Re: [Anima-signaling] GRASP issue 52: Insecure instance text
"Max Pritikin (pritikin)" <pritikin@cisco.com> Wed, 17 August 2016 22:49 UTC
From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Date: Wed, 17 Aug 2016 22:49:36 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima-signaling/tibQJ8-Mc3vmPYP3at6fFdBrAJ8>
Cc: Anima signaling DT <anima-signaling@ietf.org>
Subject: Re: [Anima-signaling] GRASP issue 52: Insecure instance text

> On Aug 17, 2016, at 4:44 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>
> Oops, I'm not sure Max will have seen this. Waiting for comments.

thanks for the heads up Brian. I’ll look at this later this evening or tomorrow morning. Unable to get to it just now,

- max

>
> Brian
>
> -------- Forwarded Message --------
> Subject: Re: [Anima-signaling] GRASP issue 52: Insecure instance text
> Date: Wed, 3 Aug 2016 14:42:02 +1200
> From: Brian E Carpenter <brian.e.carpenter@gmail.com>
> Organization: University of Auckland
> To: Toerless Eckert <eckert@cisco.com>
> CC: Anima signaling DT <anima-signaling@ietf.org>
>
> OK, here is what I got from Max's notes and the discussion with
> Toerless. This is a new section proposed for the GRASP spec. (It also
> covers Issue 49.) Comments?
>
> Brian
>
> 3.3.2. Limited Security Instances
>
> This section describes three cases where additional instances of
> GRASP are appropriate.
>
> 1) As mentioned in Section 3.2, some GRASP operations might be
> performed across an administrative domain boundary by mutual
> agreement. Such operations MUST be confined to a separate instance
> of GRASP with its own copy of all GRASP data structures. Messages
> MUST be authenticated and SHOULD be encrypted. TLS is RECOMMENDED
> for this purpose.
>
> 2) During initialisation, before a node has joined the applicable
> trust infrastructure, [I-D.ietf-anima-bootstrapping-keyinfra], it is
> impossible to secure messages. Thus, the security bootstrap process
> needs to use insecure GRASP discovery, response and flood messages.
> Such usage MUST be limited to link-local operations and MUST be
> confined to a separate insecure instance of GRASP with its own copy
> of all GRASP data structures. This instance is nicknamed DULL -
> Discovery Unsolicited Link Local.
>
> The detailed rules for the DULL instance of GRASP are as follows:
>
> o An initiator MUST only send Discovery or Flood Synchronization
>   link-local multicast messages with a loop count of 1. A
>   responder MAY send a Discovery Response message. Other GRASP
>   message types MUST NOT be sent.
>
> o A responder MUST silently discard any message whose loop count is
>   not 1.
>
> o A responder MUST silently discard any message referring to a GRASP
>   Objective that is not directly part of the bootstrap creation
>   process.
>
> o A responder MUST NOT relay any multicast messages.
>
> o A Discovery Response MUST indicate a link-local address.
>
> o A Discovery Response MUST NOT include a Divert option.
>
> o A node MUST silently discard any message whose source address is
>   not link-local.
>
> 3) During ACP formation [I-D.ietf-anima-autonomic-control-plane], a
> separate instance of GRASP is used, with unicast messages secured by
> TLS, and with its own copy of all GRASP data structures. This
> instance is nicknamed SONN - Secure Only Neighbor Negotiation.
>
> The detailed rules for the SONN instance of GRASP are as follows:
>
> o Any type of GRASP message MAY be sent.
>
> o An initiator MUST send any Discovery or Flood Synchronization
>   link-local multicast messages with a loop count of 1.
>
> o A responder MUST silently discard any Discovery or Flood
>   Synchronization message whose loop count is not 1.
>
> o A responder MUST silently discard any message referring to a GRASP
>   Objective that is not directly part of the ACP creation process.
>
> o A responder MUST NOT relay any multicast messages.
>
> o A Discovery Response MUST indicate a link-local address.
>
> o A Discovery Response MUST NOT include a Divert option.
>
> o A node MUST silently discard any message whose source address is
>   not link-local.
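
Added example, not part of the original message or of any GRASP implementation: a receive-side filter in Python that applies the DULL and SONN discard rules from the proposed section 3.3.2, using one policy object per instance so the difference between the two is visible. The `Msg` fields, the string message-type names, the objective names and the choice to drop disallowed message types on receipt are assumptions of this sketch; relaying is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Msg:                       # field names are assumptions for this sketch
    mtype: str                   # "discovery", "flood", "response", "request", ...
    source: str                  # source address of the received packet
    objective: Optional[str] = None
    loop_count: Optional[int] = None   # None when the message carries no loop count
    locator: Optional[str] = None      # address indicated by a Discovery Response
    divert: bool = False               # True if a Divert option is present

@dataclass(frozen=True)
class Instance:
    objectives: frozenset        # objectives that are part of this instance's purpose
    any_type: bool               # SONN: any GRASP message type MAY be sent

MULTICAST = {"discovery", "flood"}

def link_local(addr: Optional[str]) -> bool:
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_link_local
    except (AttributeError, ValueError):
        return False

def check(inst: Instance, m: Msg) -> str:
    """Return "accept", or the reason the message is silently discarded."""
    if not link_local(m.source):
        return "source not link-local"
    if not inst.any_type and m.mtype not in MULTICAST | {"response"}:
        return "message type not allowed"
    # DULL checks every loop count it sees; SONN only Discovery and Flood.
    strict = m.mtype in MULTICAST or (not inst.any_type and m.loop_count is not None)
    if strict and m.loop_count != 1:
        return "loop count not 1"
    if m.objective is not None and m.objective not in inst.objectives:
        return "objective outside instance scope"
    if m.mtype == "response" and m.divert:
        return "Divert option in response"
    if m.mtype == "response" and not link_local(m.locator):
        return "response locator not link-local"
    return "accept"

# Constructed objective names, not taken from any GRASP document.
DULL = Instance(frozenset({"EX-BOOTSTRAP"}), any_type=False)
SONN = Instance(frozenset({"EX-ACP"}), any_type=True)
```
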