[Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-autonomic-control-plane-28: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Wed, 12 August 2020 23:46 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: anima@ietf.org
Delivered-To: anima@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D4973A0C7B; Wed, 12 Aug 2020 16:46:31 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-anima-autonomic-control-plane@ietf.org, anima-chairs@ietf.org, anima@ietf.org, Sheng Jiang <jiangsheng@huawei.com>, jiangsheng@huawei.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.13.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <159727599109.5414.1617295798802435987@ietfa.amsl.com>
Date: Wed, 12 Aug 2020 16:46:31 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/nePa6f6splvOMfL39G-7Lz9Wuig>
Subject: [Anima] Benjamin Kaduk's Discuss on draft-ietf-anima-autonomic-control-plane-28: (with DISCUSS and COMMENT)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Aug 2020 23:46:31 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-anima-autonomic-control-plane-28: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-anima-autonomic-control-plane/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Hopefully just a couple easy ones... I made a pass over Ekr's ballot comments (nominally on the -16, though some of the quoted text doesn't seem to match up with that version). We're generally in good shape there, but I wanted to check on the point regarding a "downgrade defense on the meta-negotiation between the protocols", which in theory would allow an attacker to force the use of IPsec or DTLS or whatever other protocol has a weakness. It seems like there may have been some confusion about DULL vs ACP GRASP in play here, especially with respect to when there might be the possibility of multiple secure channels. My current understanding is that there is not a major issue here, but let's confirm that: DULL GRASP runs only over a local link (using link-local addresses), and as currently defined has the option of flooding advertisements that use either DTLS or IKEv2 to establish the ACP secure channel. DULL GRASP has no cryptographic protections at all, so if there is somehow (e.g., on a multi-access link) an attacker on the link, they could drop or rewrite some announcements to force either DTLS or IKEv2 to be used for secure channel establishment even if the other would normally have been preferred. On directly-connected wired links, such tampering may be unlikely (but not beyond the capabilities of, e.g., a nation-state or well-funded attacker, especially for, e.g., long fiber runs.) By itself, this is not useful, since both DTLS and IKEv2+ESP are believed to be secure, but if some future vulnerability is discovered the downgrade might allow for the vulnerability to be exploited in cases it would not otherwise have been usable. Countermeasures to allow detection of this kind of tampering are possible -- include as part of the DTLS or IKEv2 exchange (or the first operation after it) a preference-ordered list of supported secure channel mechanisms, and bail out if the mechanism being used is not the most-preferred shared mechanism -- but will still fail if the vulnerability in question is sufficiently severe to allow handshake forgery. ACP GRASP is different, in that it (1) runs over the ACP, so any on-path attack to drop/rewrite GRASP would have as a prerequisite an attacker in the ACP, and (2) unicast GRASP is protected end-to-end by TLS. However, it seems like broadcast/flooded ACP GRASP objectives will only have the hop-by-hop ACP protection and so would in theory also be subject to a downgrade attack if there was an in-ACP on-path attacker. It also seems like there's a general expectation that ACP services will run over TLS, and the option of "TLS *or* DTLS (or something else)" is not expected to be common, so the existence of a downgrade to a different protocol is rare as well. While I would like to be able to defend against downgrade attacks by an in-ACP on-path attacker, I recognize that it's a defensible position to take that we assume all entities in the ACP to remain secure and just accept the corresponding risks in the case of compromise. Similarly, for "big iron" router deployments, physical links are the norm and the DULL GRASP downgrade attack may not be a practical concern; I would again like to have the mechanisms in place to be able to detect downgrade if, for example, deployments broaden to the use of radio technologies, but the absence of such a mechanism does not seem like a critical flaw at this time. So, to be clear, the DISCUSS here is just to be sure that we're all on the same page as to what point Ekr was making and the current state of affairs; given my current understanding, I'm not holding a DISCUSS point for "add the downgrade-detection mechanism" (though I do encourage it). It looks like Section 6.1.3 is missing a "rule 6: verify that the acp-address/prefix in the certificate matches the address being used to talk to the peer", if I'm reading between the lines properly. (If not, and this is just skew introduced by editing, my comments about references to a non-existent rule 6 apply, see COMMENT.) ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thank you for the extensive efforts you put in to respond to the previous rounds of feedback; I'm happy to say that my discuss points on the -19 have all been resolved. I especially appreciate that you were able to continue discussions with Russ and Barry (and others) even when I myself was not being particularly responsive due to other pressing issues. I'd also like to express appreciation for the care that went into the various "sweeping changes" (renames/etc.); there was very little fallout that needed further fixup. I note that I started off reviewing the diff from -19 to -27 and then made a follow-up pass looking at the diff from -27 to -28, so there's some risk I comment on something that I saw in the -27 but is already fixed. Section 1 This document describes a modular design for a self-forming, self- managing and self-protecting ACP, which is a virtual out-of-band network designed to be as independent as possible of configuration, addressing and routing and similar self-dependency problems in current IP networks, but which is still operating in-band on the same physical network that it is controlling and managing. The ACP design nit: the antecedent for "similar self-dependency problems" seems to be intended to be the issues with in-band OAM/control-plane that were discussed a couple paragraphs prior, but grammatically we have to look for a local binding within the same list. So probably we want something more like "avoiding the self-dependency problems of current IP networks". In a fully autonomic network node without legacy control or management functions/protocols, the Data-Plane would be for example just a forwarding plane for "Data" IPv6 packets, aka: packets that are not forwarded by the ACP itself such as control or management plane packets. In such networks/nodes, there would be no non- nit: I suggest rewording to "packets other than the control and management plane packets that are forwarded by the ACP itself" to avoid ambiguity about whether the "such as" matches "forwarded by the ACP itself" or "data packets". Section 1.1 The implementation footprint of the ACP consists of Public Key Infrastructure (PKI) code for the ACP certificate, the GRASP protocol, UDP, TCP and TLS 1.2 ([RFC5246], for security and I agree with Barry that it's best to just say "TLS". Referencing both 8446 and 5246 is okay, but 8446 needs to be there. Section 5 4. For each entry in the candidate adjacency list, the node negotiates a secure tunnel using the candidate channel types. See Section 6.5. Somewhere in this procedure (not necessarily exactly here), we might want to say something about how failed authentication/negotiation/authorization/etc. means that the candidate peer adjacency is not accepted into the ACP, rejected, discarded, or something of that nature. Having the main focus be on the success case rather than the detailed error handling makes sense for an overview, but if we are listing only "candidate" adjacencies we probably ought to acknowledge that not all candidates succeed. Section 6.1.1 ACP nodes MUST NOT support certificates with RSA public keys of less than 2048 bit modulus or curves with group order of less than 256 bit. They MUST support certificates with RSA public keys with 2048 bit modulus and MAY support longer RSA keys. They MUST support certificates with ECC public keys using NIST P-256 curves and SHOULD support P-384 and P-521 curves. We probably can nail this down a bit more, particularly on the ECC side as being ECDSA signatures (but RSA as well to be signatures vs. encryption). Maybe something like: % ACP nodes MUST NOT support certificates with RSA public keys whose % modulus is less than 2048 bits, or certificates whose ECC public keys % are in groups whose order is less than 256 bits. RSA signing % certificates with 2048-bit public keys MUST be supported, and such % certificates with longer public keys MAY be supported. ECDSA % certificates using the NIST P-256 curve MUST be supported, and such % certificates using the P-384 and P-521 curves SHOULD be supported. Also, 2048-bit RSA is starting to look shaky; note that draft-cooley-cnsa-dtls-tls-profile insists on 3072-bit or larger at this point, which would be my own personal recommendation as well. ACP nodes MUST support SHA-256 and SHOULD support SHA-384, SHA-512 signatures for certificates with RSA key and the same RSA signatures plus ECDSA signatures for certificates with ECC key. We should probably reword this to be clearer that we're talking about the signature on the certificate, not the signatures made by the certificate. Perhaps: % ACP nodes MUST support RSA certificates that are signed by RSA % signatures over the SHA-256 digest of the contents, and SHOULD % additionally support SHA-384 and SHA-512 digests in such signatures. % The same requirements for certificate signatures apply to ECDSA % certificates, and additionally, ACP nodes MUST support ECDSA % signatures on ECDSA certificates. The ACP certificate SHOULD use an RSA key and an RSA signature