openslp_security_whitepaper.html

SLP协议在linux下的实现。此版本为1.2.1版。官方网站为www.openslp.org

<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
   <meta name="GENERATOR" content="Mozilla/4.76C-CCK-MCD Caldera Systems OpenLinux [en] (X11; U; Linux 2.4.2 i686) [Netscape]">
   <title>OpenSLP Programmers Guide - Security Whitepaper</title>
</head>
<body text="#000000" bgcolor="#FFFFFF" link="#0000EE" vlink="#551A8B" alink="#FF0000">

<h1>

<hr WIDTH="100%"></h1>

<h1>
OpenSLP and SLPv2 Authentication</h1>
February 6, 2001
<p>Matthew Peterson&nbsp; &lt;matt@caldera.com>
<p>
<hr WIDTH="100%">
<h3>
Abstract</h3>
This document is summary of SLPv2 security discussions along with some
conclusions that suggest direction for future Caldera sponsored development
of the
<a href="www.openslp.org">OpenSLP</a> implementation of Service
Location Protocol.
<br>&nbsp;
<h3>
Introduction</h3>
Early in December 2000, it was suggested that OpenSLP be submitted for
security review by noted security expert Olaf Kirch.&nbsp;&nbsp; Olaf offered
some very useful feedback including a suggestion to implement optional
SLPv2 authentication as specified by <a href="http://www.openslp.org/doc/rfc/rfc2608.txt">RFC
2608 section 9.2.</a>&nbsp;&nbsp;&nbsp; Olaf was worried that in the absence
of SLPv2 authentication,&nbsp; users of OpenSLP might unknowingly trust
malicious services that have been setup to "masquerade" as legitimate services.&nbsp;&nbsp;
In Olaf's estimation leaving out SLP authentication opens a security hole
that is not&nbsp; acceptable.&nbsp; With respect to <i>Volution</i>'s use
of SLP to locate services Olaf wrote the following:
<blockquote><tt>"Not authenticating registration and deregistration requests
is clearly inacceptable in an environment where there's a non-zero security
awareness. If everyone is able to change the LDAP server Volution uses
to obtain its information from, then we might as well replace /bin/login
with a symlink to /bin/bash"&nbsp; -- Olaf Kirch</tt></blockquote>
The initial response to Olaf's security review was one of complete compliance.&nbsp;&nbsp;
Code changes were quickly made for the next release of OpenSLP (ver 0.8.1)
to resolve all security issues <i>except</i> implementation of SLPv2 authentication
which was expected to be an involved change that would take several days
to complete.&nbsp;&nbsp;&nbsp; After a couple days of research, it became
obvious that the addition of SLPv2 security would be much more complex
than simply writing several hundred lines of security enabling code.&nbsp;&nbsp;
The final conflict eventually boiled down to a fundamental security / usability
tradeoff that would be unresolvable even with a perfect implementation.
<br>&nbsp;
<h3>
Objective of SLP</h3>
SLP can be thought of as a very simple global service registry (or directory).&nbsp;&nbsp;
Software entities that provide services register with SLP so that software
entities that want to use a services can locate them.&nbsp;&nbsp;&nbsp;
SLP offers a very simple mapping of service types (or characteristics)
to service URLs.&nbsp;&nbsp; This means that only the <i>type or characteristics</i>
of a service need to be known in order for a user or application to locate
a service for&nbsp; use.&nbsp;&nbsp;&nbsp; The major feature SLP provides
is usability.&nbsp;&nbsp; Basically, SLP allows application developers
to write more usable and manageable software.&nbsp;&nbsp; With SLP users
no longer need to memorize network addresses, host names or other information
to configure their client applications and administrators do not have to
set up elaborate means to supply this information.
<p>In discussing security problems associated with SLP it is important
to note two things&nbsp; from <a href="http://www.openslp.org/doc/rfc/rfc2608.txt">section
1 of RFC 2608</a>:
<ul>
<li>
SLP is designed for enterprise networks not as a solution for the global
Internet</li>

<li>
The goal of SLP is to provide a framework that allows developers to write
software that is user friendly and easily managed.</li>
</ul>

