Re: [babel] Benjamin Kaduk's Discuss on draft-ietf-babel-dtls-07: (with DISCUSS and COMMENT)
David Schinazi <dschinazi.ietf@gmail.com> Fri, 09 August 2019 23:40 UTC
Return-Path: <dschinazi.ietf@gmail.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E812A12027A; Fri, 9 Aug 2019 16:40:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pUrHSC8O_qTO; Fri, 9 Aug 2019 16:40:06 -0700 (PDT)
Received: from mail-lj1-x244.google.com (mail-lj1-x244.google.com [IPv6:2a00:1450:4864:20::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7D011201AA; Fri, 9 Aug 2019 16:40:05 -0700 (PDT)
Received: by mail-lj1-x244.google.com with SMTP id x4so1378312ljj.6; Fri, 09 Aug 2019 16:40:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=IrvZKzYts+a1qHmN05xVbdmLnY06TGVbLXAhw/tzjG4=; b=bTQRbY+3otYQetJPOUCPG6R6jO+kbVPOpka6+h6+/1qpC1xRLCm3EKXQkXX/lQ+F6W e+hH78SbO49CCzeYgFl2N+zwKa8L5HQTmPB0CDwRGs+IWtZuk1bm+hfW7YxLGhkHfupX Hw1JNdCli1sUiM8v7Lvz7kE9QTAHkN3l9XFsNEsowAQsxsC7mhXnE5gB8Im/D6xGwEm9 yN62otILLuaqdRKDGmE/h/MpyurSbL1ynPWWzOH/Q44spb/0f/mSOAPWCSlFjL+a+Fle tTRTH0QYC1SKz4ntDmW6UXcHfx15h2MDxIrR92Rtx9SMb1XJgmKo4mAW4XJ1Jl7j3U/H C8Vg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IrvZKzYts+a1qHmN05xVbdmLnY06TGVbLXAhw/tzjG4=; b=ab3R4YmhrPvjoWlFF7S42U1qg8KtMefaXvPpWkEV7ph8AsjUk7ByN7FQPtY8yZwRID jDuTJKdntpU0822rOgd0gRzXcU/e9Hvul8ByVZluKZ7cIeY1jfuJ3YAzSIuVOFYssZIQ 2qZ1o1bCDb4pBKZtl+jnvjy113KmpVaPeoFSMmr5qhz7KuhcHpuEoL+HbR0jURuNlOGq kNth8YLJ3vE6NL1wzTGQLDDwcpSD7w+ZyGevCB82bX4/6zvMdcW0l5BZEewtjg4n+jHS 2tzLXweaWyYzuX/40rhiSQ666JPR7ortEzlXpwqpiPdw3ztaC9CeC1I6gJ7CRSfMvjCN oZ5A==
X-Gm-Message-State: APjAAAXE4BPM6PHWtmY9KK2kAUbTRWdpwXAq5AxTm1BBrhCyZ6FboNeT UDOwJLp+diFIeKoOM9U4zMD8ZgtqvMM42L7sI1M=
X-Google-Smtp-Source: APXvYqy9bHIjdRK4sAGtRuxgUcI+MUpHOxe1LQdKbnKo9eRJTvJOdiZYArO88a7DF1wPn5CjBbh2Or/w9L2+UVihAh0=
X-Received: by 2002:a2e:7f05:: with SMTP id a5mr12722603ljd.190.1565394003872; Fri, 09 Aug 2019 16:40:03 -0700 (PDT)
MIME-Version: 1.0
References: <156521337799.8333.13258734665763149206.idtracker@ietfa.amsl.com> <CAPDSy+7ySSn2zGLwd0qsq-FzOHgBbZWmJSBatgBBn6D2TFK00A@mail.gmail.com>
In-Reply-To: <CAPDSy+7ySSn2zGLwd0qsq-FzOHgBbZWmJSBatgBBn6D2TFK00A@mail.gmail.com>
From: David Schinazi <dschinazi.ietf@gmail.com>
Date: Fri, 09 Aug 2019 16:39:52 -0700
Message-ID: <CAPDSy+5KNCUCxiQ54PXWeg9YxneUrKGePs9zqO8g8eeoQrLWuA@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, draft-ietf-babel-dtls@ietf.org, Donald Eastlake <d3e3e3@gmail.com>, babel-chairs <babel-chairs@ietf.org>, Babel at IETF <babel@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000088d304058fb7b102"
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/5172Xs3Z093RqChcQB41YYeCv7c>
Subject: Re: [babel] Benjamin Kaduk's Discuss on draft-ietf-babel-dtls-07: (with DISCUSS and COMMENT)
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Aug 2019 23:40:16 -0000
We've now submitted -08 which contains the changes discussed below. Thanks, David On Fri, Aug 9, 2019 at 2:21 PM David Schinazi <dschinazi.ietf@gmail.com> wrote: > Thanks for your review Ben! We've incorporated your comments into our > working copy <https://github.com/jech/babel-drafts> and we'll publish > a revised draft shortly. Detailed responses inline. > > Thanks, > David > > > On Wed, Aug 7, 2019 at 2:29 PM Benjamin Kaduk via Datatracker < > noreply@ietf.org> wrote: > >> ---------------------------------------------------------------------- >> DISCUSS: >> ---------------------------------------------------------------------- >> >> I support Roman's Discuss point (1) (and basically cover the same as his >> (2) below). >> >> Let's have a discussion about (DTLS) identity. >> Section 2.1 says that we use mutual authentication and that >> implementations "MUST support authenticating peers against a local store >> of credentials"; also that "if a node receives a new DTLS connection >> from a neighbour to whom it already has a connection, the node