IETF Logo Mail Archive

Re: [bess] Benjamin Kaduk's Discuss on draft-ietf-bess-datacenter-gateway-11: (with DISCUSS and COMMENT)

Adrian Farrel <adrian@olddog.co.uk> Wed, 02 June 2021 11:01 UTC

Return-Path: <adrian@olddog.co.uk>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A9313A3EDD; Wed, 2 Jun 2021 04:01:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.049
X-Spam-Level:
X-Spam-Status: No, score=-1.049 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MAY_BE_FORGED=0.846, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WXwuHsPFPQDM; Wed, 2 Jun 2021 04:01:04 -0700 (PDT)
Received: from mta8.iomartmail.com (mta8.iomartmail.com [62.128.193.158]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F00C53A3EDA; Wed, 2 Jun 2021 04:01:02 -0700 (PDT)
Received: from vs3.iomartmail.com (vs3.iomartmail.com [10.12.10.124]) by mta8.iomartmail.com (8.14.4/8.14.4) with ESMTP id 152B0xUj011460; Wed, 2 Jun 2021 12:00:59 +0100
Received: from vs3.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5CF604604B; Wed, 2 Jun 2021 12:00:59 +0100 (BST)
Received: from vs3.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 4535446054; Wed, 2 Jun 2021 12:00:59 +0100 (BST)
Received: from asmtp3.iomartmail.com (unknown [10.12.10.224]) by vs3.iomartmail.com (Postfix) with ESMTPS; Wed, 2 Jun 2021 12:00:59 +0100 (BST)
Received: from LAPTOPK7AS653V (9.185.51.84.dyn.plus.net [84.51.185.9] (may be forged)) (authenticated bits=0) by asmtp3.iomartmail.com (8.14.4/8.14.4) with ESMTP id 152B0v7u002513 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 2 Jun 2021 12:00:58 +0100
Reply-To: adrian@olddog.co.uk
From: Adrian Farrel <adrian@olddog.co.uk>
To: 'Benjamin Kaduk' <kaduk@mit.edu>
Cc: 'The IESG' <iesg@ietf.org>, draft-ietf-bess-datacenter-gateway@ietf.org, bess-chairs@ietf.org, bess@ietf.org, 'Matthew Bocci' <matthew.bocci@nokia.com>
References: <162191416295.8400.1863947061330586900@ietfa.amsl.com> <029e01d75404$df5dd570$9e198050$@olddog.co.uk> <20210602052221.GI32395@kduck.mit.edu>
In-Reply-To: <20210602052221.GI32395@kduck.mit.edu>
Date: Wed, 02 Jun 2021 12:00:57 +0100
Organization: Old Dog Consulting
Message-ID: <044201d7579e$919b43c0$b4d1cb40$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHEVVNu0WLsdURlsFTMfc0myKTQGwKXnRB6Amwdzemq/krVgA==
Content-Language: en-gb
X-Originating-IP: 84.51.185.9
X-Thinkmail-Auth: adrian@olddog.co.uk
X-TM-AS-GCONF: 00
X-TM-AS-Product-Ver: IMSVA-9.1.0.2034-8.6.0.1017-26194.007
X-TM-AS-Result: No--11.699-10.0-31-10
X-imss-scan-details: No--11.699-10.0-31-10
X-TMASE-Version: IMSVA-9.1.0.2034-8.6.1017-26194.007
X-TMASE-Result: 10--11.698600-10.000000
X-TMASE-MatchedRID: yebcs53SkkDxIbpQ8BhdbI61Z+HJnvsOpWOBfK9L1z+565vjVb2YJzez KlEFhGa6vPtSCmwHhL3AxbQX01Wci1XtR4OayZjVyZHnIMmQ+Dj0VPvT0zx0mAj8qRm6EUNIFF3 Is0dXYNOqnyg70yDI8BoP5F9jkdCJ5I5kwZ+AsWS3RxL+7EfzsMEgVobJ2hbenyA55XXCZGKW15 qLoPtbfgABzId91CwpXX/aG9eH04of6VTBSUcZqqVR3BrhvUgIZrlkjdOenUVX4H/AHZTAKuhtz MbEEqYeNe7yncYhXDxIsXsyRpNqMxs7n0Ur0F2YR+GtoiXVeDFUjHUEf69xHm3D6f6IpbLIKlOO NM16uHH+bBbWBYyaNVB/D9lmIvK1tGHSg65p69gW8Al79bnAD4oa3l8mzqVgu+xMRb3MShPMQMM /7vn0+JLJQDpUY8rfGxeNzJ3+44N1FYCeZMEvapK9FvwQx1hFWaKvOaBFthQtferJ/d7Abw/GhO qxMgx/fsq/oDPkBit3Acw+UNzHC6DR3oY0EpBQv4p3+B4TK3tuNR6QxOYs8w444jPMRKgTpxTYc WU3u1C2F46Y/Spw2n6hLXtY5c5fhkqQUUhtAgDjxJDUku2PNibiV/S36CI4C90qCYhaPKnSEmMw VLdkWjKr3d6KhQ60JX1oAd5cFDrI2RqSAXh33isIuzCLc2mNIVpGz/U+S0hjQ6o1zjtGHk6pgIb Vd5RELPTfV48Bhrf30nRSXQD7T6/Elphzpf1LeV/OrAAm6Gc5lSSSzBNFmJBPs9PtbzACP7NEP0 R/8mxitkrJ7ZFmlTDPPenG0NR/tvcEIGYNXX+eAiCmPx4NwNp/U3XwL5kCsOzOncrmCoOOhzOa6 g8KrSB/YEZhw1lBdLT8DcuSwGX9vGuTU/7wIFIXwvWnrkW2U3gU7khUTbk=
X-TMASE-SNAP-Result: 1.821001.0001-0-1-12:0,22:0,33:0,34:0-0
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/lva2VZx4qjyRQLeojk1tJmrwWAs>
Subject: Re: [bess] Benjamin Kaduk's Discuss on draft-ietf-bess-datacenter-gateway-11: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Jun 2021 11:01:09 -0000

