IETF Logo Mail Archive

Re: [Idr] Adam Roach's No Objection on draft-ietf-idr-shutdown-08: (with COMMENT)

Job Snijders <job@ntt.net> Thu, 25 May 2017 09:08 UTC

Return-Path: <job@instituut.net>
X-Original-To: idr@ietfa.amsl.com
Delivered-To: idr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A961412714F for <idr@ietfa.amsl.com>; Thu, 25 May 2017 02:08:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.408
X-Spam-Level:
X-Spam-Status: No, score=-1.408 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, T_HTML_ATTACH=0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LNQOrcIMUMXP for <idr@ietfa.amsl.com>; Thu, 25 May 2017 02:08:29 -0700 (PDT)
Received: from mail-wm0-f44.google.com (mail-wm0-f44.google.com [74.125.82.44]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19756129C49 for <idr@ietf.org>; Thu, 25 May 2017 02:08:26 -0700 (PDT)
Received: by mail-wm0-f44.google.com with SMTP id 7so83953997wmo.1 for <idr@ietf.org>; Thu, 25 May 2017 02:08:26 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=3vU+ya/2A2hl/qsa60dsFyBT6gOzjK/fD4y9vRNfRqQ=; b=NK/6DOZpIjvupCm+a62W8ISihVkOMtDKth/UqkDommjEAT6Gb4vqb5S+A5rO3g9NFM nb9LMJbwxLTwQ09sQnmLIJnVWAHiZuLuckH5NF+McdZqEZZ+lVoqojbKc1kYdmrnKO60 GpE/Y+un3HpZwiSzsEBb8vf790BEb1CXXdw/3MnG79Puurlihvv++ocAL0y826sQ2nYD LRcpFC6/QR7d1Seq0q2spSXlj11HzGGAtYV+Timg364e/baD+MgYenL2rbUzRxyrvppU cRzjMnxuTzbhF/TyWbF6r2zCmOIVCuMqwcxCs2JGOzmDd7ZSAuwHHbN4iGKuu9RuZVf4 WaAw==
X-Gm-Message-State: AODbwcDk4cujFgPUxjQBhC8Wnn1zaR083+v0VRqqzBuR3eI/xsbLc+IO XAKWsZu5NjTMopI9
X-Received: by 10.28.178.207 with SMTP id b198mr9406544wmf.0.1495703305282; Thu, 25 May 2017 02:08:25 -0700 (PDT)
Received: from localhost (union-hotels-13.gh-union.si. [91.208.88.13]) by smtp.gmail.com with ESMTPSA id g25sm10177856wra.1.2017.05.25.02.08.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 25 May 2017 02:08:23 -0700 (PDT)
Date: Thu, 25 May 2017 11:08:20 +0200
From: Job Snijders <job@ntt.net>
To: Adam Roach <adam@nostrum.com>
Cc: The IESG <iesg@ietf.org>, aretana@cisco.com, draft-ietf-idr-shutdown@ietf.org, idr@ietf.org, idr-chairs@ietf.org, skh@ndzh.com
Message-ID: <20170525090820.ottlalmsdyorqrst@Vurt.local>
References: <149559358944.28506.18362121959782542849.idtracker@ietfa.amsl.com> <CA+b+ERmg33vdOywz=Krw_30vdwWpMYLS_EZRSE+bfrHcS12GUA@mail.gmail.com> <CA+b+ERmamUOaUjnNX2FM0Qh+S7Gz-7f7PVHXiVzczZg2rvMtwQ@mail.gmail.com> <CA+b+ERnyJAU4xe6EiwsER9gG3Np9L6F4aEQWt0ZT405mzYg5wg@mail.gmail.com> <53c58824-e5fa-88e1-b092-b2e285906514@nostrum.com> <CACWOCC86iDeFEceWG3P3W0UQEXTZXb2ogwuwrQ8OApFThWafcQ@mail.gmail.com> <0b729dc2-03cb-1ee0-18c2-aa40c454617f@nostrum.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="aqet6io5pz2xnazc"
Content-Disposition: inline
In-Reply-To: <0b729dc2-03cb-1ee0-18c2-aa40c454617f@nostrum.com>
X-Clacks-Overhead: GNU Terry Pratchett
User-Agent: NeoMutt/20170306 (1.8.0)
Archived-At: <https://mailarchive.ietf.org/arch/msg/idr/wb2lbNGzGyi3DzXJUp63jgxkLs4>
Subject: Re: [Idr] Adam Roach's No Objection on draft-ietf-idr-shutdown-08: (with COMMENT)
X-BeenThere: idr@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Inter-Domain Routing <idr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/idr>, <mailto:idr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/idr/>
List-Post: <mailto:idr@ietf.org>
List-Help: <mailto:idr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/idr>, <mailto:idr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 May 2017 09:08:32 -0000

