2002-10-01 17:22:47 GMT
Draft looks good overall. Some overall comments, then an edited version cleaning up some typos and confusing phrases here and there.
Most important observation: the I-D purports to be about threats, yet mentions several times unintentional actions. To me, those are not security threats. For instance, someone who misconfigures the request routing unintentional may break things, but it's not a threat to security. Perhaps the title and abstract should change from "threat" models to "failure" models and emphasize that most of these, but not all, are from explicit intentional threats. Of course, some "threats" are not actually "failures" so perhaps that doesn't quite work... maybe "threat and failure"??
Terminology: "CDN" crept in there a few times. Should all references to "CDN" be "CN"? (I changed these in my copy.) "Resultant" appeared here and there. I had to look it up to be sure it was a word. It is, and basically means "resulting". Why use such an obscure word instead? Is there a distinction in meaning?
184.108.40.206 talks about a CN exposing passwords & credit card numbers. This seems to be supposing a lot -- are there CNs today that actually see credit card numbers?
220.127.116.11 refers to a location of a surrogate "generally transparent to the client". To me "transparent" means it is NOT seen, but it sounds here like you mean "visible", the opposite. No?
In Sec. 5 it is "recommended not to send passwords in the clear" -- why not required?
INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 1
Network Working Group L. Amini
Internet-Draft IBM Research
Expires: March 31, 2003
Kobus van der Merwe
Status of this Memo
This document is an Internet-Draft and is in full conformance with
provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Force (IETF), its areas, and its working groups. Note that other
groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
The list of Internet-Draft Shadow Directories can be accessed at
This Internet-Draft will expire on March 31, 2003 Copyright Notice
Copyright (C) The Internet Society (2000). All Rights Reserved.
INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 2
Security Threats for Content Internetworking
Content internetworking (also referred to as content
internetworking, or CDI) is the technology for interconnecting content
networks. The CDI model allows for interconnecting various Content
Networks. The internetworking task requires request routing and
content distribution protocols. This document investigates the
security risks and threats associated with the content
internetworking. Proposed remedies are viewed not as design
recommendations but more as illustrations of the nature of threats.
Content internetworking (CDI) combines the resources of multiple
content networks (CN) to increase their scale and reach. At the core
of CDI are a request routing system and a distribution system. The
request-routing system (RRS) directs client requests to surrogates
and/or CNs that can best service the request. The internetworking of
CNs is performed through Content Internetworking Gateway (CIG). The
internetworking distribution system is responsible for moving content
from one Distribution CN to another Distribution CN. Finally, the
accounting infrastructure tracks and collects data on
request-routing, distribution, and delivery functions within the CN.
The details of the CDI model can be found in .
The use of CDI - as any new mechanism - introduces new security
and threats to the internetworked CNs. Some of these threats are
specific to the CDI model, some are inherited from the CN systems.
This document covers both new and inherited threats with distinctions
made where appropriate.
The security risks within CDI can be classified along
- the source of the threat ("insider" versus "outsider"),
- the level at which the attack occurs (network-level attack
- the type of harm that results from an attack (harm to content, harm
to identity, harm to finances).
INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 3
- the elements of the architecture attacked (e.g., the
System, the Request Routing System, the Accounting System, the
clients, or publishers)
All of these dimensions are considered in this document (some in
greater detail) to develop a complete view of the threat model for
content internetworking. However, this document focuses only on those
threats specific to the content internetworking model. It does not
consider, for example, the following issues:
- The security risks within an individual CN, such as denial of
service attacks on individual surrogates, are beyond the scope of
- Content security issues, such as the integrity of transformations
or adaptations performed on content, are outside the scope of the
- This document does not specify or recommend any
solutions. In some cases however, potential threat mitigation steps
are given to help illustrate a given threat.
The remainder of this document is organized as follows. We begin by
describing the CDI Trust Model, and distinguish between "insider" and
"outsider" attacks. Next, we broadly classify attacks as occurring
at the network, content internetworking, or application level, and
detail the resultant type of harm. We refine this list by detailing
how the attacks might be perpetrated on specific components of the
CDI architecture, and potential mitigation steps.