MUST NOT >> discard the older connection until it has completed the handshake of the >> new one and validated the identity of the peer". But how does this >> authentication occur, and what constitutes the identity of the peer. We >> will frequently have (D)TLS consumers cite RFC 6125 and say that (e.g.) >> DNS-ID or SRV-ID must match the name obtained in some fashion. But for >> Babel, we are authenticating routers -- router identity is usually in >> the form of just an IP address on a loopback interface! Are we expected >> to get certificates that certify IP addresses as identity, or use some >> sort of PSK or password-based TLS authentication? (The last two are not >> really compatible with the "MUST send a CertificateRequest", BTW.) Raw >> public keys? I think we can give a more clear picture of how to build a >> secure system. >> > > Our intent in this document was to leave the complex question of identity > to deployment profiles. For example, the homenet working group is > interested > in potentially using Babel over DTLS to protect routing inside the home. > The idea there being that each router you buy has an identity, and then > there > would be some process to let your existing routers know about the new > router you just bought. However, homenet has not yet solved how to do this. > They may choose to use self-signed certificates and develop a provisioning > mechanism to share them. They could also decide to use raw keys. Our > goal with the present draft is to define how one runs Babel over DTLS. > I imagine that if homenet decides to use Babel over DTLS, they'll publish > another document explaining how to manage identities. > > I would prefer not having this document be too prescriptive with regards > to identities, because that could prevent some deployment profiles. > But I'm happy to add guidance for writers of deployment profiles. Do you > have thoughts on what such guidance would look like? > > That said I've removed the mention of CertificateRequest since as you > pointed out that's too restrictive. > > Relatedly, once DTLS authenticates an identity, what level of >> authorization checks are performed? Are we still in a single >> authorization domain, where any router that authenticates as being part >> of a given domain is implictily authorized to be a babel peer and convey >> any and all routing information? >> > > It's a single authentication domain. We've added text in the document to > clarify that. > > >> We should also give some guidance on ciphers and algorithms where we >> discuss the DTLS details (BCP 195 is probably the safest bet here, even >> if it's a little in need of an update). >> > > We have a reference to BCP195, did you have anything else in mind? > > >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> Section 1.2 >> >> The protocol described in this document protects Babel packets with >> DTLS. As such, it inherits the features offered by DTLS, notably >> authentication, integrity, replay protection, confidentiality and >> asymmetric keying. It is therefore expected to be applicable in a >> >> replay protection is not an inherent feature of DTLS, so I suggest >> "optional replay protection" to emphasize that an implementation of >> babel may need to explicitly configure it. >> > > We already have this text in section 2.1: > Nodes MUST use DTLS replay protection to prevent attackers > from replaying stale information. > Is there something we should add to that? > > >> There exists another mechanism for securing Babel, namely Babel HMAC >> authentication [BABEL-HMAC]. HMAC only offers basic features, namely >> authentication, integrity and replay protection with a small number >> of symmetric keys. A comparison of Babel security mechanisms and >> >> Even the authentication is limited, as it is group authentication, not >> true per-entity authentication. >> > > That is true. We've fleshed