IETF Logo Mail Archive

Re: [Anima] Secdir last call review of draft-ietf-anima-grasp-api-07

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 28 October 2020 01:59 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7735D3A09EA; Tue, 27 Oct 2020 18:59:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.346
X-Spam-Level:
X-Spam-Status: No, score=-2.346 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.247, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id egVs9s2_OCG1; Tue, 27 Oct 2020 18:59:01 -0700 (PDT)
Received: from mail-pj1-x1035.google.com (mail-pj1-x1035.google.com [IPv6:2607:f8b0:4864:20::1035]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 918173A09EB; Tue, 27 Oct 2020 18:58:58 -0700 (PDT)
Received: by mail-pj1-x1035.google.com with SMTP id az3so1750153pjb.4; Tue, 27 Oct 2020 18:58:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:organization:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=TKQPg2jna8LEXY2S9D008aZgL7XQIZFhJpLkfmjYj74=; b=ogfoBXgt9hbC37ORJJA1IXgzQTdNhEiplbcNC3xPPn1SuOU9dd/esqF5kKn5wb2uC6 K6aoYu2cl7cabVaGAfmUo+d841sIAAOkrRZCPAjfO8g9R2a4BBlGoOLJ+ElbkrzUf2wv vBvN6dDXU603ZftmvYsaJa/nVZYFnBbIhc+6xpgDRr5EtcTgHE+BUMzQZO5JODwaMqVI zAnCM0TGbnhQ66ofW79+FZa8WbSQlF3v6CfNs/YHxvBdzlO9bN2i4/cPi1WvJxr75hcw ZKbvaUVD4077vue+icQIlFvLvLDrwe16ROq08hDIGZhG8PK/PR9+FGHOmEnrK+SpiTgb Wo9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:organization :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=TKQPg2jna8LEXY2S9D008aZgL7XQIZFhJpLkfmjYj74=; b=Or089ieiLm9rgDr34bl7MCnrmpYHN5L9jfkhnUD+2xP5tUlWxdmec3RcmhZ1Nz0k+X OLoiHoGfrsIIoKAfbjC2kBXOvvS+2sifVHL1SfHawPsh+QowPhQLex+vWbe4EqxUGsws TXxggzO3tg8jASDwyr7bYKbkmAfJotZ1BdA0CX9h8zXVoxPw4M7SdKXivVyJNAPlFML8 /VfycWZvJc08B/ZPXevmX6mxiLoJNLkX0tFGnY5wFsyz3uxn3S4ULKhEmNOKec+SkNIe zTXAqQ+JRpmh0CLiX0sHwcm5mIN1AALjnzWjsTZD7kHGEYIWkGbRF6MeOc9TqnNPHQcX ePjg==
X-Gm-Message-State: AOAM531nr42xb0xew1XPVBbjvrejNfSy/9VLLdhpH1VQu95xsA/yKZiH dk57yiTPm1GnUYgKJa5tshBo44LI7Vc=
X-Google-Smtp-Source: ABdhPJzlG3bVOmEP7oa7FQtX5fzNZokDx+rGzUoVK5CBAAisH8A1wm8LyKsP26Hob0Bqdvt76JTxag==
X-Received: by 2002:a17:902:9347:b029:d3:7c08:86c6 with SMTP id g7-20020a1709029347b02900d37c0886c6mr5056474plp.84.1603850337222; Tue, 27 Oct 2020 18:58:57 -0700 (PDT)
Received: from [192.168.178.20] ([151.210.130.0]) by smtp.gmail.com with ESMTPSA id mn15sm2548429pjb.21.2020.10.27.18.58.53 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 27 Oct 2020 18:58:55 -0700 (PDT)
To: Joseph Salowey <joe@salowey.net>, secdir@ietf.org
Cc: last-call@ietf.org, anima@ietf.org, draft-ietf-anima-grasp-api.all@ietf.org
References: <160381954432.30121.9559007698502161410@ietfa.amsl.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <b132bb6d-4a5b-5388-6f0d-0f94c71bc51b@gmail.com>
Date: Wed, 28 Oct 2020 14:58:52 +1300
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.1
MIME-Version: 1.0
In-Reply-To: <160381954432.30121.9559007698502161410@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/YS8vk43BeYGiFps9OaGExnYx4xc>
Subject: Re: [Anima] Secdir last call review of draft-ietf-anima-grasp-api-07
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Oct 2020 01:59:04 -0000

Hi Joseph,

Thanks for the review. Comments in line...

On 28-Oct-20 06:25, Joseph Salowey via Datatracker wrote:
> Reviewer: Joseph Salowey
> Review result: Has Issues
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> The summary of the review is Has issues.  The document does needs a bit more
> discussion of the security implications.
> 
> 1. Authorization
> 
> In the security considerations section the document says that authorization is
> left for future work.  I would expect that the section should at least describe
> what the implications of no authorizations are. 