1.1 Conventions used in this document
Key terms in ALL CAPS, except those qualified with explicit
citations, are defined in .
2. Content Internetworking Trust model
Relationships between CN's in the CDI model can be decomposed
relationships between individual pairs comprising a CONTENT SOURCE and
a CONTENT DESTINATION. The ORIGIN refers to the point at which
CONTENT enters the CDI model, and therefore is a specific type of
CONTENT SOURCE. The trust model utilized within CDI is based on a
transitive trust between a CONTENT SOURCE and a CONTENT DESTINATION.
The transitive nature of the trust originates from the need of an
ORIGIN to rely on one or more CONTENT SOURCE - CONTENT DESTINATION
INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 4
pairs to deliver CONTENT to CLIENTs on the ORIGIN's behalf.
The trust model involves the following parties in trust relationships:
- CONTENT SOURCE and CONTENT DESTINATION
- CONTENT SOURCE and CLIENT
- CONTENT DESTINATION and CLIENT
We will use the term TRUSTED PARTY to refer to a party involved in
We begin by classifying security risks into two main categories:
threats from "insiders," and threats from "outsiders." Outsiders are
those entities that have not established a trust relationship within
the content internetworking system. Insiders are TRUSTED PARTIES
that are participating in a trust relationship within the content
Threats from within the system may be intentional or
Intentional threats refer to the ability of a TRUSTED PARTY of a CDI
relationship to mislead, or harm, the party with which it has a trust
relationship. For example, the TRUSTED PARTY, a CONTENT DESTINATION,
might misrepresent quality or quantity of the service provided to the
trusting party, a CONTENT SOURCE. This is distinct from the case when
a TRUSTED PARTY's system is compromised by an outsider, which is
covered as an "outsider" threat.
Unintentional threats refer to the ability of a TRUSTED PARTY,
improper implementation or configuration resulting in bad system
behavior, to mislead or harm the party with which it has a trust
Content internetworking allows for relationships whose terms
conditions are partially or completely established outside the
context of the content internetworking protocols, and refers to these
relationships as NEGOTIATED RELATIONSHIPS. Just as trust
relationships established completely within the context of content
internetworking protocols, NEGOTIATED RELATIONSHIPS can result in
intentional or unintentional threats.
Threats from outside the system, or outsiders, may also be intentional
or unintentional. Since unintentional threats from outsiders do not
rely on the trust model, and are not specific to the content
internetworking model, this document will consider only outsider
threats that are intentionally perpetrated.
In this document, we will focus on intentional and unintentional
threats from within the system, and intentional threats from outside
INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 5
3. Threat classification by architectural level
In this section, we broadly classify threats according the
architectural level -- network, content internetworking, or
application -- at which the threat occurs. We refer to threats
exploiting design or implementation weaknesses of internetworking and
transport protocols (i.e., layer 3 and below of the TCP/IP protocol
suite) as network-level threats. We refer to threats exploiting
weaknesses in content internetworking protocols as content
internetworking-level threats. We include in content internetworking
level attacks, threats against CONTENT distributed using CDI-specific
protocols. Finally, we refer to threats to applications that utilize
a content internetworking system as application-level threats.
Where appropriate, the type of harm that can result from an attack
provided to show the complex interaction between different threats
and/or attacks. For example, harm to content in the form of content
degradation or content substitution might harm the finances of the
content provider, which might in turn harm the finances of the service
provider. A denial of service attack or theft of identity might have a
similar effect on parties involved with CDI.
3.1 Network-level Threats.
The content internetworking model comprises CONTENT NETWORKs, which
turn comprise CONTENT NETWORK ELEMENTS. A CONTENT NETWORK ELEMENT is
a network device that performs at least some of its processing by
examining CONTENT-related parts of network messages. Examples of
CONTENT NETWORK ELEMENTS include CONTENT INTERNETWORKING GATEWAYs
(CIG) and SURROGATES.
In IP-based networks, a CONTENT NETWORK ELEMENT is a device
processing depends on examining some or all of an IP packet's body.
