Re: [Bier] Eric Rescorla's Discuss on draft-ietf-bier-ospf-bier-extensions-13: (with DISCUSS)
Jeff Tantsura <jefftant.ietf@gmail.com> Thu, 15 March 2018 18:13 UTC
Return-Path: <jefftant.ietf@gmail.com>
X-Original-To: bier@ietfa.amsl.com
Delivered-To: bier@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BB4F12DA06; Thu, 15 Mar 2018 11:13:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RRMXa24XUY82; Thu, 15 Mar 2018 11:13:52 -0700 (PDT)
Received: from mail-pf0-x230.google.com (mail-pf0-x230.google.com [IPv6:2607:f8b0:400e:c00::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2DFE12D80E; Thu, 15 Mar 2018 11:13:52 -0700 (PDT)
Received: by mail-pf0-x230.google.com with SMTP id f80so3127239pfa.8; Thu, 15 Mar 2018 11:13:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version; bh=dg1X/EljB9qs+mnX7lInyNAQXMSOwLTN0Zl206moOR8=; b=BhoVi05hqjfN8oj9p5VI58W1Ax5lXNB8NS2El09ZYjTWFhsLde19gcPzWqTZQXkPix rCzKCW0NZbIZ3bxCj9JPoHvY5OcvQPfAdJYU6TiD7RZRG1ptlTQEcSs1exf3JbOpvNdT a8uyGirpRwpcsQeM1+gLrfmoW6RIS93TmLrTdBn7eFNuGiTh8pcVzYYvqJaAsMUYp05h aBE3lcm53tqvr9oyGHGrQp1ejkQZotY5LSlmvGxN9sjHqhrObE+EEr/jPe8+W4E7d/T2 c0pX+CsoPd/jI8LgqdqhC+1DqzFJYn7B0VtTJVbm9GlosLoJXX4pABu+W54DWLCQ0iDX ixEw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version; bh=dg1X/EljB9qs+mnX7lInyNAQXMSOwLTN0Zl206moOR8=; b=nKsouvA3CPljs7mc7jlcxL4Q9bPmfLBXNiNmG23N3mF3ShK6xWyjrR/63KHFPb6seA 6lKHlQu4uVGrFz11RM3bj/MBPMh+ikG7ChlSWak+Hq2SC9gF7DJQzRo//cywLbgmmsib QjuRmxOZF/354cJXcV4mx0yf+YwGk/KehHUFcTR0fycYpZeEqyPDONDO9hm82D1Bm/yw UCpz4w9KiN9kcZ+lB+YqZpBiCDYWklCBb49zF7hLh2YOA5Z07vKKWbxfQKsV0c9x4Z16 Xj+GAPFRLBVtVOPjbBE7/B55h+7GYSjnuuyHMKtmUvVcubLICpRK1ex8LFlAPwmLltOL Ca6w==
X-Gm-Message-State: AElRT7HArd8AUYdIV5b9N57uF4+VWNnrcNuFaztFh+SXXTOujQ7WaB4r PeAxtyBRNGFe6XFHd4/bsBw=
X-Google-Smtp-Source: AG47ELsUWy+7KEo9Gvm1rZH8FC5gAC8MMCTmYv2TG+LsoFj97VQT79sacakmI2OR15hBUO3qySjovQ==
X-Received: by 10.99.117.68 with SMTP id f4mr5806434pgn.437.1521137632155; Thu, 15 Mar 2018 11:13:52 -0700 (PDT)
Received: from [192.168.1.7] ([76.126.247.72]) by smtp.gmail.com with ESMTPSA id o128sm12588072pfg.96.2018.03.15.11.13.50 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 15 Mar 2018 11:13:51 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/10.a.0.180210
Date: Thu, 15 Mar 2018 11:13:49 -0700
From: Jeff Tantsura <jefftant.ietf@gmail.com>
To: "Acee Lindem (acee)" <acee@cisco.com>, Alia Atlas <akatlas@gmail.com>, Eric Rescorla <ekr@rtfm.com>
CC: "Reshad Rahman (rrahman)" <rrahman@cisco.com>, "bier-chairs@ietf.org" <bier-chairs@ietf.org>, BIER WG <bier@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-bier-ospf-bier-extensions@ietf.org" <draft-ietf-bier-ospf-bier-extensions@ietf.org>
Message-ID: <E9E9E7FF-3E5F-44D9-B12B-0B1C11FBAE6A@gmail.com>
Thread-Topic: [Bier] Eric Rescorla's Discuss on draft-ietf-bier-ospf-bier-extensions-13: (with DISCUSS)
References: <151923384986.9826.9021725692873708788.idtracker@ietfa.amsl.com> <CABcZeBMsdAShgwUZQDqQgn7TgP=m0zv=h8dm5_T7dCL_o-n0Ew@mail.gmail.com> <CAG4d1rfN9ON2=8kOj7X5K62OT2qyxUuuy=vsqpakcUSn8hoeWg@mail.gmail.com> <E8456E09-EA8F-4F70-98CC-8AFA70528241@cisco.com>
In-Reply-To: <E8456E09-EA8F-4F70-98CC-8AFA70528241@cisco.com>
Mime-version: 1.0
Content-type: multipart/alternative; boundary="B_3603957231_1211672548"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bier/kfCjiHXGpW0aTzeIKik7peG9n6I>
Subject: Re: [Bier] Eric Rescorla's Discuss on draft-ietf-bier-ospf-bier-extensions-13: (with DISCUSS)
X-BeenThere: bier@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"Bit Indexed Explicit Replication discussion list\"" <bier.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bier>, <mailto:bier-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bier/>
List-Post: <mailto:bier@ietf.org>
List-Help: <mailto:bier-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bier>, <mailto:bier-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2018 18:13:58 -0000
