[Dots] AD review of draft-ietf-dots-server-discovery-10
Benjamin Kaduk <kaduk@mit.edu> Fri, 18 September 2020 20:22 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0789B3A0AE6; Fri, 18 Sep 2020 13:22:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.92
X-Spam-Level:
X-Spam-Status: No, score=-1.92 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ceYio5Htk9Tl; Fri, 18 Sep 2020 13:22:20 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C2B423A0921; Fri, 18 Sep 2020 13:22:16 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 08IKMC51021501 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 18 Sep 2020 16:22:14 -0400
Date: Fri, 18 Sep 2020 13:22:11 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: draft-ietf-dots-server-discovery.all@ietf.org
Cc: dots@ietf.org
Message-ID: <20200918202211.GI89563@kduck.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/dFsE5Hz7zLa5b2HCt-LUrJFyX_U>
Subject: [Dots] AD review of draft-ietf-dots-server-discovery-10
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Sep 2020 20:22:22 -0000
Hi all, Despite the first half of the review basically being entirely nits, there are some substantive comments in there later on. (Would it be helpful if I tried harder to split the nits out into a separate section in the future?) Overall it's pretty straightforward, so no major issues left to address; sorry for taking so long to get through it. One thing that we should definitely fix before getting more eyes on this document is that both TBD1 and TBD2 are overloaded -- we use them to refer to the port assignments from the signal channel and call home protocol assignments, but also for the DHCPv6 option codes. Abstract The first paragraph seems to be generic about all of DOTS, not really very specific to discovery. I wonder if we want to just remove the first paragraph or perhaps swap the order, the latter of which might look like: % This document specifies mechanisms to configure Districuted Denial of % Service Open Threat Signaling (DOTS) clients with their DOTS servers. % The discovery procedure also covers the DOTS Signal Channel Call Home. % % Knowing the appropriate DOTS server for a given location can be useful % to engage mitigation actions even in cases where the DOTS client % cannot localize the attack, but only knows that some resources are % under attack and that help is needed. Section 1 appropriate mitigation actions are required. Indeed, because the lack of a common method to coordinate a real-time response among involved actors and network domains inhibits the effectiveness of DDoS attack mitigation, DOTS signal channel protocol [I-D.ietf-dots-signal-channel] is meant to carry requests for DDoS nit: missing "the" before "DOTS signal channel protocol". attack mitigation, thereby reducing the impact of an attack and leading to more efficient defensive actions in various deployment scenarios such as those discussed in [I-D.ietf-dots-use-cases]. nit: (also, this sentence is fairly long, though not necessarily problematic.) Moreover, DOTS clients can instruct a DOTS server to install filtering rules by means of the DOTS data channel protocol [I-D.ietf-dots-data-channel]. nit: maybe "named filtering rules", since that is an important aspect of how we interact with them. [I-D.ietf-dots-architecture] specifies that the DOTS client may be provided with a list of DOTS servers; each associated with one or nit: comma here, rather than semicolon. This document assumes that security credentials to authenticate DOTS server(s) are provisioned to a DOTS client using a variety of means such as (but not limited to) those discussed in [RFC8572] or nit: "using a variety of means" implies that all are used concurrently; do we really mean "any of" or "one of"? Section 2 The reader should be familiar with the terms defined in [I-D.ietf-dots-architecture], [RFC3958], and [I-D.ietf-dots-signal-call-home]. A bit surprising to not see RFCx 8782/8783 in there, too :) Section 3 o Many use cases discussed in [I-D.ietf-dots-use-cases] do involve a CPE device. Multiple CPEs, connected to distinct network nit(?): I think "Many of the use cases" reads better. providers may even be considered. It is intuitive to leverage on nits: comma after "providers"; s/on$// o Resolving a DOTS server domain name offered by an upstream transit provider provisioned to a DOTS client into IP address(es) require nit: s/require/requires/ o Some of the use cases may allow DOTS clients to have direct communications with upstream DOTS servers; that is no DOTS gateway nit: comma/semicolon usage; let's go for "DOTS servers, that is, no DOTS gateway" is involved. Leveraging on existing features that do not require nit: s/Leveraging on/Leveraging/ specific feature on the node embedding the DOTS client may ease nit: we use "features" and "feature" in this sentence, which makes it a little hard to understand what's going on. Are the initial "features" more of "protocol behaviors"? Section 4 A key point in the deployment of DOTS is the ability of network operators to be able to configure DOTS clients with the correct DOTS nit: "ability" and "to be able to" are redundant (I suggest s/to be able to/to/) All DOTS clients MUST support at least one of the three mechanisms below to determine a DOTS server list. All DOTS clients SHOULD implement all three, or as many as are practical for any specific device (e.g., a CPE will support the first two mechanisms, a host within a LAN will support the last two mechanisms, or an application server will support a local configuration. More samples are discussed