Re: [conex] Kathleen Moriarty's Discuss on draft-ietf-conex-destopt-09: (with DISCUSS and COMMENT)

[Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>]

Hi Suresh, hi Bob, hi Kathleen,

first of all happy new year!

@Kathleen: not exactly sure which bit you are taking about but I’ve now applied all changes for the IPSec section Bob proposed below. However, I don’t think there are actual issues on confidentiality itself because the ConEx information is meant to be read by the network (however it should just not be altered) and a decision to encrypt or not is independent of ConEx. The only important thing probably is, that if you choose to encrypt, ConEx still works and that’s now clarified I believe.

Other than that, I removed section 6 on auditing as discuss at the lats IETF meeting (@Bob: we did NOT submit an update since we discuss this.) However, based on our discussion I have slightly extended the paragraph that we already had on credits in section 4:

OLD:
A transport sends credits prior to the occurrence of congestion (loss
   or ECN-CE marks) and the amount of credits should cover the
   congestion risk.  This is further specified in
   [I-D.ietf-conex-abstract-mech] and described in detail for the case
   of TCP in [I-D.ietf-conex-tcp-modifications].  Note, the maximum
   congestion risk is that all packets in flight get lost or ECN marked.

NEW:
The credit signal represents potential for congestion.
    If a congestion event occurs, a corresponding amount of credit is consumed, as
    outlined in <xref target="I-D.ietf-conex-abstract-mech"/>.
    A ConEx-enabled sender SHOULD, therefore, signal sufficient credit in advance to any
    congestion event to cover the (estimated maximum) amount of lost or CE-marked bytes
    that could occur in such a congestion event. This estmation depends on the heuristics 
    used and aggressiveness of the sender whening deciding about the apropriate sending rate
    (congestion control). Note, the maximum congestion risk is that all packets in flight
    get lost or CE-marked, and therefore this would be the most conservative estimation for the
    congestion risk. After a congestion event, if the sender intends to take the same
    risk again, it just needs to replace the consumed credit as non-consumed
    credit does not expire. For the case of TCP, this is described in detail in
    <xref target="I-D.ietf-conex-tcp-modifications"/>.

Let me know if that’s okay/sufficient for you, or if I need to add more or potentially even remove some stuff again!

I also added Bob as an author.