As such, CONTENT NETWORK ELEMENTs are vulnerable to many types of
network-level attacks. Examples of TCP/IP attacks include IP
spoofing and session stealing. The CERT Coordination Center 
maintains an extensive repository of Internet Security
Harm specific to CONTENT NETWORK ELEMENTS, such as a CIG,
by hijacking a TCP/IP session includes the ability of outsiders to
inject believable content distribution and request routing messages
into the communication between CIG peers. This may lead to the
injection of bogus content or bogus routing information that may lead
to the breaking of the peer-to-peer connection. Any break in the
INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 6
peer-to-peer communication can have a ripple effect on the request
routing system or the distribution system that could lead to
disrupted services to end users.
CONTENT NETWORK ELEMENTS are also susceptible to a number of
threats commonly associated with network infrastructure. These
threats include snooping, denial of service, sabotage, vandalism,
industrial espionage, theft of service and inadequate system
configuration that leaves unneeded ports and services open to the
3.2 . Content Internetworking-level Threats.
Content internetworking-level threats generally belong to one or more of
- denial of service
- content distortion
- threats to identity
- threats to privacy
- content theft
- security threats
- threats to finances
In the following subsections we elaborate on these threats and
3.2.1 Denial of service threats.
At the Content Internetworking-level, a denial of service (DoS) threat
can be perpetrated on a number of levels. For example, an attack
could be launched:
- specifically against a CONTENT SOURCE, thereby preventing any
from taking place
- against a content set, causing all CNs servicing this content set to be
- against all SURROGATES of a specific CN.
A CONTENT SOURCE distributing streaming content, due to its
bandwidth nature and, in the case of live streaming, limited
injection points, are likely to be especially vulnerable to DoS
Misuse of a CN may make its facilities unavailable or available
at reduced functionality. Denial of service attacks can be targeted
at a CN accounting system, distribution system, or request-routing
INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 7
18.104.22.168. "Complexity threat": both CN and CDI introduce many
components and complex infrastructure. Malfunctioning of these
components and infrastructure may result in DoS.
22.214.171.124. Misconfigured request routing (unintentional or malicious)
may cause request loss or looping and result in DoS.
126.96.36.199. Conflicts between request routing and accounting mechanisms
may create a DoS threat: a CN may refuse to deliver content because
the authorization system treats a valid request as invalid (not
coming from an authorized customer).
188.8.131.52. By redistributing the load between CNs CDI may cause DoS
unintentionally overloading one of CNs. Usually CNs have a specific
(proprietary) adaptive mechanisms for load balancing. CDI load
balancing mechanisms may be inadequate/malfunction or be incompatible
with corresponding CN load balancing.
184.108.40.206. A CN may cause problems in another CN by sending
(unintentionally or with malicious intent) more content than
advertised capacity permits.
220.127.116.11. Corruption (intentional or non intentional) of security
related metadata (authentication data) might result in DoS: CN or CDI
may refuse to perform a legitimate service.
18.104.22.168. False advertisement (unintentional or malicious)
nonexistent distribution/coverage capacity may result in failure of
several CNs. Same problems may result when advertisement and usage
policy do not reflect dynamic conditions.
22.214.171.124. Incompatible request routing systems may cause problems
resulting in DoS.
126.96.36.199. Peering agreements may be vital for CN functionality.
makes peering reliability a security issue. CIGs (distribution CIG and
request routing CIG) may introduce a single point of failure. Attack
on (or malfunctioning of) a CIG may result in system disintegration
and DoS for both CNs.
3.2.2 Content distortion threats.
188.8.131.52 An attacker may cause a CN to advertise bogus content,
e.g. replacing proper content with bogus content either at the
injection point of the system (CN or CDI) or inside elements of the
system (e.g. surrogates inside the CN).
INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 8
184.108.40.206. A CN may provide bogus information, e.g. a rogue "CN"
inserting itself in the distribution path between two CNs to monitor
and/or modify the content that they exchange.
220.127.116.11. A CN may advertise the availability of content which it
doesn't have and can not distribute. This attack can be the result
of a malicious CIG taking over the identity of a CIG to be able to
inject bogus info into system, or a CIG that is compromised.