in Section 3), of these ways to discover DOTS servers, in order to facilitate the deployment of DOTS in large scale environments: nit: the way the parenthetical is structured is a bit unusual, with a sentence break occurring within the parentheses (and leaving quite a gap for processing in the middle of the thought "implement all three of these ways"). It's probably okay to just make the "SHOULD implement all three" a single standalone sentence, and leave the clarification of when implementing all three is infeasible/unnecessary to a follow-up sentence. server. When only DOTS server's IP addresses are configured, a reference identifier must also be configured for authentication purposes. Forestalling my common questions; good work! * Automatic configuration (e.g., DHCP, an automation system): The DOTS client attempts to discover DOTS server(s) names and/ or addresses from DHCP, as described in Section 5. We may get questions about this one, since it is apparently equating DHCP with a (generic) "automation system". Perhaps we want to say that the DHCP mechanism is used in the absence of manual or automated explicit configuration? the relevant DOTS server is obtained directly. Implementation options may vary on a per device basis, as some devices may not have DNS capabilities and/or proper configuration. nit: maybe "proper DNS configuration" or "proper resolver configuration"? combination of interface and address family. A DOTS client may choose to perform the discovery procedure only for a desired interface/address combination if the client does not wish to discover nit: I think "interface/address-family combination". o Expiry of a lease associated with a discovered DOTS agent. Is this specifically a DHCP lease, or a more generic concept? Section 5 As reported in Section 1.7.2 of [RFC6125]: "few certification authorities issue server certificates based on IP addresses, but preliminary evidence indicates that such I think the quote is actually "[s]ome", not "few" -- please check! The list of the IP addresses returned by DHCP servers is typically used to fed the DOTS server selection procedure or to provide DOTS nit: s/fed/feed/ for the DOTS Call Home. The DOTS client (or Call Home DOTS server) will then use the address selection specified in Section 4.3 of nit: "address selection procedure" Let's consider that the DOTS server is reachable at 2001:db8:122:300::1 while the Call Home DOTS client is reachable at 2001:db8:122:300::2. The DHCP server will then return one DOTS reference identifier and a list that includes both 2001:db8:122:300::1 and 2001:db8:122:300::2 to a requesting DHCP client. That list is passed to the DOTS client (or Call Home DOTS server) which will try to establish connections to the addresses of that list and destination port number TBD1 (or TBD2). As a result, the DOTS client (or Call Home DOTS server) will select 2001:db8:122:300::1 (or 2001:db8:122:300::2) as a DOTS server (or Call Home DOTS client). I mostly expect pushback from TSV-area reviewers about giving the allocated port numbers such importance in selecting the peer address to use. Section 5.1.2 format of this option is shown in Figure 5. As a reminder, this format follows the guidelines for creating new DHCPv6 options (Section 5.1 of [RFC7227]). We need the reminder for the second option but not the first one? ;) Section 5.1.3 are used to reach the peer DOTS agent. In other words, the name conveyed in OPTION_V6_DOTS_RI MUST NOT be passed to underlying resolution library in the presence of OPTION_V6_DOTS_ADDRESS in a response. I'm not sure how much of this needs to end up in the document itself, but can we walk through the scenarios here, especially when the DNS-resolution addresses for the name in question differ from the addresses in OPTION_V6_DOTS_ADDRESS? I don't understand yet why/how this scheme ends up being safe, and am hoping that you have a head start over me on doing the analysis :) If the DHCP client receives OPTION_V6_DOTS_RI only, but OPTION_V6_DOTS_RI option contains more than one name, as nit: insert "the" at the start of the second line. If the DHCP client receives OPTION_V6_DOTS_RI only, but OPTION_V6_DOTS_RI option contains more than one name, as distinguished by the presence of multiple root labels, the DHCP client MUST use only the first name. Once the name is validated Is there a reason to make this "use the first one" vs. "ignore the whole thing as malformed? (Section 8 of [RFC8415]), the name is passed to a name resolution library. Moreover, that name is also used as a reference identifier for authentication purposes. Hmm, I'm not seeing much in Section 8 specifically of RFC 8415 that looks relevant here. Was perhaps a different document intended? Section 5.2.1 A reference to 2132 here would be timely, not least for understanding the figure. The values s1, s2, s3, etc. represent the domain name labels in the domain name encoding. super-nitty-nit: maybe "the octets of the domain name labels"? IIUC the RFC 2132 convention is to give such names to the individual bytes of the DHCP option, but this wording implies that we are naming labels, which are multi-byte (except for the root). Section 5.2.2 I wonder if anyone will complain that we are using a more "modern" structure for the figure, instead of keeping with the "traditional" DHCP option diagrams. Section 5.2.3 To discover a peer DOTS agent, the DHCPv4 client MUST include both OPTION_V4_DOTS_RI and OPTION_V4_DOTS_ADDRESS in a Parameter Request List Option [RFC2132]. Why is the v4 case a MUST but the v6 case was only MAY? If the DHCP