out the text in RFC6126bis that compares both > mechanisms. > > >> Section 2.1 >> >> information last longer. If a node receives a new DTLS connection >> from a neighbour to whom it already has a connection, the node MUST >> NOT discard the older connection until it has completed the handshake >> of the new one and validated the identity of the peer. >> >> (Does the validated identity of the peer have to match the one from the >> previous handshake?) >> > > It doesn't. Conceptually there is a single security domain so as long as > the credentials are valid you're free to stomp on previous connections > from other IPs. > > >> Section 2.3 >> >> I agree with the RtgDir reviewer that unprotected (multicast) Hellos are >> at risk of tampering by an attacker, who could drop them or modify the >> seqno/interval, for DoS purposes. >> I see the text about use of multicast Hellos for discovery and the >> acknowledgment that an out-of-band neighbor discovery mechanism may be >> available. Are there any such discovery mechanism under development? >> > > There aren't, at least not as standards. This text is there to accommodate > implementations/deployments that already have a non-standard out-of-band > discovery mechanism. > > >> Regardless, I think we should consider mandating/suggesting (to some >> strength; maybe SHOULD is enough) the use of protected unicast Hellos >> instead of just stating that nodes can either rely on multicast or send >> protected unicast Hellos. When unicast (protected) Hellos are in use, >> even tampering with multicast Hellos will not be enough to cause a DoS >> attack, since a node must be detected as down on both unicast and >> multicast to be considered gone. (Of course, a sufficiently powerful >> attacker can still just drop all traffic and cause DoS.) >> > > The issue here is that multicast and unicast don't behave the same way > at the link layer. We've found empirically that ETX is a great way to > assess wireless link quality but that requires sending hellos over > multicast. > https://tools.ietf.org/html/draft-ietf-babel-rfc6126bis-12#appendix-A.2.2 > That said, we added the following text to security considerations: > Babel over DTLS allows sending multicast Hellos unprotected; attackers > can > therefore tamper with them. For example, an attacker could send > erroneous > values for the Seqno and Interval fields, causing bidirectional > reachability detection to fail. While implementations MAY use > multicast Hellos > for link quality estimation, they SHOULD also emit protected unicast > Hellos to > prevent this class of denial-of-service attack. > > Section 2.4 >> >> Note that receiving an unprotected packet can still be used to >> discover new neighbours, even when all TLVs in that packet are >> silently ignored. >> >> Is this going to cause a lot of spurious DTLS handshake attempts if we >> ever end up with a babel-dtls implementation adjacent to a >> classic-babel-only implementation? Is there any rate limiting on that? >> > > Good point. We've added a "Simultaneous operation of both Babel over > DTLS and unprotected Babel on a Network" section containing: > If Babel over DTLS and unprotected Babel are both operated on the same > network, the Babel over DTLS implementation will receive unprotected > multicast > Hellos and attempt to initiate a DTLS connection. These connection > attempts > can be sent to nodes that only run unprotected Babel, who will not > respond. Babel over DTLS implementations SHOULD therefore rate-limit > their > DTLS connection attempts to avoid causing undue load on the network. > > >> Section 2.5 >> >> Do we want to talk about the potential consequences of an attacker >> arbitrarily delaying valid content (to justify the need for a timeout)? >> > > The section currently states: > This attack could be used to make a node believe it has bidirectional > reachability to a neighbour even