[Idr] BGP autoconfiguration - draft-minto-idr-bgp-autodiscovery
Jeffrey Haas <jhaas@pfrc.org> Tue, 08 March 2022 06:24 UTC
Return-Path: <jhaas@slice.pfrc.org>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CEB23A11AE; Mon, 7 Mar 2022 22:24:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R4FkI8sfZOGW; Mon, 7 Mar 2022 22:24:30 -0800 (PST)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id A55023A0DE4; Mon, 7 Mar 2022 22:24:30 -0800 (PST)
Received: by slice.pfrc.org (Postfix, from userid 1001) id 8AAC31E342; Tue, 8 Mar 2022 01:24:29 -0500 (EST)
Date: Tue, 08 Mar 2022 01:24:29 -0500
From: Jeffrey Haas <jhaas@pfrc.org>
To: idr@ietf.org
Cc: draft-minto-idr-bgp-autodiscovery@ietf.org
Message-ID: <20220308062429.GF17510@pfrc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/I_USBMliuk9HUm3-8Y6u5eibb60>
Subject: [Idr] BGP autoconfiguration - draft-minto-idr-bgp-autodiscovery
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Mar 2022 06:24:36 -0000
Working Group, As noted in another thread, we had a late entrant to the BGP autoconfiguration options. In an attempt to spur along discussion of the L3ND proposal, I posted my analysis of that proposal in the same vein as the discussions we'd had over the course of the various IDR interim meetings and also as covered in the Appndices of draft-ietf-idr-bgp-autoconf-considerations.[1] While draft-minto-idr-bgp-autodiscovery[2] had been presented and received discussion at those interims, similar analysis as that in the design team's document wasn't done. The authors of L3ND have asked for similar treatment for draft-minto. Below, find my observations on the draft with questions and commentary intermixed. I finish this response with my high level analysis and personal opinion on what these properties accomplish. ----- Scoping Discussion: - The proposal starts by noting that it covers more general discovery by labeling itself "Service Advertisement". So, the scope is broader than simply BGP autoconfiguration state. - Single-hop BGP and "loopback address BGP between directly connected speakers" are use cases. - Advertised state is expected to be refreshed; it times out. - Messages are transmitted peridically. ----- Protocol properties: - PDU messages are simple 1-octet type, 2-octet length TLV format. - Two top-level PDUs defined: + Service Advertisement PDU * Defines "lifetime" properties of the advertisements. A "time to live" field. * A Config sequence TLV. Compare vs. "BGP Session Protocol State Version Number" in the requirements. * Authentication TLV. Provides authentication of Service Advertisements. * Refresh request TLV. The only message that attempts to trigger another Service advertisement speaker to send messages. Section 3's TLV format runs somewhat backwards from many RFCs: - The top level TLV, the SA PDU, is shown last. - The individual messages in an SA PDU is shown in the middle. - The generic TLV structure is at the top. Message ID, is per-message. It's a little unclear how individual message IDs within a given SA PDU is helpful. Should the message ID be per SA PDU instead? The individual field definitions should list whether they are mandatory or optional. The Remaining lifetime field is 2-octets. 65k seconds is 1k hours. That's overly long. :-) - This field should probably be bound to a much lower value for sending. - Implementations may wish to bound the maximum time they're willing to keep. - Expiry of records might want to interact with Refresh request? The Refresh request procedure is under-specified. Since it's the one field that causes another SA speaker to respond, it should describe: - What does responding to such a trigger do to the sender's timers for the message? - What sort of rate limiting should be done for responding to the triggers? Local address TLV: - The flags and Res fields need the standard "MUST BE ZERO on send, SHOULD BE ignored on receipt" text. - The flags field needs an IANA Considerations section. - Preference doesn't have any normative text as to how it should be used. - The contents of sections 4.2.1 and 4.2.2 blend together a bit. Transport properties: - Being at the top level of the SA message, the implication is that these apply uniformly to the Local Address in that message. Security TTL: - Currently specified as a zero-length flag. - Some GTSM might require 254 rather than 255. This is inconsistently flagged in many pieces of configuration state across IETF. Security authentication: - A selector for BGP's authentication mechanism. - Has TCP-MD5 and TCP-AO - Need an IANA registry. - Not bound to any particular address in the Local Address field. If security needs to vary, like any other attribute, it needs to go into a separate SA message. MSS: - 4 bytes is probably too big. :-) ----- Protocol behavior: - The procedure really needs to talk about some possible default timer values. - The procedure indicates that it may refresh more frequently than the expiration time. It should offer advice as to how often it may do so. An example from BGP's holdtime would be to send at least once in 1/3 of that interval. Other options could be to have two timers described: retention timer (placed in PDU) and transmit timer (configuration state). - Fast transmit could use some procedure. For example, transmit X times in Y interval. + The refresh TLV provides some ability to do a "pull". - When specifying "all routers", include the multicast group in the text for clarity. - The procedure argues that you can receive the same state in multiple encapsulations; i.e. IPv4 and IPv6. Some discussion should be given as to how to recognize it's the same for puposes of "resetting state". As an example, the Identifier field being the same. - The transmit procedure supplies some of the "what is mandatory" description. That should be clarified in the TLV descriptions. - The procedure for handling the identifier vs. IP addresses should be clarified. ----- Misc: - The document should really remove references to UDP port 179. IANA hasn't assigned this. It should simply be "TBD". - Code points should consider starting at 1 rather than 0. (Jeff's opinion.) - TLVs starting at > 16 should get some discussion as to why that number is being used. ----- Security Properties: Authentiction TLV for Service Advertisements contain: <key-id (2-octets), Sequence number (4-octets), Hash/digest (variable)> (Defined in §4.1.3, procedure in §5.4.) - The procedure for management of key-ids is left as an opaque detail. This would require implementations to have key id management that includes inputs for cipher and shared key. - The Sequence number field has procedure somewhat similar to BFD's use of Sequence number in non-meticulous mode. (See RFC 5880, §4.3+.) + I suspect the sequence number comparison features should refer to RFC 1982. (And the authors of draft-minto may wish to refer