Re: [dtn] [EXTERNAL] Erik Kline's No Objection on draft-ietf-dtn-bpbis-29: (with COMMENT)
Magnus Westerlund <magnus.westerlund@ericsson.com> Tue, 08 December 2020 08:35 UTC
Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BAD543A0E26; Tue, 8 Dec 2020 00:35:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rhk1_ef0h-W0; Tue, 8 Dec 2020 00:35:08 -0800 (PST)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30058.outbound.protection.outlook.com [40.107.3.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C30B03A0E21; Tue, 8 Dec 2020 00:35:07 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=mfMXG19p679aZ9L3QhsdICk+oG9sj4xOLh6XbUq6D3nakbi0rmZpIGH8a7Y6+q2tjs+TYxarPUUFV/GynKX0mLMRjYwqbNnpCaPBnBMI1Geg3LWqkwg3jGON6U8m2yyqOxMx7PyI8WKMYyypRqCpctjhMcKwCqwNbJAGq461rM8AN40IPEZj15cvV4qGFUcY+eSUgGzsr8ktyuM6CAxz2R8zyfEs1W/4dRk4yt4T0FYT6hG0gF3pctHi5clbSbz+hyh6DZC9SZeeYLq0m6+8cYHrFMmeFydozlZqcDxki5lmbEuj9rkEfRJ5J78K9ntF5nPF0K1zumyE+0Z0dTpvPQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=28pzRkpNE0xWFGztt8FEr/yQ1T9uVYDxntGvnA+ecIE=; b=hHVTSrMKZhqTYm4S2pYn4cr12Iou0oa1bHSFA9vxl7YPrC5QSTTB6XBNNjrEPHVGLgnYVMys9OjIhtW4IPL3NDroeedtnhmOGdDXYCXKZ0UXSpvrLpDveNI8bqxcCT82xoxTlqAH030ctynYChx2QvLKfmXKq++lQB32Wbc/Si713FJTAnh8GTsPcLqdRucWMWh4NwCjzebr7IkSOtmSwa65LdeBOUjsdrIp0h78llvCtk0brlw2ghCL6NHW8Zp+uy4Mpx0uGmBK/z5Pm8ZyYU/V6Txtjl+qk1vVNW9zAkvHt4NxIKjYdZWGNoLrv0OqHNddBaIwoB76r1hr/VRu8w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=28pzRkpNE0xWFGztt8FEr/yQ1T9uVYDxntGvnA+ecIE=; b=omztYtLR+GaUqgIJyeKuxeqZHPhEeA3xxZ3kytL5U2lPSYD89yFfDnk9QiHa8X/rmK2nCjwmz5gndx2yS7x83xY9z6D8MIzBIYd2MJSQhbWFKrJ0E1wb1LVxPrefi3a926Qq0Goe32nYn72kW3z9DAjIjZVdUNanrLqIE3voCbE=
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com (2603:10a6:7:8e::14) by HE1PR07MB3100.eurprd07.prod.outlook.com (2603:10a6:7:31::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3654.12; Tue, 8 Dec 2020 08:35:00 +0000
Received: from HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::8cd:496:65de:4ace]) by HE1PR0702MB3772.eurprd07.prod.outlook.com ([fe80::8cd:496:65de:4ace%7]) with mapi id 15.20.3654.012; Tue, 8 Dec 2020 08:35:00 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: "ek.ietf@gmail.com" <ek.ietf@gmail.com>, "scott.c.burleigh=40jpl.nasa.gov@dmarc.ietf.org" <scott.c.burleigh=40jpl.nasa.gov@dmarc.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "scott.c.burleigh@jpl.nasa.gov" <scott.c.burleigh@jpl.nasa.gov>
CC: "draft-ietf-dtn-bpbis@ietf.org" <draft-ietf-dtn-bpbis@ietf.org>, "dtn-chairs@ietf.org" <dtn-chairs@ietf.org>, "dtn@ietf.org" <dtn@ietf.org>, "fred.l.templin@boeing.com" <fred.l.templin@boeing.com>
Thread-Topic: [EXTERNAL] Erik Kline's No Objection on draft-ietf-dtn-bpbis-29: (with COMMENT)
Thread-Index: AQHWyRSsnOGWiNoLc0q4kxgabPvecqnnfCkAgAPt64CAAFQOAIAADxqAgAA+0oCAANw9gA==
Date: Tue, 08 Dec 2020 08:35:00 +0000
Message-ID: <bd16efbb6b49e64a0ea6fcc0f6cb7c5f292b30a4.camel@ericsson.com>
References: <160695935797.23387.18267563908645411959@ietfa.amsl.com> <7de7d2c03d684a25b1ab0f7c00510cb1@jpl.nasa.gov> <c84c44707337c8aa6e3d49224c28e33516fd077e.camel@ericsson.com> <3fcd89b5bf494a05be4064100dfa67e0@jpl.nasa.gov> <3d73c4f1eb8bfd028c38b414e547d7fe3fbe88ec.camel@ericsson.com> <412dba6025ca4e3d9a0557726b0d42a0@jpl.nasa.gov>
In-Reply-To: <412dba6025ca4e3d9a0557726b0d42a0@jpl.nasa.gov>
