Re: [Detnet] Magnus Westerlund's Discuss on draft-ietf-detnet-mpls-12: (with DISCUSS)

Stewart Bryant <stewart.bryant@gmail.com> Mon, 14 September 2020 14:03 UTC

From: Stewart Bryant <stewart.bryant@gmail.com>
In-Reply-To: <d41559b152d4e4c40b491cd6d98512996f38e5c6.camel@ericsson.com>
Date: Mon, 14 Sep 2020 15:03:06 +0100
Cc: Stewart Bryant <stewart.bryant@gmail.com>, "kaduk@mit.edu" <kaduk@mit.edu>, "detnet@ietf.org" <detnet@ietf.org>, "eagros@dolby.com" <eagros@dolby.com>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-detnet-mpls@ietf.org" <draft-ietf-detnet-mpls@ietf.org>, "detnet-chairs@ietf.org" <detnet-chairs@ietf.org>
Message-Id: <955C0BBE-F326-4FF8-BB07-81492E8F645E@gmail.com>
References: <159974422465.29824.16341844595557587838@ietfa.amsl.com> <064BD15C-3668-4F93-81CE-816021E1588C@gmail.com> <20200912024423.GY89563@kduck.mit.edu> <d41559b152d4e4c40b491cd6d98512996f38e5c6.camel@ericsson.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/PAtrZ8NdBRFQhYYxCZOtIWVlwWg>
Subject: Re: [Detnet] Magnus Westerlund's Discuss on draft-ietf-detnet-mpls-12: (with DISCUSS)


> On 14 Sep 2020, at 07:33, Magnus Westerlund <magnus.westerlund@ericsson.com> wrote:
> 
> Hi,
> 
> On Fri, 2020-09-11 at 19:44 -0700, Benjamin Kaduk wrote:
>> Hi Stewart, Magnus,
>> 
>> On Thu, Sep 10, 2020 at 02:37:41PM +0100, Stewart Bryant wrote:
>>> 
>>> 
>>>> On 10 Sep 2020, at 14:23, Magnus Westerlund via Datatracker <
>>>> noreply@ietf.org> wrote:
>>>> 
>>>> D. Denial of service risk with attacker modifying sequence number or
>>>> performing packet injection between ingress and egress.
>>>> 
>>>> Based on what is written in C I would also note that there exists a
>>>> serious Denial of Service attack on the Detnet flow.
>>>> 
>>>> If the attacker is capable of either periodically modifying the
>>>> sequence number of an MPLS packet for a particular S-label, or
>>>> injecting an MPLS packet into the system that will traverse to the
>>>> S-Label's PEF or POF at egress with a crafted sequence number, then in
>>>> either of these cases the attacker can advance the acceptance window
>>>> periodically so that the actual traffic falls into the range that is
>>>> discarded by the PEF and POF, thus cheaply accomplishing a total
>>>> denial of service.
>>>> 
>>>> I think this risk due to the PEF and POF should be made explicit in the
>>>> security considerations. Mitigations need to be in place to prevent
>>>> packet modification or injection inside the MPLS network. Some of these
>>>> appear to be already discussed.
>>> 
>>> Where the s/n is provided outside the MPLS domain, the security issues are
>>> by definition outside the scope of this text.
>>> 
>>> Once inside the MPLS domain the normal MPLS security rules and constraints
>>> apply. An attacker inside the MPLS domain can do many things to harm the
>>> network, of which this is just one. MPLS operators know that they need to
>>> secure their network dataplanes and control planes, but they also know
>>> that no packet gets to enter their network without their explicit
>>> permission.
>>> 
>>> There is the potential for similar threats to pseudo wires, (interference
>>> with in flight packets) but no such issue has ever been reported to the
>>> PWE3/PALS WGs.
>>> 
>>> So I think that this is at best one of many theoretical attacks that could
>>> occur, but is unlikely to ever materialise in a practical network.
>> 
>> I agree -- an attacker that could inject a sequence number would have to be
>> able to control the contents of one or more labels, which would cause much
>> bigger problems than DoS by trashing the sequence-number window.  It's
>> pretty inherent in how MPLS works that everything is tightly orchestrated
>> and locked-down at the boundary, so this seems basically theoretical.
>> 
> 
> Okay, so your view is that this is so theoretical that it doesn't even need
> to be mentioned?
> 
> Cheers
> 
> Magnus Westerlund 
> 


I think the standard precautions used to protect an MPLS network would prevent this attack, and so it serves no purpose to highlight the issue in the RFC.

Stewart
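The window-advance effect Magnus describes above, shown as an added example that is not part of the thread or of the draft: a constructed, simplified model of a sequence-number acceptance window of the kind a PEF keeps, with one out-of-range sequence number inserted into an otherwise clean flow. The window size, the `max_jump` bound and the alert threshold are assumptions made here for illustration, not values from draft-ietf-detnet-mpls, and the bounded-jump rule is one illustrative mitigation rather than anything the draft specifies. The point of the model is the operator's side of the question: what a single bad sequence number does to subsequent legitimate packets, and which counter a defender would watch to notice it.

```python
"""Simplified model of a sequence-number acceptance window (constructed
example; not the DetNet draft's algorithm or any implementation's code).

The window accepts a packet if its sequence number has not been seen and
is not older than (head - size). A sequence number above the head moves
the head forward, which is exactly what a crafted packet exploits: after
one large advance, the genuine in-order traffic falls below the window
and is discarded as stale.
"""

from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class EliminationWindow:
    size: int = 64                      # assumed window size
    max_jump: Optional[int] = None      # assumed mitigation: cap on a single advance
    head: int = -1
    seen: Set[int] = field(default_factory=set)
    accepted: int = 0
    dropped_dup: int = 0
    dropped_old: int = 0
    dropped_jump: int = 0

    def process(self, seq: int) -> bool:
        """Return True if the packet is forwarded, False if eliminated."""
        if seq in self.seen:
            self.dropped_dup += 1
            return False
        if seq > self.head:
            if (self.max_jump is not None and self.head >= 0
                    and seq - self.head > self.max_jump):
                # Bounded-jump mitigation: refuse to let one packet drag the
                # window far ahead of the flow's established position.
                self.dropped_jump += 1
                return False
            self.head = seq
            low = self.head - self.size
            self.seen = {s for s in self.seen if s >= low}
        elif seq <= self.head - self.size:
            # Below the window: treated as a stale duplicate and dropped.
            self.dropped_old += 1
            return False
        self.seen.add(seq)
        self.accepted += 1
        return True


def out_of_window_alert(pef: EliminationWindow, threshold: int = 10) -> bool:
    """Detection signal (assumed threshold): a run of stale-packet discards
    on a flow that was previously clean is the counter an operator would
    monitor on the egress PE."""
    return pef.dropped_old >= threshold


def simulate(max_jump: Optional[int] = None):
    """Constructed flow: sequence numbers 0..199 in order, with one packet
    carrying sequence number 5000 inserted after the first 100.
    Returns (accepted, dropped_old, dropped_jump)."""
    pef = EliminationWindow(size=64, max_jump=max_jump)
    for seq in range(100):
        pef.process(seq)
    pef.process(5000)          # the single out-of-range sequence number
    for seq in range(100, 200):
        pef.process(seq)
    return pef.accepted, pef.dropped_old, pef.dropped_jump


if __name__ == "__main__":
    print("unbounded window:", simulate())          # (101, 100, 0)
    print("bounded jump 256:", simulate(max_jump=256))  # (200, 0, 1)
```

With an unbounded window the one inserted packet costs every later legitimate packet in the run, which is the "cheap" total denial of service in the quoted text; with the assumed jump bound it costs one dropped packet and leaves the flow intact. The bound is not free: a genuine gap larger than `max_jump` (for example after an upstream outage) would also be refused, so a real deployment would pair it with a resynchronisation rule, and the `dropped_old` counter, not the drop itself, is what makes the condition visible to the operator.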