Re: [bess] Roman Danyliw's Discuss on draft-ietf-bess-datacenter-gateway-10: (with DISCUSS and COMMENT)
Adrian Farrel <adrian@olddog.co.uk> Fri, 28 May 2021 21:25 UTC
Return-Path: <adrian@olddog.co.uk>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9480F3A3640; Fri, 28 May 2021 14:25:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6uEIOALYzUXy; Fri, 28 May 2021 14:25:30 -0700 (PDT)
Received: from mta7.iomartmail.com (mta7.iomartmail.com [62.128.193.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9079D3A363A; Fri, 28 May 2021 14:25:28 -0700 (PDT)
Received: from vs4.iomartmail.com (vs4.iomartmail.com [10.12.10.122]) by mta7.iomartmail.com (8.14.4/8.14.4) with ESMTP id 14SLPLf1012500; Fri, 28 May 2021 22:25:21 +0100
Received: from vs4.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 691174604C; Fri, 28 May 2021 22:25:21 +0100 (BST)
Received: from vs4.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 4F1FE4604B; Fri, 28 May 2021 22:25:21 +0100 (BST)
Received: from asmtp3.iomartmail.com (unknown [10.12.10.224]) by vs4.iomartmail.com (Postfix) with ESMTPS; Fri, 28 May 2021 22:25:21 +0100 (BST)
Received: from LAPTOPK7AS653V ([84.93.2.147]) (authenticated bits=0) by asmtp3.iomartmail.com (8.14.4/8.14.4) with ESMTP id 14SLPJNE031403 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 28 May 2021 22:25:19 +0100
Reply-To: adrian@olddog.co.uk
From: Adrian Farrel <adrian@olddog.co.uk>
To: adrian@olddog.co.uk, 'Roman Danyliw' <rdd@cert.org>, 'The IESG' <iesg@ietf.org>
Cc: draft-ietf-bess-datacenter-gateway@ietf.org, bess-chairs@ietf.org, bess@ietf.org, 'Matthew Bocci' <matthew.bocci@nokia.com>
References: <162145456955.28529.8072971663484949985@ietfa.amsl.com> <04f501d74cf2$820e70a0$862b51e0$@olddog.co.uk>
In-Reply-To: <04f501d74cf2$820e70a0$862b51e0$@olddog.co.uk>
Date: Fri, 28 May 2021 22:25:19 +0100
Organization: Old Dog Consulting
Message-ID: <02a301d75407$f70d30a0$e52791e0$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQKM7RiB33YvIfE6qBqqq4p2fEzRjgIBq5akqX4kcoA=
Content-Language: en-gb
X-Originating-IP: 84.93.2.147
X-Thinkmail-Auth: adrian@olddog.co.uk
X-TM-AS-GCONF: 00
X-TM-AS-Product-Ver: IMSVA-9.1.0.2034-8.6.0.1017-26186.003
X-TM-AS-Result: No--18.514-10.0-31-10
X-imss-scan-details: No--18.514-10.0-31-10
X-TMASE-Version: IMSVA-9.1.0.2034-8.6.1017-26186.003
X-TMASE-Result: 10--18.514000-10.000000
X-TMASE-MatchedRID: yebcs53SkkDxIbpQ8BhdbIVMtEwAWsdcWaKvOaBFthTxiuLXNGbfqAVM 9kPsaYx46WKaWsN/2KtrcqARJF0SDALVKd9+SfprLXqeYLb/NKr5qGeseGYAlPz8/tFdCtAAhm6 h8PqvGs6aJfo0dDvh7ohJUX5c5pgUQgqc6IJEGNBZMZ6MZ0H1UoIWSprjdsebsR73pvMuk69uEW auQb36M8+Df4TN8IMw/2slwbHvkAZAeNM98bIejGpno6KlGnd6abYs3kh9rOvG6KjwOvvPJB1Gp r+gjMUYyR4vuIAZpDJiolrizjubb1cQX8v9FvpJqYbcxZiaPqJMkOX0Uoduuf2ZU/fHYSOZ4qJy hpxKH/2gAf82rrv132LFVA4AlWOfQiPGO2IbLAbo5fsYXP0fUPNkoMDX+kiuK4YqHgCSopX93/6 7jEnCkdDaNZpK9gNYXXdVbuABHZR6b2PdxZQa8KJVTu7sjgg1RI5KsZYqrTgM74Nf6tTB9sAGpP rzIdGXrOOppPTYnnjdwGqnn8NgLChL+0wtRVj1no3qNdYltDe36rOEul8OH59xUnxwvxk7dGaJM mPvEyw8pFPqy0o9i3J8+GFti29t5ZDQBqP32VqBHa1GVWRIc536VxirDiI/a0TOsL14A2my58Z+ 3TejVoUHLvxFN01VBXWbGCrDv7BwyAmzxb7Z055yABJz6moFBePf1P4ER8DWeQtrcncLfUbWfpH 9ixpZGJHE/NlKoGTpAl7gzmbsCoUQYZaXGU/5zLo88rvlvYEU/rbDiDYaoyGD+Fp3vZHUkTTjaQ xxq6geGFujsWTAi/RYCTlQ6m1aDTtJ9doVsvaeAiCmPx4NwNp/U3XwL5kCsOzOncrmCoOOhzOa6 g8KrZnPTVvnZLkE2CN3y5PBFVjGXbAcI0Dp8COdaMAFjEHBhlqnSBLag6I=
X-TMASE-SNAP-Result: 1.821001.0001-0-1-12:0,22:0,33:0,34:0-0
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/fAfn2oLvntg70W4CZJguDMBjerU>
Subject: Re: [bess] Roman Danyliw's Discuss on draft-ietf-bess-datacenter-gateway-10: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 May 2021 21:25:35 -0000
