Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
"Eric Vyncke (evyncke)" <evyncke@cisco.com> Thu, 23 January 2020 13:53 UTC
Return-Path: <evyncke@cisco.com>
X-Original-To: int-area@ietfa.amsl.com
Delivered-To: int-area@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA3FA12008D; Thu, 23 Jan 2020 05:53:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.498
X-Spam-Level:
X-Spam-Status: No, score=-14.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=Gu3uI6gV; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=fKFMWoVk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2pHJBdV2XY8h; Thu, 23 Jan 2020 05:53:07 -0800 (PST)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6ABBE120025; Thu, 23 Jan 2020 05:53:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=12120; q=dns/txt; s=iport; t=1579787587; x=1580997187; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=N5PeqHOkXFroxgqMWg1bwFG5xB+NIH6Zf7I5EXi4iLk=; b=Gu3uI6gVNWYQ3B/Rh2mWWuC9+IDO2aTI9Th90kAk7pmQUQ9pMAXcVcmR zk5VVQ6C/1TpeYIeXwPpbNSPyBqjhWQQSBsxbiFAKL0aFeaekITgPb7iZ iSQTBtniOtwVO3JQZ5gFVvcXfVLkSCNrMRmRcU/6nhNuS26sKmzlyLu7i E=;
IronPort-PHdr: 9a23:ickODB8e9B4L7v9uRHGN82YQeigqvan1NQcJ650hzqhDabmn44+8ZB7E/fs4iljPUM2b8P9Ch+fM+4HYEW0bqdfk0jgZdYBUERoMiMEYhQslVcObGEvwL/PCZC0hF8MEX1hgrDm2
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DcAQDopCle/5ldJa1cCRsBAQEBAQEBBQEBAREBAQMDAQEBgXuBVFAFbFggBAsqhBKDRgOLCII6JZgPgUKBEANUCQEBAQwBASUIAgEBhEACF4IHJDgTAgMNAQEEAQEBAgEFBG2FNwyFXwEBAQIBEhERDAEBMQYBDwIBCBAKAiYCAgIwFRACBAENBRsHgwQBgkoDDiABDqFVAoE5iGF1gTKCfwEBBYFDQYJ7GIIMCYEOKoUbhDOBHoErGoFBP4ERJwwUgkw+giRAAgECAYErAQEICgEJLYJ5MoIsjTwhAzKCQ49Rjjx2CoI5h0CFQ4UMhCUUB4JHeIcSkCaOXohijkeDXwIEAgQFAg4BAQWBaSJnWBEIcBVlAYJBCUcYDVeHKjiDO4UUhT90AoEniiGCMgEB
X-IronPort-AV: E=Sophos;i="5.70,354,1574121600"; d="scan'208";a="700518881"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 23 Jan 2020 13:53:05 +0000
Received: from XCH-RCD-007.cisco.com (xch-rcd-007.cisco.com [173.37.102.17]) by rcdn-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id 00NDr5Qr011933 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 23 Jan 2020 13:53:05 GMT
Received: from xhs-aln-001.cisco.com (173.37.135.118) by XCH-RCD-007.cisco.com (173.37.102.17) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 23 Jan 2020 07:53:04 -0600
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 23 Jan 2020 07:53:03 -0600
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Thu, 23 Jan 2020 07:53:03 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=V9y5yC1ragrilZVZz3ceWbjiF9z+cV1M3MBVNzojhStYPDskowMNiGAFBWKLrw6QNyDJGW5pyC0d3qLrGdkrLvej5iPHJFOm2Hd6dbCzEcJiRdYBiUoekZEz8irkP+73A2tTsQBOsABeTHsBWlaO987KMEy6vgfnugRxMAnnfbF50J34/B55N0WWZmURFI6XiBNo/hFa1mxvkI5IgjH0Q3WrLkRld3Vu5V3nHQsvfo19aGaDJpaaFO6xIrvukyAhzKUu9fX/PIIQ5Iws+qkUzAhFAcWai7xwCzHbrhLtt/iCDf0S+AS0jqKmAi4pof1R/dt4akp865MYRJEa2L1IAA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=N5PeqHOkXFroxgqMWg1bwFG5xB+NIH6Zf7I5EXi4iLk=; b=cbe22JKQgQzsk2ndgH17LCjCVSiEtUCub/s/utax31sY9fnZGK6OAO1wYTe5ZyEvCK1NtA3Nk1OQ06shK9qugrsYN/n77ZNt9pYzdS+XYU2qc7biNQg6jOcs2eskV71pSt5ttJ7NohQ7sN8uF1+vPkEkrtr5excDfZkbUVujLq4yPRqcVj1k5Ge0NBV/6L2i2LPNFPkMHDAndzPW4v6ZDPYV2wZhgGZRxtcUYW04RvzPCTniEOS7fx9xO6QcfTmJIWb70dXaIco6ED1N+fPfVFO1rwZg3W7pFG51SXntzw6vltTf7SJPPefWb0s7ZHxOWKM7xJYAJv0f1Tt8rArfQw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=N5PeqHOkXFroxgqMWg1bwFG5xB+NIH6Zf7I5EXi4iLk=; b=fKFMWoVkTkBokOwL2r6zWnqED6WU6yW8IEW3BGxYduvXQTZ+rxNeOdpbWrxDjw61a2YofJcsYG4NlKhJExrAOgNZ0zBNsSrSW4EkatgxQ0cEczotW5qObEO1HO4DPoxfN9hxIbDqqb0zGFofu7nV2L+OfjQUb8TFwFnbIzRFpsI=
