[Idr] additional mic comments on security/IPsec

Benjamin Kaduk <kaduk@mit.edu> Fri, 02 August 2019 19:16 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BDEE4120147 for <idr@ietfa.amsl.com>; Fri, 2 Aug 2019 12:16:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lvKVMYl7C8rZ for <idr@ietfa.amsl.com>; Fri, 2 Aug 2019 12:16:33 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 646CF1200E9 for <idr@ietf.org>; Fri, 2 Aug 2019 12:16:33 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x72JGTnu029250 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <idr@ietf.org>; Fri, 2 Aug 2019 15:16:31 -0400
Date: Fri, 2 Aug 2019 14:16:29 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: idr@ietf.org
Message-ID: <20190802191628.GY1006@kduck.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/61jQYFqxSUJNEeMNo2GVISoWeSE>
Subject: [Idr] additional mic comments on security/IPsec
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Aug 2019 19:16:36 -0000

Hi all,

Stealing Paul's subject line, and with apologies for the slowness in
sending, let me expound a bit more on my comments from the mic line
regarding the IPsec-related documents.

My intention was to look at a high-level picture that might be appropriate
for all three of the documents in question, to make sure that we're
thinking about the right aspects as we do the protocol analysis for these
proposals; that does, of course, mean that there's some risk that not all
comments will apply to all documents.

First off, when we start to get IPsec config via BGP, it's helpful to think
of what other information we get in the same way, and to analyze the
effects of misconfiguration or malicious configuration both on IPsec and on
the broader system.  For example, if we are getting NLRI from BGP, then a
misconfiguration that gives us parameters that are incompatible with a
peer's is not causing particularly new harm, since we could just as easily
be told that the peer is unreachable and we wouldn't try to talk to them
anyway.  On the other hand, we could be given configuration to use
computationally expensive algorithms, which would increase the DoS risk in
a way that may not (or may!) already be possible.

It's also important to remind ourselves what the goal of using IPsec is --
IIRC all the schemes presented are using ESP, and so desire data
confidentiality.  But confidentiality from whom, and the authentication of
the peer remain important questions.  If the configuration obtained via BGP
influences how we determine what the valid peer identities are, then we
could end up producing a "secure" IPsec ESP connection to a peer that we've
"successfully authenticated", and yet still not achieve the data
confidentiality that we intended, if the peer we authenticated is actually
an attacker.  In a single administrative domain (as in Jun's draft) where
the BGP messages with configuration are already going over (preconfigured)
IPSec, there is unlikely to be any problem, but once we start getting into
scenarios with multiple administrative domains the analysis can get a lot
more complicated.

In a related vein, adding IPsec configuration to the mix means that we now
have two types of information relating to connectivity/connections -- the
network layer information inherent to BGP but also IPsec configuration
about IKE parameters to use with which peers and traffic selectors for what
traffic to send where.  Ensuring consistency between these two classes of
information will be important (and probably left to local
enforcement/policy).

With respect to the question of what to do when conflicting configuration
is received (e.g., via different BGP peers), the normal
priority/tie-breaking scheme already used for NRLI should be fine.  The
important matter is that all parties agree on the scheme that's used; the
specific algorithm is probably less important.


I did also have a few comments about the specific technology presentations:

Jun's presentation seemed fairly boring from a security perspective (that's
a good thing!) -- within a single administrative domain and just
distributing configuration parameters before running normal IKEv2 is pretty
much using the protcol as intended.  Assuming the IKEv2 implementation
isn't willing to accept nonsense parameters (or the local agent does sanity
checking), I'm not very worried about this.

For the SDWAN case, one of the biggest security risks I see is tracking
when traffic is going over the (trusted) MPLS path vs. the open Internet.
Keeping consistency between the IPsec configuration and the network-layer
routing is very important here, and similarly for the site-ID/node-ID
information (sorry, my notes are pretty vague on the last part).  It may be
possible to have local policy enforce sanity checks on the respective
configurations.  (That said, many in the security community remain
skeptical that "secure networks" are always so and will remain so
indefinitely, but this is not the place for that debate.)

For "controller-IKE", I'm willing to accept that there are external factors
(to IKE) motivating the desire to use the controller to distribute
configuration/keying information, even if the concrete details of the
scaling improvements remain a little hazy (this is the "messages" vs.
"bytes" question, basically, but I don't feel a need to reiterate it at the
moment).  Another factor that stuck out to me was the note about how in
some cases the connection to the controller is "securely provisioned"
whereas the full mesh of connections is less so; that will be important to
keep in mind when doing the security analysis, especially if it is a
property that can be guaranteed for all deployments.  Paul's point about
the loss of unique per-peer key material and the corresponding weakening of
the security properties is also important to consider, though.

Thanks for the interesting talks (and for asking us to come by early in the
process)!

-Ben