Internet Engineering Task Force (IETF)                       H. Moustafa
Request for Comments: 5713                                France Telecom
Category: Informational                                    H. Tschofenig
ISSN: 2070-1721                                   Nokia Siemens Networks
                                                           S. De Cnodder
                                                          Alcatel-Lucent
                                                            January 2010
Security Threats and Security Requirements for the Access Node Control Protocol (ANCP)
Abstract
The Access Node Control Protocol (ANCP) aims to communicate Quality of Service (QoS)-related, service-related, and subscriber-related configurations and operations between a Network Access Server (NAS) and an Access Node (e.g., a Digital Subscriber Line Access Multiplexer (DSLAM)). The main goal of this protocol is to allow the NAS to configure, manage, and control access equipment, including the ability for the Access Nodes to report information to the NAS.
This document investigates security threats that all ANCP nodes could encounter. It develops a threat model for ANCP security, with the aim of deciding which security functions are required. Based on this, security requirements regarding the Access Node Control Protocol are defined.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc5713.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction
2. Specification Requirements
3. System Overview and Threat Model
4. Objectives of Attackers
5. Potential Attacks
   5.1. Denial of Service (DoS)
   5.2. Integrity Violation
   5.3. Downgrading
   5.4. Traffic Analysis
   5.5. Management Attacks
6. Attack Forms
7. Attacks against ANCP
   7.1. Dynamic Access-Loop Attributes
   7.2. Access-Loop Configuration
   7.3. Remote Connectivity Test
   7.4. Multicast
8. Security Requirements
9. Security Considerations
10. Acknowledgments
11. References
   11.1. Normative References
   11.2. Informative References
1. Introduction

The Access Node Control Protocol (ANCP) aims to communicate QoS-related, service-related, and subscriber-related configurations and operations between a Network Access Server (NAS) and an Access Node (e.g., a Digital Subscriber Line Access Multiplexer (DSLAM)).
[ANCP-FRAME] illustrates the framework, usage scenarios, and general requirements for ANCP. This document focuses on describing security threats and deriving security requirements for the Access Node Control Protocol, considering the ANCP use cases defined in [ANCP-FRAME] as well as the guidelines for IETF protocols' security requirements given in [RFC3365]. Section 5 and Section 6, respectively, describe the potential attacks and the different attack forms that are liable to take place within ANCP, while Section 7 applies the described potential attacks to ANCP and its different use cases. Security policy negotiation, including authentication and authorization to define the per-subscriber policy at the policy/AAA (Authentication, Authorization, and Accounting) server, is out of the scope of this work. As a high-level summary, the following aspects need to be considered:
Message Protection:
Signaling message content can be protected against eavesdropping, modification, injection, and replay while in transit. This applies to both ANCP headers and payloads.
Prevention against Impersonation:
It is important that protection be available against a device impersonating an ANCP node (i.e., an unauthorized device generating an ANCP message and pretending it was generated by a valid ANCP node).
Prevention of Denial-of-Service Attacks:
ANCP nodes and the network have finite resources (state storage, processing power, bandwidth). It is important to protect against exhaustion attacks on these resources and to prevent ANCP nodes from being used to launch attacks on other network elements.
2. Specification Requirements

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119], with the qualification that, unless otherwise stated, they apply to the design of the Access Node Control Protocol (ANCP), not its implementation or application.
The relevant components are described in Section 3.
3. System Overview and Threat Model

As described in [ANCP-FRAME] and schematically shown in Figure 1, the Access Node Control system consists of the following components:
Network Access Server (NAS):
A NAS provides access to a service (e.g., network access) and operates as a client of the AAA protocol. The AAA client is responsible for passing authentication information to designated AAA servers and then acting on the response that is returned.
Authentication, Authorization, and Accounting (AAA) server:
A AAA server is responsible for authenticating users, authorizing access to services, and returning authorization information (including configuration parameters) back to the AAA client to deliver service to the user. As a consequence, service usage accounting might be enabled and information about the user's resource usage will be sent to the AAA server.
Access Node (AN):
The AN is a network device, usually located at a service provider central office or street cabinet, that terminates access-loop connections from subscribers. In case the access loop is a Digital Subscriber Line (DSL), this is often referred to as a DSL Access Multiplexer (DSLAM).
Customer Premises Equipment (CPE):
A CPE is a device located inside a subscriber's premises that is connected at the LAN side of the Home Gateway (HGW).
Home Gateway (HGW):
The HGW connects the different Customer Premises Equipment (CPE) devices to the Access Node and the access network. In the case of DSL, the HGW is a DSL Network Termination (NT) that can operate either as a layer 2 bridge or as a layer 3 router. In the latter case, such a device is also referred to as a Routing Gateway (RG).
Aggregation Network:
The aggregation network provides traffic aggregation from multiple ANs towards the NAS. ATM or Ethernet transport technologies can be used.
For the threat analysis, this document focuses on the ANCP communication between the Access Node and the NAS. However, communications with the other components (such as HGW, CPE, and the AAA server) play a role in the understanding of the system architecture and of what triggers ANCP communications. Note that the NAS and the AN might belong to two different administrative realms. The threat model and the security requirements in this document consider this latter case.
                                            +--------+
                                            |  AAA   |
                                            | Server |
                                            +--------+
                                                 |
                                                 |
 +---+   +---+   +------+    +-----------+    +-----+   +--------+
 |CPE|---|HGW|---|      |    |Aggregation|    |     |   |        |
 +---+   +---+   |Access|    |  Network  |    |     |   |Internet|
                 | Node |----|           |----| NAS |---|   /    |
 +---+   +---+   | (AN) |    |           |    |     |   |Regional|
 |CPE|---|HGW|---|      |    |           |    |     |   |Network |
 +---+   +---+   +------+    +-----------+    +-----+   +--------+
Figure 1: System Overview
In the absence of an attack, the NAS receives configuration information from the AAA server related to a CPE attempting to access the network. A number of parameters, including Quality of Service information, need to be conveyed to the Access Node in order to become effective. The Access Node Control Protocol is executed between the NAS and the AN to initiate control requests. The AN returns responses to these control requests and provides information reports.
For this to happen, the following individual steps must occur:
o The AN discovers the NAS.
o The AN needs to start the protocol communication with the NAS to announce its presence.
o The AN and the NAS perform a capability exchange.
o The NAS sends requests to the AN.
o The AN processes these requests, authorizes the actions, and responds with the appropriate answer. In order to fulfill the commands, it might be necessary for the AN to communicate with the HGW or other nodes, for example, as part of a keep-alive mechanism.
o The AN provides status reports to the NAS.
Attackers can be:
o off-path, i.e., they cannot see the messages exchanged between the AN and the NAS;
o on-path, i.e., they can see the messages exchanged between the AN and the NAS.
Both off-path and on-path attackers can be:
o passive, i.e., they do not participate in the network operation but rather listen to all transfers to obtain the maximum possible information;
o active, i.e., they participate in the network operation and can inject falsified packets.
We assume the following threat model:
o An off-path adversary located at the CPE or the HGW.
o An off-path adversary located on the Internet or a regional network that connects one or more NASes and associated access networks to Network Service Providers (NSPs) and Application Service Providers (ASPs).
o An on-path adversary located at network elements between the AN and the NAS.
o An on-path adversary taking control over the NAS.
o An on-path adversary taking control over the AN.
4. Objectives of Attackers

Attackers may direct their efforts either against an individual entity or against a large portion of the access network. Attacks fall into three classes:
o Attacks to disrupt the communication for individual customers.
o Attacks to disrupt the communication of a large fraction of customers in an access network. These also include attacks on the network itself or a portion of it, such as attacks that disrupt the network services or attacks that break the functioning of the network.
o Attacks to gain profit for the attacker through modifying the QoS settings. Also, through replaying old packets (of another privileged client, for instance), an attacker can attempt to configure a better QoS profile on its own DSL line, increasing its own benefit.
5. Potential Attacks

This section discusses the different types of attacks against ANCP, while Section 6 describes the possible means of their occurrence.
ANCP is mainly susceptible to the following types of attacks:
5.1. Denial of Service (DoS)

A number of denial-of-service (DoS) attacks can cause ANCP nodes to malfunction. When state is established or certain functions are performed without requiring prior authorization, there is a chance to mount denial-of-service attacks. An adversary can utilize this fact to transmit a large number of signaling messages to allocate state at nodes and to cause consumption of resources. Also, an adversary, through DoS, can prevent certain subscribers from accessing certain services. Moreover, DoS can take place at the AN or the NAS themselves, where it is possible for the NAS (or the AN) to intentionally ignore the requests received from the AN (or the NAS) through not replying to them. This causes the sender of the request to retransmit the request, which might allocate additional state at the sender side to process the reply. Allocating more state may result in memory depletion.
5.2. Integrity Violation

Adversaries gaining illegitimate access to the transferred messages can act on these messages, causing integrity violation. Integrity violation can cause unexpected network behavior, leading to a disturbance in the network services as well as in the network functioning.
5.3. Downgrading

Protocols may be useful in a variety of scenarios with different security and functional requirements. Different parts of a network (e.g., within a building, across a public carrier's network, or over a private microwave link) may need different levels of protection. It is often difficult to meet these (sometimes conflicting) requirements with a single mechanism or fixed set of parameters; thus, often a selection of mechanisms and parameters is offered. A protocol is required to agree on certain (security) mechanisms and parameters. An insecure parameter exchange or security negotiation protocol can give an adversary the opportunity to mount a downgrading attack to force selection of mechanisms weaker than those mutually desired. Thus, without binding the negotiation process to the legitimate parties and protecting it, ANCP might only be as secure as the weakest mechanism provided (e.g., weak authentication) and the benefits of defining configuration parameters and a negotiation protocol are lost.
5.4. Traffic Analysis

An adversary can be placed at the NAS, the AN, or any other network element, capturing all traversing packets. Adversaries can thus gain unauthorized access to information. They can also gather information relevant to the network and then use this information to gain unauthorized access later. This attack can also serve adversaries for other malicious purposes -- for example, capturing messages sent from the AN to the NAS announcing that a DSL line is up and containing some information related to the connected client. This could be any form of information about the client and could also be an indicator of whether or not the DSL subscriber is at home at a particular moment.
5.5. Management Attacks

Since the ANCP sessions are configured in the AN and not in the NAS [ANCP-FRAME], most configurations of ANCP are done in the AN. Consequently, the management attacks on ANCP mainly concern the AN configuration phase. In this context, the AN MIB module could be the vehicle for disclosure- and misconfiguration-related attacks. [ANCP-MIB] defines the vulnerabilities of the management objects within the AN MIB module. These attacks mainly concern unauthorized changes to the management objects, leading to a number of attacks such as session deletion, a session using an undesired/unsupported protocol, disabling certain ANCP capabilities or enabling undesired capabilities, ANCP packets being sent out to the wrong interface (and thus being received by an unintended receiver), harming the synchronization between the AN and the NAS, and impacting traffic in the network other than ANCP.
6. Attack Forms

The attacks mentioned above in Section 5 can be carried out through the following means:
Message Replay:
This threat scenario covers the case in which an adversary eavesdrops, collects signaling messages, and replays them at a later time (or at a different place or in a different way; e.g., cut-and-paste attacks). Through replaying signaling messages, an adversary might mount denial-of-service and theft-of-service attacks.
Faked Message Injection:
An adversary may be able to inject false error or response messages, causing unexpected protocol behavior and succeeding with a DoS attack. This could be achieved at the signaling-protocol level, at the level of specific signaling parameters (e.g., QoS information), or at the transport layer. An adversary might, for example, inject a signaling message to request allocation of QoS resources. As a consequence, other users' traffic might be impacted. The discovery protocol, especially, exhibits vulnerabilities with regard to this threat scenario.
Message Modification:
This involves integrity violation, where an adversary can modify signaling messages in order to cause unexpected network behavior. Related actions an adversary might consider for its attack are the reordering and delaying of messages, causing the protocol's processing to fail.
Man-in-the-Middle:
An adversary might claim to be a NAS or an AN, acting as a man-in-the-middle to later cause communication and services disruption. The consequence can range from DoS to fraud. An adversary acting as a man-in-the-middle could modify the intercepted messages, causing integrity violation, or could drop or truncate the intercepted messages, causing DoS and a protocol's process failure. In addition, a man-in-the-middle adversary can signal information to an illegitimate entity in place of the right destination. In this case, the protocol could appear to continue working correctly. This may result in an AN contacting a wrong NAS. For the AN, this could mean that the protocol failed for unknown reasons. A man-in-the-middle adversary can also cause downgrading attacks through initiating faked configuration parameters and through forcing selection of weak security parameters or mechanisms.
Eavesdropping:
This is related to adversaries that are able to eavesdrop on transferred messages. The collection of the transferred packets by an adversary may allow traffic analysis or be used later to mount replay attacks. The eavesdropper might learn QoS parameters, communication patterns, policy rules for firewall traversal, policy information, application identifiers, user identities, NAT bindings, authorization objects, network configuration, performance information, and more.
7. Attacks against ANCP

ANCP is susceptible to security threats causing disruption of or unauthorized access to network services, manipulation of the transferred data, and interference with network functions. Based on the threat model given in Section 3 and the potential attacks presented in Section 5, this section describes the possible attacks against ANCP, considering the four use cases defined in [ANCP-FRAME].
Although ANCP is not involved in the communication between the NAS and the AAA/policy server, the secure communication between the NAS and the AAA/policy server is important for ANCP security. Consequently, this document considers the attacks that are related to the ANCP operation associated with the communication between the NAS and the AAA/Policy server. In other words, the threat model and security requirements in this document take into consideration the data transfer between the NAS and the AAA server, when this data is used within the ANCP operation.
Besides the attacks against the four ANCP use cases described in the following subsections, ANCP is susceptible to a number of attacks that can take place during the protocol-establishment phase. These attacks are mainly on-path attacks, taking the form of DoS or man-in-the-middle attacks, which could be as follows:
o Attacks during the session initiation from the AN to the NAS: DoS attacks could take place affecting the session-establishment process. Also, man-in-the-middle attacks could take place, causing message truncation or message modification and leading to session-establishment failure.
o Attacks during the peering establishment: DoS attacks could take place during state synchronization between the AN and the NAS. Also, man-in-the-middle attacks could take place through message modification during identity discovery, which may lead to loss of contact between the AN and the NAS.
o Attacks during capabilities negotiation: Message replay could take place, leading to DoS. Also, man-in-the-middle attacks could take place, leading to message modification, message truncation, or downgrading through advertising lesser capabilities.
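The downgrading threat of Section 5.3 and the capability-negotiation item above both come down to one requirement: the negotiation must be bound to the legitimate AN and NAS so that an on-path adversary who strips a capability from an advertisement is detected rather than silently accepted. The following is an added illustration written for this document, not ANCP code or a format from [ANCP-FRAME]; it assumes a pre-shared key between the AN and the NAS, a constructed text encoding of capability lists, and an HMAC-SHA256 over the whole negotiation transcript.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed pre-shared key for this example only; ANCP's real key
# management and transport are not modelled here.
PSK = b"example-an-nas-shared-key"

# Capability labels borrowed from the four ANCP use cases named in this
# document; their string form is an assumption of this example.
AN_CAPS = {"dynamic-access-loop-attributes", "access-loop-configuration",
           "remote-connectivity-test", "multicast"}
NAS_CAPS = set(AN_CAPS)


def encode_caps(caps):
    """Deterministic encoding so both peers MAC exactly the same bytes."""
    return ",".join(sorted(caps)).encode()


def transcript_mac(key, an_offer, nas_offer, chosen):
    """HMAC over the negotiation transcript: the AN's offer, the NAS's
    offer and the agreed set. A man-in-the-middle who strips or alters a
    capability changes the bytes one side hashes but not the other's.
    (A deployed protocol would also bind fresh nonces to stop transcript
    replay; omitted here to keep the downgrade check in focus.)"""
    msg = b"|".join([b"ANCP-CAPS", encode_caps(an_offer),
                     encode_caps(nas_offer), encode_caps(chosen)])
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass
class Result:
    chosen: frozenset   # capability set the peers settled on
    verified: bool      # did the AN's transcript check pass?


def negotiate(an_caps, nas_caps, key=PSK, tamper=None):
    """Simulate the AN -> NAS -> AN capability exchange.

    `tamper`, if given, rewrites the AN's offer as the NAS receives it,
    standing in for an on-path adversary between the two nodes."""
    an_offer_sent = set(an_caps)
    an_offer_received = set(tamper(an_offer_sent)) if tamper else an_offer_sent

    # NAS side: intersect what it received with what it supports, then
    # MAC the transcript exactly as it saw it.
    chosen = an_offer_received & set(nas_caps)
    nas_mac = transcript_mac(key, an_offer_received, nas_caps, chosen)

    # AN side: recompute the MAC from the offer it actually sent. Any
    # difference between sent and received offers surfaces here, even
    # though the agreed set on its own looks like a valid (smaller) result.
    an_mac = transcript_mac(key, an_offer_sent, nas_caps, chosen)
    verified = hmac.compare_digest(an_mac, nas_mac)
    return Result(frozenset(chosen), verified)


def strip_line_config(offer):
    """Constructed adversary behaviour for the demonstration: remove one
    capability from the AN's advertisement so the peers agree on less."""
    return offer - {"access-loop-configuration"}


if __name__ == "__main__":
    honest = negotiate(AN_CAPS, NAS_CAPS)
    attacked = negotiate(AN_CAPS, NAS_CAPS, tamper=strip_line_config)
    print("honest   :", sorted(honest.chosen), "verified =", honest.verified)
    print("downgraded:", sorted(attacked.chosen), "verified =", attacked.verified)
```

Without the transcript MAC the second run would simply complete with three capabilities and neither node would notice; with it, the AN's check fails and the session can be torn down instead of operating at the reduced level.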
7.1. Dynamic Access-Loop Attributes

This use case concerns the communication of access-loop attributes for dynamic, access-line topology discovery. Since the access-loop rate may change over time, advertisement is beneficial to the NAS to gain knowledge about the topology of the access network for QoS scheduling. Besides data rates and access-loop link identification, other information may also be transferred from the AN to the NAS (examples in the case of a DSL access loop are DSL type, maximum achievable data rate, and maximum data rate configured for the access loop). This use case is thus vulnerable to a number of on-path and off-path attacks that can be either active or passive.
On-path attacks can take place between the AN and the NAS, on the AN or on the NAS, during the access-loop attributes transfer. These attacks may be:
o Active, acting on the transferred attributes and injecting falsified packets. The main attacks here are:
* Man-in-the-middle attacks can cause access-loop attributes transfer between the AN and a forged NAS or a forged AN and the NAS, which can directly cause faked attributes and message modification or truncation.
* Signaling replay, by an attacker between the AN and the NAS, on the AN or on the NAS itself, causing DoS.
* An adversary acting as man-in-the-middle can cause downgrading through changing the actual data rate of the access loop, which impacts the downstream shaping from the NAS.
o Passive, only learning these attributes. The main attacks here are caused by:
* Eavesdropping through learning access-loop attributes and information about the clients' connection state, and thus impacting their privacy protection.
* Traffic analysis allowing unauthorized information access, which could allow later unauthorized access to the NAS.
Off-path attacks can take place on the Internet, affecting the access-loop attribute sharing between the NAS and the AAA/policy server. These attacks may be:
o Active attacks, which mainly concern:
* DoS through flooding the communication links to the AAA/policy server, causing service disruption.
* Man-in-the-middle, causing access-loop configuration retrieval by an illegitimate NAS.
o Passive attacks, gaining information on the access-loop attributes. The main attacks in this case are:
* Eavesdropping through learning access-loop attributes and learning information about the clients' connection states, and thus impacting their privacy protection.
* Traffic analysis allowing unauthorized information access, which could allow later unauthorized access to the NAS.
7.2. Access-Loop Configuration

This use case concerns the dynamic, local-loop line configuration through allowing the NAS to change the access-loop parameters (e.g., rate) in a dynamic fashion. This allows for centralized, subscriber-related service data. This dynamic configuration can be achieved, for instance, through profiles that are pre-configured on ANs. This use case is vulnerable to a number of on-path and off-path attacks.
On-path attacks can take place where the attacker is between the AN and the NAS, is on the AN, or is on the NAS. These can be as follows:
o Active attacks, taking the following forms:
* An attacker can mount DoS attacks against the AN by replaying Configure Request messages.
* An attacker on the AN can prevent the AN from reacting on the NAS request for the access-loop configuration, leading to the NAS continually sending the Configure Request message and, hence, allocating additional states.
* An上的攻击者可以阻止An对NAS访问环路配置请求作出反应,从而导致NAS不断发送配置请求消息,从而分配其他状态。
* Damaging clients' profiles at ANs can take place by adversaries that gained control on the network through discovery of users' information from a previous traffic analysis.
* 在ANs上,通过发现先前流量分析中的用户信息而获得网络控制权的对手可能会破坏客户端的配置文件。
* An adversary can replay old packets, modify messages, or inject faked messages. Such adversary can also be a man-in-the-middle. These attack forms can be related to a privileged client profile (having more services) in order to configure this profile on the adversary's own DSL line, which is less privileged. In order that the attacker does not expose its identity, he may also use these attack forms related to the privileged client profile to configure a number of illegitimate DSL lines. The adversary can also force configuration parameters other than the selected ones, leading to, for instance, downgrading the service for a privileged client.
* 对手可以重放旧数据包、修改消息或注入伪造消息。这样的对手也可以是中间人。这些攻击形式可能与特权客户端配置文件(具有更多服务)相关,以便在对手自己的DSL线路上配置该配置文件,而该线路的特权较低。为了使攻击者不暴露其身份,他还可以使用这些与特权客户端配置文件相关的攻击形式来配置大量非法DSL线路。对手还可以强制使用所选参数以外的配置参数,例如,导致降级特权客户端的服务。
o Passive attacks, where the attacker listens to the ANCP messages. This can take place as follows:
o 被动攻击,攻击者监听ANCP消息。这可以按如下方式进行:
* Learning configuration attributes is possible during the update of the access-loop configuration. An adversary might profit to see the configuration that someone else gets (e.g., one ISP might be interested to know what the customers of another ISP get and therefore might break into the AN to see this).
* 在更新访问环路配置期间,可以学习配置属性。对手可能会因为看到其他人获得的配置而获利(例如,一个ISP可能有兴趣知道另一个ISP的客户获得了什么,因此可能会闯入An来查看这一点)。
Off-path attacks can take place as follows:
路径外攻击可能发生如下情况:
o An off-path passive adversary on the Internet can exert eavesdropping during the access-loop configuration retrieval by the NAS from the AAA/policy server.
o 在NAS从AAA/策略服务器检索访问环路配置期间,Internet上的非路径被动对手可以实施窃听。
o An off-path active adversary on the Internet can threaten the centralized subscribers-related service data in the AAA/policy server through, for instance, making subscribers' records inaccessible.
o Internet上的非路径主动对手可以威胁AAA/策略服务器中与集中式订阅者相关的服务数据,例如,使订阅者的记录不可访问。
4.3. Remote Connectivity Test

In this use case, the NAS can carry out a Remote Connectivity Test, using ANCP to initiate an access-loop test between the AN and the HGW. Thus, multiple access-loop technologies can be supported. This use case is vulnerable to a number of active attacks, most of which concern the network operation.

On-path active attacks can take place in the following forms:

o Man-in-the-middle attack while the NAS triggers the AN to carry out the test, where an adversary can inject falsified signals or truncate the trigger.
o Message modification during the transfer of the Subscriber Response message (announcing the test results) from the AN to the NAS, causing failure of the test operation.
o An adversary on the AN can prevent the AN from sending the Subscriber Response message announcing the test results to the NAS; the NAS will then keep triggering the AN to carry out the test, which results in more state being allocated at the NAS. This may result in unavailability of the NAS to the ANs.

Off-path active attacks can take place as follows:

o An adversary can cause DoS during the access-loop test when, in the case of an ATM-based access loop, the AN generates loopback cells. This can take place through signal replaying.
o An adversary can truncate messages during the access-loop test, which can lead to service disruption because test failures are assumed.
4.4. Multicast

In this use case, ANCP could be used to exchange information between the AN and the NAS, allowing the AN to perform replication in line with the policy and configuration of the subscriber. This also allows the NAS to follow subscribers' multicast (source, group) membership and to control the replication performed by the AN. Four multicast use cases are expected to make use of ANCP: multicast conditional access, multicast admission control, multicast accounting, and spontaneous admission response. This section gives a high-level description of the possible attacks that can take place in these cases. Attacks that can occur are mostly active attacks.

On-path active attacks can be as follows:

o DoS attacks, causing certain subscribers to be unable to access particular multicast streams, or to access them only at a reduced bandwidth, impacting the quality of the video stream. This can take place through message replay by an attacker between the AN and the NAS, on the AN, or on the NAS. Such DoS attacks can also be mounted by tampering, for instance, with the white/black list configuration, or by attacking the bandwidth-admission-control mechanism.
o An adversary on the NAS can prevent the NAS from reacting to the AN's requests for white/black/grey lists or for admission control for the access line. The AN in this case would not receive a reply and would continue sending its requests, resulting in more state being allocated at the AN. A similar case occurs for admission control when the NAS can also send requests to the AN: when the NAS does not receive a response, it could also retransmit its requests, resulting in more state being allocated at the NAS side to process responses. This may result in the unavailability of the NAS to the ANs.
o Man-in-the-middle, causing the exchange of messages between the AN and a forged NAS, or between a forged AN and the NAS. This can lead to the following:
  * Message modification, which can cause service downgrading for legitimate subscribers, for instance, through an illegitimate change of a subscriber's policy.
  * Message truncation between the AN and the NAS, which can result in the non-continuity of services.
  * Message replay between the AN and the NAS, on the AN, or on the NAS, leading to a DoS or to service fraud.
  * Message modification to tamper with accounting information, for example, in order to avoid service charges or, conversely, in order to artificially increase the service charges of other users.

An off-path active attack is as follows:

o DoS could take place through replay of join/leave requests by the HGW or CPE, frequently triggering ANCP activity between the AN and the NAS. DoS could also result from the HGW or CPE generating large numbers of IGMP joins/leaves, leading to a very high rate of ANCP queries/responses.
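The off-path attack above is the one a subscriber can mount without touching the AN/NAS link at all: every IGMP join or leave from the home network may translate into an ANCP query, so an IGMP flood becomes an ANCP flood. The following is an added example, not taken from the RFC or from any AN product, of an AN-side gate that neutralises both forms of the attack: replayed joins/leaves that change no membership are suppressed before any ANCP activity, and the remaining membership changes are rate-limited per access line with a token bucket, so one line cannot drive the query rate toward the NAS. The rate and burst values, line names, group addresses and the event timeline are constructed for the illustration.

```python
class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class AnMulticastGate:
    """AN-side gate between IGMP from the access line and ANCP toward the NAS.

    Two checks run before any ANCP query is generated:
      1. Duplicate joins (group already joined) and leaves for groups that are
         not joined are suppressed outright, so a replayed join/leave produces
         no AN/NAS interaction.
      2. A per-access-line token bucket bounds the rate at which the remaining
         membership changes may trigger ANCP queries.
    """

    def __init__(self, rate=2.0, burst=5):  # assumed per-line policy values
        self.rate = rate
        self.burst = burst
        self.buckets = {}      # line -> TokenBucket
        self.members = {}      # line -> set of joined groups
        self.queries = {}      # line -> number of ANCP queries sent
        self.dropped = {}      # line -> IGMP messages dropped by the limiter
        self.suppressed = 0    # replayed / redundant membership messages

    def on_igmp(self, now, line, group, op):
        joined = self.members.setdefault(line, set())
        if (op == "join" and group in joined) or (op == "leave" and group not in joined):
            self.suppressed += 1
            return "suppressed: no membership change"
        bucket = self.buckets.setdefault(line, TokenBucket(self.rate, self.burst))
        if not bucket.allow(now):
            self.dropped[line] = self.dropped.get(line, 0) + 1
            return "dropped: rate limit"
        if op == "join":
            joined.add(group)
        else:
            joined.discard(group)
        self.queries[line] = self.queries.get(line, 0) + 1
        return "ancp query sent"  # e.g. a conditional-access or admission query to the NAS


def demo():
    """Constructed IGMP timeline: one abusive line, one well-behaved line."""
    events = []
    # 'dsl-17' fires 50 joins for distinct groups 1 ms apart.
    for i in range(50):
        events.append((i * 0.001, "dsl-17", "239.1.1.%d" % (i + 1), "join"))
    # 'dsl-3' behaves normally, but also replays a join and sends a stray leave.
    events += [
        (0.100, "dsl-3", "239.0.0.1", "join"),
        (0.200, "dsl-3", "239.0.0.1", "join"),   # replayed join
        (0.700, "dsl-3", "239.0.0.1", "leave"),
        (0.800, "dsl-3", "239.0.0.2", "leave"),  # leave for a group never joined
        (1.500, "dsl-3", "239.0.0.1", "join"),
    ]
    gate = AnMulticastGate()
    for now, line, group, op in sorted(events):
        gate.on_igmp(now, line, group, op)
    return {"queries": dict(gate.queries), "dropped": dict(gate.dropped),
            "suppressed": gate.suppressed}


if __name__ == "__main__":
    print(demo())
```

With a burst of 5 and a refill of 2 tokens per second, the abusive line gets five ANCP queries out of fifty joins and the well-behaved line is untouched, since the bucket is per line rather than per AN. A dropped join is not silently lost in the sense that matters to the subscriber: the IGMP querier will see the membership again at the next query interval, so a legitimate burst degrades to a short delay rather than a denial.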
5. Security Requirements

This section presents a number of requirements motivated by the different types of attacks defined in the previous section. These requirements are as follows:

o The protocol solution MUST offer authentication of the AN to the NAS.
o The protocol solution MUST offer authentication of the NAS to the AN.
o The protocol solution MUST allow authorization to take place at the NAS and the AN.
o The protocol solution MUST offer replay protection.
o The protocol solution MUST provide data-origin authentication.
o The protocol solution MUST be robust against denial-of-service (DoS) attacks. In this context, the protocol solution MUST consider a specific mechanism for the DoS that a user might create by sending many IGMP messages.
o The protocol solution SHOULD offer confidentiality protection.
o The protocol solution SHOULD ensure that operation in the default configuration guarantees a low number of AN/NAS protocol interactions.
o The protocol solution SHOULD ensure access control of the management objects and possibly encrypt the values of these objects when sending them over the network.
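Replay protection and data-origin authentication are the two requirements that directly answer the replayed, modified and forged Configure Request attacks listed under Access-Loop Configuration. The following is an added example, not taken from the RFC or from any ANCP implementation, of what satisfying both on a single message stream looks like: a keyed MAC covers the sequence number together with the payload, and the receiver verifies the MAC before consulting an IPsec-style sliding anti-replay window, so that a forged message cannot advance or pollute the window. The framing (4-byte sequence number, payload, 32-byte HMAC-SHA256 tag), the shared key, the `CONFIGURE` payloads and the window size are assumptions for the illustration, not ANCP's wire format; a real deployment would obtain these properties from the transport-security layer (TLS or IPsec) rather than from a hand-rolled MAC.

```python
import hashlib
import hmac
import struct

# Assumed (not ANCP's real) wire layout for the illustration:
#   4-byte big-endian sequence number | payload | 32-byte HMAC-SHA256 tag
SEQ_LEN = 4
TAG_LEN = 32
WINDOW_SIZE = 64  # anti-replay window width, in the style of IPsec ESP (RFC 4303)


def build_message(key, seq, payload):
    """Sender side: authenticate the sequence number together with the payload."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class ReplayWindow:
    """Sliding bitmap window of already-accepted sequence numbers."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = -1   # highest sequence number accepted so far
        self.bitmap = 0     # bit i set <=> sequence (highest - i) was accepted

    def check_and_update(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:
            return False   # older than the window: treat as a replay
        if self.bitmap & (1 << offset):
            return False   # already accepted: replay
        self.bitmap |= 1 << offset
        return True


class Receiver:
    """Receiver side: verify origin first, then check for replay, then act."""

    def __init__(self, key):
        self.key = key
        self.window = ReplayWindow()
        self.applied = []  # payloads that passed both checks

    def receive(self, msg):
        if len(msg) < SEQ_LEN + TAG_LEN:
            return "reject: truncated"
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Origin check before the window update, so forged sequence numbers
        # from an attacker cannot advance or pollute the window.
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        seq = struct.unpack("!I", body[:SEQ_LEN])[0]
        if not self.window.check_and_update(seq):
            return "reject: replay"
        self.applied.append(body[SEQ_LEN:])
        return "accept"


def demo():
    """Constructed exchange: a NAS configures line 7, then an attacker intervenes."""
    key = b"constructed-shared-key-for-the-example"
    an = Receiver(key)  # the AN receives Configure Requests from the NAS
    m1 = build_message(key, 1, b"CONFIGURE line=7 rate=20M")
    m2 = build_message(key, 2, b"CONFIGURE line=7 rate=50M")
    results = {
        "first": an.receive(m1),
        "second": an.receive(m2),
        "replayed_first": an.receive(m1),
    }
    tampered = bytearray(m2)
    tampered[SEQ_LEN + 5] ^= 0x01  # flip one bit inside the payload
    results["tampered"] = an.receive(bytes(tampered))
    forged = build_message(b"attacker-guessed-key", 3, b"CONFIGURE line=7 rate=100M")
    results["forged"] = an.receive(forged)
    results["truncated"] = an.receive(m2[:20])
    # Out-of-order delivery inside the window is accepted exactly once.
    m5 = build_message(key, 5, b"CONFIGURE line=7 rate=30M")
    m4 = build_message(key, 4, b"CONFIGURE line=7 rate=40M")
    results["seq5"] = an.receive(m5)
    results["seq4_late"] = an.receive(m4)
    results["seq4_replayed"] = an.receive(m4)
    results["applied"] = len(an.applied)
    return results


if __name__ == "__main__":
    print(demo())
```

Two details carry the security argument. The tag is computed over the sequence number as well as the payload, so an attacker cannot take an authentic payload and re-send it under a fresh sequence number; and the MAC is checked with `hmac.compare_digest` before the window is touched, so an off-path sender who can guess sequence numbers but not the key cannot push the window forward and cause legitimate, in-flight messages to be discarded as "too old".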
6. Security Considerations

This document focuses on security threats, deriving a threat model for ANCP and presenting the security requirements to be considered in the design of ANCP.
7. Acknowledgments

Many thanks go to Francois Le Faucher for reviewing this document and for all his useful comments. The authors would also like to thank Philippe Niger, Curtis Sherbo, and Michael Busser for reviewing this document. Further thanks go to Bharat Joshi, Mark Townsley, Wojciech Dec, and Kim Hylgaard, who provided valuable comments during the development of this work.
8. References

8.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3365] Schiller, J., "Strong Security Requirements for Internet Engineering Task Force Standard Protocols", BCP 61, RFC 3365, August 2002.

8.2. Informative References

[ANCP-FRAME] Ooghe, S., Voigt, N., Platnic, M., Haag, T., and S. Wadhwa, "Framework and Requirements for an Access Node Control Mechanism in Broadband Multi-Service Networks", Work in Progress, October 2009.
[ANCP-MIB] De Cnodder, S. and M. Morgenstern, "Access Node Control Protocol (ANCP) MIB module for Access Nodes", Work in Progress, July 2009.
Authors' Addresses

Hassnaa Moustafa
France Telecom
38-40 rue du General Leclerc
Issy Les Moulineaux, 92794 Cedex 9
France

EMail: hassnaa.moustafa@orange-ftgroup.com

Hannes Tschofenig
Nokia Siemens Networks
Linnoitustie 6
Espoo 02600
Finland

Phone: +358 (50) 4871445
EMail: Hannes.Tschofenig@gmx.net
URI: http://www.tschofenig.priv.at

Stefaan De Cnodder
Alcatel-Lucent
Copernicuslaan 50
B-2018 Antwerp, Belgium

Phone: +32 3 240 85 15
EMail: stefaan.de_cnodder@alcatel-lucent.com