Dear adam,

On Wed, May 24, 2017 at 01:44:12PM -0500, Adam Roach wrote:
> I understand your request for me to send text, but I'm still slightly
> perplexed about the exact issue you are trying to highlight, so I'll
> probably get it somewhat wrong. Here's an attempt:
> 
> 1) Completely remove this text:
> 
>    However, the visual spoofing due to character confusion still
>    persists.  This specification minimizes the effects of visual
>    spoofing by limiting the length of the Shutdown Communication.
> 
> 2) Between the first and second paragraph, add the following:
> 
> "As BGP Shutdown messages are likely to appear in syslog output, there is a
> risk that carefully formed Shutdown Communication fields might be formatted
> by receiving systems in a way to make them appear as additional syslog
> messages. To limit the ability to mount such an attack, the mechanism
> described in this document limits the length of BGP Shutdown Communication
> fields to 128 octets in length."
> 
> To be clear, I don't believe the mitigation proposed is a particularly
> good solution to the problem. I'm just proposing this text as my
> interpretation of what you seem to be claiming the existing text is
> supposed to say. If you can verify that the text I propose above is an
> accurate representation of the concern, then we can open a discussion
> around whether the mitigation is appropriate.

I accepted your suggestion & slightly rewrote the sentences for
readability flow within the context of this document. Thanks!

As to your belief on whether the mitigation proposed helps, the shutdown
communication concept could've been defined in such a way to allow the
communication to fill up to the maximum BGP message size (4000 octets,
so with marker, type, etc a bgp shutdown communication perhaps could've
been ~ 3979 octets). I believe that putting a limit in is useful: with
3979 octets someone can fill up a terminal screen, with 128 you can't.
128 could've been 127, or 129 - it is an arbitrary small value.

The 128 number comes from earlier implementations where there was no
Length field, in later versions of the document on the length field was
added, but the effective shutdown communication message size was not
changed. To keep things byte-aligned a 8 bit length field was used.
"hysterical raisins" :)

BTW, if you want to open an discussion, I don't understand why you cast
your ballot as "no objection". And what outcome are you targetting? It
seems unlikely at this point for the on-the-wire format to change.

Attached is a rfcdiff HTML file to show the differences.

NEW:
--------
    6.  Security Considerations

       This document uses UTF-8 encoding for the Shutdown Communication.
       There are a number of security issues with UNICODE.  Implementers and
       operator are advised to review UNICODE TR36 [UTR36] to learn about
       these issues.  UTF-8 "Shortest Form" encoding is REQUIRED to guard
       against the technical issues outlined in UTR36.

       As BGP Shutdown Communications are likely to appear in syslog output,
       there is a risk that carefully constructed Shutdown Communication
       might be formatted by receiving systems in a way to make them appear
       as additional syslog messages.  To limit the ability to mount such an
       attack, the BGP Shutdown Communication is limited to 128 octets in
       length.

       Users of this mechanism should be aware that unless a transport that
       provides integrity is used for the BGP session in question, a
       Shutdown Communication message could be forged.  Unless a transport
       that provides confidentiality is used, a Shutdown Communication
       message could be snooped by an attacker.  These issues are common to
       any BGP message but may be of greater interest in the context of this
       proposal since the information carried in the message is generally
       expected to be used for human-to-human communication.  Refer to the
       related considerations in [RFC4271] and [RFC4272].

       Users of this mechanism should consider applying data minimization
       practises as outlined in Section 6.1 [RFC6973] as a received Shutdown
       Communication may be used at the receiver's discretion.
-------

Kind regards,

Job

v2.23.0 | Report a Bug | By Email