when the ACP certificate is intended to be used not only for ACP authentication but also for other purposes. The ACP certificate MAY use an ECC key and an ECDSA signature if the ACP certificate is only used for ACP and ANI authentication and authorization. There may be a mismatch in the normative guidance here: we have MUST baseline guidance earlier for 2048-bit RSA and P-256, but SHOULD (stronger than MAY) for P-384/P-521 and only MAY for >2048-bit-RSA. But here, it's SHOULD use RSA and only MAY ECC, which is reversed. I know that the flexibility-of-strength question is not exactly the same as what-to-use-externally, so maybe it's fine, but I wanted to check. Any secure channel protocols used for the ACP as specified in this document or extensions of this document MUST therefore support authentication (e.g.:signing) starting with these type of certificates. See [RFC4492] for more information. Do they all have to support both RSA and ECDSA certs, or is it okay to only support one? The ACP certificate SHOULD be used for any authentication between nodes with ACP domain certificates (ACP nodes and NOC nodes) where the required authorization condition is ACP domain membership, such I suggest s/the required authorization condition/a required authorization condition/, since even if there is more fine-grained authorization needed, you still need an ACP certificate to prove you're part of the domain. In support of ECDH key establishment, ACP certificates with ECC keys MUST indicate to be Elliptic Curve Diffie-Hellman capable (ECDH) if X.509 v3 keyUsage and extendedKeyUsage are included in the certificate. nit: "if X.509 v3 keyUsage and extendedKeyUsage are included" sounds like both need to be present, but I don't think that's really what's needed. AFAICT only the non-extended keyUsage is relevant, so we would just say "if the X.509v3 keyUsage extension is present, the keyAgreement bit MUST be set". Any other field of the ACP domain certificate is to be populated as required by [RFC5280] or desired by the operator of the ACP domain ACP registrars/CA and required by other purposes that the ACP domain certificate is intended to be used for. This sentence is a bit hard to parse; it has three clauses and it's not entirely clear how they're intended to relate to each other ("populated as required by RFC5280", "desired by the operator of the ACP domain", "required by other purposes that the ACP domain certificate is intended to be used for"). certificate information can be retrieved bei neighboring nodes s/bei/by/ For diagnostic and other operational purposes, it is beneficial to copy the device identifying fields of the node's IDevID certificate into the ACP domain certificate, such as the "serialNumber" (see [I-D.ietf-anima-bootstrapping-keyinfra] section 2.3.1). This can be I suggest noting that this "serialNumber" is the X520SerialNumber name attribute, not the CertificateSerialNumber (IIUC this is the first usage of "serialNumber" in this document). IMO the quotes, while helpful to set it apart, are not enough to indicate that this is not the normal certificate serial number (of "issuer and serial number" that is supposed to uniquely identify a certificate). Note that there is no intention to constrain authorization within the ACP or autonomic networks using the ACP to just the ACP domain membership check as defined in this document. It can be extended or modified with future requirements. Such future authorizations can use and require additional elements in certificates or policies or even additional certificates. For an example, see Appendix A.10.5. It might be worth noting that we already have the id-kp-cmcRA check for EST servers, in addition to the "domain membership" check. Section 6.1.2 HEXLC = DIGIT / "a" / "b" / "c" / "d" / "e" / "f" ; DIGIT as of RFC5234 section B.1 Note that (if I remember my ABNF right), this is not restricted to just "lower case" hex digits, since matching is case-insensitive. (Of course, "LC" could stand for something else...) In order to get the case sensitivity, the %s"a" construction from RFC 7405 (or bare %x61) would be needed. extension = ; future standard definition. ; Must fit RFC5322 simple dot-atom format. I think there's a different convention than "empty definition" for extensibility points and am hoping that my colleagues will chime in about it. acp-node-name = fd89b714F3db00000200000064000000 +area51.research@acp.example.com [has upper-case hex digit, if that ends up mattering] Nodes complying with this specification MUST also be able to authenticate nodes as ACP domain members or ACP secure channel peers when they have a 0-value acp-address field and as ACP domain members (but not as ACP secure channel peers) when they have an empty acp- address field. See Section 6.1.3. An "empty acp-address field" would seem to mean "", the empty string, which is not allowed by the ABNF. It is, however, allowed to omit the acp-address, so I think that it's better to talk about the acp-address field being "absent" rather than "empty" (and there are many subsequent mentions of an "empty acp-address" in the document; I tried to point out