Mirja


> Am 17.12.2015 um 13:01 schrieb Bob Briscoe <ietf@bobbriscoe.net>:
> 
> Kathleen, Suresh,
> 
> I've tried to reload state to get this sorted (I had to check back over the last 4 sets of diffs)...
> 
> Kathleen's right - the encryption text shouldn't have been removed. I thought we merely agreed it needed to clarify that it was talking about where to put the CDO to ensure it is not encrypted, if IPsec is being used to encrypt other data.
> 
> Reading the IPSec section afresh, I could not make sense of it. The logical flow is missing - it's not clear which parts of each para are explaining a problem, and which parts are solving the problem.
> 
> Here's my attempts to fix this:
> 
> OLD:
> 
>   If the endpoints are using the IPsec Authentication Header (AH)
>   [RFC4302] to detect alteration of IP headers along the path, AH will
>   also ensure the e2e integrity of the CDO header.  A network-based
>   attacker could alter ConEx information to fool an audit function in a
>   downstream network into discarding packets.  However, other existing
>   attacks from one network on another such a TTL expiry attacks are
>   more damaging (because ConEx audit discards silently) and less
>   traceable (because TTL is meant to change, whereas CDO is not).
> 
> NEW;
> 
>   A network-based
>   attacker could alter ConEx information to fool an audit function in a
>   downstream network into discarding packets.
>   If the endpoints are using the IPsec Authentication Header (AH)
>   [RFC4302] to detect alteration of IP headers along the path, AH will
>   also detect alteration of the CDO header. Nonetheless, AH protection
>   will rarely need to be introduced for ConEx, because attacks by one
>   network on another are rare if they are traceable. Other known
>   attacks from one network on another such a TTL expiry attacks are
>   more damaging to the innocent network (because ConEx audit discards silently) and less
>   traceable (because TTL is meant to change, whereas CDO is not).
> 
> REASONING:
> Stated the current position and the problem before the solution.
> AH does not ensure integrity, it only detects lack of integrity.
> Added sentence to explain why we're only talking about existing use of AH, not adding it, which also better justifies the last sentence, which Stephen Farrell didn't really like, but grudgingly accepted.
> s/existing/known/ to avoid implying networks are routinely attacking other networks with TTL expiry attacks.
> Added "to the innocent network", to make it clear that the damage being discussed is the shift of blame to another network, not the resultant lack of e2e delivery.
> 
> OLD:
> 
>   Inside an IPv6 packet, a Destination Option header can be placed in
>   two possible positions, either before the Routing header or after the
>   ESP/AH headers as described in Section 4.1 of [RFC2460].  When the
>   CDO is placed in the destination option header before the AH and/or
>   ESP, it is not encrypted in transport mode [RFC4301].  Otherwise, if
>   the CDO were placed in the latter position and an ESP header was used
>   with encryption, the CDO cannot be viewed and interpreted by ConEx-
>   aware intermediate nodes effectively rendering it useless.
> 
> 
> NEW;
> 
>   Section 4 specifies that CDO is placed in the destination option header
>   before the AH and/or ESP headers so that ConEx information remains
>   in the clear if ESP is being used to encrypt other transmitted information
>   in transport mode [RFC4301].
>   Inside an IPv6 packet, a Destination Option header can be placed in
>   two possible positions, either before the Routing header or after the
>   ESP/AH headers as described in Section 4.1 of [RFC2460]. If
>   the CDO were placed in the latter position and an ESP header was used
>   with encryption, ConEx-aware intermediate nodes would not
>   be able to view and interpret the CDO, effectively rendering it useless.
> 
> REASONING:
> Stated the current position and the problem before the solution.
> Kept the sentence "an ESP header was used with encryption" to exclude the null encryption case.
> 
> 
> 6. Audit
> While I had ConEx state loaded in my brain, I also checked the new Audit section.
> 
> I thought we agreed we only needed a couple of these sentences in section 3 of this doc, not a whole section.
> All that has to be done is to specify what will be considered sufficient L, E and C signals (another way of saying this is to specify the semantics that an audit would reasonably be expected to enforce).
> It doesn't have to define what an audit device is or does.
> 
> Here's a reminder of the para in conex-abstract-mech [RFC7713-to-be] that this spec has to address:
> "  The general goal of an auditor is to make sure that any ConEx-enabled
>   traffic is sent with sufficient ConEx-Re-Echo and ConEx-Credit
>   signals.  A concrete definition of the ConEx protocol MUST define
>   what sufficient means.
> "
> You seem to be getting hung up on defining "audit". You only have to define "sufficient". You don't even have to mention audit.
> 