to the Author list of that RFC. :-) - The procedure for handling the hash over the PDU is missing many of the usual bits of procedure when such hash based mechanisms are done: - What value should the PDU's Hash/digest field be set to? - Where should the key be placed in the PDU for purposes of calculating the hash? - What are the mandatory hash mechanisms? + Is there a benefit to including an authentication type along with just the key-id? Doing so might help simplify procedure by making validation always able to determine TLV lengths based on input. - The receiver procedure needs clarification as to what its desired security properties are. For example, if the receiver expects to receive packets with the Authentication TLV, it should require one on receipt. Otherwise there's possibility of an active attacker simply generating Service Advertisements without an Authentication TLV. The mechanism is currently vulnerable to replay attacks. - This can be somewhat mitigated by reasonable key rotation and limited key lifetime. - Keys really need to be rotated as part of sequence number rollover. - Sequence number increment procedures need to be bound to prevent certain scenarios where a later sequence number has been cached by an attacker and used to trigger the "this is a valid next number" and convince listeners to ignore the valid but appear to be stale packets. For fresh starting receivers, they are vulnerable to replay attacks that keep sequence numbers from synchronizing initially. + An epoch/generation value in addition to to the steps above could reduce the attack space. + See for example TCP-AO's Sequence Number Extension concept. The security TLV for the BGP session itself is incomplete. While authentication TLV indicates TCP-AO/TCP-MD5, there needs to be a hint as to what the connection properties should be. Key-id, reference to keychain RFC, etc. Is ipsec planned for? ----- Transport Layer Considerations: - The feature uses (IP) UDP multicast. - No transport reliability is implied. - IP fragmentation is implied as the mechanism to deal with packets that are too large. + Link MTU will thus define how much state can be passed around. + Possibility is left in the design (via TBD TLVs) that fragmentation might be addressable in the future. ----- Misc.: - The document is in need of a spelling and grammar review. In the interest of not cluttering functional analysis when the intent is clear, I will send comments on spelling and grammar separately to the authors. ----- Jeff's read of the proposal: The protocol is a "shout in the dark" type protocol. In general, it doesn't have any particular session layer. Receivers may, or may not be listening. For the most part, there is no expectation of a receiver with the expection of the refresh TLV which is intended to elicit a response from other senders. (Compare vs. IGMP/MLDv2.) Being sessionless, one of its big problems is that the state must be small enough to fit into link MTU. This is likely sufficient for many BGP autodiscovery scenarios, although the question of massive numbers of messages is raised in discussion about L3ND. IP fragmentation is offered as a possible method to deal with too-large messages, but fragmentation is often seen as an attack on IP infrastructure and in many cases is explicitly filtered. The draft discussses possible procedures for extending support via additional TLVs. If there's intent to do that, such procedure should be specified early since it would tend to manifest as one of a common set of prior solutions: - Split it into a number of additional messages. Compare vs. PIM Group Set Fragmentation. - Provide a session-based protocol as the extension mechanism. However, that opens attacks against sessions. Compare possibly vs. LLDPv2. The SA procedures can be exercised unidirectionally. This means that a device may volunteer to have BGP Speakers peer with it, but don't have to have the rest of the network trying to peer with them. The timer procedures are underspecified. Similarlities can be drawn to RIP and to some extent IGMP/MSDP. Security procedures for the SA PDU need tightening, as noted above. The procedure for keying of BGP sessions is absent and needs text. Since the protocol has no privacy, exchanging BGP session keys directly in the TLVs as cleartext cannot be suggested. Being sessionless, there is no session infrastructure to be under attack. The primary ready attacks against the infrastructure are volumetric attacks. Such attacks beat up on the crypto involved at a cost related to the strength of the cipher used to protect the validation of the packet. These attacks are mitigated, much as similar attacks on TCP-MD5 and TCP-AO, on the mechanism relying on GTSM. This restricts such attacks to on-link. Configuration of security mechanisms are critical for this protocol. In the absence of required security, since this protocol advertises state to be cached for BGP session configuration, unauthenticated messages can be used to: - Flood the cache of SA state for all listening receivers. - Cause those receivers to effectively attack hosts at TCP port 179 on the local network by trying to BGP peer with them, even if they're not BGP. -- Jeff (who is up way past his bedtime...) [1] https://datatracker.ietf.org/doc/draft-ietf-idr-bgp-autoconf-considerations/ [2] https://datatracker.ietf.org/doc/html/draft-minto-idr-bgp-autodiscovery-01
- [Idr] BGP autoconfiguration - draft-minto-idr-bgp… Jeffrey Haas
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Minto Jeyananth
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Susan Hares
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Jeffrey Haas
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Susan Hares
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Jeffrey Haas
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Susan Hares
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Jeffrey Haas
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Randy Bush
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Randy Bush
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Susan Hares
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Robert Raszuk
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Susan Hares
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Robert Raszuk
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Minto Jeyananth
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Minto Jeyananth
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Susan Hares
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Susan Hares
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Minto Jeyananth
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Susan Hares
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Minto Jeyananth
- Re: [Idr] BGP autoconfiguration - draft-minto-idr… Susan Hares