Accept-Language: sv-SE, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-mailer: Evolution 3.28.5-0ubuntu0.18.04.2
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [158.174.130.243]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 456b8022-0a60-49f6-0c1a-08d89b54270a
x-ms-traffictypediagnostic: HE1PR07MB3100:
x-microsoft-antispam-prvs: <HE1PR07MB31008443818AF28FAB4EAF3B95CD0@HE1PR07MB3100.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: lHMJZ80fbosS9Bvrq/7hQ7v4NJpnx6mACg3QroDowXTddbg4utXmUDwrSib1zqrGQPb5aItUAnmC4/8DrKhYVdBlnqC3XuTDUCTK+UhItw50JaV29913UE7jCcDPzqyHtoxOWMvSDdfiFOjPsmQqXJmGMB9FvmC+AO5xwbhcPdZcowYBX+J5urH54LmziTolq+Dkb8eFLUslK6wKZX6QB5pQWsJ4B8Lm49xRaevNUPZjTUsTAM1johSY084dRFYqa7PIwcTJXA9b5OtomJ85xQiXi40WFIodFRGbCA5eC98nUnjx3wWorpeLxFdm3SpoD+YH0uLYiDdwCXLXmKFwDs+rL05L55IpGDjmwZGJtN1vbG3rq0GrcjryNwKQxu8g
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0702MB3772.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(366004)(136003)(376002)(66556008)(110136005)(54906003)(64756008)(5660300002)(71200400001)(6486002)(66446008)(6512007)(66574015)(99936003)(26005)(44832011)(83380400001)(76116006)(2906002)(508600001)(2616005)(36756003)(186003)(66946007)(53546011)(66476007)(86362001)(8936002)(4326008)(6506007)(66616009)(8676002)(99106002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: mB4HOoIo53RK14KrwvEeZ8l88zOnZUGITOcfk7mdU2QTSmMKF1usAimbZaVU2T3QpbZdM7tiKLr7ArVxePwF1XIpAx3v92JhVU5k4kEY7MlRMZeOs8DPaPor1cIjOBaSADX8h0vkuoleTLXgBfWAmo+OBSflr6oXGMeAK4ClIbStbIfPXaV6wQYqfoUrX3I35aDyRk+JVO7dUDwpggR8MTVNOeTcwnqtufWx9qNuBn6g7zAdg4dtef8Ooy5O2iF5BFKuynPblkduNWmeOFsq/eAmWw6GQr1GCg3sG0eAWQZbOkqnvIL2Jc8V0hwNUkE6Eq1OfArAH3kMkl5I9S2A/oyVoyvZ7MrbJca0elCopgXMuREGYuCsviLdg23kUnnXdSFQZpAgHjqo9rIWxkI50oKr4ZUOedHe42M8GO77wqwwZkgGH7nBoGAwdbt2KOWHq8zZkxSQMWvLnonWIAp72hQ8P0RNUfZQJieEVONcbvueB9vx0/4oDdnbLPjOooR7bf9goW1WycDJTPopwjgVW/6OgHsx8MvXkV7PEk/moUQrFLIe9qjzydvYFFLUnH2zLw0/fYLQVVKI0VAzEJKDMAaE88v6EgM79U4msDcP3gsyfBvTVtczRsvzdy9DHE2QyYx79UdfuDKVhdbsxqLuSyf8DhOPGn0c2CjaBrrP2QyhE4QXAUafbVYerX8vzK12BL/x0KZ0r+ca/VksOSDpMuDHRtNXDXqfIOP5aIPYfOLKWaUdvscm+70m9NJJDolhEBLMxTckKnsvs5nCqj4EDVtIFICpEhiIS9Gu2HbrXo6Q9DT4Jnf3gXJuEfB+Zcl9V7WmfyJihYdnBulsPnx4EPcZ1belCO145S68NPvcfhZtlvGrHyW02gd/2Bmr6wt+vbo7eEpc9He9oeTkmrDs8fREqsF6/bDh7wr2dTC1znTWI9qNk1kcAxOgmnTxvkaFxH7BdcoCT7znGyvdhi02lmza9nvT+6oBNmwg5HnteBFbG9fTbsOOqCs371e21kfh
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; micalg="sha-256"; protocol="application/x-pkcs7-signature"; boundary="=-KJYDSJB1jz4H3pSx+1oT"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0702MB3772.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 456b8022-0a60-49f6-0c1a-08d89b54270a
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Dec 2020 08:35:00.6463 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: yEHwheGk42Y3DYNJswCKFL4N1mJ+13BoWb6NAEkWOJxecHZKQTkTH1lmUct2a5xbG2jYGKc99RkNB/qK0496MwKYNNEGGvBDlT2aTTWWP7g=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3100
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/PjFFdjeDOFLwGcsOnY_PYF_da44>
Subject: Re: [dtn] [EXTERNAL] Erik Kline's No Objection on draft-ietf-dtn-bpbis-29: (with COMMENT)
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Dec 2020 08:35:10 -0000