<h3>
SLP Security</h3>
Imagine now that in an enterprise environment there is a malicious or overly
curious individual that would like to obtain confidential information.&nbsp;&nbsp;&nbsp;
SLP could be exploited to obtain information from software that was otherwise
secured by virtue of manual configuration.&nbsp;&nbsp;&nbsp; For example,
an OpenSource help desk application consisting of "server" and "client"
software is SLP enabled because the network administrators got tired of
helping employees set up the "client" software with location and configuration
information used to connect with the "server" software.
<p>Since the source code is readily available, a sneaky employee makes
a few modifications to the server code that allows him to obtain user names
and passwords.&nbsp; He recompiles the source and brings up the "rogue"
help desk server.&nbsp; Since the "rogue" help desk server and the real
help desk server both have similar SLP registerations, it is possible that
clients may connect to the "rogue" server instead of the real one.&nbsp;
When the users log in, the "rogue" server saves off a copies of user names
and passwords.&nbsp; The malicious employee can use these user names and
passwords later to impersonate other people.
<p>In order to prevent this type of attack, SLP is designed so that services
registrations and requests can be made with authentication information.&nbsp;&nbsp;
When properly implemented, SLP requests can be issued that will only return
registrations made by trusted services.&nbsp;&nbsp;&nbsp; With SLP Security
enabled developers could trust that the service information returned by
the SLP API&nbsp; (URLs and configuration information).&nbsp; They do not
have to question (as much) whether the service at the other end of the
provided URL is a rogue because SLP can guarantee that services have been
"blessed" by administrators by virtue of key information.
<br>&nbsp;
<h3>
SLP Security vs SLP Usability</h3>
It is a well known fact that any increase in security inevitable reduces
usability for the legitimate user.&nbsp; This is especially true with&nbsp;
SLP security -- establishment of trust is unacceptable barrier to SLP usability.&nbsp;&nbsp;&nbsp;
The whole reason for using SLP in the first place is to allow "plug and
play" features to be built into applications!
<p>Due to the lack of PKI standards, establishing the trust needed to ensure
that service registrations can be authenticated would require manual distribution
of key material.&nbsp;&nbsp; One solution would be to have the administrator
verify the authenticity of a single SLP host key or certificate which would
authenticate all services provided from a given host, but this would not
prevent an attacker from masquerading services if they have access to the
authenticated machine.&nbsp;&nbsp; A more secure approach is to provide
per service or per user keys at the expense of increased manual intervention
to establish authenticity of numerous keys or certificates.&nbsp;&nbsp;
Wait... even with SLP secured, there is still the possiblity of DNS, DHCP
or ARP spoofing, so you are still not secure.
<p>After a few minutes of meditation it becomes evident that in order to
be totally safe, applications need to establish the security of their own
end to end communications.&nbsp; Two very good examples are PGP and SSH.&nbsp;
Neither application makes any assumptions about the reliability of intermediate
protocols.&nbsp; Everything is suspect from DNS to ARP.&nbsp;&nbsp; Suppose
that a specialized application was written that used PGP encrypted messages
to communicate.&nbsp;&nbsp; SLP is chosen to locate remote users of the
same application.&nbsp;&nbsp;&nbsp; Now, assume that none of the SLP security
features are implemented, is the application at risk?&nbsp; The answer
is no because care was taken by the application developer to secure his
own end to end communication.
<br>&nbsp;
<h3>
IETF Workgroup (srvloc) Discussion</h3>
The idea that authentication belongs in the application itself and not
in the location protocol (or other intermediate protocols) was brought
up for discussion on the IETF Service Location workgroup mailing list with
the following post entitled "Theoretical SLP security discussion (long)":
<blockquote><tt>SLPv2 is designed to be able to authenticate agents. In
other words, SLPV2 can guarantee that SAs and DAs are trustworthy. With
a proper SLPv2 implementation and installation, UAs can be sure that replies
to SLP requests come from trustworthy agents. There is no need to wonder
if a responding agent is representing malicious services. For example,
with SLPv2 authentication, I can request a service of type "service:ldap"
and implicitly trust that the service urls I receive in return are ldap
servers that are considered trustworthy by whoever set up the SLP installations.</tt>
<p><tt>Sounds pretty nice doesn't it -- at least until you start thinking
about what is required to deliver key information (certificates) that makes
trust relationships possible. I think I'm safe in saying that without exception,
no automated delivery of key information is secure unless it requires actual
validation by a human that results in some form of real-life action (phone
call, hand delivery, etc).</tt>
<p><tt>Administration of trust relationships are completely un-addressed
by the SLPv2 and SLP API specs -- which is probably why authentication
is considered an optional feature. One might even take the position that
SLPv2 Authentication invalidates the SLP's claim to reduce administrative
workload as there is no way to deploy secure SLP without significant (manual)
administrative overhead to establish certificate or key information trust.</tt>
<p><tt>In contemplating implementation and use of SLPv2 authentication
in OpenSLP we found that there is nearly nothing in the way of standardized
certificate delivery mechanisms that might actually make SLPv2 authentication
possible. We did find bits and pieces from OpenSSL and various signing