Eric, I support Acee’ and Alia’ comments specifically wrt BIER extensions to IGPs and would like this discussion to lead to IGP security consideration discussion in LSR , rather than to “overloading” BIER. Cheers, Jeff From: BIER <bier-bounces@ietf.org> on behalf of "Acee Lindem (acee)" <acee@cisco.com> Date: Thursday, March 15, 2018 at 11:02 To: Alia Atlas <akatlas@gmail.com>, Eric Rescorla <ekr@rtfm.com> Cc: "Reshad Rahman (rrahman)" <rrahman@cisco.com>, "bier-chairs@ietf.org" <bier-chairs@ietf.org>, BIER WG <bier@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-bier-ospf-bier-extensions@ietf.org" <draft-ietf-bier-ospf-bier-extensions@ietf.org> Subject: Re: [Bier] Eric Rescorla's Discuss on draft-ietf-bier-ospf-bier-extensions-13: (with DISCUSS) Hi Eric, I agree with Tony and Alia that OSPF is defined within a single administrative domain – the “I” in “IGP” is for “Internal”. In some deployments, the BIER information may be exported between protocols and domains. However, this would all more into the realm of IDR. With respect to OSPF Security, I don’t know why using OSPF for discovery of BIER parameters requires any more or less security than the underlay over which the multicast forwarding is deployed. I agree that the exposures are different (as Peter conveyed in the updated text). I see a reference to (weak) OSPF security below. Rather than levying tangential DISCUSS’es on LSR documents advertising additional information, perhaps a better tact would be to define precisely what you think is weak about OSPF (and IS-IS) security and take it to the LSR WG as requirements. I agree it would be good to consolidate generic OSPF (and IS-IS) security considerations into new document(s) but I’m not sure that we need new mechanism. Please clear this DISCUSS ASAP. Thanks, Acee From: Alia Atlas <akatlas@gmail.com> Date: Thursday, March 15, 2018 at 10:24 AM To: Eric Rescorla <ekr@rtfm.com>, Acee Lindem <acee@cisco.com> Cc: The IESG <iesg@ietf.org>, "Reshad Rahman (rrahman)" <rrahman@cisco.com>, BIER WG <bier@ietf.org>, "draft-ietf-bier-ospf-bier-extensions@ietf.org" <draft-ietf-bier-ospf-bier-extensions@ietf.org>, "bier-chairs@ietf.org" <bier-chairs@ietf.org> Subject: Re: [Bier] Eric Rescorla's Discuss on draft-ietf-bier-ospf-bier-extensions-13: (with DISCUSS) Hi Eric, On Thu, Mar 15, 2018 at 4:26 AM, Eric Rescorla <ekr@rtfm.com> wrote: Thanks for updating the security considerations. I have two concerns about the following section: It is assumed that both BIER and OSPF layer is under a single administrative domain. There can be deployments where potential attackers have access to one or more networks in the OSPF routing domain. In these deployments, stronger authentication mechanisms such as those specified in [RFC7474] SHOULD be used. First, why are you assuming that BIER will be run within a single administrative domain. That's not generally the case for multicast now, is it? Or is it merely that OSPF will generally be run within a single administrative domain and if you are to run BIER outside a single administrative domain you won't want to use OSPF? It's hard to tell from the BIER security considerations how severe the situation is if routing is subverted, but given the uses to which multicast is put, it seems like it could result in some fairly large volumes of diverted traffic. Practical deployments of multicast are in single forwarding domains today. If there is desire to support multicast between administrative domains, it would likely extend BGP for the inter-domain interactions. OSPF is an IGP which is always a single administrative domain. It has complete shared trust in the distributed routing database to support the distributed SPF computation. Second, even within an administrative domain, it's not safe to assume that the links are in fact safe, so generally one would expect that you would run communications security on at the routing protocol to ensure integrity. It seems like there are two ways to look at this: I believe that RFC 7474 is providing an authentication mechanism that provides integrity-protection and prevents against replay. It isn't private - but untrusted links for listening are very different than being able to inject packets. Regardless, RFC 7474 provides that protection. One of the challenges with routing protocols is the bootstrapping aspects of some of the general security mechanisms, that depend on having network connectivity to reach resources that simply isn't available before routing is functional. 