Re: [bess] Benjamin Kaduk's Discuss on draft-ietf-bess-datacenter-gateway-11: (with DISCUSS and COMMENT)

[Benjamin Kaduk <kaduk@mit.edu>]

Oops, this got set aside for much longer than planned (even with the
multiple reminders from the authors).
My humble apologies for the long delay and the need to be reminded.
In part it seems that I misremembered how complicated my concerns were and
thus was trying to allocate a larger chunk of time to reviewing the changes
than ended up being necessary, but that only accounts for a small part of
the delay.

Carrying on from where we left off, which is I suppose the best I can do at
this point...

On Wed, Jun 02, 2021 at 12:00:57PM +0100, Adrian Farrel wrote:
> Thanks for what you got to yesterday.
> 
> We can take this step by step.
> 
> [snip the Discuss]
> 
> >>    <t>Given that the gateways and ASBRs are connected by tunnels that may run across parts of the network that are not trusted, 
> >>         data center operators using the approach set out in this network SHOULD consider using gateway-to-gateway encryption to
> >
> > "SHOULD consider"?  We're not even bold enough to go with just SHOULD?
> 
> I find this aspect of IETF Security considerations hard. Maybe I have a philosophical problem.
> You might tell your child or another vulnerable person that they "SHOULD carry their money in a safe place". But with an adult one usually points out the risks and says that they "SHOULD consider carrying their money in a safe place."
> 
> >>    protect the data center traffic.  Additionally, due consideration SHOULD be given to encrypting end-to-end traffic as it
> >>    would be for any traffic that uses a public or untrusted network for transport.</t>
> >
> > I am thinking that I might be in a similar situation as Warren: my
> > recollection from when we processed 8402 is that nodes remotely connected
> > to each other would be using secure tunnels that provide at least as much
> > protection as the "secure physical network" within the local domain. 
> 
> I really don't want to be painted as someone who supports every word of 8402, but...
> 
> The essence of 8402 is that intervening transit nodes do not need to be tunnelled past.
> 
> Consider, for example, how SRv6 packets may be forwarded across regular IPv6 (i.e., not SRv6-capable) routers. The sending SRv6 router sets the IPv6 destination address to the address of the receiving SRv6 router, updates the SRH (which is just an IPv6 extension header), and forwards the packet. The transit routers simply forward the packet as an IPv6 packet without even being aware that there is an SRH present. Only when the packet arrives at the receiving SRv6 router (which sees itself in the IPv6 destination field) is SRv6 actioned. Thus, there may be a "logical tunnel" between remotely connected SRv6 nodes, but there is no tunnelling technology used. Thus, the protection is weaker than in a secure physical network.
> 
> Now, you and I might argue that this gives a strong incentive to use a secure tunnelling technology between remotely connected SR nodes. That is, however, hard for the sender to enforce for remote (sic) remotely connected nodes. Hence the consideration of GW-to-GW encryption. 
> 
> The proponents of 8402 might argue that SR is a forwarding technology and so it is no different to IP: it is up to the applications to decide whether the underlying network is safe. Thus, if a service provider decides to use SR inside their network, it has no additional security considerations over the same provider using IP inside their network.

That's fair, and thank you for writing it out.
(You and I might also argue that there is strong incentive to use a secure
tunnelling technology between remotely connected nodes even when non-SR IP
is in use...)

> > With
> > that background, I would have gone with MUSTs here, but I am not at the
> > moment finding much in 8402 to strongly support that as a requirement.
> 
> Well, I could go with "MUST consider" and "consideration MUST be given". That directs thought, but not action.

Right.


And as this is the end of the DISCUSS section, I'll note that the text in
the -12 does resolve my listed concerns; thank you!

