Re: [Detnet] Magnus Westerlund's Discuss on draft-ietf-detnet-mpls-12: (with DISCUSS)

Stewart Bryant <stewart.bryant@gmail.com> Thu, 10 September 2020 13:38 UTC

From: Stewart Bryant <stewart.bryant@gmail.com>
Message-Id: <064BD15C-3668-4F93-81CE-816021E1588C@gmail.com>
Date: Thu, 10 Sep 2020 14:37:41 +0100
In-Reply-To: <159974422465.29824.16341844595557587838@ietfa.amsl.com>
Cc: Stewart Bryant <stewart.bryant@gmail.com>, The IESG <iesg@ietf.org>, draft-ietf-detnet-mpls@ietf.org, DetNet Chairs <detnet-chairs@ietf.org>, DetNet WG <detnet@ietf.org>, Ethan Grossman <eagros@dolby.com>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>
References: <159974422465.29824.16341844595557587838@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/detnet/oezwvHAcHXLvng1VY6QOPvC6gwo>
Subject: Re: [Detnet] Magnus Westerlund's Discuss on draft-ietf-detnet-mpls-12: (with DISCUSS)


> On 10 Sep 2020, at 14:23, Magnus Westerlund via Datatracker <noreply@ietf.org> wrote:
> 
> D. Denial of service risk with attacker modifying sequence number or performing
> packet injection between ingress and egress.
> 
> Based on what is written in C I would also note that there exists a serious
> Denial of Service attack on the Detnet flow.
> 
> If the attacker is capable of either periodically modifying the sequence number of
> an MPLS packet for a particular S-label or injecting an MPLS packet into the system
> that will traverse to the S-Label's PEF or POF at egress with a crafted sequence
> number, then in either of these cases the attacker can advance the acceptance window
> periodically so that the actual traffic falls into the range that is discarded
> by the PEF and POF, thus cheaply accomplishing a total denial of service.
> 
> I think this risk due to the PEF and POF should be made explicit in the
> security considerations. Mitigations need to be in place to prevent packet
> modification or injection inside the MPLS network. Some of these appear to be
> already discussed.

Where the s/n is provided outside the MPLS domain, the security issues are by definition outside the scope of this text.

Once inside the MPLS domain the normal MPLS security rules and constraints apply. An attacker inside the MPLS domain can do many things to harm the network, of which this is just one. MPLS operators know that they need to secure their network data planes and control planes, but they also know that no packet gets to enter their network without their explicit permission.

There is the potential for similar threats to pseudowires (interference with in-flight packets), but no such issue has ever been reported to the PWE3/PALS WGs.

So I think that this is at best one of many theoretical attacks that could occur, but is unlikely to ever materialise in a practical network.

- Stewart
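As an added illustration (not part of this thread, the draft, or any DetNet implementation), the following Python models a simplified PEF acceptance window and shows why the sequence-number point in the quoted DISCUSS matters at the egress: one packet carrying a far-ahead sequence number moves the window so that the real flow is classed as stale, while a bound on how far a single packet may advance the window turns the same event into a counted anomaly the operator can alert on. The 16-bit sequence space, the window size and the `max_jump` guard are assumptions of this model, not the draft's specification.

```python
# Added example, not from the draft or this thread: a simplified DetNet PEF
# acceptance window. Assumptions (not the draft's): 16-bit sequence space, a
# fixed history window behind the highest accepted number, and an optional
# bound (max_jump) on how far one packet may advance that window.

SEQ_BITS = 16
SEQ_MOD = 1 << SEQ_BITS

def seq_diff(a, b):
    """Signed modular distance a - b, in [-SEQ_MOD/2, SEQ_MOD/2)."""
    d = (a - b) % SEQ_MOD
    return d - SEQ_MOD if d >= SEQ_MOD // 2 else d

class PEF:
    def __init__(self, window=64, max_jump=None):
        self.window = window      # how far behind 'highest' a packet is still accepted
        self.max_jump = max_jump  # None: any forward jump moves the window (naive)
        self.highest = None
        self.seen = set()         # sequence numbers already delivered inside the window
        self.stats = {"accepted": 0, "duplicate": 0, "stale": 0, "anomalous": 0}

    def _accept(self, seq):
        self.seen.add(seq)
        self.stats["accepted"] += 1
        return "accepted"

    def receive(self, seq):
        if self.highest is None:
            self.highest = seq
            return self._accept(seq)
        d = seq_diff(seq, self.highest)
        if d > 0:
            if self.max_jump is not None and d > self.max_jump:
                # Guard: an implausible jump is counted for alerting, not honoured.
                self.stats["anomalous"] += 1
                return "anomalous"
            self.highest = seq
            self.seen = {s for s in self.seen if seq_diff(seq, s) < self.window}
            return self._accept(seq)
        if -d >= self.window:
            self.stats["stale"] += 1   # behind the window: dropped
            return "stale"
        if seq in self.seen:
            self.stats["duplicate"] += 1
            return "duplicate"
        return self._accept(seq)

def run_stream(pef, seqs):
    # Feed a constructed sequence-number stream through a PEF, return its verdicts.
    return [pef.receive(s) for s in seqs]
```

With a constructed stream of sequence numbers 1..10, a single out-of-range value, then 11..20, the naive instance drops all of 11..20 as stale, whereas the guarded instance flags the single value as anomalous and delivers the flow intact.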