Network Working Group                                          A. Barbir
Request for Comments: 3837                               Nortel Networks
Category: Informational                                       O. Batuner
                                                  Independent consultant
                                                             B. Srinivas
                                                                   Nokia
                                                              M. Hofmann
                                           Bell Labs/Lucent Technologies
                                                                H. Orman
                                               Purple Streak Development
                                                             August 2004
        

Security Threats and Risks for Open Pluggable Edge Services (OPES)

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2004).

Abstract

The document investigates the security threats associated with the Open Pluggable Edge Services (OPES) and discusses the effects of security threats on the underlying architecture. The main goal of this document is threat discovery and analysis. The document does not specify or recommend any solutions.

Table of Contents

   1.  Introduction
   2.  OPES Data Flow Threats
       2.1.  OPES Flow Network Level Threats
             2.1.1.  Connection-Flow Denial-of-Service (DoS)
             2.1.2.  Threats to Network Robustness
       2.2.  OPES Flow Application Level Threats
             2.2.1.  Unauthorized OPES Entities
             2.2.2.  Unauthorized Actions of Legitimate OPES Entities
             2.2.3.  Unwanted Content Transformations
             2.2.4.  Corrupted Content
             2.2.5.  Threats to Message Structure Integrity
             2.2.6.  Granularity of Protection
             2.2.7.  Risks of Hop-by-Hop Protection
             2.2.8.  Threats to Integrity of Complex Data
             2.2.9.  Denial of Service (DoS)
             2.2.10. Tracing and Notification Information
             2.2.11. Unauthenticated Communication in OPES Flow
   3.  Threats to Out-of-Band Data
       3.1.  Threats that Endanger the OPES Data Flow
       3.2.  Inaccurate Accounting Information
       3.3.  OPES Service Request Repudiation
       3.4.  Inconsistent Privacy Policy
       3.5.  Exposure of Privacy Preferences
       3.6.  Exposure of Security Settings
       3.7.  Improper Enforcement of Privacy and Security Policy
       3.8.  DoS Attacks
   4.  Security Considerations
   5.  References
       5.1.  Normative References
       5.2.  Informative References
   6.  Acknowledgements
   7.  Authors' Addresses
   8.  Full Copyright Statement
        
1. Introduction

The Open Pluggable Edge Services (OPES) [1] architecture enables cooperative application services (OPES services) between a data provider, a data consumer, and zero or more OPES processors. The application services under consideration analyze and possibly transform application-level messages exchanged between the data provider and the data consumer. The OPES processor can distribute the responsibility of service execution by communicating and collaborating with one or more remote callout servers. The details of the OPES architecture can be found in [1].

Security threats with respect to OPES can be viewed from different angles. There are security risks that affect content consumer applications, and those that affect the data provider applications. These threats affect the quality and integrity of data that the applications either produce or consume. On the other hand, the security risks can also be categorized into trust within the system (i.e., OPES service providers) and protection of the system from threats imposed by outsiders such as hackers and attackers. Insiders are those parties that are part of the OPES system. Outsiders are those entities that are not participating in the OPES system.

It must be noted that not everyone in an OPES delivery path is equally trusted. Each OPES administrative trust domain must protect itself from all outsiders. Furthermore, it may have a limited trust relationship with another OPES administrative domain for certain purposes.

OPES service providers must use authentication as the basis for building trust relationships between administrative domains. Insiders can intentionally or unintentionally inflict harm and damage on the data consumer and data provider applications. This can be through bad system configuration, execution of bad software or, if their networks are compromised, by inside or outside hackers.

Depending on the deployment scenario, the trust within the OPES system is based on a set of transitive trust relationships between the data provider application, the OPES entities, and the data consumer application. Threats to OPES entities can be at the OPES flow level and/or at the network level.

In considering threats to the OPES system, the document will follow a threat analysis model that identifies the threats from the perspective of how they will affect the data consumer and the data provider applications.

The main goal of this document is threat discovery and analysis. The document does not specify or recommend any solutions.

It is important to mention that the OPES architecture has many similarities with other so called overlay networks, specifically web caches and content delivery networks (CDN) (see [2], [4]). This document focuses on threats that are introduced by the existence of the OPES processor and callout servers. Security threats specific to content services that do not use the OPES architecture are considered out-of-scope of this document. However, this document can be used as input when considering security implications for web caches and CDNs.

The document is organized as follows: Section 2 discusses threats to OPES data flow on the network and application level, section 3 discusses threats to other parts of the system, and section 4 discusses security considerations.

2. OPES Data Flow Threats

Threats to the OPES data flow can affect the data consumer and data provider applications. At the OPES flow level, threats can occur at Policy Enforcement Points, and Policy Decision Points [3], and along the OPES flow path where network elements are used to process the data.

A serious problem is posed by the very fact that the OPES architecture is based on widely adopted protocols (HTTP is used as an example). The architecture document specifically requires that "the presence of an OPES processor in the data request/response flow SHALL NOT interfere with the operations of non-OPES aware clients and servers". This greatly facilitates OPES' deployment, but on the other hand a vast majority of clients (browsers) will not be able to exploit any safeguards added as base protocol extensions.

The usual data consumer might have questions such as: Where does this content come from? Can I get it another way? What is the difference? Is it legitimate? Even if the facilities and technical expertise to pursue these questions are present, such thorough examination of each result is prohibitively expensive in terms of time and effort. OPES-aware content providers may try to protect themselves by adding verification scripts and special page structures. OPES-aware end users may use special tools. In all other cases (non-OPES aware clients and servers) protection will rely on monitoring services and investigation of occasionally discovered anomalies.

An OPES system poses a special danger as a possible base for classical man-in-the-middle attacks. One of the reasons why such attacks are relatively rare is the difficulty in finding an appropriate base: a combination of a traffic interception point controlling a large flow of data and an application codebase running on a high-performance hardware with sufficient performance to analyze and possibly modify all passing data. An OPES processor meets this definition. This calls for special attention to protection measures at all levels of the system.

Any compromise of an OPES processor or remote callout server can have a ripple effect on the integrity of the affected OPES services across all service providers that use the service. To mitigate this threat, appropriate security procedures and tools (e.g., a firewall) should be applied.

Specific threats can exist at the network level and at the OPES data flow level.

2.1. OPES Flow Network Level Threats

OPES processor and callout servers are susceptible to network level attacks from outsiders or from the networks of other OPES service providers (i.e., if the network of a contracted OPES service is compromised).

The OPES architecture is based on common application protocols that do not provide strong guarantees of privacy, authentication, or integrity. The IAB considerations [4] require that the IP address of an OPES processor be accessible to data consumer applications at the IP addressing level. This requirement limits the ability of service providers to position the OPES processor behind firewalls and may expose the OPES processor and remote callout servers to network level attacks. For example, the use of TCP/IP as a network level protocol makes OPES processors subject to many known attacks, such as IP spoofing and session stealing.

The OPES system is also susceptible to a number of security threats that are commonly associated with network infrastructure. These threats include snooping, denial of service, sabotage, vandalism, industrial espionage, and theft of service.

There are best practice solutions to mitigate network level threats. It is recommended that the security of the OPES entities at the network level be enhanced using known techniques and methods that minimize the risks of IP spoofing, snooping, denial of service, and session stealing.

At the OPES Flow level, connection-level security between the OPES processor and callout servers is an important consideration. For example, it is possible to spoof the OPES processor or the remote callout server. There are threats to data confidentiality between the OPES processor and the remote callout server in an OPES flow.

The next subsections cover possible DoS attacks on an OPES processor, remote callout server or data consumer application, and network robustness.

2.1.1. Connection-Flow Denial-of-Service (DoS)

OPES processors, callout servers, and data consumer applications can be vulnerable to DoS attacks. DoS attacks can be of various types. One example of a DoS attack is the overloading of OPES processors or callout servers by spurious service requests issued by a malicious node, which denies the legitimate data traffic the resources necessary to render service. The resources include CPU cycles, memory, network interfaces, etc. A Denial-of-Service attack can be selective, generic, or random in terms of which communication streams are affected.

Distributed DoS is also possible when an attacker successfully directs multiple nodes over the network to initiate spurious service requests to an OPES processor (or callout server) simultaneously.

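As an added example (not part of RFC 3837 or of any OPES implementation), the following Python models the mitigation an OPES processor or callout server would apply against the spurious-request overload described above: a per-source token bucket that keeps admitting legitimate request rates while rejecting requests from a source whose budget is exhausted. The source identifiers, the rate and burst parameters, and the request timeline are constructed assumptions.

```python
"""Per-source token-bucket admission control for OPES service requests.

Added example (not from RFC 3837 or any OPES implementation). Source
identifiers, rates and the request timeline below are constructed.
"""
import time
from collections import defaultdict


class TokenBucket:
    """Holds at most `burst` tokens, refilled at `rate` tokens per second."""

    def __init__(self, rate, burst, now):
        self.rate = float(rate)
        self.burst = float(burst)
        self.tokens = float(burst)  # a new source starts with a full budget
        self.last = now

    def allow(self, now):
        """Spend one token for a request; False when the budget is exhausted."""
        elapsed = max(0.0, now - self.last)
        self.last = now
        self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RequestLimiter:
    """Admission control in front of an OPES processor or callout server.

    Each requesting source (e.g. a peer address) gets its own bucket, so a
    flood from one node exhausts only that node's budget and legitimate
    sources keep receiving service.
    """

    def __init__(self, rate=5.0, burst=10, clock=time.monotonic):
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}
        self.rejected = defaultdict(int)  # per-source reject counter for monitoring

    def admit(self, source, now=None):
        now = self.clock() if now is None else now
        bucket = self.buckets.get(source)
        if bucket is None:
            bucket = self.buckets[source] = TokenBucket(self.rate, self.burst, now)
        ok = bucket.allow(now)
        if not ok:
            self.rejected[source] += 1
        return ok


def simulate_flood():
    """Constructed scenario: one node sends 50 requests at t=0 and 20 more at
    t=2s, while a legitimate client sends 3 spaced requests."""
    limiter = RequestLimiter(rate=5.0, burst=10)
    attacker, legit = "198.51.100.7", "192.0.2.10"  # documentation-range addresses
    attacker_ok = sum(limiter.admit(attacker, now=0.0) for _ in range(50))
    legit_ok = sum(limiter.admit(legit, now=t * 0.5) for t in range(3))
    attacker_ok += sum(limiter.admit(attacker, now=2.0) for _ in range(20))
    return {
        "attacker_accepted": attacker_ok,  # burst of 10, then 10 refilled over 2 s
        "attacker_rejected": limiter.rejected[attacker],
        "legit_accepted": legit_ok,
    }


if __name__ == "__main__":
    print(simulate_flood())
```

The per-source reject counter is the hook a monitoring service would read: a source whose rejections climb while others stay at zero is the selective overload the section describes, and the legitimate client's requests are unaffected because budgets are not shared across sources.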

2.1.2. Threats to Network Robustness

If an OPES implementation violates end-to-end addressing principles, it could endanger the Internet infrastructure by complicating routing and connection management. If it does not use flow-control principles for managing connections, or if it interferes with end-to-end flow control of connections that it did not originate, then it could cause Internet congestion.

An implementation that violates the IAB requirement of explicit IP level addressing (for example, by adding OPES functional capabilities to an interception proxy) may defeat some of the protective mechanisms and safeguards built into the OPES architecture.

2.2. OPES Flow Application Level Threats

At the content level, threats to the OPES system can come from outsiders or insiders. The threat from outsiders is frequently intentional. Threats from insiders can be intentional or accidental. Accidents may result from programming or configuration errors that result in bad system behavior.

Application level problems and threats to the OPES systems are discussed below:

2.2.1. Unauthorized OPES Entities

Although one party authorization is mandated by the OPES architecture, such authorization occurs out-of-band. Discovering the presence of an OPES entity and verifying authorization requires special actions and may present a problem.

Adding notification and authorization information to the data messages (by using base protocol extensions) may help, especially if the data consumer's software is aware of such extensions.

2.2.2. Unauthorized Actions of Legitimate OPES Entities

According to the OPES architecture, authorization is not tightly coupled with specific rules and the procedures triggered by those rules. Even if approval of each particular rule and procedure were required, requesting such permission from the end user would be impractical, if not impossible. Authorization granularity extends to transformation classes, but not to individual rules or transformations. The actual rules and triggered procedures may therefore (maliciously or due to a programming error) perform actions that they are not authorized for.

2.2.3. Unwanted Content Transformations

An authorized OPES service may perform actions that do not adhere to the expectations of the party that gave the authorization for the service. Examples may include ad flooding by a local ad insertion service or use of inappropriate policy by a content filtering service.

On the other hand, an OPES entity acting on behalf of one party may perform transformations that another party deems inappropriate. Examples may include replacing ads initially inserted by the content provider or applying filtering transformations that change the meaning of the text.

2.2.4. Corrupted Content

The OPES system may deliver outdated or otherwise distorted information due to programming problems or as a result of malicious attacks. For example, a compromised server, instead of performing an OPES service, may inject bogus content. Such an action may be an act of cyber-vandalism (including virus injection) or intentional distribution of misleading information (such as manipulations with financial data).

A compromised OPES server or malicious entity in the data flow may introduce changes specifically intended to cause improper actions in the OPES server or callout server. These changes may be in the message body, headers, or both. This type of threat is discussed in more detail below.

2.2.5. Threats to Message Structure Integrity

An OPES server may add or remove certain headers in a request and/or response message (for example, to implement additional privacy protection or to assist in content filtering). Such changes may violate end-to-end integrity requirements or defeat services that use information provided in such headers (for example, some local filtering services or reference-based services).

2.2.6. Granularity of Protection

OPES services have implicit permission to modify content. However, the permissions generally apply only to portions of the content, for example, URLs between particular HTML tags, text in headlines, or URLs matching particular patterns. In order to express such policies, one must be able to refer to portions of messages and to detect modifications to message parts.

Because there is currently very little support for policies that are expressed in terms of message parts, it will be difficult to attribute any particular modification to a particular OPES processor, or to automatically detect policy violations.

A fine-grained policy language should be devised, and it could be enforced using digital signatures. This would avoid the problems inherent in hop-by-hop data integrity measures (see next section).

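Sections 2.2.5 and 2.2.6 both come down to the same need: to refer to named parts of a message and to detect which protected parts changed in transit. The following Python is an added example, not code from this RFC or from any OPES implementation. The content provider splits a message into named parts (one per header, plus body segments split so that an ad slot the ad-insertion service may rewrite forms its own part), digests each part into a manifest that marks which part names are mutable, and authenticates the manifest; the data consumer verifies the manifest and reports exactly which protected parts were altered, removed, or injected, whether the damage is a dropped header (2.2.5) or a modified body region (2.2.6). The ad-slot markers, header names, HTML body and shared key are constructed; a keyed HMAC under a key shared end-to-end by provider and consumer (never held by the OPES processor) stands in for the digital signature the section mentions, because the standard library has no public-key signature primitive.

```python
"""Part-level integrity manifest for an OPES-transformed message.

Added example, not from RFC 3837 or any OPES implementation. The ad-slot
markers, header names, HTML body and shared key are constructed. An HMAC
under a key shared end-to-end by provider and consumer (never by the OPES
processor) stands in for the digital signature the section mentions.
"""
import copy
import hashlib
import hmac
import json
import re

# Region an ad-insertion service is permitted to rewrite (constructed markers).
AD_SLOT = re.compile(r"<!--ad-->.*?<!--/ad-->", re.S)


def split_parts(message):
    """Name every part of a message: one part per header, and body segments
    split so that each ad slot is its own part."""
    parts = {}
    for name, value in message["headers"].items():
        parts["hdr:" + name.lower()] = value
    body, pos, idx = message["body"], 0, 0
    for m in AD_SLOT.finditer(body):
        parts[f"body:{idx}"] = body[pos:m.start()]
        parts[f"adslot:{idx}"] = m.group(0)
        pos, idx = m.end(), idx + 1
    parts[f"body:{idx}"] = body[pos:]
    return parts


def _digest(text):
    return hashlib.sha256(text.encode()).hexdigest()


def build_manifest(message, key, mutable_prefixes=("adslot:",)):
    """Content provider side: digest each part, record which part names an
    OPES service may change, and authenticate the manifest with the key."""
    manifest = {
        "digests": {name: _digest(v) for name, v in split_parts(message).items()},
        "mutable": list(mutable_prefixes),
    }
    payload = json.dumps(manifest, sort_keys=True).encode()
    return manifest, hmac.new(key, payload, hashlib.sha256).hexdigest()


def verify(message, manifest, tag, key):
    """Consumer side: returns (ok, sorted names of protected parts that were
    removed, altered, or injected). The manifest itself is checked first."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    expected_tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return False, ["manifest"]
    mutable = tuple(manifest["mutable"])
    parts = split_parts(message)
    violations = []
    for name, digest in manifest["digests"].items():
        if name.startswith(mutable):
            continue  # this part may legitimately differ
        if name not in parts or _digest(parts[name]) != digest:
            violations.append(name)  # removed or altered protected part
    for name in parts:
        if name not in manifest["digests"] and not name.startswith(mutable):
            violations.append(name)  # injected part the provider never sent
    return not violations, sorted(violations)


KEY = b"constructed-provider-consumer-key"
ORIGINAL = {  # constructed message as sent by the content provider
    "headers": {"Content-Type": "text/html", "X-Origin-Policy": "no-rewrite"},
    "body": "<html><p>Quarterly revenue: 4.2M</p>"
            "<!--ad-->house ad<!--/ad--><p>End</p></html>",
}


def demo():
    manifest, tag = build_manifest(ORIGINAL, KEY)

    # 1. Authorized transformation: only the ad slot content changes.
    allowed = copy.deepcopy(ORIGINAL)
    allowed["body"] = allowed["body"].replace("house ad", "partner ad")

    # 2. Unauthorized: a figure in the body is altered and a header is dropped.
    corrupted = copy.deepcopy(ORIGINAL)
    corrupted["body"] = corrupted["body"].replace("4.2M", "2.1M")
    del corrupted["headers"]["X-Origin-Policy"]

    # 3. Unauthorized: a second ad slot is inserted where none was authorized.
    flooded = copy.deepcopy(ORIGINAL)
    flooded["body"] = flooded["body"].replace("</html>", "<!--ad-->x<!--/ad--></html>")

    return (verify(allowed, manifest, tag, KEY),
            verify(corrupted, manifest, tag, KEY),
            verify(flooded, manifest, tag, KEY))


if __name__ == "__main__":
    for ok, bad in demo():
        print("ok" if ok else "violations:", bad)
```

Because each part is digested separately, the consumer learns not just that the message changed but which named parts changed, which is what attributing a modification to a particular OPES processor (given tracing information) requires; a single end-to-end digest over the whole message would only report that something, somewhere, differs.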

2.2.7. Risks of Hop-by-Hop Protection

Generally, OPES services cannot be applied to data protected with end-to-end encryption methods because the decryption key cannot be shared with OPES processors without compromising the intended confidentiality of the data. This means that if the endpoint policies permit OPES services, the data must either be transmitted without confidentiality protections or an alternative model to end-to-end encryption must be developed, one in which the confidentiality is guaranteed hop-by-hop. Extending the end-to-end encryption model is out of scope of this work.

OPES services that modify data are incompatible with end-to-end integrity protection methods, and this work will not attempt to define hop-by-hop integrity protection methods.

2.2.8. Threats to Integrity of Complex Data

The OPES system may violate data integrity by applying inconsistent transformations to interrelated data objects or references within the data object. Problems may range from a broken reference structure (modified/missing targets, references to wrong locations or missing documents) to deliberate replacement/deletion/insertion of links that violate the intentions of the content provider.

2.2.9. Denial of Service (DoS)

The data consumer application may not be able to access data if the OPES system fails for any reason.

A malicious or malfunctioning node may be able to block all traffic. The data traffic destined for the OPES processor (or callout server) may not be able to use the services of the OPES device. The DoS may be achieved by preventing the data traffic from reaching the processor or the callout server.

2.2.10. Tracing and Notification Information

Inadequate or vulnerable implementation of the tracing and notification mechanisms may defeat safeguards built into the OPES architecture.

Tracing and notification facilities may become a target of malicious attack. Such an attack may create problems in discovering and stopping other attacks.

The absence of a standard for tracing and notification information may present an additional problem. This information is produced and consumed by independent entities (OPES servers, user agents, content provider facilities). This calls for a set of standards related to each base protocol in use.

2.2.11. Unauthenticated Communication in OPES Flow

There are risks and threats that could arise from unauthenticated communication between the OPES server and callout servers. Lack of strong authentication between OPES processors and callout servers may open security holes whereby DoS and other types of attacks (see Sections 2 and 3) can be performed.

3. Threats to Out-of-Band Data

The OPES architecture separates a data flow from a control information flow (loading rulesets, trust establishment, tracing, policy propagation, etc.). There are certain requirements set for the latter, but no specific mechanism is prescribed. This gives more flexibility for implementations, but creates more burden for implementers and potential customers to ensure that each specific implementation meets all requirements for data security, entity authentication, and action authorization.

In addition to performing correct actions on the OPES data flow, any OPES implementation has to provide an adequate mechanism to satisfy requirements for out-of-band data and signaling information integrity.

Whatever the specific mechanism may be, it inevitably becomes subject to multiple security threats and possible attacks. The way the threats and attacks may be realized depends on implementation specifics but the resulting harm generally falls into two categories: threats to OPES data flow and threats to data integrity.

The specific threats are:

3.1. Threats that Endanger the OPES Data Flow

Any weakness in the implementation of a security, authentication, or authorization mechanism may open the door to the attacks described in section 2.

An OPES system implementation should address all these threats and prove its robustness and ability to withstand malicious attacks or networking and programming problems.

3.2. Inaccurate Accounting Information

Collecting and reporting accurate accounting data may be vital when OPES servers are used to extend a business model of a content provider, service provider, or as a basis for third party service. The ability to collect and process accounting data is an important part of OPES' system functionality. This functionality may be challenged by distortion or destruction of base accounting data (usually logs), processed accounting data, accounting parameters, and reporting configuration.

As a result, a data consumer may be inappropriately charged for viewing content that was not successfully delivered, or a content provider or independent OPES services provider may not be compensated for the services performed.

The OPES system may use accounting information to distribute resources between different consumers or limit resource usage by a specific consumer. In this case an attack on the accounting system (by distortion of data or issuing false configuration commands) may result in incorrect resource management and DoS by artificial resource starvation.

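As an added example (not the RFC's text or any OPES product's code) of defending base accounting data against the distortion and destruction this section describes, the following Python keeps accounting records in a hash chain and verifies the chain against a head hash that the reporting side is assumed to hold, received out-of-band (for instance, with each periodic report). The records, consumer ids and service names are constructed. The example covers the three cases the section implies: a record altered in place, a record dropped from the end, and a log rewritten with its chain recomputed to hide the change.

```python
"""Tamper-evident accounting log for an OPES processor.

Added example, not from RFC 3837 or any OPES product. Records, consumer ids
and service names are constructed; the "trusted head" hash is assumed to
reach the reporting side out-of-band (e.g. with each periodic report).
"""
import copy
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for an empty log


def chain_hash(prev_hash, record):
    """Hash of this record bound to the hash of everything logged before it."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def append_record(log, record):
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"record": record, "hash": chain_hash(prev, record)}
    log.append(entry)
    return entry


def verify_log(log, trusted_head=None):
    """Return (ok, index). index is the first entry whose hash does not match,
    or len(log) when the chain is internally consistent but its head differs
    from the trusted head (truncation, or a rewritten chain)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["hash"] != chain_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return False, len(log)
    return True, None


RECORDS = [  # constructed base accounting data
    {"seq": 1, "consumer": "c-1001", "service": "ad-insert", "bytes": 48213, "status": "delivered"},
    {"seq": 2, "consumer": "c-1002", "service": "filter", "bytes": 0, "status": "failed"},
    {"seq": 3, "consumer": "c-1001", "service": "filter", "bytes": 9120, "status": "delivered"},
]


def demo():
    log = []
    for r in RECORDS:
        append_record(log, r)
    head = log[-1]["hash"]  # what the reporting side is assumed to hold

    # Distortion: a failed delivery is marked delivered, so the consumer is billed.
    tampered = copy.deepcopy(log)
    tampered[1]["record"]["status"] = "delivered"

    # Destruction: the last record is dropped, so the service goes uncompensated.
    truncated = log[:-1]

    # Distortion with the chain recomputed to hide it: only the trusted head
    # reveals that the log no longer matches what was reported.
    rechained = []
    for entry in tampered:
        append_record(rechained, entry["record"])

    return {
        "intact": verify_log(log, head),
        "tampered": verify_log(tampered, head),
        "truncated": verify_log(truncated, head),
        "rechained_no_head": verify_log(rechained),
        "rechained_with_head": verify_log(rechained, head),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The chain alone only detects edits made by someone who cannot recompute the later hashes; an attacker with full write access to the log can rewrite it consistently, which is why the head hash has to leave the OPES processor's control (into the report, or to the party that will be billed) before it is of any use.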

3.3. OPES Service Request Repudiation

An entity (producer or consumer) might make an authorized request and later claim that it did not make that request. As a result, an OPES entity may be held liable for unauthorized changes to the data flow, or will be unable to receive compensation for a service.

There should be a clear request that this service is required and there should be a clear course of action on behalf of all parties. This action should have a request, an action, a non-repudiable means of verifying the request, and a means of specifying the effect of the action.

3.4. Inconsistent Privacy Policy

The OPES entities may have privacy policies that are not consistent with the data consumer application or content provider application.

Privacy related problems may be further complicated if OPES entities, content providers, and end users belong to different jurisdictions with different requirements and different levels of legal protection. As a result, the end user may not be aware that he or she does not have the expected legal protection. The content provider may be exposed to legal risks due to a failure to comply with regulations of which he is not even aware.

3.5. Exposure of Privacy Preferences

The OPES system may inadvertently or maliciously expose end user privacy settings and requirements.

3.6. Exposure of Security Settings

There are risks that the OPES system may expose end user security settings when handling the request and responses. The user data must be handled as sensitive system information and protected against accidental and deliberate disclosure.

3.7. Improper Enforcement of Privacy and Security Policy

OPES entities are part of the content distribution system and as such take on certain obligations to support security and privacy policies mandated by the content producer and/or end user. However, there is a danger that these policies are not properly implemented and enforced. The data consumer application may not be aware that its protections are no longer in effect.

There is also the possibility of security and privacy leaks due to accidental misconfiguration, or due to a misunderstanding of which rules are in effect for a particular user or request.

The privacy and security related parts of the system can be targeted by malicious attacks, and the ability to withstand such attacks is of paramount importance.

3.8. DoS Attacks

DoS attacks can be of various types. One type of DoS attack takes effect by overloading the client. For example, an intruder can direct an OPES processor to issue numerous responses to a client. There is also additional DoS risk from a rule misconfiguration that would have the OPES processor ignore a data consumer application.

4. Security Considerations

This document discusses multiple security and privacy issues related to the OPES services.

5. References
5.1. Normative References

[1] Barbir, A., Penno, R., Chen, R., Hofmann, M., and H. Orman, "An Architecture for Open Pluggable Edge Services (OPES)", RFC 3835, August 2004.

[2] Barbir, A., Burger, E., Chen, R., McHenry, S., Orman, H., and R. Penno, "OPES Use Cases and Deployment Scenarios", RFC 3752, April 2004.

[3] Barbir, A., Batuner, O., Beck, A., Chan, T., and H. Orman, "Policy, Authorization, and Enforcement Requirements of Open Pluggable Edge Services (OPES)", RFC 3838, August 2004.

5.2. Informative References

[4] Floyd, S. and L. Daigle, "IAB Architectural and Policy Considerations for Open Pluggable Edge Services", RFC 3238, January 2002.

6. Acknowledgements

Many thanks to T. Chan (Nokia) and A. Beck (Lucent).

7. Authors' Addresses

Abbie Barbir
Nortel Networks
3500 Carling Avenue
Nepean, Ontario K2H 8E9
Canada

   Phone: +1 613 763 5229
   EMail: abbieb@nortelnetworks.com

Oskar Batuner
Independent consultant

   EMail: batuner@attbi.com

Bindignavile Srinivas
Nokia
5 Wayside Road
Burlington, MA 01803
USA

   EMail: bindignavile.srinivas@nokia.com

Markus Hofmann
Bell Labs/Lucent Technologies
Room 4F-513
101 Crawfords Corner Road
Holmdel, NJ 07733
US

   Phone: +1 732 332 5983
   EMail: hofmann@bell-labs.com

Hilarie Orman
Purple Streak Development

   EMail: ho@alum.mit.edu
8. Full Copyright Statement

Copyright (C) The Internet Society (2004). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.