Hi, Yes, I agree with your conclusion. BP doesn't have the same baggage as IP has. And clearly a BP firewall could easily encounter very large bundles and would need to work on bundle level. And if BPSec is used, each bundle will have one intended form the authentication will accept. And it is that form that needs to be considered by any higher layer processing. So I think this provides a good answer to Erik's "discuss" why it is notapplicable. Cheers Magnus On Mon, 2020-12-07 at 19:28 +0000, Burleigh, Scott C (US 312B) wrote: > Hi, Magnus. The issue addressed by RFC 5722 is clearly critical in IPv6, but > I don't think it argues for a prohibition on segment overlaps in BP. > > The threat identified in RFC 5722 is that an attacker may alter a fragment - > or create a new fragment - in such a way that a firewall inspecting the > fragments will make erroneous inferences about the upper-layer (here, TCP) > data being conveyed by the fragments, following which the effect of delivering > the reassembled IPv6 packet to the destination will be to enact upper-layer > behavior that benefits the attacker. > > The prohibition on overlaps in IPv6 has two components: > 1. Overlapping fragments must not be created by the packet source. > 2. The receiver of fragments must abandon packet reassembly when fragment > overlap is detected. > > Since an attacker's BP node will be, by definition, non-conformant, extending > prohibition component #1 to BP wouldn't improve the security of the > protocol. It will always be possible for overlapping fragments to be in > circulation in the network. The burden of securing fragment processing > necessarily falls on the receiver of fragments. > > When the receiver of fragmentary bundles is the destination node (the only > point at which reassembly is required), including a malicious fragment in the > reassembled application data unit will have the same effect as any innocent > payload corruption due to link error or whatever: the payload block's CRC > and/or BIB verification will fail, and the processing of the corrupt payload > will then be a matter of implementation policy at the receiving > node. Fragmentation isn't really the issue: an attacker could just as easily > modify the payload of an un-fragmented bundle as that of a fragment, so merely > prohibiting fragment overlap is no defense. > > When the receiver of fragmentary bundles is an intermediate forwarder on the > end-to-end path: > - If the forwarding node is not a firewall, then it very likely has no > reason to inspect the upper-layer data being carried by the fragments; it > simply forwards them. > - If the forwarding node is a firewall that is required to do "deep > bundle inspection" then it should never forward fragments. It needs to > reassemble the original application data unit from fragmentary payloads in > order to make an informed judgment about the upper-layer data (and then > forward only the reassembled original bundle), and when it does so the CRC > and/or BIB verification of the reassembled application data unit should detect > payload corruption. Again, that verification is needed regardless of whether > or not the bundle is reassembled from fragments; merely prohibiting fragment > overlap is no defense. > > So I would suggest that prohibiting fragment overlap in BP (a) would offer no > significant improvement in security and (b) would degrade network performance > by