though that neighbour has disconnected > from the network. > What more did you have in mind? > > >> Section 2.6 >> >> A node MAY allow configuration options to allow unprotected Babel on >> some interfaces but not others; this effectively gives nodes on that >> interface the same access as authenticated nodes, and SHOULD NOT be >> done unless that interface has a mechanism to authenticate nodes at a >> lower layer (e.g., IPsec). >> >> I'm unhappy that this SHOULD NOT is not a MUST NOT, but cannot quite >> justify making it a Discuss-level point. >> > > The rationale for the SHOULD was to allow deployments that we hadn't > thought of. I think the text makes it clear what will go wrong if you do > this. > > >> Section 3 >> >> IP, UDP and DTLS. Nodes MUST NOT send Babel packets larger than the >> attached interface's MTU adjusted for known lower-layer headers (at >> least UDP and IP) or 512 octets, whichever is larger, but not >> exceeding 2^16 - 1 adjusted for lower-layer headers. Every Babel >> speaker MUST be able to receive packets that are as large as any >> >> Aren't these requirements just duplicating what's in 6126bis? We >> probably don't need to repeat the normative language, at least, even if >> there's a desire to repeat the content. >> > > These requirements mimic the ones in 6126bis, but with the addition of DTLS > in the list of underlying layers that add overhead. This section > references the > appropriate section in 6126bis so readers can compare them if need be. > > >> Note that distinct DTLS connections can use different ciphers, which >> can have different amounts of overhead per packet. Therefore, the >> >> nit: I think the intention here was "per-packet overhead", though the >> statement is true as currently written (due to variable length padding >> for block ciphers). >> > > I'm not sure I understand, are you saying there is a difference between > the terms "overhead per packet" and "per-packet overhead" ? > > >> Section 5 >> >> The RFC 7525 ref is probably better spelled as BCP 195, and arguably >> moved earlier in the text (i.e., where I mentioned it previously). >> > > Done. > > >> A malicious client might attempt to perform a high number of DTLS >> handshakes with a server. As the clients are not uniquely identified >> by the protocol and can be obfuscated with IPv6 temporary addresses, >> a server needs to mitigate the impact of such an attack. Such >> >> nit: they're not uniquely identified by the protocol *until the >> handshake completes* -- our requirement for mutual authentication will >> cause all valid clients to be identified. However, the DoS risk does >> not require the client to let the handshake complete, so the core >> statement here remains valid. It may also be worth mentioning >> "Slowloris"-style attacks that keep handshake state active for as long >> as possible to increase resource consumption. >> > > Agreed. Added "until the handshake completes" and reference to Slowloris. > > Section 6.2 >> >> DTLS-CID needs to be normative if it is a MAY-level feature. (See >> https://www6.ietf.org/iesg/statement/normative-informative.html .) >> > > I've replaced "MAY" with "could" and kept this informative. DTLS-CID > is not an optional feature of Babel over DTLS, it's just an informative > pointer to a DTLS feature. (I don't want to make this normative as that > would create a blocking dependency on publication of that draft.) > > >> RFC 7525 (i.e., BCP 195) definitely needs to be normative, as a >> MUST-level requirement! >> > > Good catch, done. >
- [babel] Benjamin Kaduk's Discuss on draft-ietf-ba… Benjamin Kaduk via Datatracker
- Re: [babel] Benjamin Kaduk's Discuss on draft-iet… David Schinazi
- Re: [babel] Benjamin Kaduk's Discuss on draft-iet… David Schinazi
- Re: [babel] Benjamin Kaduk's Discuss on draft-iet… Benjamin Kaduk
- Re: [babel] Benjamin Kaduk's Discuss on draft-iet… David Schinazi