Received: from DM5PR11MB1753.namprd11.prod.outlook.com (10.175.88.141) by DM5PR11MB1913.namprd11.prod.outlook.com (10.175.87.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.21; Thu, 23 Jan 2020 13:53:01 +0000
Received: from DM5PR11MB1753.namprd11.prod.outlook.com ([fe80::bcaa:91e6:c27b:b8ff]) by DM5PR11MB1753.namprd11.prod.outlook.com ([fe80::bcaa:91e6:c27b:b8ff%11]) with mapi id 15.20.2665.017; Thu, 23 Jan 2020 13:53:01 +0000
From: "Eric Vyncke (evyncke)" <evyncke@cisco.com>
To: Adam Roach <adam@nostrum.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-intarea-provisioning-domains@ietf.org" <draft-ietf-intarea-provisioning-domains@ietf.org>, Erik Kline <ek@loon.com>, "intarea-chairs@ietf.org" <intarea-chairs@ietf.org>, "int-area@ietf.org" <int-area@ietf.org>
Thread-Topic: Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
Thread-Index: AQHV0OSQ7q/voF6PwUKkNR1YS8+LWqf4V9MA
Date: Thu, 23 Jan 2020 13:53:01 +0000
Message-ID: <EAB5FF56-2289-4A33-8AA4-0C9499F45D6B@cisco.com>
References: <157967080772.28909.16443816599872682093.idtracker@ietfa.amsl.com>
In-Reply-To: <157967080772.28909.16443816599872682093.idtracker@ietfa.amsl.com>
Accept-Language: fr-BE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.21.0.200113
authentication-results: spf=none (sender IP is ) smtp.mailfrom=evyncke@cisco.com;
x-originating-ip: [2001:420:c0c1:36:98c2:2d0a:6391:fdc2]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d9a39626-1ed8-41cb-10ed-08d7a00b8fe8
x-ms-traffictypediagnostic: DM5PR11MB1913:
x-microsoft-antispam-prvs: <DM5PR11MB1913C7E44185637A56A80DC4A90F0@DM5PR11MB1913.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 029174C036
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(366004)(396003)(346002)(136003)(376002)(39860400002)(189003)(199004)(6506007)(2906002)(186003)(2616005)(54906003)(36756003)(316002)(110136005)(76116006)(91956017)(66476007)(86362001)(66446008)(64756008)(66556008)(81156014)(66946007)(81166006)(33656002)(5660300002)(6486002)(4326008)(71200400001)(6512007)(966005)(478600001)(8936002)(8676002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR11MB1913; H:DM5PR11MB1753.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: +FahmTDOmjnujpjG1OUZORrlMM4knnqJERREsqypi4ZwS5reRtvvXigJdtc+Il3a07CQKx0QYbdY3pDNWP4kUx3X6FR9OAGHqPgIG7EQyidz7hBzyr67bBhIPwKyyBhBba1eYtFFsUbSm0dK6akw8TLGtMg3C3pOJL8KkdESsaHPed1MSbOlypszVwueEETNGI1G6r1uWiMAWmNHUEnsTfeg/eWFwCbY6Ym90Tsk56bJK/YxDVJKLwaRe7loxmhIhmd90IZgUzZnF5Mpa1RqKqlBvtSGs/zIXYGWIUQcNqTStX9Kw1MMZ/b6h41z2RW0hZJ0VbdsPdcRsMv0SLpkY+8bFMTSnsrCkdr1Iwdrna1O25rrPlRLMrSaWYqybQ0SrO5xVKvO9Xf8BWjJt6pwOsTIWWOSKufKZIwYP2r3fvdYytGjI4ziAEIyhdUt4bUAYDU1ujWVGLRjH40vAvmGLdl8M7XSEtFuy1LXf0Ck70HX5C5XUkn1HFBOvW5FHSGoS771LEbOZB8yX79BLfYArA==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <3908DF392D58934EA87F199EBBF79984@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d9a39626-1ed8-41cb-10ed-08d7a00b8fe8
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Jan 2020 13:53:01.4889 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Z9mNUjcp29v0zKUWZAk+rmxqPlhNh+Dt9gvFiASFMB23HuPDusEIct9lignD1/SsBgUMeg4OiTraeIF5KzA+9Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR11MB1913