3.2.3 Threats to user identity.
Identity/authentication threats may result from third party getting
access to authentication data of end user or system component
(surrogate, CIG) and this data permits unauthorized actions to be
performed. Note that the last condition is essential: interception of
session initiation packets of replay-resistant secure authentication
protocol does not create such a threat.
Storage of security related data (user identities, passwords,
creates an additional security threat.
3.2.4 Threats to privacy. Privacy threats may result in personal
information made available to third party without a user's consent.
18.104.22.168. A CN may inadvertently or maliciously expose
information (passwords, buying patterns, page views, and credit card
numbers) as it collects it and transits from surrogate to origin
22.214.171.124. Accounting information transfer may jeopardize privacy.
126.96.36.199. Privacy threats may result from differences in privacy
of Publisher, CN and CDI.
188.8.131.52. Privacy and security threats from crossing
boundaries: transfer and storage of sensitive privacy-related data
(accounting, logs), transfer and storage of (secure) content and
distribution of content from a different jurisdiction may create a
security threat due to different level of legal protection.
3.2.5. Legal threats: by extending activities through
boundaries CN and CDI may unintentionally violate local regulations
(privacy and security policies).
3.2.6 Content theft.
Unauthorized access to non-public (secure or non-secure) content. For
INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 9
secure content such unauthorized access clearly violates intention of
security system and usually constitutes a content theft (paid content,
An example of unauthorized access to non-secure content is
interception of form data in not-secure transmission or direct access
to a URL that is not supposed to be publicly available.
3.2.7 Security threats
184.108.40.206 Unauthorized access to metadata that is not supposed to
publicly available. This may include access to logs and accounting
data containing private user's information, access to configuration
data that may be used to facilitate future attacks and so on.
220.127.116.11 Exposure of Security Settings: There may be risks that
client's security settings when content is served from surrogates as
opposed to origin servers. Since the location of the surrogate is
generally transparent to the client, the client may be aware that its
protections are no longer enforced.
18.104.22.168 Improper enforcement of Security Policy
Policy information regarding security of the client may not
properly propagated when the requests are directed to surrogates in a
CN that are different from the origin server. Client passwords and
personal information may be less secure.
3.2.8. Improper Carriage of Security Policies
Surrogate may not employ the same security policies and procedures as
the origin server. This may expose the client private information to
access by unauthorized entities. The same threat may also result if
the legal jurisdiction of the surrogate is different from that of the
22.214.171.124. Different implementation of security at Publisher, CN and
CDI level may create security threats
126.96.36.199. Distribution of content from a different network location
create a security threat if client security policy depends on network
location ("Internet Web Content Zone").
188.8.131.52. Transfer and storage of secure content create additional
184.108.40.206. The process of propagation of security policy and
related data (user identities, passwords, etc.) creates security
INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 10
threats both at CN and CDI level.
3.2.9 Threats to finances
Delivery of inaccurate accounting information or malicious distortion
of this information may cause financial harm to all participating
220.127.116.11 The client may be inappropriately charged for viewing content
that was not successfully accessed or delivered according to some QoS
18.104.22.168 If a CN or Publisher is unable to collect or receive
accounting information they may be unable to collect compensation for
3.3 Application-level threats.
TBD (section should include attacks targeting applications
utilize the content internetworking system)
4. Threats against specific elements of the CDI architecture
In this section, we refine the list of threats by detailing how
attacks might be perpetrated on specific components of the CDI
architecture. This section is intended to be used input to specify
the security requirements for the content distribution and request
Along the dimension of threats against specific elements of
architecture, threats against the accounting system should also be
noted. A detailed analysis of the threats against the accounting
system can however only be done within the framework of a specific
accounting system and is considered outside the scope of this document.
4.1 Threats to the Content Internetworking Gateway The CIG is the
connecting point for the CNs that are participating in the CDI
model. CIGs from various CNs establish peer-to-peer relationships in
order to exchange content distribution and request routing
information. Threats on the CIG can be perpetrated at all levels, the
network, content internetworking, and application level.
A CIG must be accessible at the network level from many other
CIGs. The CIG is vulnerable to any of the network-level attacks
specified in Section 3.1. The CIG is susceptible to network level
INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 11
attacks from outsiders, which may or may not be posing as the CIG of
a TRUSTED PARTY, and from CIGs of TRUSTED PARTIES.
