IETF Logo Mail Archive

Re: [Detnet] Secdir last call review of draft-ietf-detnet-mpls-05

Stewart Bryant <stewart.bryant@gmail.com> Wed, 11 March 2020 15:30 UTC

Return-Path: <stewart.bryant@gmail.com>
X-Original-To: detnet@ietfa.amsl.com
Delivered-To: detnet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 233453A0942; Wed, 11 Mar 2020 08:30:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9-UXaBFWW-EK; Wed, 11 Mar 2020 08:30:03 -0700 (PDT)
Received: from mail-wr1-x42e.google.com (mail-wr1-x42e.google.com [IPv6:2a00:1450:4864:20::42e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 027303A09B2; Wed, 11 Mar 2020 08:29:59 -0700 (PDT)
Received: by mail-wr1-x42e.google.com with SMTP id p2so3189584wrw.7; Wed, 11 Mar 2020 08:29:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=iOj0onZgPXZm47Uu9KnHAkgVUvpE1kEM/6HFzh6/XRQ=; b=NnKv0g2frFKoFanc7PhVBkyr2XSaE5WPoxsHBwdssmqaJlhRkfa5dudkc8YCDrdJEG xoNDbexkTltj6BM9NsX1JJkz6k/disF03sWPp4UqRW4qNuLwDMbWfHj/mI4Zc2vp2wSg cTGfUPL7mHKYyuYwi84I29PQGlPYgRh0yzQi3Bai/VTyyM/umrMUBffpZLdPbFWtlxI6 hKmsG3+kQ4u2AlBolRU6SLwCM5opiCasde8bp6fFA4m6YpGXGX/HOpHm3bjxn/QkotFH XOzvDc4qNwAf9Ac5ifQ8Bp+iXhdZnCtH8Vb9lQZ3U2Qm8BOBMqNsCccZhDOnYzsSiKv9 9Gxg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=iOj0onZgPXZm47Uu9KnHAkgVUvpE1kEM/6HFzh6/XRQ=; b=kvTh++FTQqUl3KX2BF1H06315U+gEkpliL+iHlkVNb8xINZR+EpufGrLs6L2RfgonI T5ol1GK7Py1SlaAOxsrbHAEmyfsdPMzRq47ndrJxCeJvudz4BDjC4uBw/YGSFxiVRxaI ajWUSD7TiK83/4JLX/9OJ7jpaMEBL0Sm1o7quFk/wd0LNzrf+R5zj4gO/JTV6gpEbs8m rc41gca/7cb4N7NR9MbIugYbcufe6Lt+TXGMFVazLHVNo5noASOZ7KQuCajc5tfS1RST oqrN41NZnMoS3Vrk9Ou5XpSzwuXGXdzi3B2/egxY8cMLaB/DLwQkUVXJhjMKYcu7NoTV UO6A==
X-Gm-Message-State: ANhLgQ3KkHDpDo6kWIIZSZy/sGW+xwG0VuQl22TJJ1r81/5ZPAZmdS9x MYmDRkUrKtRs8SGpOYkr7GI=
X-Google-Smtp-Source: ADFU+vub8pZtZMD7SrBfSh5NSXYrWpbpyp/RfUZ2hzcHnKjCaYfqHBi+9KILMaIpTL2I1wgZUiZQLQ==
X-Received: by 2002:adf:e911:: with SMTP id f17mr4824324wrm.87.1583940598246; Wed, 11 Mar 2020 08:29:58 -0700 (PDT)
Received: from broadband.bt.com ([2a00:23a8:4140:0:58e6:6b0b:ad19:fc8b]) by smtp.gmail.com with ESMTPSA id e26sm7034021wmk.9.2020.03.11.08.29.56 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 11 Mar 2020 08:29:57 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.0 \(3608.60.0.2.5\))
From: Stewart Bryant <stewart.bryant@gmail.com>
In-Reply-To: <158389693039.16158.6977515080330200081@ietfa.amsl.com>
Date: Wed, 11 Mar 2020 15:29:55 +0000
Cc: Stewart Bryant <stewart.bryant@gmail.com>, secdir@ietf.org, DetNet WG <detnet@ietf.org>, draft-ietf-detnet-mpls.all@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <E15E2A3F-5EAA-4B86-B39A-14521AD762D5@gmail.com>
References: <158389693039.16158.6977515080330200081@ietfa.amsl.com>
To: Watson Ladd <watsonbladd@gmail.com>
X-Mailer: Apple Mail (2.3608.60.0.2.5)
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/XFOeFrSYU8apyAJzUVX6ix_kvi0>
Subject: Re: [Detnet] Secdir last call review of draft-ietf-detnet-mpls-05
X-BeenThere: detnet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions on Deterministic Networking BoF and Proposed WG <detnet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/detnet>, <mailto:detnet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/detnet/>
List-Post: <mailto:detnet@ietf.org>
List-Help: <mailto:detnet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/detnet>, <mailto:detnet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2020 15:30:05 -0000


> On 11 Mar 2020, at 03:22, Watson Ladd via Datatracker <noreply@ietf.org> wrote:
> 
> Reviewer: Watson Ladd
> Review result: Not Ready
> 
> This is the secdir review of draft-ietf-detnet-mpls-05. Authors should treat
> these as any other Last Call comments.
> 
> Apologies for the delays in completing this review.
> 
> I am concerned that this document (and the related work) introduces some
> substantial differences from existing Internet architecture, and that
> inadequate attention is paid to the consequent security implications.

I disagree with the proposition that this is a substantial change to the existing Internet architecture.