most of them as they occur. To keep the encoding simple, there is no consideration for internationalized acp-domain-names. The acp-node-name is not intended for end user consumption, and there is no protection against someone not owning a domain name to simpy choose it. Instead, it We should presumably say somewhere (not necessarily here) that if someone does maliciously try to choose a domain name they don't own as the acp-domain-name, they won't be able to pass a domain-membership test unless it's signed by the real domain's CA, and the CA should know enough to not issue such certs to unauthorized entities. In other words, the combination of acp-domain-name and root CA identify the domain, so collisions of acp-domain-name are not fatal (which is good, since they're trivial to produce). 1.2 If "acp-address" is empty, and "rsub" is empty too, the "local-part" will have the format ":++extension(s)". The two plus characters are necessary so the node can nit: there's no ":" in the ABNF. 2.4 Addresses of the form <local><@domain> have become the nit(?): is the '@' intended to be outside the angle brackets? 3.1 It should be possible to use the ACP certificate as an LDevID certificate on the system for other uses beside the ACP. Therefore, the information element required for the ACP should be encoded so that it minimizes the possibility of creating incompatibilities with such other uses. The subjectName is for example often used as an entity identifier in non-ACP uses of a the ACP certificate. There's not a "subjectName" field in a PKIX certificate, and I'm not sure if this is intended to refer to subjectAltName (so as to say that the ACP name can be used for non-ACP uses) or to some other field (commonName?) (so as to say that we are leaving that field unoccupied for other uses). In light of the surrounding context, I'd guess the former, but please clarify. Section 6.1.3 3: If the node certificate indicates a Certificate Revocation List (CRL) Distribution Point (CRLDP) ([RFC5280], section 4.2.1.13) or Online Certificate Status Protocol (OCSP) responder ([RFC5280], section 4.2.2.1), then the peer's certificate MUST be valid according to those mechanisms when they are available: An OCSP check for the peer's certificate across the ACP must succeed or the peer certificate must not be listed in the CRL retrieved from the CRLDP. These mechanisms are not available when the node has IIUC, the "node certificate" in the first line is the same as the "peer's certificate" thereafter; we should probably use "peer node's certificate" the first time as well, for consistency. peer if there are multiple. The ACP secure channel connection MUST be retried periodically to support the case that the neighbor acquires a new, valid certificate. (I forget if we already give guidance somewhere about the order of magnitude for "periodically"; if not, we might want some here.) 5: The candidate peer certificate's acp-node-name has a non-empty acp-address field (either 32HEXLC or 0, according to Figure 2). nit: per the ABNF, we should probably refer to the acp-address field being absent rather than being empty. Steps 1...4 do not include verification of any pre-existing form of non-public-key-only based identity elements of a certificate such as a web servers domain name prefix often encoded in certificate common name. Steps 5 and 6 are the equivalent steps. I think we only have a step 5 (no 6) now? Steps 1...5 authorize to build any secure connection between members of the same ACP domain except for ACP secure channels. Step 6 is the additional verification of the presence of an ACP address. Steps 1...6 authorize to build an ACP secure channel. (ditto) Section 6.1.3.1 node SHOULD obtain the current time in a secured fashion I note with excitement that draft-ietf-ntp-using-nts-for-ntp is in the RFC Editor's queue! Section 6.1.5.3 A CRLDP can be reachable across the ACP either by running it on a node with ACP or by connecting its node via an ACP connect interface (see Section 8.1). The CRLDP SHOULD use an ACP certificate for its HTTPs connections. The connecting ACP node SHOULD verify that the CRLDP certificate used during the HTTPs connection has the same ACP address as indicated in the CRLDP URL of the node's ACP certificate if the CRLDP URL uses an IPv6 address. CRLDPs typically run over HTTP, not HTTPS, so this SHOULD is surprising. That said, if there is to be a certificate check, why SHOULD vs MUST verify that the IPv6 address matches? Section 6.1.5.5 Maintaining existing TA information is especially important when enrollment mechanisms are used that unlike BRSKI do not leverage a voucher mechanism to authenticate the ACP registrar and where therefore the injection of certificate failures could otherwise make the ACP node easily attackable remotely. We should probably not say that you SHOULD immediatelly fall back to forgetting the remembered TAs on the first TLS failure. Some kind of retry mechanism would give a bit more resilience against this attack. Section 6.3 Note that the use of the IPv6 link-local multicast address (ALL_GRASP_NEIGHBORS) implies the need to use Multicast Listener