> IMO, the required definitional sentences should be placed within section 4, not in an audit section.
> 
> 
> <POINTLESS TEXT>
> If, despite the above, you do still want an audit section, I started correcting it below, before I realised it shouldn't be there at all.
> 
> Move these two sentences to the start of the section:
> "  This
>   document does not mandate a particular audit design. Implementation
>   considerations are further discussed in [I-D.wagner-conex-audit].
> "
> 
> OLD:
> An audit element shall be a shadow device in the network, i.e. its
>   presence should not be detectable for well-behaving senders.
> NEW:
>   An audit element will typically be a stealth device in the network,
>   i.e. it will not need to notify end systems that discards are due to audit failure.
> 
> s/senders correctly signals/
> /senders correctly signal/
> 
> OLD:
>   For this, the audit
>   element has to maintain state for any active ConEx-enabled flow.
>   Flows must be audited independently, as there are no dependencies.
> NEW:
>   For this, the audit
>   element is likely to have to maintain state for at least a sample of active ConEx-enabled flows.
> REASONING:
> This section is meant to suggest, not mandate, a design.
> There is no reason to mandate that flows have to be audited independently - so sentence removed.
> 
> DELETE this last para:
>   The CDO MUST only be used alongside protocols that provide a way to
>   audit loss in the network.  Any protocol specification that uses the
>   CDO MUST define how an audit device can detect loss on the forward
>   path (e.g. sequence number monitoring) and the means for protecting
>   against likely attacks on such mechanisms.
> REASONING:
> conex-abstract-mech already sets all the requirements on other docs that address this point.
> In particular, the above para contradicts the point in conex-abstract-mech that even if the fields of a transport protocol that reveal losses are invisible to an audit function, there are still reasonable scenarios where audit will work (the "Predominant bottleneck loss auditing" case).
> 
> </POINTLESS TEXT>
> 
> 
> 
> Bob
> 
> On 16/12/15 14:08, Kathleen Moriarty wrote:
>> Hi Suresh,
>> 
>> On Mon, Dec 14, 2015 at 11:27 PM, Suresh Krishnan
>> <suresh.krishnan@ericsson.com> wrote:
>>> Hi Kathleen,
>>>    I added the text to address the DISCUSSes from you and Stephen. But Mirja
>>> and Bob were in the process of reworking text concerning audit and that might
>>> lead to some changes to this text. That is why the text has been removed. I
>>> am waiting for the new text from Bob/Mirja to send the draft further.
>> My leave may start sooner than planned, so if it is possible to get
>> this wrapped up today, that would be great.  I don't want this to get
>> held up while I am on leave and am not sure when that will start,
>> sometime int he next 1-2 weeks.
>> 
>> Thanks!
>> Kathleen
>> 
>>> Thanks
>>> Suresh
>>> 
>>> On 12/14/2015 09:56 PM, Kathleen Moriarty wrote:
>>>> I see the diff has the text added then removed on confidentiality, but
>>>> don't see why it was removed.  I'd like to see if we can wrap this up,
>>>>   Can you explain why the change that was requested was removed?
>>>> 
>>>> Thanks,
>>>> Kathleen
>>>> 
>>>> On Thu, Oct 1, 2015 at 10:43 AM, Bob Briscoe <research@bobbriscoe.net> wrote:
>>>>> Suresh, Kathleen,
>>>>> 
>>>>> (I'm jumping in because I contributed this IPsec section originally)
>>>>> 
>>>>> I think the new sentence about encryption is confusing. It talks about
>>>>> authentication of ConEx information, then it says "similarly confidentiality
>>>>> of transmitted information might be desired". It needs to be clearer that
>>>>> "transmitted information" means the rest of the packet, not the ConEx
>>>>> information. Suggested improvements inline...
>>>>> 
>>>>> 
>>>>> On 01/10/15 02:41, Suresh Krishnan wrote:
>>>>>> Hi Kathleen,
>>>>>>      Thanks a lot for your comments. Please find responses inline.
>>>>>> 
>>>>>> 
>>>>>> On 09/30/2015 03:22 PM, Kathleen Moriarty wrote:
>>>>>>> Kathleen Moriarty has entered the following ballot position for
>>>>>>> draft-ietf-conex-destopt-09: Discuss
>>>>>>> 
>>>>>>> When responding, please keep the subject line intact and reply to all
>>>>>>> email addresses included in the To and CC lines. (Feel free to cut this
>>>>>>> introductory paragraph, however.)
>>>>>>> 
>>>>>>> 
>>>>>>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>>>>>>> for more information about IESG DISCUSS and COMMENT positions.
>>>>>>> 
>>>>>>> 
>>>>>>> The document, along with other ballot positions, can be found here:
>>>>>>> https://datatracker.ietf.org/doc/draft-ietf-conex-destopt/
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> ----------------------------------------------------------------------
>>>>>>> DISCUSS:
>>>>>>> ----------------------------------------------------------------------
>>>>>>> 
>>>>>>> I think this should be easy to address, but wanted to discuss options for
>>>>>>> the text in section 7.  Since there is text that says IPsec
>>>>>>> Authentication should be used when integrity protection and the section