This MPLS DetNet design is, if anything, a development of pseudowires, a widely deployed technology that for many years was the standard method of carrying IP from the customer premise to the ISP. It is a close cousin to MPLS VPN which has been a stable of provider network deployments.

MPLS is designed to be run in a tightly controlled environment. This is something that all competent MPLS operators do as a matter of course, and I do not see this being much of an additional issue. The special  problem here is the need to police ingress traffic for dynamic issues. That is quite a significant body of work, and is being tackled in a separate document.

We can add a reference to general MPLS security, and to the security of pseudowires running over MPLS, but these are well known by anyone operating an MPLS network, and the clutter will distract the reader from the unique issues that apply to this design.

> Pointing
> to a separate, in progress draft I don't think is an adequate security
> consideration section.

Adding all the text from that draft would imbalance this draft, and referring to it is normally a better idea, particularly as the same text applies to a number of the DetNet drafts.

> That's particularly true when we're discussing the
> network providing functions like duplicate packet dropping that are potentially
> quite expensive and which attackers may exploit to consume large amounts of
> resources.

The expensive process of duplicate dropping is a cost of that aspect of the service. Obviously if your forwarder is incapable of offering that service you would not offer the service. Now we know that a lot of forwarder designs cannot do this, and to do so would require a rebalance of processing between the ingress and the egress interface, but that should not stop us designing such a system. It is simply a mark of progress that we upgrade the forwarding system to add new features.

Now if you are worried about an attacker injecting such packets, I would ask you to remember that no competent MPLS operator will allow any MPLS packets in their network that they have not put there themselves, or have accepted from a highly trusted peer. There is over 20 years of experience in securing MPLS networks. As far as I am aware there has never been an MPLS injection attack brought to the attention of the MPLS WG or the PALS (ne PWE3) WGs. I am not loosing any sleep over this type of attack. If the attack was a likely prospect we would be seeing it as an issue with VPNs and PWs and we see no such issue.


> Saying that one can mitigate DoS on the edge of a DetNet domain
> isn't enough: how do you mitigate the DoS, or detect it?

Again this is standard MPLS. Remember nothing gets into the network other than through a PE, and it is common for a PE to do rate detection and ensure that the attached external device does not exceed the agreed rate.  

> What if the edge is
> the problem? Are there resources that can be consumed in the center the edge
> doesn't know about?

This is no different from the MPLS traffic engineered network case with reserved bandwidth. This is widely understood in MPLS network designs. If you are concerned about faulty equipment, there are many worse things that could happen.

> 
> With confidentiality this draft mentions the possibility of link to link
> protection, ignoring the possibility of malicious nodes, and doesn't describe
> the way one actually uses that integration.

If you have a malicious node, then all bets are off anyway. There are many bad things a malicious node can do, of which this is the least interesting. We have for example known how to protect the routing system against malicious nodes since Radia wrote her thesis at MIT, but the industry does not yet have an interest in moving there. 

Our assumption is that the more likely point of attack is the link rather than the node (because it is much easier and we have an existence proof of that attack being common). It is well known to operators how to encrypt the link traffic and thus we do not add much value to this document by describing it.


> It's not clear to me what the
> security goals are, and saying a mechanism may be used, without indicating how
> doesn't make it remediation for a security problem.

In this specific case it is the prevention of snooping of traffic not secured by the application (many applications are legacy) such as the snooping that the NSA became famous for. 

> I can think of a few ways
> to abuse the one-packet only service to rewrite flows with great ease.

Please describe them in the contest of operation of this service and we will assess the eligibility and vulnerability. 

> 
> The Internet is composed of smart nodes at the edge and dumb forwarders in the
> middle.

This is **NOT** running over the general Internet. It is of necessity a well controlled network. This is an MPLS design and MPLS only operates in well controlled provider networks.

> DetNet is a very different design, with significant complexity and
> state in the network, and guarantees not maintained by end nodes.

Are you familiar with multi-segment pseudowires? This design is basically an MS-PW with the addition of the a very special type of multicast. In both cases there is a controlled amount of additional state. The state that we add here is well controlled.

As to guarantees, I would point you to the fundamental design philosophy of PWs, which was that we would operate as best we could, and if that was not good enough buy a (much more expensive) real wire. We designed some types of PW that were quite sensitive to loss and no one complained. It is the same here. If you need a greater guarantee than you get with this approach, spend more money and use a private physical network. However that discussion belongs  is in the scope of DetNet per se and this design inherits that scope. It should not be part of this text.

> This means
> that a lot that has been learned about Internet security doesn't apply, which
> raises a whole host of questions: what threat model is applied?

We are documenting that in other work, hence the references. However of all of the network types, MPLS is intrinsically one of the most secure.


> Is it
> realistic? Are the properties such as bounded latency and low jitter maintained
> even in the face of adversarial behavior?

That is why we have to police the behaviour at the edge, something that the MPLS community has a lot of existing experience with.

> While this may be appropriately
> handled at greater length in a separated draft, a tighter link to the
> mechanisms defined in this draft would be useful.

If you look at the work you will see that this would imbalance the draft and then we would have to duplicate it in the other data-plane drafts. Much better to discuss that in a single place and just call out the data-plane specific security issues in the data-plane drafts. That way the critical issues are documented in a way that the reader is less likely to lose in a sea of familiar text.

> 
> It's very likely these have been discussed in the detnet wg at length as
> evidenced by the security considerations, but I'd like to see the MPLS draft
> reflect some of that conversation more directly.

I would ask you to reflect on the discussion above. If you need any help understanding MPLS and Pseudowires (which are fundamentally assumed knowledge that anyone deploying this technology would have) I can provide you with some pointers to background reading. 

Best regards

Stewart

> 
>

v2.23.0 | Report a Bug | By Email