Discovery Version 2 (MLDv2, see [RFC3810]) to announce the desire to receive packets for that address. Otherwise DULL GRASP could fail to operate correctly in the presence of MLD snooping, non-ACP enabled L2 switches ([RFC4541]) - because those would stop forwarding DULL GRASP packets. Switches not supporting MLD snooping simply need to operate nit: I suggest putting the 4541 reference right after "MLD snooping" (i.e., before "non-ACP-enabled L2 switches"). Section 6.7.3.1.1 It's a bit surprising to see ENCR_AES_CCM_8 as a "MAY", since the 8-byte authentication tag may be significantly weaker than the strength of the other primitives being used for ACP secure channels. If ENCR_AES_CBC is listed, we probably want to say something about the ESP Authentication Algorithm used with it (the AUTH_HMAC_SHA2_256_128 that's a MUST in 8221 would be fine). o There is no MTI requirement against support of ENCR_AES_CBC because ENCR_AES_GCM_16 is assumed to be feasible with less cost/ higher performance in modern devices hardware accelerated implementations compared to ENCR-AES_CBC. I'm not sure what "against support of ENCR_AES_CBC" is intended to mean. It sounds like it's saying "we don't forbid AES-CBC" but the rest of the sentence doesn't really support that. Section 6.7.3.1.2 ACP nodes SHOULD set up IKEv2 to only use the ACP certificate and TA when acting as an IKEv2 responder on the IPv6 link local address and port number indicated in the AN_ACP DULL GRASP announcements (see Section 6.3). There's a subtlety of English here -- "to only use <X> when <Y>" means that the only time X is used is when Y, whereas "to use only <X> when <Y>" means that X is the only thing that is used when Y, which I think is the intent of this statement. (But I could be wrong!) In IKEv2, ACP nodes are identified by their ACP address. The ID_IPv6_ADDR IKEv2 identification payload MUST be used and MUST convey the ACP address. If the peer's ACP certificate includes a 32HEXLC ACP address in the acp-node-name (not "0" or empty), the [another case of "empty" vs "absent" for acp-address] Section 6.7.4 nit: s/negoting/negotiating/ An ACP node announces its ability to support DTLS v1.2 compliant with the requirements defined in this document as an ACP secure channel protocol in GRASP through the "DTLS" objective-value in the "AN_ACP" objective. To run ACP via UDP and DTLS v1.2 [RFC6347], a locally assigned UDP [...] As previously, we probably want the "DTLS" objective value to be version-agnostic; the 1.2 minimum/MTI can be specified in the following paragraphs. Unlike for IPsec, no attempts are made to simplify the requirements of the BCP 195 recommendations because the expectation is that DTLS would be using software-only implementations where the ability to reuse of widely adopted implementations is more important than minizing the complexity of a hardware accelerated implementation which is known to be important for IPsec. (side note: hardware TLS support is becoming more common these days, though only for the record encryption and not the handshake protocol, as I understand it. Analogous to supporting ESP but not IKEv2 in hardware, basically.) Section 6.8.2 TLS for GRASP MUST offer TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 and MUST NOT offer options with less than 256 bit symmetric key strength or hash strength of less han SHA384. [...] Those are TLS 1.2 ciphers; do you want to also say "when TLS 1.3 is supported, TLS_AES_256_GCM_SHA384 MUST be offered and TLS_CHACHA20_POLY1305_SHA256 MAY be offered"? less han SHA384. TLS for GRASP MUST also include the "Supported Elliptic Curves" extension, it MUST support support the NIST P-256 (secp256r1) and P-384 (secp384r1(24)) curves [RFC4492]. In addition, GRASP TLS clients SHOULD send an ec_point_formats extension with a single element, "uncompressed". For further interoperability recommendations, GRASP TLS implementations SHOULD follow [RFC7525]. Note that RFC 8446 retconned "Supported Elliptic Curves" to being "Supported Groups". (It also obviated the need for "ec_point_formats", but since ACP mandates ability to use TLS 1.2, you still have to send that one.) Section 6.10.2 o When creating a new routing-subdomain for an existing autonomic network, it MUST be ensured, that rsub is selected so the resulting hash of the routing-subdomain does not collide with the hash of any pre-existing routing-subdomains of the autonomic network. This ensures that ACP addresses created by registrars for different routing subdomains do not collide with each others. Ensured by whom? What if the domain uses a "public CA" as a trust anchor that might also be used by some other autonomic domain -- does the CA also need to be checking? Section 6.10.3 o Node-Number: Number to make the Node-ID unique. This can be sequentially assigned by the ACP Registrar owning the Registrar- ID. I see "can be sequentially assigned" and immediately think of draft-gont-numeric-identifiers-sec-considerations, which I'm AD-sponsoring for publication. I don't have an obvious attack handy against sequential assignment, but it may be worth a closer look. Section 6.10.7.1 Any protocols