client receives more than one instance of OPTION_V4_DOTS_RI (or OPTION_V4_DOTS_ADDRESS) option, it MUST use only the first instance of that option. I think the parenthetical needs to be dropped, since in the previous section we say that this is a concatenation-requiring option. If the DHCP client receives OPTION_V4_DOTS_RI only, but OPTION_V4_DOTS_RI option contains more than one name, as distinguished by the presence of multiple root labels, the DHCP client MUST use only the first name. Once the name is validated (Section 10 of [RFC8415]), the name is passed to a name resolution library. Moreover, that name is also used as a reference identifier for authentication purposes. [same comments about "use first" as for v4] I see that here we reference §10, rather than 8, of RFC 8415, though it still doesn't say much explicitly about a "validation procedure". The diff between §5.1.3 and 5.2.3 includes "(e.g., PKIX [RFRC6125])" only in 5.1.3; it seems like it would also apply here. The DHCP client MUST silently discard multicast and host loopback addresses conveyed in OPTION_V4_DOTS_ADDRESS. Can we put a reference for "multicast and host loopback" addresses as we did for the v6 case? Section 6 1. A DNS domain name is retrieved for each combination of interface and address family. A DOTS agent has to determine the domain in which it is located relying on dynamic means such as DHCP (Section 5) . [...] Hmm, this may be worth a closer look. If I understand correctly, if the procedures in Section 5 only give you a name, you're supposed to use DNS to get IP addresses to talk to, from that name. So is this procedure only applicable when the A/AAAA lookup fails? Otherwise I'm not sure how you would get only a name but not full contact information, from the section 5 procedure. Or, if the intent of "the name is passed to a name resolution library" in Section 5 is to induce the S-NAPTR lookups defined here, Section 5 should be more clear about that. Once the DOTS agent has retrieved its DNS domain or discovered the peer DOTS agent name that needs to be resolved (e.g., Section 5), an (The parenthetical seems redundant with step (1).) S-NAPTR lookup with 'DOTS' application service and the desired [...] This specification defines "DOTS" and "DOTS-CALL-HOME" as application service tags (Sections 9.4.1 and 9.4.2). It also defines We should probably mention "DOTS-CALL-HOME" in both places, or just say something generic like "the appropriate application service" in the first instance, instead of only saying 'DOTS' the first time. a.example.net. IN AAAA 2001:db8::1 I'm sure my INT-area colleagues will appreciate the IPv6 examples :) Section 8 Having a clearly defined priority order for using the different discovery mechanisms covers most of the potential security considerations inherently, but I think some text is in order about whether an attacker can block/modify traffic to force a "lower priority" mechanism to be used (but would not be able to modify the "higher priority" mechanism's results with the same capabilities). We may also want to reiterate that discovery results are scoped by interface and address family, and that bad things can happen if you use a result from one interface for traffic from a different interface. There are probably not particularly interesting privacy considerations of advertising/exposing DOTS server names in these various discovery mechanisms, but a brief section on privacy considerations is likely in order regardless. Section 8.2 The primary attack against the methods described in Section 6 is one that would lead to impersonation of a peer DOTS agent. An attacker could attempt to compromise the S-NAPTR resolution. The use of mutual authentication makes it difficult to redirect a DOTS client (or a Call Home DOTS server) to an illegitimate DOTS server (or a Call Home DOTS client). IIUC this property only holds if the domain name used for authenticating the peer (i.e., the input to the RFC 6125 procedures) is the one used as input to the procedure in Section 6, not the intermediate names produced during that procedure (e.g., "example.net" as input and "a.example.net" as intermediate, from Figure 10). I don't think we specify anywhere that this must be the case, so on the face of it it seems that in the absence of DNSSEC, an attacker spoofing DNS responses can redirect the client to an arbitrary name controlled by the attacker, for which the attacker has valid PKIX credentials. (We also allow SRV-IDs for validation, so the SRV names are also affected.) I also note that the analogous question for mail servers (whether they authenticate as example.net or a.example.net) is a recurring source of trouble, so our hand may be forced by deployment realities. Section 8.3 I was going to say that we should reference the RFC 6763 security considerations, too, but they are just saying the same things we already say. Section 12.2 I expect at least one AD to suggest that the architecture draft should be normative since we require it for terminology, but I don't insist on changing its classification at this time. (Likewise for Call Home.) -Ben
- [Dots] AD review of draft-ietf-dots-server-discov… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-server-di… Jon Shallow
- Re: [Dots] AD review of draft-ietf-dots-server-di… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-server-di… mohamed.boucadair
- Re: [Dots] AD review of draft-ietf-dots-server-di… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-server-di… Benjamin Kaduk
- Re: [Dots] AD review of draft-ietf-dots-server-di… mohamed.boucadair