Re: [bess] Roman Danyliw's Discuss on draft-ietf-bess-datacenter-gateway-10: (with DISCUSS and COMMENT)
Adrian Farrel <adrian@olddog.co.uk> Wed, 19 May 2021 21:04 UTC
Return-Path: <adrian@olddog.co.uk>
X-Original-To: bess@ietfa.amsl.com
Delivered-To: bess@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6B9B3A1EFF; Wed, 19 May 2021 14:04:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.049
X-Spam-Level:
X-Spam-Status: No, score=-1.049 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MAY_BE_FORGED=0.846, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TiDKp9PIwXkR; Wed, 19 May 2021 14:04:17 -0700 (PDT)
Received: from mta8.iomartmail.com (mta8.iomartmail.com [62.128.193.158]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 079873A1EFD; Wed, 19 May 2021 14:04:16 -0700 (PDT)
Received: from vs3.iomartmail.com (vs3.iomartmail.com [10.12.10.124]) by mta8.iomartmail.com (8.14.4/8.14.4) with ESMTP id 14JL48vT005240; Wed, 19 May 2021 22:04:08 +0100
Received: from vs3.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 49AAD22075; Wed, 19 May 2021 22:04:08 +0100 (BST)
Received: from asmtp3.iomartmail.com (unknown [10.12.10.224]) by vs3.iomartmail.com (Postfix) with ESMTPS id 3223122077; Wed, 19 May 2021 22:04:08 +0100 (BST)
Received: from LAPTOPK7AS653V (65.151.51.84.dyn.plus.net [84.51.151.65] (may be forged)) (authenticated bits=0) by asmtp3.iomartmail.com (8.14.4/8.14.4) with ESMTP id 14JL47qp027201 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 19 May 2021 22:04:07 +0100
Reply-To: adrian@olddog.co.uk
From: Adrian Farrel <adrian@olddog.co.uk>
To: 'Roman Danyliw' <rdd@cert.org>, 'The IESG' <iesg@ietf.org>
Cc: draft-ietf-bess-datacenter-gateway@ietf.org, bess-chairs@ietf.org, bess@ietf.org, 'Matthew Bocci' <matthew.bocci@nokia.com>
References: <162145456955.28529.8072971663484949985@ietfa.amsl.com>
In-Reply-To: <162145456955.28529.8072971663484949985@ietfa.amsl.com>
Date: Wed, 19 May 2021 22:04:06 +0100
Organization: Old Dog Consulting
Message-ID: <04f501d74cf2$820e70a0$862b51e0$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQKM7RiB33YvIfE6qBqqq4p2fEzRjql//yFw
Content-Language: en-gb
X-Originating-IP: 84.51.151.65
X-Thinkmail-Auth: adrian@olddog.co.uk
X-TM-AS-GCONF: 00
X-TM-AS-Product-Ver: IMSVA-9.0.0.1623-8.2.0.1013-26168.003
X-TM-AS-Result: No--14.554-10.0-31-10
X-imss-scan-details: No--14.554-10.0-31-10
X-TMASE-Version: IMSVA-9.0.0.1623-8.2.1013-26168.003
X-TMASE-Result: 10--14.554300-10.000000
X-TMASE-MatchedRID: 8HTFlOrbAtHxIbpQ8BhdbPHkpkyUphL9Lyiv/vFzEkQr43ibMlqrGD6y zEmkViqrXg0hLrbb2bY0MbRTy4WbQOWvWGhVgVn0C8FMH3T6F76ne/hS5IAzq2GVufr+eY4va3A 6hcNu8nBgPnjCwYdUCLt39bs8Ghvy4oAGa7RCJRJcrmR4Jr5uaGOJthub07Sw61WlA7aRGtdY5R QofTDVW5ZhwPMbvFznC8tbCVqCE5m9d+A0qEUj9MFY+9G+fhHz2FA7wK9mP9dEm2z04jGoE1l4x fTSs3QpwMxgKrnf4+hiSVnIdboij/tIATh0nKq8P5o2cGwpYkq9WWLhrQZuGsVsL38cyo+7asSU SFzN1tlgYWutzp9Uz6Hhp3cPK0DFcdV1fv9AzTD4FqzGb25nhylayzmQ9QV0CPfqTTvyKbgAwlw c7PMO40cU9FepBuC3O9Tqj7IHQjFqaZzGGPWrB6EtILqFekmXE84OITRIYTONj8G9K4SpvSq8E5 UVZHXYAYtBWP5lvec+zSA4ac3nl8fHRu+QUWH+ikdH3EQaETWrXHPgDIHtLSPbpmcKzKmQDN2gp U0rAlYeiFQL2XCGlCilIhDwkzlwQeV53N5Ljrvece0aRiX9WonC8e7dgeyIaq7Dr1BRCssQZraA lGpxLyfZAJqlx/jL85moj59OrGiq3UKZudv5456N6jXWJbQ3aG4bbCZgLReyqIqVgElDGNzl2Q1 lhh3GGc1R8G+ow1nxUNamz7ZAL6s6DzU+kvSGHRZwmrxiRkZlu8AJBkPNMOtVJHkjzh1dU9a6zf LFA1bw6OOxM5DL4RNc61JVSPY2fTF5ARmYvFaeAiCmPx4NwFkMvWAuahr8m5N2YHMD0b8MyrfP9 j+C1SAHAopEd76v1Ec/cVLxWyyKlYqSn1vnbZtSxtETtiYzIKdnUtFFlkfYW45st+UmMQ==
X-TMASE-SNAP-Result: 1.821001.0001-0-1-12:0,22:0,33:0,34:0-0
Archived-At: <https://mailarchive.ietf.org/arch/msg/bess/vND1-nD7vuTF4Ne8SVDOleVqyDE>
Subject: Re: [bess] Roman Danyliw's Discuss on draft-ietf-bess-datacenter-gateway-10: (with DISCUSS and COMMENT)
X-BeenThere: bess@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: BGP-Enabled ServiceS working group discussion list <bess.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bess>, <mailto:bess-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bess/>
List-Post: <mailto:bess@ietf.org>
List-Help: <mailto:bess-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bess>, <mailto:bess-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 May 2021 21:04:22 -0000
Hi Roman, > DISCUSS: > ------------------------------------------------------------------ > > RFC8402 tells us: > > (a)“Segment Routing domain (SR domain): the set of nodes participating > in the source-based routing model … > > (a.1) “These nodes may be connected to the same physical infrastructure > (e.g., a Service Provider's network).” > > (a.2) “They may as well be remotely connected to each other (e.g., an > enterprise VPN or an overlay).” > > (b) “By default, SR operates within a trusted domain. Traffic MUST be > filtered at the domain boundaries.” > > My understanding of this document is that it is an enabling capability > to help establish SR domains of the like described in (a.2). What I see > missing is text that provides the confidence suggested by the language > of “trusted domain” in (b). So, recalibrating to the whole "we meant site when we said domain" thing in many of the conversations with other ADs... You're right. This document provides a mechanism for connecting participating nodes that are remote. I never understood, "By default, SR operates within a trusted domain." To me that reads like, "If you want to, you can configure your domain to be untrusted" as if that is something someone might choose to do when they have the option of a trusted domain. But I digress! I am not sufficiently a security expert to know what language would provide confidence. And, actually, I'm not quite sure what the question is. Are you asking "What stops a rogue gateway advertising itself, effectively impersonating a site in the SR domain?" To continue... > -- Section 1 hints at various VPN technologies perhaps being used “The various > ASes that provide connectivity between the Ingress and Egress Domains could > each be constructed differently and use different technologies such as IP, MPLS > with global table routing native BGP to the edge, MPLS IP VPN, SR-MPLS IP VPN, > or SRv6 IP VPN.” However, the security properties of all of those aren’t clear > to a degree that would seem consistent with being a “trusted domain”. For > example, saying “IP” might suggest that naked IP packets with SR headers (with > no additional security primitives) could be dropped onto the open Internet, or > at least through networks not under the control the “data centers” use case > suggested by the name of the document. I would have thought the security properties of the routing protocol (in this case BGP) more important than the properties of the core network data plane protocols. I wonder whether there is a misconception of the applicability of SR in the wider Internet, and the definition of "SR domain" from 8402. For example, in SRv6, the SR nodes may form part of a trusted domain, but the packets are just IP packets that happen to carry an SRH, so the packets can be (and are!) forwarded through a native IP network. This is a form of tunnelling (because the SRH is not examined except at the addressed destination), but the packets are "out there". But back to the VPN model. The VPN sites may run a proprietary protocol that could be considered dangerous if released to the Internet. The VPN sites form a trusted domain because they will not leak that protocol into the Internet. However, the VPN shares packets across the Internet by tunnelling them. The VPN can be supported by a whole host of tunnelling protocols (MPLS, IPsec, GRE, IP-in-IP, etc.). All of these tunnelling mechanisms rely on: - the integrity of the tunnels - the security of the routing protocol used to determine the tunnel end points - the security of the signaling protocols used to establish the tunnels - the security of the routing protocols used to determine the site membership But the core network does not form part of the trust domain. Except! In a multi-AS case, the ASBRs are tunnel end points (or tunnel stitching points) and do participate in the trust model. Now I have to ask: in what way is what we are suggesting different from the multi-AS VPN trust model? > -- The discussion at > https://mailarchive.ietf.org/arch/msg/bess/zY783PgnXSCp6GNSRF4kY0diLYs/ around > the forwarding plane trust model is also informative. It is noted that that > the “transit nodes of the AS are not part of the domain.” I could agree, but > only to the degree that the SR packets are tunneled in such as way that > suggested a trusted domain at least of equal security as (a.1). So, a tunnel is not as secure as a physical link. Indeed, a router is not as secure as a physical link. Yet we route traffic and use tunnels. I am obviously not seeing the problem! How do networks stop traffic from being injected into tunnels? Largely speaking, they do it by noting that traffic from outside the network is not allowed to enter the network using tunnel addresses (or encapsulations). Why is what we are describing any different from any type of tunnelling technology? Or maybe "trusted domain" means an entirely different thing to you than it meant to the authors of 8402 in the SR context where, I believe, they meant "everyone in the domain is believed to be playing SR in the same way, and that SR traffic will not be injected into the SR domain from outside." > I think language is needed to describe the normative security requirements of > the tunnels that will be created on top of the routes enables by this work to > substantiate the claim that at a “trusted domain” is being maintained. This > has some overlap with John’s text about clarify the proposed trust model. This brings me back to the idea that a packet might be injected into the SR domain from outside. To do this, a packet containing an SRH would have to be introduced into one of the tunnels. Obviously a rogue router can always introduce traffic, and this particular weakness is generally discarded because a rogue router can do far worse things, and because end-to-end protections are assumed to provide adequate protection. So we're left with packets being somehow forwarded into the network in a way that they will be introduced into the tunnel and appear to be genuine. There are three cases: 1. The packet reaches a router in disguise, the outer encapsulation is stripped, and the packet is forwarded onto the tunnel. As far as I am aware all tunnelling technologies prohibit the concept of a "discovered interface." For example, if an IP destination (a router) discovers that the payload of an IP packet is an MPLS packet that it is not configured to expect, it will blow a whistle and stamp its foot. 2. The packet enters the network using the tunnelling encapsulation so that it is routed into the tunnel. I believe that networks generally filter at the edges for exactly this (just as the SR domain does). 3. The packet is a native IP packet carrying an SRH and is routed into the network to a destination that will process the SRH. But in this case, the packet has come from outside the SR domain, so the packet will be filtered. I wish I could come up with a simple normative security requirement that would satisfy you, but I lack the skill. Best, Adrian
- [bess] Roman Danyliw's Discuss on draft-ietf-bess… Roman Danyliw via Datatracker
- Re: [bess] Roman Danyliw's Discuss on draft-ietf-… Adrian Farrel
- Re: [bess] Roman Danyliw's Discuss on draft-ietf-… Adrian Farrel
- Re: [bess] Roman Danyliw's Discuss on draft-ietf-… Roman Danyliw