or mechanisms may be used as ACP registrars, as long as the resulting ACP certificate and TA certificate(s) allow to perform nit(?): the ACP registrar is a PKI registration authority, i.e., a specific entity that plays a role in certificate issuance. I don't see how a "protocol or mechanism" can fulfil that role. Is s/as/by/ (or similar) intended? Section 6.10.7.3 The choice of addressing sub-scheme and prefix-length in the Vlong address sub-scheme is subject to ACP registrar policy. It could be an ACP domain wide policy, or a per ACP node or per ACP node type policy. For example, in BRSKI, the ACP registrar is aware of the IDevID certificate of the candidate ACP node, which contains a "serialNnumber" that is typically indicating the node's vendor and [...] address scheme for ACP nodes based on the "serialNumber" of the IDevID certificate, for example by the PID (Product Identifier) part which identifies the product type, or the complete "serialNumber". The PID for example could identify nodes that allow for specialized ASA requiring multiple addresses or non-autonomic VMs for services and those nodes could receive Vlong sub-address scheme ACP addresses. [same "serialNumber" comment as in Section 6.1.1, also s/Nn/N/] Section 6.11.1.7 When using ACP multi-access virtual interfaces, local repair can be directly by peer breakage, see Section 6.12.5.2.2. nit: is there a missing word like "triggered" in here (e.g., "can be triggered directly by peer breakage")? Section 6.11.1.14 As this requirement raises additional Data-Plane, it does not apply to nodes where the administrative parameter to become root (Section 6.11.1.12) can always only be 0b001, e.g.: the node does not support explicit configuration to be root, or to be ACP registrar or to have ACP-connect functionality. If an ACP network is degraded to the point where there are no nodes that could be configured roots, ACP registrars or ACP-connect nodes, traffic to unknown destinations could not be diagnosed, but in the absence of any intelligent nodes supporting other than 0b001 administrative preference, there is likely also no diagnostic function possible. Some nits here. Maybe: % As this requirement places additional constraints on the Data-Plane % functionality of the RPL root, it does not apply to "normal" nodes % that are not configured to have special functionality (i.e., the % adminstrative parameter from Section 6.11.1.12 has value 0b001). If % the ACP network is degraded to the point where there are no nodes that % could be configured as root, registrar, or ACP-connect nodes, it is % possible that the RPL root ( and thus the ACP as a whole) would be % unable to detect traffic to unknown destinations. However, in the % absence of nodes with administrative preference other than 0b001, % there is also unlikely to be a way to get diagnostic information out % of the ACP, so detection of traffic to unknown destinations would not % be actionable anyway. Section 6.12.5.1 8. Using global scope addresses for subnets between nodes is unnecessary if those subnets only connect routers, such as ACP secure channels because they can communicate to remote nodes via nit: comma after "such as ACP secure channels". Section 6.12.5.2 Note that all the considerations described here are assuming point- to-point secure channel associations. Mapping multi-party secure channel associations such as [RFC6407] is out of scope (but would be easy to add). Let's drop the "but would be easy to add" parenthetical, please. Section 7.2 This is sufficient when p2p ACP virtual interfaces are established to every ACP peer. When it is desired to create multi-access ACP virtual interfaces (see Section 6.12.5.2.2), it is REQIURED not to coalesce all the ACP secure channels on the same L3 VLAN interface, but only all those on the same L2 port. This requirement that ACP devices know whether multi-access virtual interfaces are expected or not is a bit hidden here, and might benefit from being more prominent in an overall requirements list. Section 8.1.1 "ACP connect" is an interface level configured workaround for connection of trusted non-ACP nodes to the ACP. The ACP node on which ACP connect is configured is called an "ACP edge node". With ACP connect, the ACP is accessible from those non-ACP nodes (such as NOC systems) on such an interface without those non-ACP nodes having to support any ACP discovery or ACP channel setup. This is also called "native" access to the ACP because to those NOC systems the interface looks like a normal network interface (without any encryption/novel-signaling). It's "native access" (and I see later that there's discussion of how the NMS routes into the ACP and of RPF filtering, and much later about the ability of ACP connect channels to participate in ACP GRASP), but what kind of services are accessible and how? Do we need to make TLS connections to ACP addresses, or is it at some other layer? (If TLS, are those services going to let us do anything with no client authentication?) ACP Edge nodes SHOULD have a configurable option to filter packets with RPI headers (xsee Section 6.11.1.13 across an ACP connect