Re: [Int-area] Secdir telechat review of draft-ietf-intarea-probe-07
Yaron Sheffer <yaronf.ietf@gmail.com> Wed, 06 December 2017 10:45 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D641212969E; Wed, 6 Dec 2017 02:45:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.951
X-Spam-Level:
X-Spam-Status: No, score=-0.951 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_12_24=1.049, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5oFFWBHmGVQJ; Wed, 6 Dec 2017 02:45:00 -0800 (PST)
Received: from mail-pg0-x22f.google.com (mail-pg0-x22f.google.com [IPv6:2607:f8b0:400e:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31BD11279E5; Wed, 6 Dec 2017 02:45:00 -0800 (PST)
Received: by mail-pg0-x22f.google.com with SMTP id j4so2028432pgp.1; Wed, 06 Dec 2017 02:45:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=v7RNXADvPuPt8t1HxAJZbOgVFQYC6L2ecpZmFgXQ5Ms=; b=FZb+bwWVlhEiJejPGfBF2eyth57NG+hFhwxeWeXgbuuJxzs688jjfdWi3o9aTclP79 fYfIiDmNnL3RFTf5OlmPxumOH6m+n6v3wjIzvyGTLFLuW/jztK7n4HGlbTwBWMA7x+sH YwFjzmnxZLIf38rXKGp2mDSa4WgSFxTawoBES2dIinL/ducK7pPIQYUsrb6bdSqo+0OO bMNSmimSeLA0e59aMUVxTm6ysvfesEU3hCRZka/LFQFxwYO50MmAotRcwPX50H8lv05w eOZetVWjlkIM+9L/inVebBCY0oE1Ve5XrI92KV3TzBr970VVV45UC7ATOZ6VWVTC2UhM SxNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=v7RNXADvPuPt8t1HxAJZbOgVFQYC6L2ecpZmFgXQ5Ms=; b=BD78jiE+rlQ0yJschLRJJO0VoQI3mWhZcl6n2agKbXU6pYIRUnWQtjWkh5kqnK7mdf UPTLYvnw00vjjVNw59q/zvaSdMkKpsU9btkeQaCnwzNMPrQdYZ8C9GNe548wEtQKnp1X B39M5UKfvzCJb8RWriGRkxo1I3Z13e3XBm0S0Q1ltpLhKoTYCn38sV5hB6XrVSRvshUT pHd9Cnsx/2Cwo5VsRgRT7no7rleDTGUSme1pKLTmAB98pWan5w9Ld+pNqR08P7CVj8Ko PXoiKgEK2bvA45XmMcO9QQyEiiMSvwdQTsM776/Kyi7idU0EszyPKwBpZ6QAR9jXtym1 tlLg==
X-Gm-Message-State: AKGB3mI7AOuviWQ1x5INsqzK5IOJXTJsN3PhPSbD6JXds92XCvhP5Ljg IvleX33lXekmE05EcaWSeAVlh87n
X-Google-Smtp-Source: AGs4zMZab94n+msYFhYwEdoF5GzmpYi7cur1O8u6h2VTsCSk0hgF0uEeOrwu0QX6/V9GAknHGclFOg==
X-Received: by 10.98.150.221 with SMTP id s90mr2303462pfk.151.1512557099424; Wed, 06 Dec 2017 02:44:59 -0800 (PST)
Received: from [172.19.249.8] ([104.153.224.169]) by smtp.gmail.com with ESMTPSA id t202sm3489857pgb.75.2017.12.06.02.44.50 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 06 Dec 2017 02:44:58 -0800 (PST)
To: Ron Bonica <rbonica@juniper.net>, "secdir@ietf.org" <secdir@ietf.org>
Cc: "draft-ietf-intarea-probe.all@ietf.org" <draft-ietf-intarea-probe.all@ietf.org>, "int-area@ietf.org" <int-area@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
References: <151225050650.7531.17448190244687268847@ietfa.amsl.com> <BLUPR0501MB2051DDA6190FC222569C4ABAAE3D0@BLUPR0501MB2051.namprd05.prod.outlook.com>
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Message-ID: <925c8acc-b3c4-fed5-6cc4-055b945975b8@gmail.com>
Date: Wed, 06 Dec 2017 00:40:41 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.5.0
MIME-Version: 1.0
In-Reply-To: <BLUPR0501MB2051DDA6190FC222569C4ABAAE3D0@BLUPR0501MB2051.namprd05.prod.outlook.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/7ummgSyJpfpWpmatDaazmyWo1fQ>
Subject: Re: [Int-area] Secdir telechat review of draft-ietf-intarea-probe-07
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Dec 2017 10:45:02 -0000
Hi Ron, Thanks for putting me right about the expected use case. Please consider including these paragraphs more or less as-is in the security considerations. While informal, they give the reader a good idea how to use this facility securely. Regards, Yaron On 05/12/17 20:03, Ron Bonica wrote: > Hello Yaron, > > Thanks for the thoughtful review. Responses inline...... > > Ron > >> -----Original Message----- >> From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com] >> Sent: Saturday, December 2, 2017 4:35 PM >> To: secdir@ietf.org >> Cc: draft-ietf-intarea-probe.all@ietf.org; int-area@ietf.org; ietf@ietf.org >> Subject: Secdir telechat review of draft-ietf-intarea-probe-07 >> >> Reviewer: Yaron Sheffer >> Review result: Has Issues >> >> Summary >> >> The Security Considerations section is extensive, given that this is not a major >> protocol. However I think a few additional security risks should be >> mentioned, see below. In addition, there are several points where this >> (arguably uneducated) reader was confused, and which could benefit from >> additional clarity. >> >> Details (security-related) >> >> * The probed interface can be identified by an IEEE 802 address (presumably, >> a MAC address). This is an important detail from a security point of view. >> Normally you don't expect a remote node to be able to access machines by >> MAC address, and many firewall deployments enforce access control solely >> at the IP level. * Similarly, in an IPv4 setting, the proxy can be identified by a >> routable address, and used to probe a non-routable (RFC 1918) address. * >> "The incoming ICMP Extend Echo Request carries a source address that is not >> explicitly authorized for the incoming ICMP Extended Echo Request L-bit >> setting" - this implies a per-node whitelist listing all IP addresses that are >> allowed to probe it. I don't think we mean seriously to list all the addresses >> that can ping a given node, so this smells like security theater - sorry. >> > [RB ] > I agree with all of the points that you raise above, except for the part about white listing. This isn't security theater. It's real. > > For the most part, hosts will stick with the default PROBE configuration. That is, they won't honor an ICMP Extended Echo Request of any type from any source. > > A good number of network operators will enable PROBE on their routers, but for the reasons that you point out above, they won't want their routers being probed from untrusted subnetworks. They will probably restrict probe access to a few trusted subnets that are within their administrative domain (e.g., the NOC, network controllers). > > I doubt if anyone will expose their routers to PROBING from all points on the Internet. > >> Other Details >> >> * Abstract: I think the word "alternatively" should really be "instead" (also in >> the Introduction). > [RB ] > I can fix that in the next version > > * "The proxy interface resides on a probed node" - this >> contradicts the previous paragraph that states that either the proxy is on the >> same node, or it has direct connectivity to it (and is presumably on a different >> node). > [RB ] > Joel Halpern raised the same point in his review. In the next version, the probed node will be called the proxy node. > > * "The probed interface can reside on the probed node or it can be >> directly connected to the probed node." I'm confused. This contradicts the >> first paragraph of the Intro: "The probing interface resides on a probing node >> while the probed interface resides on a probed node." > [RB ] > Same fix as above > > * > "encapsulated in an >> IP header" - shouldn't that be "in an IP packet" (at least for IPv4)? > [RB ] > I will check RFC 792 and use whatever words they used > * >> "Ethernet is running on the probed interface" - is this well-defined? There >> are numerous 802.* protocols. Do we mean any of them? Or just 802.3? >> > [RB ] > Joel Halpern raised the same issue in his review. We will rename this bit to indicate that it is a Pseudowire endpoint, without mentioning what kind of PW endpoint it is. > > Ron > >
- [Int-area] Secdir telechat review of draft-ietf-i… Yaron Sheffer
- Re: [Int-area] Secdir telechat review of draft-ie… Ron Bonica
- Re: [Int-area] Secdir telechat review of draft-ie… Yaron Sheffer