1. We are just extending OSPF to do a new thing, so the previous (weak) standards apply. 2. We are basically designing routing for an entirely new kind of thing (BIER), even though it happens to use OSPF, so modern standards should apply. I personally do not know what more would be desired practically for OSPF security. Acee, of course, will have more focused opinions - but it isn't clear to me what would be desirable to add. I think KARP dealt with OSPF as practically as possible. As for "should modern standards apply" - it's a mixture and depends on what types of attacks are truly of concern. Deborah has taken up looking for a Design Team to try to better articulate what is there for security and the trade-offs. BIER is based on MPLS and Ethernet. For Ethernet, there is the existence of MAC Security. For MPLS, there have been no market motivators for having hop-by-hop encryption; for example, a draft describing how to do this sat adopted in the MPLS WG for several years - but could not find anyone interested in even implementing it for experimental. When one examines the data in the BIER header, it is fundamentally expected to change at every hop and is network data. The user-data in the packets, can, of course be protected by the end-to-end applications. Regards, Alia At present, I lean towards the second interpretation, especially, but I'd like to hear what the other members of the IESG think, especially my security co-ADs. -Ekr On Wed, Feb 21, 2018 at 5:24 PM, Eric Rescorla <ekr@rtfm.com> wrote: Eric Rescorla has entered the following ballot position for draft-ietf-bier-ospf-bier-extensions-13: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-bier-ospf-bier-extensions/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Document: draft-ietf-bier-ospf-bier-extensions-12.txt I have not yet reviewed this document in detail: Implementations must assure that malformed TLV and Sub-TLV permutations do not result in errors which cause hard OSPF failures. This is not an adequate security considerations section. What is your threat model? What attacks are possible? What are not? It may be the case that this is all covered in other documents, and you just need to point to them, but the reader doesn't know that, so this needs to be documented. Adam Montville's SECDIR review which makes some of the same points and lists a few specific items to examine. _______________________________________________ BIER mailing list BIER@ietf.org https://www.ietf.org/mailman/listinfo/bier _______________________________________________ BIER mailing list BIER@ietf.org https://www.ietf.org/mailman/listinfo/bier
- [Bier] Eric Rescorla's Discuss on draft-ietf-bier… Eric Rescorla
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Alia Atlas
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Tony Przygienda
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Eric C Rosen
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Acee Lindem (acee)
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Jeff Tantsura
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Eric C Rosen
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Les Ginsberg (ginsberg)
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Les Ginsberg (ginsberg)
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Nagendra Kumar Nainar (naikumar)
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Les Ginsberg (ginsberg)
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Eric Rescorla
- Re: [Bier] Eric Rescorla's Discuss on draft-ietf-… Alvaro Retana