Re: [Detnet] Magnus Westerlund's Discuss on draft-ietf-detnet-mpls-12: (with DISCUSS)
Benjamin Kaduk <kaduk@mit.edu> Sat, 12 September 2020 02:44 UTC
Date: Fri, 11 Sep 2020 19:44:23 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Stewart Bryant <stewart.bryant@gmail.com>
Cc: Magnus Westerlund <magnus.westerlund@ericsson.com>, draft-ietf-detnet-mpls@ietf.org, The IESG <iesg@ietf.org>, DetNet Chairs <detnet-chairs@ietf.org>, Ethan Grossman <eagros@dolby.com>, DetNet WG <detnet@ietf.org>
Message-ID: <20200912024423.GY89563@kduck.mit.edu>
References: <159974422465.29824.16341844595557587838@ietfa.amsl.com> <064BD15C-3668-4F93-81CE-816021E1588C@gmail.com>
In-Reply-To: <064BD15C-3668-4F93-81CE-816021E1588C@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/59zuQZXO8iMQEF3qMvOxEopHh8o>
Hi Stewart, Magnus,

On Thu, Sep 10, 2020 at 02:37:41PM +0100, Stewart Bryant wrote:
>
>
> > On 10 Sep 2020, at 14:23, Magnus Westerlund via Datatracker <noreply@ietf.org> wrote:
> >
> > D. Denial of service risk with attacker modifying sequence number or performing
> > packet injection between ingress and egress.
> >
> > Based on what is written in C I would also note that there exists a serious
> > Denial of Service attack on the DetNet flow.
> >
> > If the attacker is capable of either periodically modifying the sequence number of
> > an MPLS packet for a particular S-label or injecting an MPLS packet into the system
> > that will traverse to the S-Label's PEF or POF at egress with a crafted sequence
> > number, then in either of these cases the attacker can advance the acceptance window
> > periodically so that the actual traffic falls into the range that is discarded
> > by the PEF and POF, thus cheaply accomplishing a total denial of service.
> >
> > I think this risk due to the PEF and POF should be made explicit in the
> > security considerations. Mitigations need to be in place to prevent packet
> > modification or injection inside the MPLS network. Some of these appear to be
> > already discussed.
>
> Where the s/n is provided outside the MPLS domain, the security issues are by definition outside the scope of this text.
>
> Once inside the MPLS domain the normal MPLS security rules and constraints apply. An attacker inside the MPLS domain can do many things to harm the network, of which this is just one. MPLS operators know that they need to secure their network dataplanes and control planes, but they also know that no packet gets to enter their network without their explicit permission.
>
> There is the potential for similar threats to pseudowires (interference with in-flight packets), but no such issue has ever been reported to the PWE3/PALS WGs.
>
> So I think that this is at best one of many theoretical attacks that could occur, but is unlikely to ever materialise in a practical network.

I agree -- an attacker that could inject a sequence number would have to be able to control the contents of one or more labels, which would cause much bigger problems than DoS by trashing the sequence-number window.  It's pretty inherent in how MPLS works that everything is tightly orchestrated and locked-down at the boundary, so this seems basically theoretical.

-Ben
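As an added illustration (not code from the thread, nor the PEF/POF algorithm of draft-ietf-detnet-mpls), a simplified sliding-window model of a PEF-style eliminator showing why an out-of-band sequence number that advances the acceptance window is the concern Magnus raises, and what an operator's elimination counters would show. The window size, non-wrapping sequence numbers and the injection schedule are assumptions.

```python
# Added illustration; a generic sliding-window eliminator, not the draft's PEF.
# Assumptions: non-wrapping integer sequence numbers, fixed window size,
# legitimate traffic arrives strictly in order.


class AcceptanceWindow:
    """Accept seq in (highest - size, highest]; eliminate older or duplicate seq."""

    def __init__(self, size=64):
        self.size = size
        self.highest = -1          # highest sequence number accepted so far
        self.seen = set()          # delivered seq numbers still inside the window
        self.delivered = 0
        self.eliminated = 0

    def receive(self, seq):
        """Return True if the packet is delivered, False if eliminated."""
        if seq > self.highest:     # newer than anything seen: window slides forward
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.size}
        elif seq <= self.highest - self.size or seq in self.seen:
            self.eliminated += 1   # too old for the window, or a duplicate
            return False
        self.seen.add(seq)
        self.delivered += 1
        return True


def simulate(n_packets=300, window=64, inject_every=None, offset=1000):
    """Constructed in-order stream seq 0..n_packets-1 through one window.
    If inject_every is set, a constructed crafted packet with seq = current + offset
    arrives before every inject_every-th legitimate packet.
    Returns (legit_delivered, legit_eliminated, crafted_accepted)."""
    pef = AcceptanceWindow(window)
    legit_ok = legit_dropped = crafted_ok = 0
    for seq in range(n_packets):
        if inject_every and seq > 0 and seq % inject_every == 0:
            # out-of-band sequence number: the window jumps ahead of the real flow
            crafted_ok += pef.receive(seq + offset)
        if pef.receive(seq):
            legit_ok += 1
        else:
            legit_dropped += 1
    return legit_ok, legit_dropped, crafted_ok


if __name__ == "__main__":
    print("undisturbed:      ", simulate())
    print("offset >> window: ", simulate(inject_every=100, offset=1000))
    print("offset ~ window:  ", simulate(inject_every=100, offset=100))
```

A rising elimination count on a flow with no path change is the observable an operator's PEF/POF counters give for this scenario; the mitigation the thread names is keeping packet modification and injection out of the MPLS domain in the first place.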