Thanks for what you got to yesterday.

We can take this step by step.

[snip the Discuss]

>>    <t>Given that the gateways and ASBRs are connected by tunnels that may run across parts of the network that are not trusted, 
>>         data center operators using the approach set out in this network SHOULD consider using gateway-to-gateway encryption to
>
> "SHOULD consider"?  We're not even bold enough to go with just SHOULD?

I find this aspect of IETF Security considerations hard. Maybe I have a philosophical problem.
You might tell your child or another vulnerable person that they "SHOULD carry their money in a safe place". But with an adult one usually points out the risks and says that they "SHOULD consider carrying their money in a safe place."

>>    protect the data center traffic.  Additionally, due consideration SHOULD be given to encrypting end-to-end traffic as it
>>    would be for any traffic that uses a public or untrusted network for transport.</t>
>
> I am thinking that I might be in a similar situation as Warren: my
> recollection from when we processed 8402 is that nodes remotely connected
> to each other would be using secure tunnels that provide at least as much
> protection as the "secure physical network" within the local domain. 

I really don't want to be painted as someone who supports every word of 8402, but...

The essence of 8402 is that intervening transit nodes do not need to be tunnelled past.

Consider, for example, how SRv6 packets may be forwarded across regular IPv6 (i.e., not SRv6-capable) routers. The sending SRv6 router sets the IPv6 destination address to the address of the receiving SRv6 router, updates the SRH (which is just an IPv6 extension header), and forwards the packet. The transit routers simply forward the packet as an IPv6 packet without even being aware that there is an SRH present. Only when the packet arrives at the receiving SRv6 router (which sees itself in the IPv6 destination field) is SRv6 actioned. Thus, there may be a "logical tunnel" between remotely connected SRv6 nodes, but there is no tunnelling technology used. Thus, the protection is weaker than in a secure physical network.

Now, you and I might argue that this gives a strong incentive to use a secure tunnelling technology between remotely connected SR nodes. That is, however, hard for the sender to enforce for remote (sic) remotely connected nodes. Hence the consideration of GW-to-GW encryption. 

The proponents of 8402 might argue that SR is a forwarding technology and so it is no different to IP: it is up to the applications to decide whether the underlying network is safe. Thus, if a service provider decides to use SR inside their network, it has no additional security considerations over the same provider using IP inside their network.

> With
> that background, I would have gone with MUSTs here, but I am not at the
> moment finding much in 8402 to strongly support that as a requirement.

Well, I could go with "MUST consider" and "consideration MUST be given". That directs thought, but not action.