> >>> COMMENT:
> >>> ----------------------------------------------------------------
> >>>
> >>> The Abstract is perhaps pushing the bounds of reasonable length for an abstract. 
> >> 
> >> The Style Guide recommends 25 lines or fewer. We have 18 lines of text.
> >
> > Er, which style guide?  I'm not seeing much in RFC 7322 ... and
> > https://www.rfc-editor.org/policy.html#policy.abstract (which admittedly
> > does say it has been replaced by https://www.rfc-editor.org/styleguide/)
> > puts the cap at 20, with 5-10 being "typical".
> 
> Oh, I apologise. 
> Either my memory is faulty or this section has been updated over the last twenty years.
> Anyway, "cap at 20" tells us what to do.
> 
> [snip]
> 
> >> NEW
> >>    Data centers are attached to the Internet or a backbone network by
> >>    gateway routers.  One data center typically has more than one gateway
> >>    for commercial, load balancing, and resiliency reasons.  Other sites,
> >>    such as access networks, also need to be connected across backbone
> >>    networks through gateways.
> >> 
> >>    This document defines a mechanism using the BGP Tunnel Encapsulation
> >>    attribute to allow data center gateway routers to advertise routes to the 
> >>    prefixes reachable in the site, including advertising them on behalf of 
> >>    other gateways at the same site.  This allows segment routing to be used
> >>    to identify multiple paths across the Internet or backbone network 
> >>    between different gateways.  The paths can be selected for load-balancing,
> >>    resilience, and quality purposes.   
> >> END
> >
> > Thanks, this is an improvement over the OLD version.
> 
> And only 12 lines 😊
> 
> >>> Section 1
> >>>
> >>>   The solution described in this document is agnostic as to whether the
> >>>   transit ASes do or do not have SR capabilities.  the solution uses SR
> >>>   to stitch together path segments between GWs and through the ASBRs.
> >>>   Thus, there is a requirement that the GWs and ASBRs are SR-capable.
> >>>   The solution supports the SR path being extended into the ingress and
> >>>   egress sites if they are SR-capable.
> >>>
> >>> There seem to be some nodes marked "ASBR" that are at the boundary 
> >>> between the two transit ASes, in Figure 1.  This text leaves me uncertain
> >>> whether they are expected to support SR (vs just the ASBRs that are 
> >>> attachment points for the ingress/egress GWs).
> >> 
> >> Whether the interior nodes of the transit ASes support SRs doesn't really
> >> matter to us. The GWs and ASBRs are interconnected by tunnels as
> >> represented by links in the BGP-LS instance. SR is used to stitch these 
> >> tunnels together to create an end-to-end path between an ingress site
> >> and an egress site. Thus, the GWs and ASBRs must be SR capable in order
> >> to participate.
> >
> > I think we should say something about how the ASBRs that are "abstracted
> > away" by the tunnel are not relevant, since otherwise just saying "ASBR"
> > would seem to include them.  (They are listed in the figure as ASBRs, after
> > all.)
> 
> The tunnels are not GW to GW, they are ASBR to ASBR. So there is a concatenation of tunnels between the GWs.
> 
> It is possible that a tunnel might span several ASes, but that would be unusual: at the network layer ASes tend to terminate and restart tunnels.
> 
> I don't see anything in the document that talks about "abstracting away" ASBRs. If there is something I've missed then we should fix it.
> 
> You may find draft-spring-farrel-sr-domain-interconnect helpful to see how the SR SID list can be constructed to make all this work.
> 
> The challenge here, I think, is that this is supposed to be a short document that describes the BGP extensions, not a whole cookbook.

I think I have finally managed to get what is going on here through my
thick skull.  Thank you for your patience while I did so; I now think the
current text is fine as-is.

> >>> Section 3
> >>>
> >>>   o  Each GW is configured with an identifier for the site.  That
> >>>      identifier MUST be the same across all GWs to the site (i.e., the
> >>>      same identifier is used by all GWs to the same site), and MUST be
> >>>      unique across all sites that are connected (i.e., across all GWs
> >>>      to all sites that are interconnected).
> >>>
> >>> The advice in draft-gont-numeric-ids-sec-considerations is probably 
> >>> relevant here.  How should we pick these identifiers?  Which properties
> >>> are necessary and which are not needed? 
> >> 
> >> This bullet needs to be taken along with the bullet that follows, viz.
> >> 
> >>    o  A route target ([RFC4360]) MUST be attached to each GW's auto-
> >>       discovery route (defined below) and its value MUST be set to the
> >>       site identifier.
> >> 
> >> We will re-jig these two bullets to say...
> >> 
> >>    o  A route target ([RFC4360]) MUST be attached to each GW's auto-
> >>       discovery route (defined below) and its value MUST be set to a 
> >>       value that identifies the site identifier.  The rules for constructing
> >
> > (nit) "identifies the site identifier" is probably one too many "identifie"s
> 
> Ack. "indicated the site identifier"
> 
> >>       a route target are detailed in [RFC4360].  It is RECOMMENDED that
> >>       a Type x00 or x02 route target be used.
> >> 
> >>    o Site identifiers are set through configuration.  The site identifiers 
> >>       MUST be the same across all GWs to the site (i.e., the same
> >>       identifier is used by all GWs to the same site), and MUST be
> >>       unique across all sites that are connected (i.e., across all GWs
> >>       to all sites that are interconnected).
> >
> > This helps, but I still wonder if we can give some guidance to the operator
> > on how to choose the value of the (configured) site identifier.  If
> > everyone decides to label their sites as consecutive integers starting at
> > one, for example, that is likely to end in sadness later on.
> 
> You are asking us to give guidance on how to set route target values.
> 4360 says...
>    When the value of the high-order octet of the Type field is 0x00 or
>    0x02, the Local Administrator sub-field contains a number from a
>    numbering space that is administered by the organization to which the
>    Autonomous System number carried in the Global Administrator sub-
>    field has been assigned by an appropriate authority.
> 
>    When the value of the high-order octet of the Type field is 0x01, the
>    Local Administrator sub-field contains a number from a numbering
>    space that is administered by the organization to which the IP
>    address carried in the Global Administrator sub-field has been
>    assigned by an appropriate authority.
> ...This is carefully set up so that clashes of RT value can only arise from misconfiguration within an administration.
> We are recommending using type 0 or 2, so that the RT is scoped by AS and easily administered by the AS operator. 