Hi again Roman, Just a couple of additional comments in line. Hoping to find a way forward. Thanks, Adrian >> DISCUSS: >> ------------------------------------------------------------------ >> >> RFC8402 tells us: >> >> (a)“Segment Routing domain (SR domain): the set of nodes participating >> in the source-based routing model … >> >> (a.1) “These nodes may be connected to the same physical infrastructure >> (e.g., a Service Provider's network).” >> >> (a.2) “They may as well be remotely connected to each other (e.g., an >> enterprise VPN or an overlay).” >> >> (b) “By default, SR operates within a trusted domain. Traffic MUST be >> filtered at the domain boundaries.” >> >> My understanding of this document is that it is an enabling capability >> to help establish SR domains of the like described in (a.2). What I see >> missing is text that provides the confidence suggested by the language >> of “trusted domain” in (b). > > So, recalibrating to the whole "we meant site when we said domain" > thing in many of the conversations with other ADs... Note that -11 has moved over to the "site" terminology. I believe this substantially helps clarify the contrast between an 8402 "SR domain" (the collection of all participating SR nodes), and "site" (the end networks akin to VPN sites). > You're right. This document provides a mechanism for connecting participating > nodes that are remote. > > I never understood, "By default, SR operates within a trusted domain." To me > that reads like, "If you want to, you can configure your domain to be untrusted" > as if that is something someone might choose to do when they have the option > of a trusted domain. But I digress! > > I am not sufficiently a security expert to know what language would provide > confidence. And, actually, I'm not quite sure what the question is. Are you > asking "What stops a rogue gateway advertising itself, effectively impersonating > a site in the SR domain?" So, please look at the Security considerations section in -11. But also have a skim of the response to Ben just sent. I think this may also help with your Discuss because it adds some clarity on trusted domains. In particular, the domains (ASes) between GWs and ASBRs are tunnels, and encryption can be run over tunnels. Further, GW-to-GW encryption can be used. And, lastly, end-to-end encryption can be used. > To continue... > >> -- Section 1 hints at various VPN technologies perhaps being used “The various >> ASes that provide connectivity between the Ingress and Egress Domains could >> each be constructed differently and use different technologies such as IP, MPLS >> with global table routing native BGP to the edge, MPLS IP VPN, SR-MPLS IP VPN, >> or SRv6 IP VPN.” However, the security properties of all of those aren’t clear >> to a degree that would seem consistent with being a “trusted domain”. For >> example, saying “IP” might suggest that naked IP packets with SR headers (with >> no additional security primitives) could be dropped onto the open Internet, or >> at least through networks not under the control the “data centers” use case >> suggested by the name of the document. > > I would have thought the security properties of the routing protocol (in this case > BGP) more important than the properties of the core network data plane protocols. As above: tunnels and encryption. But... > I wonder whether there is a misconception of the applicability of SR in the wider > Internet, and the definition of "SR domain" from 8402. For example, in SRv6, the > SR nodes may form part of a trusted domain, but the packets are just IP packets > that happen to carry an SRH, so the packets can be (and are!) forwarded through > a native IP network. This is a form of tunnelling (because the SRH is not examined > except at the addressed destination), but the packets are "out there". > > But back to the VPN model. The VPN sites may run a proprietary protocol that > could be considered dangerous if released to the Internet. The VPN sites form > a trusted domain because they will not leak that protocol into the Internet. > However, the VPN shares packets across the Internet by tunnelling them. The > VPN can be supported by a whole host of tunnelling protocols (MPLS, IPsec, > GRE, IP-in-IP, etc.). All of these tunnelling mechanisms rely on: > - the integrity