between nodes actively participating in the NSIS protocol and those that do not. For certain objects or messages, it might be desirable to permit actively participating intermediate NSIS nodes to eavesdrop. On the other hand, it might be desirable that only the intended end points (NSIS Initiator and NSIS Responder) be able to read certain other objects.

4.4. Identity Spoofing

Identity spoofing relevant for NSIS occurs in three forms: First, identity spoofing can happen during the establishment of a security association based on a weak authentication mechanism. Second, an adversary can modify the flow identifier carried within a signaling message. Third, it can spoof data traffic.

In the first case, Eve, acting as an adversary, may claim to be the registered user Alice by spoofing Alice's identity. Eve thereby causes the network to charge Alice for the network resources consumed. This type of attack is possible if authentication is based on a simple username identifier (i.e., in absence of cryptographic authentication), or if authentication is provided for hosts, and multiple users have access to a single host. This attack could also be classified as theft of service.

In the second case, an adversary may be able to exploit the established flow identifiers (required for QoS and NAT/FW NSLP). These identifiers are, among others, IP addresses, transport protocol type (UDP, TCP), port numbers, and flow labels (see [RFC1809] and [RFC3697]). Modification of these flow identifiers allows adversaries to exploit or to render ineffective quality of service reservations or policy rules at middleboxes. An adversary could mount an attack by modifying the flow identifier of a signaling message.

In the third case, an adversary may spoof data traffic. NSIS signaling messages contain some sort of flow identifier that is associated with a specified behavior (e.g., a particular flow experiences QoS treatment or allows packets to traverse a firewall). An adversary might, therefore, use IP spoofing and inject data packets to benefit from previously installed flow identifiers.

We will provide an example of the latter threat. After the NSIS nodes along the path between the NSIS initiator and the NSIS receiver have processed a properly protected reservation request, transmitted by the legitimate user Alice, a QoS reservation is installed at the corresponding NSIS nodes (for example, the edge router). The flow identifier is used for flow identification and allows data traffic originated from a given source to be assigned to this QoS reservation. The adversary Eve now spoofs Alice's IP address. In addition, Alice's host may be crashed by the adversary with a denial of service attack or may lose connectivity (for example, because of mobility). If Eve is able to perform address spoofing, then she is able to receive and transmit data (for example, RTP data traffic) that receives preferential QoS treatment based on the previous reservation. Depending on the installed flow identifier granularity, Eve might have more possibilities to exploit the QoS reservation or a pin-holed firewall. Assuming the soft state paradigm, whereby periodic refresh messages are required, Alice's absence will not be detected until a refresh message is required, forcing Eve to respond with a protected signaling message. Again, this attack is applicable not only to QoS traffic, but also to a Firewall control protocol, with a different consequence.

The ability for an adversary to inject data traffic that matches a certain flow identifier established by a legitimate user and to get some benefit from injecting that traffic often also requires the ability to receive the data traffic or to have one's correspondent receive it. For example, an adversary in an unmanaged network observes a NAT/Firewall signaling message towards a corporate network. After the signaling message exchange was successful, the user Alice is allowed to traverse the company firewall based on the established packet filter in order to contact her internal mail server. Now, the adversary Eve, who was monitoring the signaling exchange, is able to build a data packet towards this mail server that will pass the company firewall. The packet will hit the mail server and cause some actions, and the mail server will reply with some response messages. Depending on the exact location of the adversary and the degree of routing asymmetry, the adversary might even see the response messages. Note that for this attack to work, Alice does not need to participate in the exchange of signaling messages.

We could imagine using attributes of a flow identifier that is not related to source and destination addresses. For example, we could think of a flow identifier for which only the 21-bit Flow ID is used (without source and destination IP address). Identity spoofing and injecting traffic is much easier since a packet only needs to be marked and an adversary can use a nearly arbitrary endpoint identifier to achieve the desired result. Obviously, though, the endpoint identifiers are not irrelevant, because the messages have to hit some nodes in the network where NSIS signaling messages have installed state (in the above example, they would have to hit the same firewall).

Data traffic marking based on DiffServ is such an example. Whenever an ingress router uses only marked incoming data traffic for admission control procedures, various attacks are possible. These problems have been known in the DiffServ community for a long time and have been documented in various DiffServ-related documents. The IPsec protection of DiffServ Code Points is described in Section 6.2 of [RFC2745]. Related security issues (for example denial of service attacks) are described in Section 6.1 of the same document.

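The flow identifier granularity and soft-state points of this section, as an added example (not code from RFC 4081 or any NSIS implementation): a middlebox holding signaled state matches data packets against a full 5-tuple or against a flow label alone, and state that is not refreshed by an authenticated message expires. Addresses, session ids and the 30-unit lifetime are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    flow_label: int


@dataclass(frozen=True)
class FlowId:
    """Flow identifier installed by signaling; a None field means 'any'."""
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    flow_label: Optional[int] = None

    def matches(self, pkt):
        return all(want is None or want == getattr(pkt, name)
                   for name, want in vars(self).items())


class Middlebox:
    """Soft-state firewall/QoS node: installed state lives `lifetime` time
    units and survives only if an authenticated refresh arrives in time."""

    def __init__(self, lifetime):
        self.lifetime = lifetime
        self.state = {}  # session id -> (FlowId, expiry time)

    def install(self, sid, flow_id, now):
        self.state[sid] = (flow_id, now + self.lifetime)

    def refresh(self, sid, now, authenticated):
        # Only a protected refresh from the legitimate signaler extends the state.
        if not authenticated or sid not in self.state:
            return False
        flow_id, _ = self.state[sid]
        self.state[sid] = (flow_id, now + self.lifetime)
        return True

    def forward(self, pkt, now):
        """Return the session whose pinhole/reservation the packet uses, or None."""
        for sid, (flow_id, expiry) in self.state.items():
            if now < expiry and flow_id.matches(pkt):
                return sid
        return None


def demo():
    fw = Middlebox(lifetime=30)
    alice = Packet("192.0.2.10", "198.51.100.25", "tcp", 40000, 143, 0x1234)
    eve = Packet("203.0.113.7", "198.51.100.25", "tcp", 40000, 143, 0x1234)
    # Eve spoofing Alice's address: on the wire this is indistinguishable from
    # Alice's packet, so the middlebox alone cannot reject it (ingress filtering
    # closer to Eve would have to).
    spoofed = Packet("192.0.2.10", "198.51.100.25", "tcp", 40000, 143, 0x1234)

    # Full 5-tuple state: only traffic carrying Alice's address matches.
    fw.install("sid-a", FlowId("192.0.2.10", "198.51.100.25", "tcp", 40000, 143), now=0)
    fine_grained = (fw.forward(alice, 1), fw.forward(eve, 1), fw.forward(spoofed, 1))

    # Label-only state, as in the text's example: Eve's marked packet passes too.
    fw.install("sid-b", FlowId(flow_label=0x1234), now=0)
    coarse = fw.forward(eve, 2)

    # Soft state: Eve cannot send a protected refresh, so once Alice is gone the
    # state times out and the window closes at expiry.
    eve_refresh = fw.refresh("sid-b", now=20, authenticated=False)
    after_expiry = fw.forward(eve, 31)
    return fine_grained, coarse, eve_refresh, after_expiry


if __name__ == "__main__":
    print(demo())
```
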
4.5. Unprotected Authorization Information

Authorization is an important criterion for providing resources such as QoS reservations, NAT bindings, and pinholes through firewalls. Authorization information might be delivered to the NSIS-participating entities in a number of ways.

Typically, the authenticated identity is used to assist during the authorization procedure (as described in [RFC3182], for example). Depending on the chosen authentication protocol, certain threats may exist. Section 3 discusses a number of issues related to this approach when the authentication and key exchange protocol is used to establish session keys for signaling message protection.

Another approach is to use some sort of authorization token. The functionality and structure of such an authorization token for RSVP is described in [RFC3520] and [RFC3521].

Achieving secure interaction between different protocols based on authorization tokens, however, requires some care. By using such an authorization token, it is possible to link state information between different protocols. Returning an unprotected authorization token to the end host might allow an adversary (for example, an eavesdropper) to steal resources. An adversary might also use the token to monitor communication patterns. Finally, an untrustworthy end host might also modify the token content.

The Session/Reservation Ownership problem can also be regarded as an authorization problem. Details are described in Section 4.10. In enterprise networks, authorization is often coupled with membership in a particular class of users or groups. This type of information either can be delivered as part of the authentication and key agreement procedure or has to be retrieved via separate protocols from other entities. If an adversary manages to modify information relevant to determining authorization or the outcome of the authorization process itself, then theft of service might be possible.

4.6. Missing Non-Repudiation

Signaling for QoS often involves three parties: the user, a network that offers QoS reservations (referred to as "service provider") and a third party that guarantees that the party making the reservation actually receives a financial compensation (referred to as "trusted third party").

In this context, "repudiation" refers to a problem where either the user or the service provider later denies the existence or some parameters (e.g., volume or price) of a QoS reservation towards the trusted third party. Problems stemming from a lack of non-repudiation appear in two forms:

Service provider's point-of-view: A user may deny having issued a reservation request for which it was charged. The service provider may then want to be able to prove that a particular user issued the reservation request in question.

User's point-of-view: A service provider may claim to have received a number of reservation requests from a particular user. The user in question may want to show that such reservation requests have never been issued and may want to see correct service usage records for a given set of QoS parameters.

In today's networks, non-repudiation is not provided. Therefore, it might be difficult to introduce with NSIS signaling. The user has to trust the network operator to meter the traffic correctly, to collect and merge accounting data, and to ensure that no unforeseen problems occur. If a signaling protocol with the non-repudiation property is desired for establishing QoS reservations, then it certainly impacts the protocol design.

Non-repudiation functionality places additional requirements on the security mechanisms. Thus, a solution would normally increase the overhead of a security solution. Threats related to missing non-repudiation are only considered relevant in certain specific scenarios and for specific NSLPs.

4.7. Malicious NSIS Entity

Network elements within a domain (intra-domain) experience a different trust relationship with regard to the security protection of signaling messages from that of edge NSIS entities. It is assumed that edge NSIS entities are responsible for performing cryptographic processing (authentication, integrity and replay protection, authorization, and accounting) for signaling messages arriving from the outside. This prevents unprotected signaling messages from appearing within the internal network. If, however, an adversary manages to take over an edge router, then the security of the entire network is compromised. An adversary is then able to launch a number of attacks, including denial of service; integrity violations; replay and reordering of objects and messages; bundling of messages; deletion of data packets; and various others. A rogue firewall can harm other firewalls by modifying policy rules. The chain-of-trust principle applied in peer-to-peer security protection cannot protect against a malicious NSIS node. An adversary with access to an NSIS router is also able to get access to security associations and to transmit secured signaling messages. Note that even non-peer-to-peer security protection might not be able to prevent this problem fully. Because an NSIS node might issue signaling messages on behalf of someone else (by acting as a proxy), additional problems need to be considered.

An NSIS-aware edge router is a critical component that requires strong security protection. A strong security policy applied at the edge does not imply that other routers within an intra-domain network do not need to verify signaling messages cryptographically. If the chain-of-trust principle is deployed, then the security protection of the entire path (in this case, within the network of a single administrative domain) is only as strong as the weakest link. In the case under consideration, the edge router is the most critical component of this network, and it may also act as a security gateway or firewall for incoming and outgoing traffic. For outgoing traffic, this device has to implement the security policy of the local domain and to apply the appropriate security protection.

For an adversary to mount this attack, either an existing NSIS-aware node along the path has to be attacked successfully, or an adversary must succeed in convincing another NSIS node to make it the next NSIS peer (man-in-the-middle attack).

4.8. Denial of Service Attacks

A number of denial of service (DoS) attacks can cause NSIS nodes to malfunction. Other attacks that could lead to DoS, such as man-in-the-middle attacks, replay attacks, and injection or modification of signaling messages, etc., are mentioned throughout this document.

Path Finding:

Some signaling protocols establish state (e.g., routing state) and perform some actions (e.g., querying resources) at a number of NSIS nodes without requiring authorization (or even proper authentication) based on a single message (e.g., PATH message in RSVP).

An adversary can utilize this fact to transmit a large number of signaling messages to allocate state at nodes along the path and to cause resource consumption.

An NSIS responder might not be able to determine the NSIS initiator and might even tend to respond to such a signaling message with a corresponding reservation message.

Discovery Phase:

Conveying signaling information to a large number of entities along a data path requires some sort of discovery. This discovery process is vulnerable to a number of attacks because it is difficult to secure. An adversary can use the discovery mechanisms to convince one entity to signal information to another entity that is not along the data path, or to cause the discovery process to fail. In the first case, the signaling protocol could appear to continue correctly, except that policy rules are installed at the incorrect firewalls or QoS resource reservations take place at the wrong entities. For an end host, this means that the protocol failed for unknown reasons.

Faked Error or Response Messages:

An adversary may be able to inject false error or response messages as part of a DoS attack. This could be at the signaling message protocol layer (NTLP), the layer of each client layer protocol (e.g., QoS NSLP or NAT/Firewall NSLP), or the transport protocol layer. An adversary might cause unexpected protocol behavior or might succeed with a DoS attack. The discovery protocol, especially, exhibits vulnerabilities with regard to this threat scenario (see the above discussion on discovery). If no separate discovery protocol is used and signaling messages are addressed to end hosts only (with a Router Alert Option so that NSIS-aware nodes intercept the messages), an error message might be used to indicate a path change. Such a design combines a discovery protocol with a signaling message exchange protocol.

4.9. Disclosing the Network Topology

In some organizations or enterprises there is a desire not to reveal internal network structure (or other related information) outside of a closed community. An adversary might be able to use NSIS messages for network mapping (e.g., discovering which nodes exist, which use NSIS, what version, what resources are allocated, what capabilities nodes along a path have, etc.). Discovery messages, traceroute, diagnostic messages (see [RFC2745] for a description of diagnostic message functionality for RSVP), and query messages, in addition to record route and route objects, provide potential assistance to an adversary. Thus, the requirement of not disclosing a network topology might conflict with other requirements to provide means for discovering NSIS-aware nodes automatically or to provide diagnostic facilities (used for network monitoring and administration).

4.10. Unprotected Session or Reservation Ownership

Figure 4 shows an NSIS Initiator that has established state information at NSIS nodes along a path as part of the signaling procedure. As a result, Access Router 1, Router 3, and Router 4 (and other nodes) have stored session-state information, including the Session Identifier SID-x.

                                             Session ID(SID-x)
                                       +--------+
                     +-----------------+ Router +------------>
    Session ID(SID-x)|                 |   4    |
                 +---+----+            +--------+
                 | Router |
          +------+   3    +*******
          |      +---+----+      *
          |                      *
          | Session ID(SID-x)    * Session ID(SID-x)
      +---+----+             +---+----+
      | Access |             | Access |
      | Router |             | Router |
      |   1    |             |   2    |
      +---+----+             +---+----+
          |                      *
          | Session ID(SID-x)    * Session ID(SID-x)
     +----+------+          +----+------+
     |  NSIS     |          | Adversary |
     | Initiator |          |           |
     +-----------+          +-----------+
        

Figure 4: Session or Reservation Ownership

The Session Identifier is included in signaling messages to refer to the established state.

If an adversary were able to obtain the Session Identifier (for example, by eavesdropping on signaling messages), it would be able to add the same Session Identifier SID-x to a new signaling message. When the new signaling message hits Router 3 (as shown in Figure 4), existing state information can be modified. The adversary can then modify or delete the established reservation and cause unexpected behavior for the legitimate user.

The source of the problem is that Router 3 (a cross-over router) is unable to decide whether the new signaling message was initiated by the owner of the session or reservation.

In addition, nodes other than the initial signaling message originator are allowed to signal information during the lifetime of an established session. As part of the protocol, any NSIS-aware node along the path (and the path might change over time) could initiate a signaling message exchange. It might, for example, be necessary to provide mobility support or to trigger a local repair procedure. If only the initial signaling message originator were allowed to trigger signaling message exchanges, some protocol behavior would not be possible.

If this threat scenario is not addressed, an adversary can launch DoS, theft of service, and various other attacks.
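The ownership problem of this section, as an added Python model that is not part of RFC 4081 or of any NSIS implementation. `UnprotectedRouter` plays Router 3 of Figure 4 with state keyed only by the Session Identifier, so any message carrying SID-x is honoured; `OwnershipCheckingRouter` is an assumed mitigation in which the initiator establishes a per-session key at reservation time and every later message must carry an HMAC tag and a sequence number under that key. The class names, the key-establishment step, the tag format, the sequence-number rule and the bandwidth values are all constructed for illustration; the RFC states the threat, not this mechanism.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    """Per-session state held by a cross-over router (Router 3 in Figure 4).
    Constructed model; not an NSIS data structure."""
    bandwidth_kbps: int
    owner_key: Optional[bytes] = None  # absent in the unprotected variant
    last_seq: int = 0                  # highest sequence number accepted


class UnprotectedRouter:
    """State is keyed by the Session Identifier alone, so any message that
    carries a known SID is honoured: the threat described in Section 4.10."""

    def __init__(self) -> None:
        self.state: Dict[str, Session] = {}

    def reserve(self, sid: str, kbps: int) -> None:
        self.state[sid] = Session(bandwidth_kbps=kbps)

    def modify(self, sid: str, kbps: int) -> str:
        if sid not in self.state:
            return "no-state"
        self.state[sid].bandwidth_kbps = kbps
        return "accepted"

    def teardown(self, sid: str) -> str:
        return "accepted" if self.state.pop(sid, None) is not None else "no-state"


class OwnershipCheckingRouter:
    """Assumed mitigation (not from the RFC): the session remembers a key
    established by its initiator at setup, and every later message must carry
    an HMAC-SHA256 tag under that key and a strictly increasing sequence number,
    so a captured owner message cannot simply be replayed."""

    def __init__(self) -> None:
        self.state: Dict[str, Session] = {}

    @staticmethod
    def tag(key: bytes, sid: str, seq: int, op: str, kbps: int) -> bytes:
        # The tag binds the SID, sequence number, operation and parameters.
        msg = f"{sid}|{seq}|{op}|{kbps}".encode()
        return hmac.new(key, msg, hashlib.sha256).digest()

    def reserve(self, sid: str, kbps: int, owner_key: bytes) -> None:
        self.state[sid] = Session(bandwidth_kbps=kbps, owner_key=owner_key)

    def _authorize(self, sid: str, seq: int, op: str, kbps: int, tag: bytes) -> str:
        sess = self.state.get(sid)
        if sess is None:
            return "no-state"
        expected = self.tag(sess.owner_key, sid, seq, op, kbps)
        if not hmac.compare_digest(expected, tag):
            return "rejected-not-owner"   # right SID, wrong key
        if seq <= sess.last_seq:
            return "rejected-replay"      # valid tag, but already seen
        sess.last_seq = seq
        return "accepted"

    def modify(self, sid: str, seq: int, kbps: int, tag: bytes) -> str:
        verdict = self._authorize(sid, seq, "modify", kbps, tag)
        if verdict == "accepted":
            self.state[sid].bandwidth_kbps = kbps
        return verdict

    def teardown(self, sid: str, seq: int, tag: bytes) -> str:
        verdict = self._authorize(sid, seq, "teardown", 0, tag)
        if verdict == "accepted":
            del self.state[sid]
        return verdict


def run_scenario() -> Dict[str, object]:
    """Replays Figure 4 against both routers: the NSIS Initiator reserves
    SID-x, then an adversary who eavesdropped SID-x tries to shrink and then
    tear down the reservation. All values are constructed."""
    sid = "SID-x"
    results: Dict[str, object] = {}

    router3 = UnprotectedRouter()
    router3.reserve(sid, 2000)
    results["unprotected_modify"] = router3.modify(sid, 1)      # adversary wins
    results["unprotected_teardown"] = router3.teardown(sid)     # adversary wins

    owner_key = os.urandom(32)  # shared only by the Initiator and Router 3
    router3 = OwnershipCheckingRouter()
    router3.reserve(sid, 2000, owner_key)
    guessed_tag = os.urandom(32)  # adversary knows SID-x but not owner_key
    results["protected_adv_modify"] = router3.modify(sid, 1, 1, guessed_tag)
    results["protected_adv_teardown"] = router3.teardown(sid, 1, guessed_tag)

    owner_tag = OwnershipCheckingRouter.tag(owner_key, sid, 1, "modify", 1500)
    results["protected_owner_modify"] = router3.modify(sid, 1, 1500, owner_tag)
    results["protected_replay"] = router3.modify(sid, 1, 1500, owner_tag)
    results["final_bandwidth"] = router3.state[sid].bandwidth_kbps
    return results


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

Running `run_scenario()` shows the unprotected router accepting both of the adversary's messages, while the checking router rejects them and also rejects a replay of the owner's own message. Note that this model only ever authorizes the original initiator; as the paragraph above explains, NSIS also needs other NSIS-aware nodes along the (possibly changing) path to signal for mobility support or local repair, so an owner-only key is too restrictive on its own and the RFC defers the actual requirements to [RFC3726].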

4.11. Attacks against the NTLP

In [2LEVEL], a two-level architecture is proposed that splits an NSIS protocol into two layers: a signaling message transport-specific layer and an application-specific layer. This is developed further in the NSIS Framework [RFC4080]. Most of the threats described in this threat analysis apply to the NSLP application-specific part (e.g., QoS NSLP). Some threats, however, apply to the NTLP.

Network and transport layer protocols lacking protection mechanisms are vulnerable to certain attacks, such as header manipulation, DoS, spoofing of identities, session hijacking, unexpected aborts, etc. Malicious nodes can attack the congestion control mechanism to force NSIS nodes into a congestion avoidance state.

Threats that address parts of the NTLP that are not related to attacks against the use of transport layer protocols are covered in various sections throughout this document, such as Section 4.2.

If existing transport layer protocols are used for exchanging NSIS signaling messages, security vulnerabilities known for these protocols need to be considered. A detailed threat description of these protocols is outside the scope of this document.

5. Security Considerations

This entire memo discusses security issues relevant for NSIS protocol design. It begins by identifying the components of a network running NSIS (Initiator, Responder, and different Administrative Domains between them). It then considers five cases in which communications take place between these components, and it examines the trust relationships presumed to exist in each case: First-Peer Communications, End-to-Middle Communications, Intra-Domain Communications, Inter-Domain Communications, and End-to-End Communications. This analysis helps determine the security needs and the relative seriousness of different threats in the different cases.

The document points out the need for different protocol security measures: authentication, key exchange, message integrity, replay protection, confidentiality, authorization, and some precautions against denial of service. The threats are subdivided into generic ones (e.g., man-in-the-middle attacks, replay attacks, tampering and forgery, and attacks on security negotiation protocols) and eleven threat scenarios that are particularly applicable to the NSIS protocol. Denial of service, for example, is covered in the NSIS-specific section, not because it cannot be carried out against other protocols, but because the methods used to carry out denial of service attacks tend to be protocol specific. Numerous illustrative examples provide insight into what can happen if these threats are not mitigated.

This document repeatedly points out that not all of the threats are equally serious in every context. It does attempt to identify the scenarios in which security failures may have the highest impact. However, it is difficult for the protocol designer to foresee all the ways in which NSIS protocols will be used or to anticipate the security concerns of a wide variety of likely users. Therefore, the protocol designer needs to offer a full range of security capabilities and ways for users to negotiate and select what they need, on a case-by-case basis. To counter these threats, security requirements have been listed in [RFC3726].

6. Contributors

We especially thank Richard Graveman, who provided text for the security considerations section, as well as a detailed review of the document.

7. Acknowledgements

We would like to thank (in alphabetical order) Marcus Brunner, Jorge Cuellar, Mehmet Ersue, Xiaoming Fu, and Robert Hancock for their comments on an initial version of this document. Jorge and Robert gave us an extensive list of comments and provided information on additional threats.

Jukka Manner, Martin Buechli, Roland Bless, Marcus Brunner, Michael Thomas, Cedric Aoun, John Loughney, Rene Soltwisch, Cornelia Kappler, Ted Wiederhold, Vishal Sankhla, Mohan Parthasarathy, and Andrew McDonald provided comments on more recent versions of this document. Their input helped improve the content of this document. Roland Bless, Michael Thomas, Joachim Kross, and Cornelia Kappler, in particular, provided good proposals for regrouping and restructuring the material.

A final review was given by Michael Richardson. We thank him for his detailed comments.

8. References
8.1. Normative References

[RFC4080] Hancock, R., Karagiannis, G., Loughney, J., and S. van den Bosch, "Next Steps in Signaling (NSIS): Framework", RFC 4080, June 2005.

[RFC3726] Brunner, M., "Requirements for Signaling Protocols", RFC 3726, April 2004.

8.2. Informative References

[ALN00] Aura, T., Leiwo, J., and P. Nikander, "Towards Network Denial of Service Resistant Protocols", In Proceedings of the 15th International Information Security Conference (IFIP/SEC 2000), Beijing, China, August 2000.

[AN97] Aura, T. and P. Nikander, "Stateless Connections", In Proceedings of the International Conference on Information and Communications Security (ICICS'97), Lecture Notes in Computer Science 1334, Springer, 1997.

[2LEVEL] Braden, R. and B. Lindell, "A Two-Level Architecture for Internet Signaling", Work in Progress, November 2002.

[RFC3697] Rajahalme, J., Conta, A., Carpenter, B., and S. Deering, "IPv6 Flow Label Specification", RFC 3697, March 2004.

[NATFW-NSLP] Stiemerling, M., "A NAT/Firewall NSIS Signaling Layer Protocol (NSLP)", Work in Progress, February 2005.

[GIMPS] Schulzrinne, H., "GIMPS: General Internet Messaging Protocol for Signaling", Work in Progress, February 2005.

[QOS-NSLP] Bosch, S., Karagiannis, G., and A. McDonald, "NSLP for Quality-of-Service signaling", Work in Progress, February 2005.

[RSVP-SEC] Tschofenig, H., "RSVP Security Properties", Work in Progress, February 2005.

[SIG-ANAL] Manner, J. and X. Fu, "Analysis of Existing Quality-of-Service Signaling Protocols", RFC 4094, May 2005.

[RFC1809] Partridge, C., "Using the Flow Label Field in IPv6", RFC 1809, June 1995.

[RFC2745] Terzis, A., Braden, B., Vincent, S., and L. Zhang, "RSVP Diagnostic Messages", RFC 2745, January 2000.

[RFC3182] Yadav, S., Yavatkar, R., Pabbati, R., Ford, P., Moore, T., Herzog, S., and R. Hess, "Identity Representation for RSVP", RFC 3182, October 2001.

[RFC3261] Rosenberg, J., Schulzrinne, H., Camarillo, G., Johnston, A., Peterson, J., Sparks, R., Handley, M., and E. Schooler, "SIP: Session Initiation Protocol", RFC 3261, June 2002.

[RFC3520] Hamer, L-N., Gage, B., Kosinski, B., and H. Shieh, "Session Authorization Policy Element", RFC 3520, April 2003.

[RFC3521] Hamer, L-N., Gage, B., and H. Shieh, "Framework for Session Set-up with Media Authorization", RFC 3521, April 2003.

[RFC3756] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor Discovery (ND) Trust Models and Threats", RFC 3756, May 2004.

Authors' Addresses

Hannes Tschofenig
Siemens
Otto-Hahn-Ring 6
Munich, Bavaria 81739
Germany

   EMail: Hannes.Tschofenig@siemens.com
        

Dirk Kroeselberg
Siemens
Otto-Hahn-Ring 6
Munich, Bavaria 81739
Germany

   EMail: Dirk.Kroeselberg@siemens.com
        

Full Copyright Statement

Copyright (C) The Internet Society (2005).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
