Re: [Detnet] Magnus Westerlund's Discuss on draft-ietf-detnet-mpls-12: (with DISCUSS)
Toerless Eckert <tte@cs.fau.de> Mon, 14 September 2020 15:38 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83CA23A0BCD; Mon, 14 Sep 2020 08:38:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.87
X-Spam-Level:
X-Spam-Status: No, score=-0.87 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UgDXvy9PqwLs; Mon, 14 Sep 2020 08:38:46 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D3223A0BD1; Mon, 14 Sep 2020 08:38:43 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [131.188.34.52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 6D9B0548624; Mon, 14 Sep 2020 17:38:38 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 65770440059; Mon, 14 Sep 2020 17:38:38 +0200 (CEST)
Date: Mon, 14 Sep 2020 17:38:38 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Stewart Bryant <stewart.bryant@gmail.com>, Magnus Westerlund <magnus.westerlund@ericsson.com>, draft-ietf-detnet-mpls@ietf.org, The IESG <iesg@ietf.org>, DetNet Chairs <detnet-chairs@ietf.org>, Ethan Grossman <eagros@dolby.com>, DetNet WG <detnet@ietf.org>
Message-ID: <20200914153838.GE45828@faui48f.informatik.uni-erlangen.de>
References: <159974422465.29824.16341844595557587838@ietfa.amsl.com> <064BD15C-3668-4F93-81CE-816021E1588C@gmail.com> <20200912024423.GY89563@kduck.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20200912024423.GY89563@kduck.mit.edu>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/N0_GV2OZkyOXFky3FGv_t8x71fk>
Subject: Re: [Detnet] Magnus Westerlund's Discuss on draft-ietf-detnet-mpls-12: (with DISCUSS)
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Sep 2020 15:38:49 -0000
A bit of hopefully fun rante:
There has been a lot of opinion politics around how easily an MPLS vs. e.g.: an IPv6
domain can be isolated. In the past, some MPLS proponents liked to produce FUD against
SRv6 by claiming that an SRv6 domain would never be as easily isolated than an MPLS domain
because it is so much easier for IPv6 packets to be crossing isolation boundaries.
In todays realities, where MPLS is equally supported in linux for VMs in data centers
as IPv6/SRv6 is, i think one should not assume a pragmatic difference, and the
easy hardware isolation we might have had in the past in MPLS domains when all routers
where physical boxes do IMHO not exist today anymore when everything is a hidgepodge of
VMs/containes/lamdas orchestrated by SDN provisioning systems so complex, nobody
understand anymore how they work.
yada yada:
PREOF is _the_ core contribution of DetNet IMHO, so it actually makes that contribution
stronger if its security aspects are well documented. Especially given how attacks
against a state-machinery like the one that has to buffer & reorder packets is something
that really as not existed in the type of nodes we hope to get DetNet into, so its
novel, good information for the developer / deployment community. Even if ultimately
the main learning point is probably more about building PREOF that is resilient
against unintentional malfunctions than malicious attacks.
Cheers
Toerless
On Fri, Sep 11, 2020 at 07:44:23PM -0700, Benjamin Kaduk wrote:
> Hi Stewart, Magnus,
>
> On Thu, Sep 10, 2020 at 02:37:41PM +0100, Stewart Bryant wrote:
> >
> >
> > > On 10 Sep 2020, at 14:23, Magnus Westerlund via Datatracker <noreply@ietf.org> wrote:
> > >
> > > D. Denial of service risk with attacker modifying sequence number or performing
> > > packet injection between ingress and egrees.
> > >
> > > Based on what is written in C I would also note that there exist a serious
> > > Denial of Service attack on the Detnet flow.
> > >
> > > If the attacker is capable of either periodically modify the sequence number of
> > > an MPLS packet for a particular S-label or inject a MPLS packet into the system
> > > that will traverse to the S-Labels PEF or POF at egress with a crafted sequence
> > > number. In either of these cases the attacker can advance the acceptance window
> > > periodically so that the actual traffic falls into the range that is discarded
> > > by the PEF and POF. Thus, cheaply accomplishing a total denial of service.
> > >
> > > I think this risk due to the PEF and POF should be made explicit in the
> > > security considerations. Mitigations needs to be in place to prevent packet
> > > modification or injection inside the MPLS network. Some of these appears to be
> > > already discussed.
> >
> > Where the s/n is provided outside the MPLS domain, the security issues are by definition outside the scope of this text.
> >
> > Once inside the MPLS domain the normal MPLS security rules and constrains apply. An attacker inside the MPLS domain can do many things to harm the network, of which this is just one. MPLS operators know that they need to secure their network dataplanes and control planes, but but they also know that no packet gets to enter their network without their explicit permission.
> >
> > There is the potential for similar threats to pseudo wires, (interference with in flight packets) but no such issue has ever been reported to the PWE3/PALS WGs.
> >
> > So I think that this is at best one of many theoretical attacks that could occur, but is unlikely to ever materialise in a practical network.
>
> I agree -- an attacker that could inject a sequence number would have to be
> able to control the contents of one or more labels, which would cause much
> bigger problems than DoS by trashing the sequence-number window. It's
> pretty inherent in how MPLS works that everything is tightly orchestrated
> and locked-down at the boundary, so this seems basically theoretical.
>
> -Ben
>
> _______________________________________________
> detnet mailing list
> detnet@ietf.org
> https://www.ietf.org/mailman/listinfo/detnet
--
---
tte@cs.fau.de
- [Detnet] Magnus Westerlund's Discuss on draft-iet… Magnus Westerlund via Datatracker
- Re: [Detnet] Magnus Westerlund's Discuss on draft… Stewart Bryant
- Re: [Detnet] Magnus Westerlund's Discuss on draft… Benjamin Kaduk
- Re: [Detnet] Magnus Westerlund's Discuss on draft… Magnus Westerlund
- Re: [Detnet] Magnus Westerlund's Discuss on draft… Stewart Bryant
- Re: [Detnet] Magnus Westerlund's Discuss on draft… Magnus Westerlund
- Re: [Detnet] Magnus Westerlund's Discuss on draft… Toerless Eckert