>>> COMMENT:
>>> ----------------------------------------------------------------
>>>
>>> The Abstract is perhaps pushing the bounds of reasonable length for an abstract. 
>> 
>> The Style Guide recommends 25 lines or fewer. We have 18 lines of text.
>
> Er, which style guide?  I'm not seeing much in RFC 7322 ... and
> https://www.rfc-editor.org/policy.html#policy.abstract (which admittedly
> does say it has been replaced by https://www.rfc-editor.org/styleguide/)
> puts the cap at 20, with 5-10 being "typical".

Oh, I apologise. 
Either my memory is faulty or this section has been updated over the last twenty years.
Anyway, "cap at 20" tells us what to do.

[snip]

>> NEW
>>    Data centers are attached to the Internet or a backbone network by
>>    gateway routers.  One data center typically has more than one gateway
>>    for commercial, load balancing, and resiliency reasons.  Other sites,
>>    such as access networks, also need to be connected across backbone
>>    networks through gateways.
>> 
>>    This document defines a mechanism using the BGP Tunnel Encapsulation
>>    attribute to allow data center gateway routers to advertise routes to the 
>>    prefixes reachable in the site, including advertising them on behalf of 
>>    other gateways at the same site.  This allows segment routing to be used
>>    to identify multiple paths across the Internet or backbone network 
>>    between different gateways.  The paths can be selected for load-balancing,
>>    resilience, and quality purposes.   
>> END
>
> Thanks, this is an improvement over the OLD version.

And only 12 lines 😊

>>> Section 1
>>>
>>>   The solution described in this document is agnostic as to whether the
>>>   transit ASes do or do not have SR capabilities.  the solution uses SR
>>>   to stitch together path segments between GWs and through the ASBRs.
>>>   Thus, there is a requirement that the GWs and ASBRs are SR-capable.
>>>   The solution supports the SR path being extended into the ingress and
>>>   egress sites if they are SR-capable.
>>>
>>> There seem to be some nodes marked "ASBR" that are at the boundary 
>>> between the two transit ASes, in Figure 1.  This text leaves me uncertain
>>> whether they are expected to support SR (vs just the ASBRs that are 
>>> attachment points for the ingress/egress GWs).
>> 
>> Whether the interior nodes of the transit ASes support SRs doesn't really
>> matter to us. The GWs and ASBRs are interconnected by tunnels as
>> represented by links in the BGP-LS instance. SR is used to stitch these 
>> tunnels together to create an end-to-end path between an ingress site
>> and an egress site. Thus, the GWs and ASBRs must be SR capable in order
>> to participate.
>
> I think we should say something about how the ASBRs that are "abstracted
> away" by the tunnel are not relevant, since otherwise just saying "ASBR"
> would seem to include them.  (They are listed in the figure as ASBRs, after
> all.)

The tunnels are not GW to GW, they are ASBR to ASBR. So there is a concatenation of tunnels between the GWs.

It is possible that a tunnel might span several ASes, but that would be unusual: at the network layer ASes tend to terminate and restart tunnels.

I don't see anything in the document that talks about "abstracting away" ASBRs. If there is something I've missed then we should fix it.

You may find draft-spring-farrel-sr-domain-interconnect helpful to see how the SR SID list can be constructed to make all this work.

The challenge here, I think, is that this is supposed to be a short document that describes the BGP extensions, not a whole cookbook.

>>> Section 3
>>>
>>>   o  Each GW is configured with an identifier for the site.  That
>>>      identifier MUST be the same across all GWs to the site (i.e., the
>>>      same identifier is used by all GWs to the same site), and MUST be
>>>      unique across all sites that are connected (i.e., across all GWs
>>>      to all sites that are interconnected).
>>>
>>> The advice in draft-gont-numeric-ids-sec-considerations is probably 
>>> relevant here.  How should we pick these identifiers?  Which properties
>>> are necessary and which are not needed? 
>> 
>> This bullet needs to be taken along with the bullet that follows, viz.
>> 
>>    o  A route target ([RFC4360]) MUST be attached to each GW's auto-
>>       discovery route (defined below) and its value MUST be set to the
>>       site identifier.
>> 
>> We will re-jig these two bullets to say...
>> 
>>    o  A route target ([RFC4360]) MUST be attached to each GW's auto-
>>       discovery route (defined below) and its value MUST be set to a 
>>       value that identifies the site identifier.  The rules for constructing
>
> (nit) "identifies the site identifier" is probably one too many "identifie"s

Ack. "indicated the site identifier"

>>       a route target are detailed in [RFC4360].  It is RECOMMENDED that
>>       a Type x00 or x02 route target be used.
>> 
>>    o Site identifiers are set through configuration.  The site identifiers 
>>       MUST be the same across all GWs to the site (i.e., the same
>>       identifier is used by all GWs to the same site), and MUST be
>>       unique across all sites that are connected (i.e., across all GWs
>>       to all sites that are interconnected).
>
> This helps, but I still wonder if we can give some guidance to the operator
> on how to choose the value of the (configured) site identifier.  If
> everyone decides to label their sites as consecutive integers starting at
> one, for example, that is likely to end in sadness later on.

You are asking us to give guidance on how to set route target values.
4360 says...
   When the value of the high-order octet of the Type field is 0x00 or
   0x02, the Local Administrator sub-field contains a number from a
   numbering space that is administered by the organization to which the
   Autonomous System number carried in the Global Administrator sub-
   field has been assigned by an appropriate authority.

   When the value of the high-order octet of the Type field is 0x01, the
   Local Administrator sub-field contains a number from a numbering
   space that is administered by the organization to which the IP
   address carried in the Global Administrator sub-field has been
   assigned by an appropriate authority.
...This is carefully set up so that clashes of RT value can only arise from misconfiguration within an administration.
We are recommending using type 0 or 2, so that the RT is scoped by AS and easily administered by the AS operator. 

>>> o  Each GW MUST construct an import filtering rule to import any
>>>      route that carries a route target with the same site identifier
>>>      that the GW itself uses.  This means that only these GWs will
>>>      import those routes, and that all GWs to the same site will import
>>>      each other's routes and will learn (auto-discover) the current set
>>>      of active GWs for the site.
>>>
>>> This seems pretty fragile in the face of identifier collisions; I hope there
>>> is some good text in the security considerations that covers the risks here.
>>> [ed. it seems we cover other aspects relating to identifier selection but not
>>> this one] Is there any filtering that can be done other than by site identifier,
>>> e.g., to know that a certain peer would never be able to advertise something
>>> that validly has the same site identifier?
>> 
>> This mechanism to control the importing of routes (using route targets) has
>> been in use in BGP networks for a while (more than 15 years since RFC 4360).
>> 
>> One of the big uses for route targets is in identifying which sites belong to the
>> same VPN (see RFC 4364). There is the potential to misconfigure the route
>> target used to identify a set of VPN sites by giving one site the wrong value.
>> That would mean that it:
>> - fails to import the relevant routes
>> - doesn't get its routes imported by its peers
>> - may accidentally import false routes
>> - may accidentally have its routes imported by other sites in different VPNs
>> That is all "bad stuff" and 4364 contains no mechanisms to handle what happens
>> if there is a misconfiguration (it's not an attack vector unless BGP or a router is
>> compromised - in which case far worse stuff happens). Basically, if you mess up
>> the configuration, expect the unexpected.
>
> Agreed, this is all "bad stuff", and the latter two are more what I had in
> mind when I wrote the comment.  It's part of my job to wonder about the
> potential scope of fallout if BGP or a router is compromised, even if we
> expect that to not actually happen much in practice :)

I don't make any claims about whether a BGP router might be compromised. But I do say that if it is, then some really bad stuff will happen, not just some site traffic being misdelivered.
Perhaps we should spend more time worrying about compromised routers - it's not a new discussion! 

We seem to have survived the possibility of VPN misconfiguration for a number of years. There may be some work that could be done to "autodetect" such misconfiguration.

[snip]

>>>   As described in Section 1, each GW will include a Tunnel
>>>   Encapsulation attribute with the GW encapsulation information for
>>>   each of the site's active GWs (including itself) in every route
>>>   advertised externally to that site.  [...]
>>>
>>> (I assume this is not intended to preclude the usual route filtering/split-
>>> horizon type stuff.)
>> 
>> Definitely doesn't preclude it. In fact that rule remains key to the way 
>> GWs behave - they don't re-advertise routes they have learned from
>> other GWs. But (of course) all the GWs to a site advertise the same
>> routes. 
>
> I had to read this twice just to make sure I'm picking up on the details:
> the GWs of a site do *not* advertise the *routes* they learn from each
> other; the only re-advertising is of GW encapsulation information.
> I assume that John has covered the case of intra-site connectivity issues
> whereby this could entail a site advertising a route with encapsulation
> information that couldn't actually get to that prefix, and will not think
> about it further.

Yes, that was part of the discussion with John.

Thanks,
Adrian

v2.23.0 | Report a Bug | By Email