Re: [dtn] [EXTERNAL] Erik Kline's No Objection on draft-ietf-dtn-bpbis-29: (with COMMENT)
"Burleigh, Scott C (US 312B)" <scott.c.burleigh@jpl.nasa.gov> Mon, 07 December 2020 19:28 UTC
Return-Path: <scott.c.burleigh@jpl.nasa.gov>
X-Original-To: dtn@ietfa.amsl.com
Delivered-To: dtn@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C94943A074E; Mon, 7 Dec 2020 11:28:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level:
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_GOV_DKIM_AU=-0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=jpl.nasa.gov
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tHws8z8gKGgE; Mon, 7 Dec 2020 11:28:35 -0800 (PST)
Received: from ppa02.jpl.nasa.gov (ppa02.jpl.nasa.gov [128.149.137.113]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D126E3A0766; Mon, 7 Dec 2020 11:28:34 -0800 (PST)
Received: from pps.filterd (ppa02.jpl.nasa.gov [127.0.0.1]) by ppa02.jpl.nasa.gov (8.16.0.27/8.16.0.27) with SMTP id 0B7JJoBX002108; Mon, 7 Dec 2020 11:28:22 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jpl.nasa.gov; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-transfer-encoding : mime-version; s=InSight1906; bh=sU0SKl7wGU3+shTgYMHY5v5ff3MMCxS7LKedSaGcRa0=; b=EXQc9z3cF08GlaCk2y9u1og5iCBKcprmVbpsEvPtJR+ju13a5OcZ13m035GMhe/5IUxQ ZdAc4oRaXCX6wHl9Po/o8tOc4s9D7Zwqfd908BbPGQhVuPLQqbgTala5JHDk/HL1hmjF gzQztIrTFcpDJjK1PUIWUcG0vnJDn/WTheqzI4U2KnUVieyaHe4XdpumseMKPHxeR3ok Ij9SAPmQySnWmPsEPaWMUf35PjZbQNeiAusO2TADRW7RXqzyzuS3Q8h25LEDmDZcF7rL quVi/T2my5+bkDybDYukBHqQsxhqvMm2kaNWe7TiA92OIeTUYDgdZz+bacVPPOb3qy3D 4w==
Received: from mail.jpl.nasa.gov (altphysenclup01.jpl.nasa.gov [128.149.137.52]) by ppa02.jpl.nasa.gov with ESMTP id 358a8wrx8h-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 07 Dec 2020 11:28:21 -0800
Received: from ap-embx16-sp30.RES.AD.JPL (ap-embx16-sp30.jpl.nasa.gov [128.149.137.85]) by smtp.jpl.nasa.gov (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with ESMTP id 0B7JSFvH012496 (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128 bits) verified FAIL); Mon, 7 Dec 2020 11:28:16 -0800
Received: from ap-embx16-sp10.RES.AD.JPL (2002:8095:8953::8095:8953) by ap-embx16-sp30.RES.AD.JPL (2002:8095:8955::8095:8955) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1979.3; Mon, 7 Dec 2020 11:28:15 -0800
Received: from ap-embx16-sp10.RES.AD.JPL ([fe80::4:f430:47b5:767b]) by ap-embx16-sp10.RES.AD.JPL ([fe80::4:f430:47b5:767b%17]) with mapi id 15.01.1979.006; Mon, 7 Dec 2020 11:28:15 -0800
From: "Burleigh, Scott C (US 312B)" <scott.c.burleigh@jpl.nasa.gov>
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, "ek.ietf@gmail.com" <ek.ietf@gmail.com>, "scott.c.burleigh=40jpl.nasa.gov@dmarc.ietf.org" <scott.c.burleigh=40jpl.nasa.gov@dmarc.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
CC: "draft-ietf-dtn-bpbis@ietf.org" <draft-ietf-dtn-bpbis@ietf.org>, "dtn-chairs@ietf.org" <dtn-chairs@ietf.org>, "dtn@ietf.org" <dtn@ietf.org>, "fred.l.templin@boeing.com" <fred.l.templin@boeing.com>
Thread-Topic: [EXTERNAL] Erik Kline's No Objection on draft-ietf-dtn-bpbis-29: (with COMMENT)
Thread-Index: AQHWyRSpF4Gy47qmJESeIt+6ByxO2KnnJqZggATJT4D//8io4IAAmnSA//+k7jA=
Date: Mon, 07 Dec 2020 19:28:15 +0000
Message-ID: <412dba6025ca4e3d9a0557726b0d42a0@jpl.nasa.gov>
References: <160695935797.23387.18267563908645411959@ietfa.amsl.com> <7de7d2c03d684a25b1ab0f7c00510cb1@jpl.nasa.gov> <c84c44707337c8aa6e3d49224c28e33516fd077e.camel@ericsson.com> <3fcd89b5bf494a05be4064100dfa67e0@jpl.nasa.gov> <3d73c4f1eb8bfd028c38b414e547d7fe3fbe88ec.camel@ericsson.com>
In-Reply-To: <3d73c4f1eb8bfd028c38b414e547d7fe3fbe88ec.camel@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [207.151.104.72]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Source-IP: ap-embx16-sp30.jpl.nasa.gov [128.149.137.85]
X-Source-Sender: scott.c.burleigh@jpl.nasa.gov
X-AUTH: Authorized
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.343, 18.0.737 definitions=2020-12-07_16:2020-12-04, 2020-12-07 signatures=0
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-2009150000 definitions=main-2012070124
Archived-At: <https://mailarchive.ietf.org/arch/msg/dtn/mzAgnpV4C44WkbMVpfL-3cAzjW4>
Subject: Re: [dtn] [EXTERNAL] Erik Kline's No Objection on draft-ietf-dtn-bpbis-29: (with COMMENT)
X-BeenThere: dtn@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Delay Tolerant Networking \(DTN\) discussion list at the IETF." <dtn.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtn>, <mailto:dtn-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dtn/>
List-Post: <mailto:dtn@ietf.org>
List-Help: <mailto:dtn-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtn>, <mailto:dtn-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2020 19:28:37 -0000
