Re: [Anima] Robert Wilton's No Objection on draft-ietf-anima-autonomic-control-plane-28: (with COMMENT)

[Brian E Carpenter <brian.e.carpenter@gmail.com>]

And I have improved that code, so that it really does make all GRASP
calls fail if the ACP reports that it is insecure and there is no
other security in place. It's still not production code, of course.

https://github.com/becarpenter/graspy/commit/c6d2270aea723baa4076cf8db34f8dcf14c9bd34

Regards
   Brian Carpenter

On 12-Sep-20 09:12, Brian E Carpenter wrote:
> (CC trimmed to avoid distracting the IESG.)
> 
>> With ACP, the data-plane for "internal" config could immediately be shut down
>> as soon as there is no ACP neighbor.
>>
>> Nice short term, small one pager ASA idea ;-))
> 
> Oh, I think every ASA should have this logic. In my prototype code, the ACP
> module provides a status function acp.status() and really that should be polled
> regularly, or there should be an event handler for "ACP down". My intention was
> that GRASP calls would fail with a "noSecurity" error code in that case.
> 
> Actually the code is there but inactive, absent a real ACP.
> 
> Regards
>    Brian
> 
> On 11-Sep-20 22:45, Toerless Eckert wrote:
>> On Sun, Aug 23, 2020 at 05:39:14PM -0400, Michael Richardson wrote:
>>>
>>> Robert Wilton via Datatracker <noreply@ietf.org> wrote:
>>>     > 6.10.1.  Fundamental Concepts of Autonomic Addressing
>>>
>>>     > For a PE device or NID, how does it know which interfaces to run ACP
>>>     > over?
>>>
>>> I think that "PE" here means "Provider Edge"?
>>> The answer is that it runs the GRASP DULL on *ALL* interfaces, because it the
>>> device may have no idea it is a Provider Edge device on that Interface.
>>>
>>> A Provider might want to turn this off, and they could well do that once the
>>> device has joined the ACP and gotten management control.  But, the risk of
>>> doing that is that the cables will get plugged in wrong, and the operator
>>> will lose access to the device.
>>
>> In addition to loosing access to the device, the authenticated presence of
>> an ACP neighbor on an interface should also result in the appropriate configuratoin
>> of the data plane, and in reverse the absence as well:
>>
>> When someone mis-plugs a cable, a CE facing interface might be miscabled to
>> a PE interface assumed to be inside the provider domain - and now the customer
>> could gain access to the SP infrastructure. Very often that infra is so fragile
>> that one might be able to inject a virus in short time. A malicious attacker
>> today likely needs to get some insight into the SP network from someone and
>> then bribe a lowly paid worker to accidentially misplug a cable for 10 minutes...
>>
>> With ACP, the data-plane for "internal" config could immediately be shut down
>> as soon as there is no ACP neighbor.
>>
>> Nice short term, small one pager ASA idea ;-))
>>
>> Cheers
>>     Toerless
>>
>>> In this case, I think that ANIMA's ACP prefers connectivity over the small
>>> amount of privacy lost by indicating that an IKEv2 is listening on an IPv6
>>> Link-Local address.  There is no security breach possible because the IKEv2
>>> (or DTLS) connection will not complete without the right trust anchors present.
>>>
>>> A smart heuristic might be to include some kind of dead-man's switch.
>>> The management interface might turn the DULL off on some interfaces for a
>>> period of time, and if the management interface is lost, then the interfaces
>>> would stop being suppressed.  This falls into the quality of implementation
>>> category at this point.
>>>
>>> --
>>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>>>  -= IPv6 IoT consulting =-
>>
>>
>>