What's in the -12 (which I think is basically what's quoted here) works
well.

The below stuff all sounds good, too; thanks for all the responses and
updates.

Now to go finish up going through the rest of your initial reply, which
should have been done a month or two ago :(

-Ben

> >>> o  Each GW MUST construct an import filtering rule to import any
> >>>      route that carries a route target with the same site identifier
> >>>      that the GW itself uses.  This means that only these GWs will
> >>>      import those routes, and that all GWs to the same site will import
> >>>      each other's routes and will learn (auto-discover) the current set
> >>>      of active GWs for the site.
> >>>
> >>> This seems pretty fragile in the face of identifier collisions; I hope there
> >>> is some good text in the security considerations that covers the risks here.
> >>> [ed. it seems we cover other aspects relating to identifier selection but not
> >>> this one] Is there any filtering that can be done other than by site identifier,
> >>> e.g., to know that a certain peer would never be able to advertise something
> >>> that validly has the same site identifier?
> >> 
> >> This mechanism to control the importing of routes (using route targets) has
> >> been in use in BGP networks for a while (more than 15 years since RFC 4360).
> >> 
> >> One of the big uses for route targets is in identifying which sites belong to the
> >> same VPN (see RFC 4364). There is the potential to misconfigure the route
> >> target used to identify a set of VPN sites by giving one site the wrong value.
> >> That would mean that it:
> >> - fails to import the relevant routes
> >> - doesn't get its routes imported by its peers
> >> - may accidentally import false routes
> >> - may accidentally have its routes imported by other sites in different VPNs
> >> That is all "bad stuff" and 4364 contains no mechanisms to handle what happens
> >> if there is a misconfiguration (it's not an attack vector unless BGP or a router is
> >> compromised - in which case far worse stuff happens). Basically, if you mess up
> >> the configuration, expect the unexpected.
> >
> > Agreed, this is all "bad stuff", and the latter two are more what I had in
> > mind when I wrote the comment.  It's part of my job to wonder about the
> > potential scope of fallout if BGP or a router is compromised, even if we
> > expect that to not actually happen much in practice :)
> 
> I don't make any claims about whether a BGP router might be compromised. But I do say that if it is, then some really bad stuff will happen, not just some site traffic being misdelivered.
> Perhaps we should spend more time worrying about compromised routers - it's not a new discussion! 
> 
> We seem to have survived the possibility of VPN misconfiguration for a number of years. There may be some work that could be done to "autodetect" such misconfiguration.
> 
> [snip]
> 
> >>>   As described in Section 1, each GW will include a Tunnel
> >>>   Encapsulation attribute with the GW encapsulation information for
> >>>   each of the site's active GWs (including itself) in every route
> >>>   advertised externally to that site.  [...]
> >>>
> >>> (I assume this is not intended to preclude the usual route filtering/split-
> >>> horizon type stuff.)
> >> 
> >> Definitely doesn't preclude it. In fact that rule remains key to the way 
> >> GWs behave - they don't re-advertise routes they have learned from
> >> other GWs. But (of course) all the GWs to a site advertise the same
> >> routes. 
> >
> > I had to read this twice just to make sure I'm picking up on the details:
> > the GWs of a site do *not* advertise the *routes* they learn from each
> > other; the only re-advertising is of GW encapsulation information.
> > I assume that John has covered the case of intra-site connectivity issues
> > whereby this could entail a site advertising a route with encapsulation
> > information that couldn't actually get to that prefix, and will not think
> > about it further.
> 
> Yes, that was part of the discussion with John.
> 
> Thanks,
> Adrian
>