4.2 Threats to Distribution System
Threats to distribution system from insiders can be intentional or
result of bad implementation. Outsiders can pose the same threats if
they acquire access to the distribution system. The threats include:
4.2.1 Advertising of unavailable content.
4.2.3 Advertising of bad metrics that are associated with a given content.
4.2.4 Delivery of bad content to surrogates in the connected CN
4.2.5 Using badly formed messages for advertisements
4.3 Threats to Request Routing System
Threats to the request routing system from insiders or outsiders include:
4.3.1 Advertising of wrong metrics to force unfair or
redirection to a given CN.
4.3.2 Redirection to a CN that does not have the content.
4.3.3 The introduction of loops in the requesting routing system.
4.3.4 Redirection to an inappropriate surrogate.
4.3.5 Forwarding request when no forwarding is appropriate.
4.3.6 Failing to forward requests when forwarding is appropriate.
4.3.7 Using badly formed messages for advertisements
5. CDI Security Threat Mitigation
The main security issues for the CDI model are focused on the
model. Insiders are TRUSTED PARTIES, while outsiders are not.
Threats from outsiders are primarily at the network level. There are
well known solutions to network-level threats that are practiced in
the industry. In this work, it is recommended that the security of the
CONTENT NETWORK ELEMENTs at the network level be enhanced using
standard techniques and methods that minimize the risks of IP
spoofing, snooping, denial of service and session stealing.
Threats at the content internetworking and application levels can
mitigated by using strong authentication and encryption
techniques. Therefore, there may be the need to make strong
authentication and encryption a requirement for the CDI model. IPSec
INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 12
and TLS are solutions for this requirement. Regardless of the choice
of the protocol, the solution must scale to accommodate large number
of interconnected CNs. Furthermore, it is recommended not to send
passwords in the clear.
To mitigate threats from insiders CDI must implement
monitoring, signaling, logging, dynamic authorization and
verification mechanisms. The following sections provide more detailed
guidelines for development of request routing and distribution
protocols for content internetworking.
5.1 Treatment of malformed messages
Malformed message can be the result of bad implementation or a
consequence of an outside attack on a given CN whereby, the attacker
gains access of the peering system. A Malformed messages is a message
that does not comply with the message format for the distribution (or
request routing) protocol. A malformed message may be a message that
has wrong content attributes in it or wrong IP footprint. A malformed
IP or IPSec packet is not considered a malformed message.
In the event that a CN detect malformed messages terminating the
session appears to be the only safe way to handle it. Terminating a
session does not mean terminating the peering relationship. The
session can be restarted after termination. If the problem of
malformed messages persists, the interconnected CNs must verify the
cause of the problem and proceed with a solution.
The treatment of malformed messages is different than the case where
peer intentionally or unintentionally sends incorrect advertisements
which might lead to incorrect selections. For example, a CN might
incorrectly advertise low load, low cost and good coverage and
therefore attract a large proportion of traffic. This problem can be
somewhat mitigated through filtering of advertisements and local
policies but ultimately comes down to a trust relationship between
5.2 General Distribution and Request Routing Protocol Requirements
Based on the security threats that are faced by other
based protocols such as BGP, this section provide some guidelines
that should be used during the design of the request routing and
content distribution protocols.
5.2.1 There should be a mechanism that provides strong protection of
the integrity, freshness and source authenticity of the messages in
INTERNET-DRAFT draft-ietf-cdi-threat-00.txt Page 13
the protocol. Techniques such as digital signature may be used.
5.2.2 There should be a mechanism to validate the authenticity of
5.2.3 There should be a mechanism to use IP-level protection that can
be used to provide connectionless integrity, data origin
authentication, and secure authentication.
5.2.4 There should be a mechanism to protect the peer-to-peer
connection by applying cryptographic protection at the TCP level to
provide connectionless integrity and data origin authentication.
 Day, M., Cain, B. and G. Tomlinson, "A Model for
Distribution Internetworking", January 2001.
 CERT Coordination Center (CERT/CC).