>>>>>>> goes on to also discuss encryption, shouldn't there be a similar
>>>>>>> statement that says IPsec encryption should be used when there is a need
>>>>>>> to protect confidentiality?
>>>>>> Yes. We were worried more about the authentication because tampering of
>>>>>> the packet to scrub the markings would cause audit devices to penalize
>>>>>> the connection. Encryption on the other hand would be counterproductive
>>>>>> as the intermediate nodes would be unable to observe the markings.
>>>>>> 
>>>>>>> Also, in reading this, I think because of the selected wording, I was
>>>>>>> thinking that it wasn't clear enough on the need/recommendation for
>>>>>>> authentication or encryption with IPsec since there are options for both
>>>>>>> to be set to NULL/none.  You can have a NULL cipher-suite and you can
>>>>>>> also have authentication set to none to allow for opportunistic security
>>>>>>> negotiations (fairly new RFC for the latter).  There's no need to mention
>>>>>>> these options explicitly, but rather to make it clear that IPsec can be
>>>>>>> used to provide authentication and encryption.  So I think one additional
>>>>>>> sentence and some possible rewording in this section would be helpful.
>>>>>> I have added a new sentence about encryption and reworded some of the
>>>>>> text to clarify. Does this text change work for you?
>>>>>> 
>>>>>> OLD:
>>>>>> 
>>>>>> If the transport network cannot be trusted, IPsec Authentication
>>>>>> should be used to ensure integrity of the ConEx information.  If an
>>>>>> attacker would be able to remove the ConEx marks, this could cause an
>>>>>> audit device to penalize the respective connection, while the sender
>>>>>> cannot easily detect that ConEx information is missing.
>>>>>> 
>>>>>> In IPv6 a Destination Option header can be placed in two possible
>>>>>> position in the order of possible headers, either before the Routing
>>>>>> header or after the Encapsulating Security Payload (ESP) header
>>>>>> [RFC2460].  As the CDO is placed in the destination option header
>>>>>> before the AH and/or ESP, it is not encrypted in transport mode
>>>>>> [RFC4301].  Otherwise, if the CDO were placed in the latter position
>>>>>> and an ESP header were used, the CDO would also be encrypted and
>>>>>> could not be interpreted by ConEx-aware devices.
>>>>>> 
>>>>>> NEW:
>>>>>> 
>>>>>> If the transport network cannot be trusted, the IPsec Authentication
>>>>>> Header (AH) [RFC4302] should be used to ensure integrity of the ConEx
>>>>>> information.
>>>>> I suggest this is stated the other way round:
>>>>> 
>>>>> If the transport network cannot be trusted, to ensure integrity of the ConEx
>>>>> information the IPsec Authentication Header (AH) [RFC4302] should be used.
>>>>> 
>>>>> 
>>>>>> If an attacker would be able to remove the ConEx marks,
>>>>>> this could cause an audit device to penalize the respective connection,
>>>>>> while the sender cannot easily detect that ConEx information is missing.
>>>>> 
>>>>>> Similarly, if confidentiality of the transmitted information is desired,
>>>>>> the IPsec Encapsulating Security Payload (ESP) [RFC4303] should be used.
>>>>> Suggest replace above sentence with:
>>>>> 
>>>>> If confidentiality of the transmitted packet is desired,
>>>>> the IPsec Encapsulating Security Payload (ESP) [RFC4303] can be used,
>>>>> However, the CDO header is intended to be visible to
>>>>> devices along the path, therefore it will need to be located so that it is
>>>>> not
>>>>> encrypted as well.
>>>>> 
>>>>> 
>>>>> 
>>>>>> Inside an IPv6 packet, a Destination Option header can be placed in two
>>>>>> possible positions, either before the Routing header or after the ESP/AH
>>>>>> headers as described in Section 4.1 of [RFC2460].  When the CDO is
>>>>>> placed in the destination option header before the AH and/or ESP, it is
>>>>>> not encrypted in transport mode [RFC4301].  Otherwise, if the CDO were
>>>>>> placed in the latter position and an ESP header was used with
>>>>>> encryption, the CDO cannot be viewed and interpreted by ConEx-aware
>>>>>> intermediate nodes effectively rendering it useless.
>>>>>> 
>>>>>>> ----------------------------------------------------------------------
>>>>>>> COMMENT:
>>>>>>> ----------------------------------------------------------------------
>>>>>>> 
>>>>>>> For the Security Considerations section, I'd just ask that you add in
>>>>>>> "IPsec" when AH and ESP are first mentioned so this is clear.
>>>>>> Does the above wording change work to resolve this as well?
>>>>>> 
>>>>>> Cheers
>>>>>> Suresh
>>>>>> 
>>>>>> 
>>>>>> _______________________________________________
>>>>>> conex mailing list
>>>>>> conex@ietf.org
>>>>>> https://www.ietf.org/mailman/listinfo/conex
>>>>> 
>>>>> --
>>>>> ________________________________________________________________
>>>>> Bob Briscoe                               http://bobbriscoe.net/
>>>>> 
>>>> 
>>>> 
>> 
>> 
>> 
>> -- 
>> ________________________________________________________________
>> Bob Briscoe                               http://bobbriscoe.net/