Re: [Detnet] Magnus Westerlund's Discuss on draft-ietf-detnet-mpls-12: (with DISCUSS)

Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 14 September 2020 06:33 UTC

From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "stewart.bryant@gmail.com" <stewart.bryant@gmail.com>, "kaduk@mit.edu" <kaduk@mit.edu>
CC: "detnet@ietf.org" <detnet@ietf.org>, "eagros@dolby.com" <eagros@dolby.com>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-detnet-mpls@ietf.org" <draft-ietf-detnet-mpls@ietf.org>, "detnet-chairs@ietf.org" <detnet-chairs@ietf.org>
Date: Mon, 14 Sep 2020 06:33:34 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/jTjSYlPpw4lSk6zlRHR6cB8uAqU>

Hi,

On Fri, 2020-09-11 at 19:44 -0700, Benjamin Kaduk wrote:
> Hi Stewart, Magnus,
> 
> On Thu, Sep 10, 2020 at 02:37:41PM +0100, Stewart Bryant wrote:
> > 
> > 
> > > On 10 Sep 2020, at 14:23, Magnus Westerlund via Datatracker <
> > > noreply@ietf.org> wrote:
> > > 
> > > D. Denial of service risk with attacker modifying sequence number or
> > > performing packet injection between ingress and egress.
> > > 
> > > Based on what is written in C I would also note that there exists a serious
> > > Denial of Service attack on the DetNet flow.
> > > 
> > > If the attacker is capable of either periodically modifying the sequence
> > > number of an MPLS packet for a particular S-label or injecting an MPLS
> > > packet into the system that will traverse to the S-Label's PEF or POF at
> > > egress with a crafted sequence number. In either of these cases the
> > > attacker can advance the acceptance window periodically so that the actual
> > > traffic falls into the range that is discarded by the PEF and POF. Thus,
> > > cheaply accomplishing a total denial of service.
> > > 
> > > I think this risk due to the PEF and POF should be made explicit in the
> > > security considerations. Mitigations need to be in place to prevent
> > > packet modification or injection inside the MPLS network. Some of these
> > > appear to be already discussed.
> > 
> > Where the s/n is provided outside the MPLS domain, the security issues are
> > by definition outside the scope of this text.
> > 
> > Once inside the MPLS domain the normal MPLS security rules and constraints
> > apply. An attacker inside the MPLS domain can do many things to harm the
> > network, of which this is just one. MPLS operators know that they need to
> > secure their network dataplanes and control planes, but they also know
> > that no packet gets to enter their network without their explicit
> > permission.
> > 
> > There is the potential for similar threats to pseudo wires, (interference
> > with in flight packets) but no such issue has ever been reported to the
> > PWE3/PALS WGs.
> > 
> > So I think that this is at best one of many theoretical attacks that could
> > occur, but is unlikely to ever materialise in a practical network.
> 
> I agree -- an attacker that could inject a sequence number would have to be
> able to control the contents of one or more labels, which would cause much
> bigger problems than DoS by trashing the sequence-number window.  It's
> pretty inherent in how MPLS works that everything is tightly orchestrated
> and locked-down at the boundary, so this seems basically theoretical.
> 

Okay, so your view is that this is so theoretical that it doesn't even need to
be mentioned?

Cheers

Magnus Westerlund 


----------------------------------------------------------------------
Networks, Ericsson Research
----------------------------------------------------------------------
Ericsson AB                 | Phone  +46 10 7148287
Torshamnsgatan 23           | Mobile +46 73 0949079
SE-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------
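A small model of the window behaviour discussed in the thread, added here as an illustration and not taken from the draft or from any poster: the PEF keeps a sliding acceptance window behind the highest sequence number it has forwarded, so a single packet carrying a far-ahead number moves the window past the legitimate traffic, which then counts as stale. The window size, the highest-seen model without sequence-number wrap, the constructed packet scenario and the alarm threshold on the stale-drop counter are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

WINDOW = 16  # assumed acceptance window, in sequence numbers


@dataclass
class PEF:
    """Toy packet elimination function keyed on a DetNet sequence number."""
    window: int = WINDOW
    highest: int = -1              # highest sequence number forwarded so far
    seen: set = field(default_factory=set)
    accepted: int = 0
    dropped_stale: int = 0         # below the window: treated as late/replayed
    dropped_dup: int = 0           # already forwarded from another member flow

    def receive(self, seq: int) -> bool:
        """Return True if the packet is forwarded, False if eliminated."""
        if seq <= self.highest - self.window:
            self.dropped_stale += 1
            return False
        if seq in self.seen:
            self.dropped_dup += 1
            return False
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq     # the window slides forward on any new high
            self.seen = {s for s in self.seen if s > seq - self.window}
        self.accepted += 1
        return True


def run_flow(n: int = 40, crafted_seq: int | None = None, at: int = 10) -> PEF:
    """Feed n in-order legitimate packets (seq 0..n-1) through a PEF.

    If crafted_seq is given, one packet with that sequence number is delivered
    just before legitimate packet `at` (constructed scenario, assumption).
    """
    pef = PEF()
    for seq in range(n):
        if crafted_seq is not None and seq == at:
            pef.receive(crafted_seq)
        pef.receive(seq)
    return pef


def stale_drop_ratio(pef: PEF) -> float:
    """Share of packets eliminated as stale; a healthy flow drops almost none,
    so a sudden rise in this counter is what an operator would alarm on."""
    total = pef.accepted + pef.dropped_stale + pef.dropped_dup
    return pef.dropped_stale / total if total else 0.0


def window_abuse_suspected(pef: PEF, threshold: float = 0.05) -> bool:
    return stale_drop_ratio(pef) > threshold
```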