Hi, Magnus. The issue addressed by RFC 5722 is clearly critical in IPv6, but I don't think it argues for a prohibition on segment overlaps in BP. The threat identified in RFC 5722 is that an attacker may alter a fragment - or create a new fragment - in such a way that a firewall inspecting the fragments will make erroneous inferences about the upper-layer (here, TCP) data being conveyed by the fragments, following which the effect of delivering the reassembled IPv6 packet to the destination will be to enact upper-layer behavior that benefits the attacker. The prohibition on overlaps in IPv6 has two components: 1. Overlapping fragments must not be created by the packet source. 2. The receiver of fragments must abandon packet reassembly when fragment overlap is detected. Since an attacker's BP node will be, by definition, non-conformant, extending prohibition component #1 to BP wouldn't improve the security of the protocol. It will always be possible for overlapping fragments to be in circulation in the network. The burden of securing fragment processing necessarily falls on the receiver of fragments. When the receiver of fragmentary bundles is the destination node (the only point at which reassembly is required), including a malicious fragment in the reassembled application data unit will have the same effect as any innocent payload corruption due to link error or whatever: the payload block's CRC and/or BIB verification will fail, and the processing of the corrupt payload will then be a matter of implementation policy at the receiving node. Fragmentation isn't really the issue: an attacker could just as easily modify the payload of an un-fragmented bundle as that of a fragment, so merely prohibiting fragment overlap is no defense. When the receiver of fragmentary bundles is an intermediate forwarder on the end-to-end path: - If the forwarding node is not a firewall, then it very likely has no reason to inspect the upper-layer data being carried by the fragments; it simply forwards them. - If the forwarding node is a firewall that is required to do "deep bundle inspection" then it should never forward fragments. It needs to reassemble the original application data unit from fragmentary payloads in order to make an informed judgment about the upper-layer data (and then forward only the reassembled original bundle), and when it does so the CRC and/or BIB verification of the reassembled application data unit should detect payload corruption. Again, that verification is needed regardless of whether or not the bundle is reassembled from fragments; merely prohibiting fragment overlap is no defense. So I would suggest that prohibiting fragment overlap in BP (a) would offer no significant improvement in security and (b) would degrade network performance by crippling bundle forwarding in opportunistic DTN topologies. Let's not do it. Scott -----Original Message----- From: Magnus Westerlund <magnus.westerlund@ericsson.com> Sent: Monday, December 7, 2020 7:42 AM To: ek.ietf@gmail.com; scott.c.burleigh=40jpl.nasa.gov@dmarc.ietf.org; iesg@ietf.org Cc: draft-ietf-dtn-bpbis@ietf.org; dtn-chairs@ietf.org; dtn@ietf.org; fred.l.templin@boeing.com Subject: Re: [EXTERNAL] Erik Kline's No Objection on draft-ietf-dtn-bpbis-29: (with COMMENT) Hi Scott, So the below indicates that you actualy want to allow something that IPv6 forbidds. And I do think you have reasons for allowing this. However, have you read RFC 5722 and considered if there are attacks on BP nodes between source and destination that could be fooled by manipulating the content of fragments. I think this attack is not an issue assuming two things: 1. No on-path node will actually look into the data fragments. (This is clearly not true on the Internet). 2. That each on path node treat each BP fragment independently and don't create state. Becasue if you create state from one fragment, that will affect the processing of subsequent fragments then you could fool the network to believe that you are doing one thing and do something else. So I think some more thought is needed here to ensure that no security issue is created. Cheers Magnus On Mon, 2020-12-07 at 14:49 +0000, Burleigh, Scott C (US 312B) wrote: > Hi, Magnus. The ">" problem is new to me, but I guess I can use "[SBx]" > instead. As for "salient", sure, let's substitute "material". > > On reassembly: dropping the whole bundle if any fragment overlaps with > previously received fragments is not at all what we want to do. > Fragment overlaps are not anomalous in any way, as it is entirely > nominal for multiple copies of a bundle to be concurrently taking > different paths to the destination (this is how most terrestrial DTN > forwarding works) and the fragmentation that occurs on one path might > be wildly different from that which occurs on another path. > > The only thing we fragment is the payload, which should be immutable > from source to destination, so the order of superposition of overlaps > should be irrelevant. If it is not -- that is, if you get different > results from reassembling in different ways -- then one or more > fragments have been corrupted (i.e., changed) and the effect is the > same as if the payload had been corrupted in any other way. The CRC > or BIB on the payload block should report the transmission failure and the application should act accordingly. > > I believe that the way I wrote this up is the way we want it to work. > > Scott
- [dtn] Erik Kline's No Objection on draft-ietf-dtn… Erik Kline via Datatracker
- Re: [dtn] [EXTERNAL] Erik Kline's No Objection on… Burleigh, Scott C (US 312B)
- Re: [dtn] [EXTERNAL] Erik Kline's No Objection on… Magnus Westerlund
- Re: [dtn] [EXTERNAL] Erik Kline's No Objection on… Burleigh, Scott C (US 312B)
- Re: [dtn] [EXTERNAL] Erik Kline's No Objection on… Magnus Westerlund
- Re: [dtn] [EXTERNAL] Erik Kline's No Objection on… Burleigh, Scott C (US 312B)
- Re: [dtn] [EXTERNAL] Erik Kline's No Objection on… Magnus Westerlund