crippling bundle forwarding in opportunistic DTN topologies. Let's not do > it. > > Scott > > -----Original Message----- > From: Magnus Westerlund <magnus.westerlund@ericsson.com> > Sent: Monday, December 7, 2020 7:42 AM > To: ek.ietf@gmail.com; scott.c.burleigh=40jpl.nasa.gov@dmarc.ietf.org; > iesg@ietf.org > Cc: draft-ietf-dtn-bpbis@ietf.org; dtn-chairs@ietf.org; dtn@ietf.org; > fred.l.templin@boeing.com > Subject: Re: [EXTERNAL] Erik Kline's No Objection on draft-ietf-dtn-bpbis-29: > (with COMMENT) > > Hi Scott, > > So the below indicates that you actualy want to allow something that IPv6 > forbidds. And I do think you have reasons for allowing this. However, have you > read RFC 5722 and considered if there are attacks on BP nodes between source > and destination that could be fooled by manipulating the content of fragments. > I think this attack is not an issue assuming two things: > > 1. No on-path node will actually look into the data fragments. (This is > clearly not true on the Internet). > > 2. That each on path node treat each BP fragment independently and don't > create state. Becasue if you create state from one fragment, that will affect > the processing of subsequent fragments then you could fool the network to > believe that you are doing one thing and do something else. > > So I think some more thought is needed here to ensure that no security issue > is created. > > Cheers > > Magnus > > > On Mon, 2020-12-07 at 14:49 +0000, Burleigh, Scott C (US 312B) wrote: > > Hi, Magnus. The ">" problem is new to me, but I guess I can use "[SBx]" > > instead. As for "salient", sure, let's substitute "material". > > > > On reassembly: dropping the whole bundle if any fragment overlaps with > > previously received fragments is not at all what we want to do. > > Fragment overlaps are not anomalous in any way, as it is entirely > > nominal for multiple copies of a bundle to be concurrently taking > > different paths to the destination (this is how most terrestrial DTN > > forwarding works) and the fragmentation that occurs on one path might > > be wildly different from that which occurs on another path. > > > > The only thing we fragment is the payload, which should be immutable > > from source to destination, so the order of superposition of overlaps > > should be irrelevant. If it is not -- that is, if you get different > > results from reassembling in different ways -- then one or more > > fragments have been corrupted (i.e., changed) and the effect is the > > same as if the payload had been corrupted in any other way. The CRC > > or BIB on the payload block should report the transmission failure and the > > application should act accordingly. > > > > I believe that the way I wrote this up is the way we want it to work. > > > > Scott
- [dtn] Erik Kline's No Objection on draft-ietf-dtn… Erik Kline via Datatracker
- Re: [dtn] [EXTERNAL] Erik Kline's No Objection on… Burleigh, Scott C (US 312B)
- Re: [dtn] [EXTERNAL] Erik Kline's No Objection on… Magnus Westerlund
- Re: [dtn] [EXTERNAL] Erik Kline's No Objection on… Burleigh, Scott C (US 312B)
- Re: [dtn] [EXTERNAL] Erik Kline's No Objection on… Magnus Westerlund
- Re: [dtn] [EXTERNAL] Erik Kline's No Objection on… Burleigh, Scott C (US 312B)
- Re: [dtn] [EXTERNAL] Erik Kline's No Objection on… Magnus Westerlund