Re: [bess] Mirja Kühlewind's Discuss on draft-ietf-bess-mvpn-expl-track-12: (with DISCUSS and COMMENT)

"Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net> Mon, 26 November 2018 14:05 UTC

Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: "Mirja Kuehlewind (IETF)" <ietf@kuehlewind.net>
In-Reply-To: <8de86550-39cd-8c4c-75ba-8e7a033fc907@juniper.net>
Date: Mon, 26 Nov 2018 15:03:34 +0100
Cc: The IESG <iesg@ietf.org>, "draft-ietf-bess-mvpn-expl-track@ietf.org" <draft-ietf-bess-mvpn-expl-track@ietf.org>, "bess-chairs@ietf.org" <bess-chairs@ietf.org>, "stephane.litkowski@orange.com" <stephane.litkowski@orange.com>, "bess@ietf.org" <bess@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <B680F2EC-7F28-4CC5-ABE6-4547B4BDD028@kuehlewind.net>
References: <154038410206.6927.15775732681687781010.idtracker@ietfa.amsl.com> <8de86550-39cd-8c4c-75ba-8e7a033fc907@juniper.net>
To: Eric Rosen <erosen@juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/frjZlhNLtBLftjiVhwSy8F2cark>
Subject: Re: [bess] Mirja Kühlewind's Discuss on draft-ietf-bess-mvpn-expl-track-12: (with DISCUSS and COMMENT)
Precedence: list

Hi Eric,

thanks for your detailed reply. Please see below.

> Am 15.11.2018 um 19:07 schrieb Eric Rosen <erosen@juniper.net>:
> 
> On 10/24/2018 8:28 AM, Mirja Kühlewind wrote:
>> ---------------------------------------------------------------------
>> DISCUSS:
>> ----------------------------------------------------------------------
>> 
>> In section 9 (security considerations):
>> Thanks for discussing network load here! However, I find this sentence a bit
>> unsatisfactory:
>>    „The specification of counter-measures for this problem is outside the scope
>>    of this document.“
>> Isn’t there any easy way to make some more recommendations for counter measures
>> that could be discussed here? E.g. implement some rate limiting or filtering.
>> Or only accept LIR-PF request from preconfigured hosts (given that LIR-PF
>> support must anyway be pre-configured)? I’m not an expert on this topic and
>> therefore don’t know if any of such recommendations make sense, however, I
>> would quickly like to discuss if it is potentially possible to say more than
>> what’s current said. Thanks!
> 
> These particular suggestions don't really work in this context.
> 
> - The set of Provider Edge routers (PEs) that attach to a given VPN is 
> always auto-discovered, never pre-configured.  That's an important part 
> of the L3VPN value proposition.   There are already mechanisms in place 
> to ensure that the S-PMSI A-D route gets sent only to the proper set of 
> egress PEs.  Also, a properly functioning egress PE will only respond 
> with a Leaf A-D route if it has already auto-discovered the ingress PE.  
> (You might want to question the security of the L3VPN mechanisms, but 
> that would certainly be outside the scope of this document .)
> 
> - Rate limiting the generation of Leaf A-D routes wouldn't work, because 
> the problem is not that one PE generates too many, but that too many PEs 
> may generate them.  Rate limiting the processing of received Leaf A-D 
> routes is also problematic.  In normal operation, you might correctly 
> get a whole bunch of them in quick succession, and if you don't process 
> them in a timely manner, the customers will see a high multicast "join 
> latency".
> 
> In the particular sort of attack mentioned in the Security 
> Considerations section, an ingress PE originates an S-PMSI A-D route 
> with LIR-pF clear, but somehow the bit gets set before the route is 
> received by the egress PEs.   As Alvaro has suggested, if an attacker 
> can modify the control messages, quite a bit of havoc can result, and 
> the particular attack under discussion is just one of many that can 
> occur if the control plane is not secure.  I can certainly put in a 
> reference to RFCS 6192 and 7454 (as Alvaro suggests), if you think that 
> is helpful.  Properly protecting the control plane should prevent this 
> kind of attack.

Okay, then I would simply suggest to say this ("Properly protecting the control plane should prevent this kind of attack“) instead of just calling it out of scope.

> 
> In the event such an attack occurs, mitigating it is unfortunately not 
> very straightforward.  The ingress node can take note of the fact that 
> it is getting Leaf A-D routes with LIR-pF set, in response to an S-PMSI 
> A-D route with LIR-pF clear.  Withdrawing the S-PMSI A-D route could put 
> a stop to the attack.  However, there are a few problems with this:
> 
> - Under normal operation, there are some race conditions that may cause 
> the ingress node to think it is being attacked, when in fact it is not.
> 
> - If some egress nodes have a bug that causes them to set LIR-pF when it 
> should be clear, withdrawing the S-PMSI A-D route will stop the flow of 
> multicast data traffic to all the egress nodes, causing an unnecessary 
> customer-visible disruption.
> 
> - The same situation that caused the S-PMSI A-D route to be originated 
> in the first place will still exist after the S-PMSI A-D route is 
> withdrawn, so the route will just be re-originated.
> 
> In other words, any action that would ameliorate the effects of this 
> sort of attack would have a negative effect during normal operation.  
> Therefore it is really better to rely on security mechanisms that 
> protect the control plane generally, rather than having a mechanism that 
> is focused on this one particular type of attack.

This suggest that there is no good counter measure which would be more appropriate  to say instead of calling it out of scope. I think it could even be helpful to add some of your explanation above to the security consideration section (instead of leaving this as an exercise to the reader).

> 
> We could say that if an ingress PE receives a Leaf A-D route with LIR-pF 
> set, and that route is a response to an S-PMSI A-D route that did not 
> have LIR-pF set, the event MUST be logged.  This would generate some 
> noise in the log during normal operation, but could provide at least a 
> hint that an attack is occurring.

I think this would be a good recommendation. I guess it actually does have to be a MUST, or you could say something like MUST be logged by default but can be configured differently if the protection mechanism used for the control plan is monitored. As I said, I’m really no expert here and you need to decide if that makes any sense though.

Mirja


> 
> What do you think?
> 
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>> 
>> Some other minor comments:
>>  1) section 2: „Use of this flag in the PTA carried by other route types is outside
>>    the scope of this document.  Use of this flag in the PTA carried by
>>    an S-PMSI A-D routes whose NLRI does not contain a wildcard is
>>    outside the scope of this document.“
>> Maybe you also want to say something like „The flag SHOULD be ignored in these cases.“..?
> 
> Agreed.
> 
>> 
>>  2) section 3
>> s/The result (if any) is the match for tracking“/The result (if any) is the “match for tracking“/
>> (missing quotes)
> 
> Fixed in the next revision.

[bess] Mirja Kühlewind's Discuss on draft-ietf-be… Mirja Kühlewind
Re: [bess] Mirja Kühlewind's Discuss on draft-iet… Alvaro Retana
Re: [bess] Mirja Kühlewind's Discuss on draft-iet… Eric Rosen
Re: [bess] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)
Re: [bess] Mirja Kühlewind's Discuss on draft-iet… Eric Rosen
Re: [bess] Mirja Kühlewind's Discuss on draft-iet… Mirja Kuehlewind (IETF)