Re: [Anima] 2nd WGLC for draft-ietf-anima-constrained-join-proxy-12, ends September 20th 2022
Toerless Eckert <tte@cs.fau.de> Mon, 26 September 2022 19:24 UTC
Date: Mon, 26 Sep 2022 21:23:51 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Esko Dijk <esko.dijk@iotconsultancy.nl>
Cc: Michael Richardson <mcr@sandelman.ca>, Anima WG <anima@ietf.org>, "anima-chairs@ietf.org" <anima-chairs@ietf.org>, stokcons <stokcons@bbhmail.nl>
Message-ID: <YzH8R88OY/kNDLxz@faui48e.informatik.uni-erlangen.de>
References: <Yxd/oBl0dmbmUI8L@faui48e.informatik.uni-erlangen.de> <DU0P190MB1978F420D478B93CE29F36D3FD4C9@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <46723.1663756262@dooku> <DU0P190MB1978AC04BBB22272B360984DFD4F9@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
In-Reply-To: <DU0P190MB1978AC04BBB22272B360984DFD4F9@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/uv5_AfjM6CihQf_5bJQncgjDVf4>
Thanks, Esko

inline

On Wed, Sep 21, 2022 at 10:52:47AM +0000, Esko Dijk wrote:
> Thanks,
>
> One item I forgot to include which was also on my mind - a security consideration. If an autonomous bootstrap method like BRSKI is left "always-on" in a mesh network, it means that at any time an off-mesh attacker can contact its nearby Join Proxies and flood them with traffic. E.g. using different LL addresses to pretend it is multiple Pledges.
> This will cause relayed traffic on the mesh, potentially overloading it.
>
> * One solution component is clearly rate-limiting of relayed traffic. But, this is not even mentioned in the security considerations. And not in 8995 as far as I can tell.

For the stateful proxy, the pull request from my review I sent last Friday
suggests the following text:

   To protect itself and the Registrar against malfunctioning Pledges and/or
   denial of service attacks, the join proxy SHOULD limit the number of
   simultaneous mapping states for each IP_p%IF to 2 and the number of
   simultaneous mapping states per interface to 10. When mapping state can
   not be built, the proxy SHOULD return an ICMP error (1), "Destination
   Port Unreachable" message with code (1), "Communication with destination
   administratively prohibited".

Do you think these are useful numbers ?

The whole idea of the stateless proxy is of course to remove the need for
intelligence from the proxy and only have it on the registrar. The best DoS
protection I could think of on the proxy is therefore just a total packet
rate limiter. Is it possible to come up with good recommendations on such
packet rate limiters ? For example 1% of the "uplink" bitrate ? Can you
think of mesh networks where this would not be a good enough number ?

If this (or another number) makes sense we could suggest to add it to the
stateless proxy section.

> * Another solution component is being able (by an admin) to "turn on" and "turn off" the entire option of BRSKI bootstrapping.
> This could also be mentioned as a security advice: turn it off when not needed i.e. when the operator knows for sure there are no new Pledges to be bootstrapped. The method of "turning on/off" could be implementation-specific as we don't define any APIs for control of Join Proxies. The intended behavior of any Join Proxy is then as follows:
> 1. If BRSKI is "on", respond to discovery requests by Pledges as usual and do relay any (DTLS) records they may send to the join-port.
> 2. If BRSKI is "off", don't respond to discovery requests by Pledges and don't relay any data sent to the join-port. (Effectively, close it.)

If the proxy does not discover a registrar, then of course it can not
forward enrolment requests. We should at least specify that proxies need to
correctly support that registrar (announcements) are switched on/off.

What do you think ?

> Some networks may have a "BRSKI always on" policy because it's needed for their application and for convenience, but for a majority of networks I expect that isn't needed.

I can already see a BRSKI scenario in the USA, where the manager of the
east-coast NOC went home at 5PM and some IT folks on the west coast still
want to enroll new equipment in an installation and wonder what happens.

But if this is what customers want (and I think you say some of them likely
will want this), then I would like to see appropriate diagnostics for the
local installer: Instead of stopping service announcements (registrar and
proxy), I would then love to see the service announcements with some
"service status" flag/field. For example "off hours" or the like.

Workflow: Device to be enrolled has single color LED. You connect it (west
coast) to the network, and it would indicate "off hours" through e.g.:
repeating three short blinks. This validates that network connectivity
works, and that enrolment will proceed once someone switches "BRSKI on"
(next morning).

Does that make sense ?

> Maybe such practical security related solutions are already described in other documents e.g. 6TiSCH joining or GRASP documents but unfortunately I didn't read enough of those documents to know this. If so we can also refer to it as security consideration.
> For a mesh network, avoiding an outsider to be able to "load" the mesh links with random data is especially important.

Indeed. Hopefully the #state and rate limiters proposed above would be
sufficient to get past this point ?

Cheers
    Toerless

>
> Regards
> Esko
>
> -----Original Message-----
> From: Michael Richardson <mcr@sandelman.ca>
> Sent: Wednesday, September 21, 2022 12:31
> To: Esko Dijk <esko.dijk@iotconsultancy.nl>
> Cc: Anima WG <anima@ietf.org>; anima-chairs@ietf.org; stokcons <stokcons@bbhmail.nl>
> Subject: Re: [Anima] 2nd WGLC for draft-ietf-anima-constrained-join-proxy-12, ends September 20th 2022
>
> Okay, thank you. I'll crunch through your comments on Friday.

--
---
tte@cs.fau.de
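The two limiters discussed in the message above, as an added illustration that is not part of the thread or of the draft: the stateful proxy's mapping-state caps (2 per IP_p%IF, 10 per interface, with a refusal standing in for the ICMP reply) and a token-bucket byte limiter for the stateless proxy at a configurable fraction of the uplink bitrate. The class and function names, the `wpan0` interface name and the fake `fe80::` source addresses are constructed for the example.

```python
from collections import defaultdict

# Limits from the proposed text above: 2 mapping states per IP_p%IF, 10 per interface.
PER_PLEDGE_LIMIT = 2
PER_INTERFACE_LIMIT = 10

class MappingStateTable:
    """Admission control for a stateful join proxy's per-pledge mapping states."""
    def __init__(self, per_pledge=PER_PLEDGE_LIMIT, per_if=PER_INTERFACE_LIMIT):
        self.per_pledge, self.per_if = per_pledge, per_if
        self.states = set()                 # (pledge_ip, ifname, pledge_port)
        self.by_pledge = defaultdict(int)   # (pledge_ip, ifname) -> #states
        self.by_if = defaultdict(int)       # ifname -> #states

    def admit(self, pledge_ip, ifname, pledge_port):
        """True if a state exists or was created; False means: drop the packet
        and answer ICMP Destination Unreachable, code 1 (admin. prohibited)."""
        key = (pledge_ip, ifname, pledge_port)
        if key in self.states:
            return True                     # existing flow, no new state needed
        if (self.by_pledge[(pledge_ip, ifname)] >= self.per_pledge
                or self.by_if[ifname] >= self.per_if):
            return False
        self.states.add(key)
        self.by_pledge[(pledge_ip, ifname)] += 1
        self.by_if[ifname] += 1
        return True

class ByteRateLimiter:
    """Token bucket for the stateless proxy: relay at most `fraction` of the
    uplink bitrate (the message floats 1%). Caller supplies the clock `now`."""
    def __init__(self, uplink_bps, fraction=0.01, burst_s=1.0):
        self.rate = uplink_bps * fraction / 8.0       # relay budget in bytes/s
        self.capacity = self.tokens = self.rate * burst_s
        self.last = 0.0

    def allow(self, nbytes, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes > self.tokens:
            return False                    # over budget: drop, do not relay
        self.tokens -= nbytes
        return True

def flood_admitted(n_addrs, flows_per_addr, ifname="wpan0"):
    """Constructed flood: n_addrs fake link-local sources on one interface,
    each opening flows_per_addr flows; returns how many states get admitted."""
    table = MappingStateTable()
    return sum(table.admit(f"fe80::{a:x}", ifname, 5000 + p)
               for a in range(n_addrs) for p in range(flows_per_addr))
```

A flood from many spoofed link-local addresses on one interface is capped by the per-interface limit, while a single misbehaving pledge hits the per-IP_p%IF limit first.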