This isn't really an issue for the API itself, but for the underlying protocol
and for the ANIMA ecosystem. It's an issue that the WG explicitly deferred
(and it's now a chartered work item). Let me quote here what the GRASP spec
says in its security considerations:

>>    - Authorization and Roles
>> 
>>       The GRASP protocol is agnostic about the roles and capabilities of
>>       individual ASAs and about which objectives a particular ASA is
>>       authorized to support.  An implementation might support
>>       precautions such as allowing only one ASA in a given node to
>>       modify a given objective, but this may not be appropriate in all
>>       cases.  For example, it might be operationally useful to allow an
>>       old and a new version of the same ASA to run simultaneously during
>>       an overlap period.  These questions are out of scope for the
>>       present specification.

and what draft-carpenter-anima-asa-guidelines says:

>> Authorization of ASAs is a subject for future study. At present, ASAs are trusted by virtue of being installed on a node that has successfully joined the ACP. In the general case, a node may have mutltiple roles and a role may use multiple ASAs, each using multiple GRASP objectives. Additional mechanisms for the authorization of nodes and ASAs to manipulate specific GRASP objectives could be designed.

That draft is on the verge of WG adoption. The point is that the current
trust model is that we trust any node that has successfully joined the ACP,
and therefore we trust any ASA in such a node. We should state that clearly
in the text.

IMHO it would be out of scope for the API to say more but we should add a
reference to the GRASP Security Considerations.

> What risks are not being
> mitigated?   What modes of operations should not be used? 

Those are good questions for the WG to look at.

> In general leaving
> security items out suggests that the work is not ready for wide deployment. 
> Perhaps this is OK because the work is informational, but the document should
> probably say this.


Personally I don't think we have left a hole here, because there's a well-defined
trust boundary, but we should indeed state that as well as citing the GRASP spec's
security considerations.

> 
> 2. Authentication
> 
> Section 2.3.1.4 discusses the ASA_locator.  How is is the entity accessed by
> the locator authenticated?  How does the caller of the API know they are
> talking to the right entity?  I don't see any discussion of this in this
> document and there is very little in draft-ietf-anima-grasp-15 on this.    Is
> there a section in one of these documents I should be looking for?

No, you're not missing anything. The trust boundary is the ACP, and that takes
us back to the previous point. If we do decide that we need a fine-grained
trust model inside the ACP, we'll presumably need to extend GRASP itself
to add some form of authentication option beyond what GRASP over TLS can
provide. 

> 
> 3. ASA_Nonce
> 
> The ASA nonce is described as a security mechanism.  It is only 4 bytes long. 
> This seems short, making the ASA_Nonce vulnerable to collisions.  Why is this
> not a problem?

This isn't used on the wire, just locally within the GRASP instance,
so collisions can be excluded.

> How long is the ASA nonce supposed to be valid?  How often does registration
> happen?

At the moment, there is no sensible answer to those questions. When we develop
the authorization model, we'd definitely have to answer those questions and maybe
the nonce would have to be replaced by a crypto object.

> 
> 4. Session Nonce
> 
> Are there security implications of revealing the session nonce to the caller as
> suggested in section 2.3.1.7?  Could it allow for the ASA to bypass
> authorization if it knows this value?   Perhaps forming the nonce from the
> underlying session ID is not the best guidance?  Also it seems the underlying
> protocol session ID is only 4 bytes and collisions are likely and may be a
> problem for the protocol.

No, the collision risk is avoided because the session nonce includes the
ACP IPv6 address of the session originator. We should explain that
more clearly.

> 
> 5. Error Codes
> 
> In general, the list of API codes in the appendix is not described in the API. 
> It seems they should be.  Some of the error codes seem related to
> authorization, which is out of scope?

Our hope was the the WG could move faster on that topic, but the
incredible delays on BRSKI and the ACP made that impossible.
Our idea is certainly that register_asa() and register_objective()
should include authorization in the longer term.

> It seems that some of the error code could lead to disclosure of information,
> for example:
> 
> notYourASA       7 "ASA registered but not by you"  might reveal a valid nonce
> from an invalid nonce

Hmm... I don't think so. Let me glance at the code...

The only place where I found that error code useful was in deregister_asa()
and that doesn't return anything else. It could be used in an exhaustive
search attack to deregister an ASA, but in the current trust model that
doesn't seem like a significant risk. 

> 
> 6. Denial of service
> 
> are there protections in the underlying protocol for denial of service with
> respect to Flood(), Synchronize() or any other method?

There are recommendations about rate throttling for relaying GRASP Flood and
Discover multicasts, which should confine any multicast abuse to a single
link-layer segment. That's one good reason for using link-layer multicast only.
We also have recommendations for exponential backoff in the GRASP spec, but
of course a malicious sender could ignore those. In any case we can put a
specific pointer to that subsection of the GRASP Security Considerations.

DoS against the Negotiate or Synchronize parts of GRASP seems to be like
any other client/server protocol. I'm not sure what we can say in the
API spec about that. In my implementation (which is not intended to be
production quality) I've simply put finite queues for all the request
handlers, with silent discard if the queue overflows.

We'll collate updates to all reviews after the LC expires.

Thanks again
    Brian

v2.23.0 | Report a Bug | By Email