of the tunnels > - the security of the routing protocol used to determine the tunnel end points > - the security of the signaling protocols used to establish the tunnels > - the security of the routing protocols used to determine the site membership > But the core network does not form part of the trust domain. > > Except! In a multi-AS case, the ASBRs are tunnel end points (or tunnel stitching > points) and do participate in the trust model. > > Now I have to ask: in what way is what we are suggesting different from the > multi-AS VPN trust model? > >> -- The discussion at >> https://mailarchive.ietf.org/arch/msg/bess/zY783PgnXSCp6GNSRF4kY0diLYs/ around >> the forwarding plane trust model is also informative. It is noted that that >> the “transit nodes of the AS are not part of the domain.” I could agree, but >> only to the degree that the SR packets are tunneled in such as way that >> suggested a trusted domain at least of equal security as (a.1). > > So, a tunnel is not as secure as a physical link. Indeed, a router is not as secure > as a physical link. Yet we route traffic and use tunnels. > > I am obviously not seeing the problem! > > How do networks stop traffic from being injected into tunnels? Largely speaking, > they do it by noting that traffic from outside the network is not allowed to enter > the network using tunnel addresses (or encapsulations). Why is what we are > describing any different from any type of tunnelling technology? > > Or maybe "trusted domain" means an entirely different thing to you than it > meant to the authors of 8402 in the SR context where, I believe, they meant > "everyone in the domain is believed to be playing SR in the same way, and > that SR traffic will not be injected into the SR domain from outside." > >> I think language is needed to describe the normative security requirements of >> the tunnels that will be created on top of the routes enables by this work to >> substantiate the claim that at a “trusted domain” is being maintained. This >> has some overlap with John’s text about clarify the proposed trust model. > > This brings me back to the idea that a packet might be injected into the SR > domain from outside. To do this, a packet containing an SRH would have to > be introduced into one of the tunnels. Obviously a rogue router can always > introduce traffic, and this particular weakness is generally discarded because > a rogue router can do far worse things, and because end-to-end protections > are assumed to provide adequate protection. So we're left with packets being > somehow forwarded into the network in a way that they will be introduced > into the tunnel and appear to be genuine. > > There are three cases: > 1. The packet reaches a router in disguise, the outer encapsulation is stripped, > and the packet is forwarded onto the tunnel. As far as I am aware all > tunnelling technologies prohibit the concept of a "discovered interface." For > example, if an IP destination (a router) discovers that the payload of an IP > packet is an MPLS packet that it is not configured to expect, it will blow a > whistle and stamp its foot. > 2. The packet enters the network using the tunnelling encapsulation so that it > is routed into the tunnel. I believe that networks generally filter at the edges > for exactly this (just as the SR domain does). > 3. The packet is a native IP packet carrying an SRH and is routed into the > network to a destination that will process the SRH. But in this case, the > packet has come from outside the SR domain, so the packet will be filtered. > > I wish I could come up with a simple normative security requirement that would > satisfy you, but I lack the skill.
- [bess] Roman Danyliw's Discuss on draft-ietf-bess… Roman Danyliw via Datatracker
- Re: [bess] Roman Danyliw's Discuss on draft-ietf-… Adrian Farrel
- Re: [bess] Roman Danyliw's Discuss on draft-ietf-… Adrian Farrel
- Re: [bess] Roman Danyliw's Discuss on draft-ietf-… Roman Danyliw