interface. These headers are outside the scope of the RPL profile in this specification but may be used in future extensions of this specification. Does "filter" just mean "drop anything with an RPI" or something more fine-grained? (Also, s/xsee/see/.) Section 8.2.2 I think we want to require (or at least strongly suggest) that the tunnel used to produce a "L2 adjacent" interface provide some sort of cryptographic protection, as otherwise the security properties that we expect from the L2-adjacent nature can be violated by an attacker on the path of the tunnel. Section 9.1.1 Another example case is the intended or accidental re-activation of equipment whose TA certificate has long expired, such as redundant gear taken from storage after years. Potentially without following the correct process set up for such cases. nit: sentence fragment. Section 9.2.2 Policies if candidate ACP nodes should receive a domain certificate or not, for example based on the devices IDevID certificate as in BRSKI. The ACP registrar may have a whitelist or blacklist of devices "serialNumbers" from their IDevID certificate. [Same comment about serialNumber as Section 6.1.1] Section 9.2.5 Which candidate ACP node is permitted or not permitted into an ACP domain. This may not be a decision to be taken upfront, so that a per-"serialNumber" policy can be loaded into every ACP registrar. Instead, it may better be decided in real-time including potentially a human decision in a NOC. (ditto) Section 9.3.5.1 Automatically setting "ANI enable" on brownfield nodes where the operator is unaware of BRSKI and MASA operations could also be an unlikely but then critical security issue. If an attacker could impersonate the operator and register as the operator at the MASA or otherwise get hold of vouchers and can get enough physical access to the network so pledges would register to an attacking registrar, then the attacker could gain access to the network through the ACP that the attacker then has access to. nit(?): this last bit ("gain access ... then has access to") is easy to read as being a tautology. Maybe "attacker could gain access to the ACP, and through the ACP gain access to the data plane"? Section 9.3.5.2 Attempts for BRSKI pledge operations in greenfield state should terminate automatically when another method of configuring the node is used. Methods that indicate some form of physical possession of the device such as configuration via the serial console port could lead to immediate termination of BRSKI, while other parallel auto configuration methods subject to remote attacks might lead to BRSKI termination only after they were successful. Details of this may vary widely over different type of nodes. [...] Most of this seems appropriate for, and (IIRC) already in, BRSKI itself and may not need repetition here. Section 9.4 Note that the non-autonomous ACP-Core VPN would require additional extensions to propagate GRASP messages when GRASP discovery is desired across the zones. For example, one could set up on each Zone edge router remote ACP tunnel to an appplication level implemented GRASP hub running in the networks NOC that is generating GRASP announcements for NOC services into the ACP Zones or propagating them between ACP Zones. There's enough nits here that I've lost the intended meaning. Is it: % For example, one could set up on each Zone edge router a remote ACP % tunnel to a GRASP hub, implemented at the application level, that runs % in the NOC for the network and serves to propagage GRASP announcements % between ACP Zones and/or generate GRASP announcements for NOC services Section 10.1 Merging two networks with different TA requires the ACP nodes to trust the union of TA. As long as the routing-subdomain hashes are different, the addressing will not overlap, which only happens in the unlikely event of a 40-bit hash collision in SHA256 (see Section 6.10). Note that the complete mechanisms to merge networks is out of scope of this specification. Maybe "only happens accidentally"? 40 bits of work is not terribly hard if you're trying to make a collision... Section 10.2.1 nit: s/ectracting/extracting/ Using RFC 3596 ("DNS Extensions to Support IP Version 6") as the sole reference for "DNS" seems surprising. Section 15.2 Usually we put RFC 2119 as normative as well as 8174; the two together comprise BCP 14, after all. We seem to say that you MUST offer the TLS elliptic curve ciphers from RFC 4492, which would make it a normative reference. (It's also been obsoleted by RFC 8422 at this point...) Appendix A.7 Note that RPL scales very well. It is not necessary to use multiple routing subdomains to scale ACP domains in a way it would be possible if other routing protocols where used. They exist only as options for the above mentioned reasons. nit(?) s/it would be possible/that would be required/?
- [Anima] Benjamin Kaduk's Discuss on draft-ietf-an… Benjamin Kaduk via Datatracker
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Toerless Eckert
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Toerless Eckert
- Re: [Anima] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk