IETF Logo Mail Archive

Re: [Bier] Eric Rescorla's Discuss on draft-ietf-bier-ospf-bier-extensions-13: (with DISCUSS)

Eric Rescorla <ekr@rtfm.com> Thu, 15 March 2018 18:32 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: bier@ietfa.amsl.com
Delivered-To: bier@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCF3412DA14 for <bier@ietfa.amsl.com>; Thu, 15 Mar 2018 11:32:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WaJEM4hXp58K for <bier@ietfa.amsl.com>; Thu, 15 Mar 2018 11:32:41 -0700 (PDT)
Received: from mail-qt0-x236.google.com (mail-qt0-x236.google.com [IPv6:2607:f8b0:400d:c0d::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D8D412D80E for <bier@ietf.org>; Thu, 15 Mar 2018 11:32:38 -0700 (PDT)
Received: by mail-qt0-x236.google.com with SMTP id h4so2494213qtn.13 for <bier@ietf.org>; Thu, 15 Mar 2018 11:32:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=q08bfau2/F7LJiRaYok89x+UtXHTId/+tcIkbZMpoAs=; b=Lq9Wiui9hfnT0pIED2Uv5NOKT9aW9YMUvQKH9JIw4o25IEfa7S46qQ+H1RGkrnzLv8 NaGrxFv0mTUyWuhQ0CpA8d3fVBzy46iaj7ALDpAGwDDLsbPghQwVZ+Gk8cGYrQuu+I7D jH8qvxy9UeEWwdy24nGB3pm+rSiY4awsMslFZ2NC3EJuuajwEEVCMDYRTDKLRMOTVYz6 Zl6wFPUG+h+F7e4nBQKycxm1782NWsQAbDnZM2tzcagNmRSk6dBvn3ezg4GiabBGmg+R vWod6k1hvnM7ptOOqGYjHOw10PZYYlTh42uerr7K18yEbtsSo+BG52EOGcTJkVACBq+0 3Vnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=q08bfau2/F7LJiRaYok89x+UtXHTId/+tcIkbZMpoAs=; b=ErsYyXv+seCtnDtK3sTRYLFR3/nVj2bq/HSETKJO4l+JhOs9aRQ1JP4tSKodgDX4wu mjtjk+eGzzgh3CbOzVyBBvu6+mioabTWr+rOHiyhWQERRZeMh9PDYPky8N/6Pnjv2aFa TdM5/rIyPqPpBSJPwGxgNRS/ZD8AkNJ+N/baKlAx7jg2kvJz+DvTr8eB0oMqtqnELUqk i+ACr1HfEAG4fPwBv9kAA3u5wZD0kJqs3VlJxQzjFA3hdjHNL3RWq9msyqsaVXxKzNZI pTXem4wjv+V6o12jCG192QN0Hxp9ykhLH+JJ4RG0bJP+Jiis8j9jrTakDa0FBIq7hJH8 yQzA==
X-Gm-Message-State: AElRT7GTPZe1fokHUB+OgXj/w8ns4+GrAueOsHHamq8IYjRQ6AT1FUzW ufmoXpAqSK2j7/4aT4Ln7yG+eZGJSTaJ5cJGODIrpQ==
X-Google-Smtp-Source: AG47ELsw73loU/znY2o3JrRabZmyj3U0yxP1KEGvfDKEwuL7N1rAJD1oh1FWdwfReB9AiLtpvJx7+HOWFmWTk8Yjsfg=
X-Received: by 10.200.42.177 with SMTP id b46mr14816512qta.321.1521138757331; Thu, 15 Mar 2018 11:32:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.200.37.234 with HTTP; Thu, 15 Mar 2018 11:31:56 -0700 (PDT)
In-Reply-To: <CA+wi2hOZ-KuwA9xHnTW1dY9jNXhcRg9rxz682bPHZ2yQuhgMbg@mail.gmail.com>
References: <151923384986.9826.9021725692873708788.idtracker@ietfa.amsl.com> <CABcZeBMsdAShgwUZQDqQgn7TgP=m0zv=h8dm5_T7dCL_o-n0Ew@mail.gmail.com> <CA+wi2hOZ-KuwA9xHnTW1dY9jNXhcRg9rxz682bPHZ2yQuhgMbg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 15 Mar 2018 18:31:56 +0000
Message-ID: <CABcZeBMpUem5ePEkae5TrpAWLwyTv1x5WKea9GnS2Dmc7EdRyw@mail.gmail.com>
To: Tony Przygienda <tonysietf@gmail.com>
Cc: The IESG <iesg@ietf.org>, Reshad <rrahman@cisco.com>, BIER WG <bier@ietf.org>, draft-ietf-bier-ospf-bier-extensions@ietf.org, bier-chairs@ietf.org
Content-Type: multipart/alternative; boundary="001a113b032848fe25056777b7c7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bier/jHMXdSEEvOSg-QtDJSNo2NCdZIs>
Subject: Re: [Bier] Eric Rescorla's Discuss on draft-ietf-bier-ospf-bier-extensions-13: (with DISCUSS)
X-BeenThere: bier@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"Bit Indexed Explicit Replication discussion list\"" <bier.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bier>, <mailto:bier-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bier/>
List-Post: <mailto:bier@ietf.org>
List-Help: <mailto:bier-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bier>, <mailto:bier-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2018 18:32:44 -0000

On Thu, Mar 15, 2018 at 3:09 PM, Tony Przygienda <tonysietf@gmail.com>
wrote:

>
>
> On Thu, Mar 15, 2018 at 1:26 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>> Thanks for updating the security considerations. I have two concerns about
>> the following section:
>>
>>    It is assumed that both BIER and OSPF layer is under a single
>>    administrative domain.  There can be deployments where potential
>>    attackers have access to one or more networks in the OSPF routing
>>    domain.  In these deployments, stronger authentication mechanisms
>>    such as those specified in [RFC7474] SHOULD be used.
>>
>> First, why are you assuming that BIER will be run within a single
>> administrative domain. That's not generally the case for multicast
>> now, is it? Or is it merely that OSPF will generally be run within
>> a single administrative domain and if you are to run BIER outside
>> a single administrative domain you won't want to use OSPF?
>>
>
> Eric,
>
> OSPF is normally run within a single AD (at least I never saw it
> stretching
> ADs unless we talk about DMZ as such a thing
> or consider overlays running OSPF though
> the overlays are their own ADs) due to the way the protocol is designed.
>
In fact, it does not carry AS as a concept anywhere (modulo some
> corner-cases
> such as 4577 where AS is encoded in tags), instead it talks about
> ASBR which is the AS border OSPF touches (and where AS
> external routes can be injected). So I don't think any inter-AS
> considerations for this draft are relevant as they may have to in
> IDR extensions.
>

Thanks. This makes the situation somewhat better, though if the
routing traffic traverses insecure links, then there is still a risk.


>
>
>> It's
>> hard to tell from the BIER security considerations how severe
>> the situation is if routing is subverted, but given the uses to
>> which multicast is put, it seems like it could result in some
>> fairly large volumes of diverted traffic.
>>
>> Second, even within an administrative domain, it's not safe to assume
>> that the links are in fact safe, so generally one would expect that
>> you would run communications security on at the routing protocol to
>> ensure integrity. It seems like there are two ways to look at this:
>>
>> 1. We are just extending OSPF to do a new thing, so the previous
>>    (weak) standards apply.
>>
>> 2. We are basically designing routing for an entirely new kind of
>>    thing (BIER), even though it happens to use OSPF, so modern
>>    standards should apply
>>
>>
>
>> At present, I lean towards the second interpretation, especially, but
>> I'd like to hear what the other members of the IESG think, especially
>> my security co-ADs.
>>
>
>
> I would be interested why you lean towards the 2nd interpretation.
> In my view, BIER is a very lightweight addition on top of OSPF and does
> not
> extend any of its primitives at all except using the standard way to
> add some sub-TLVs using RFC7684 and RFC4915, both long
> established OSPF concepts. In a sense it uses OSPF as
> light-weight signalling only (and currently uses its computation results
> to derive a set of BIER next-hops). Neither represents any
> change in OSPF architecture or threat model IMO.
>

I agree that from an OSPF perspective, the changes are trivial,
but that's not the question. As I understand BIER, the traffic
pattern is significantly different from conventional unicast routing
and therefore it's at minimum important to determine whether
what we considered acceptable -- though regrettable -- properties
of the routing system are in fact acceptable with BIER as well.

I don't see any analysis of this in the document, or in the BIER
architecture document. Is there some?


If your concern is addressing what you describe as "weak" standard
> OSPF security then I would venture to say that trying to put that into a
> BIER OSPF signalling draft would be a poor choice of locus.  Same for
> BIER as forwarding plane/architecture security considerations.
>

What's weak here is that the document doesn't require that one *use* 7474,
even in settings where the document acknowledges that it's insecure not
to:

   It is assumed that both BIER and OSPF layer is under a single
   administrative domain.  There can be deployments where potential
   attackers have access to one or more networks in the OSPF routing
   domain.  In these deployments, stronger authentication mechanisms
   such as those specified in [RFC7474] SHOULD be used.

As I said, that's not ideal, but it's the state we're in.

-Ekr


So, if we have to spell out that BIER OSPF signalling has the same
> security profile as OSPF, yes, a good reference "boilerplate" would be
> nice and
> same for BIER as forwarding paradigm/architecture.
>
> thanks
>
> -- tony
>
>
>
>
>>
>> -Ekr
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> On Wed, Feb 21, 2018 at 5:24 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>>
>>> Eric Rescorla has entered the following ballot position for
>>> draft-ietf-bier-ospf-bier-extensions-13: Discuss
>>>
>>> When responding, please keep the subject line intact and reply to all
>>> email addresses included in the To and CC lines. (Feel free to cut this
>>> introductory paragraph, however.)
>>>
>>>
>>> Please refer to https://www.ietf.org/iesg/stat
>>> ement/discuss-criteria.html
>>> for more information about IESG DISCUSS and COMMENT positions.
>>>
>>>
>>> The document, along with other ballot positions, can be found here:
>>> https://datatracker.ietf.org/doc/draft-ietf-bier-ospf-bier-extensions/
>>>
>>>
>>>
>>> ----------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>>
>>> Document: draft-ietf-bier-ospf-bier-extensions-12.txt
>>>
>>> I have not yet reviewed this document in detail:
>>>
>>>    Implementations must assure that malformed TLV and Sub-TLV
>>>    permutations do not result in errors which cause hard OSPF failures.
>>>
>>> This is not an adequate security considerations section. What is your
>>> threat model? What attacks are possible? What are not? It may be the
>>> case that this is all covered in other documents, and you just need to
>>> point to them, but the reader doesn't know that, so this needs to be
>>> documented. Adam Montville's SECDIR review which makes some of the
>>> same points and lists a few specific items to examine.
>>>
>>>
>>>
>>>
>>>
>>
>> _______________________________________________
>> BIER mailing list
>> BIER@ietf.org
>> https://www.ietf.org/mailman/listinfo/bier
>>
>>
>

v2.23.0 | Report a Bug | By Email