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.17, xch-rcd-007.cisco.com
X-Outbound-Node: rcdn-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/int-area/CCfvDNsxt_UkgXmJP2hj7zvxyDw>
Subject: Re: [Int-area] Adam Roach's Discuss on draft-ietf-intarea-provisioning-domains-10: (with DISCUSS and COMMENT)
X-BeenThere: int-area@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Internet Area Mailing List <int-area.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/int-area>, <mailto:int-area-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/int-area/>
List-Post: <mailto:int-area@ietf.org>
List-Help: <mailto:int-area-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/int-area>, <mailto:int-area-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Jan 2020 13:53:10 -0000
Hello Adam, Replying with my co-author's hat. First thank you for the review and the catch (I feel a little ashamed of not spotting it before!). As noted by you and Tommy, sections 4.4 and 7 actually protect the real PvD additional information server based on the source IP address of the PvD-aware hosts but not 'normal web servers'. In section 4.1, there is this text: " If the HTTP status of the answer is greater than or equal to 400 the host MUST abandon and consider that there is no additional PvD information." This text could be augmented to at least state 'not to be retried' for the same PvD sequence number. But, of course, the rogue RA[1] could rotate the sequence numbers... hence Tommy's proposal of rate limiting the outbound HTTPS connections is probably the best mitigation technique. As Tommy wrote, adding a DNS TXT for an easy & quick check whether the PvD ID has actually a 'valid' additional information server is valid but add more work to do on the PvD hosts (that could be very lightweight). Even with this added complexity drawback, it sounds doable. Good suggestion as well on the delay computation Regards -éric [1] OTOH, I sincerely hope that networks are deployed nowadays with a feature such as RA-guard so that RA messages can reasonably be trusted esp in large networks. On 22/01/2020, 06:26, "Adam Roach via Datatracker" <noreply@ietf.org> wrote: Adam Roach has entered the following ballot position for draft-ietf-intarea-provisioning-domains-10: Discuss When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-intarea-provisioning-domains/ ---------------------------------------------------------------------- DISCUSS: ---------------------------------------------------------------------- Thanks to the authors and working group for their work on this document. I have one major concern about the ability for this mechanism to be abused to form DDoS attacks, described below. Unfortunately, while I have identified the attack, I don't have an easy solution to propose that mitigates it satisfactorily. I also have a handful of mostly editorial comments on the document. --------------------------------------------------------------------------- §6: I was expecting to see a discussion of the DDoS attack that may result from a large network (or a rogue host on such a network) sending out a PvD ID containing the hostname of a victim machine, and setting the "H" flag. Since the messages used to trigger these HTTP connections are extremely lightweight, unauthenticated UDP messages, and the resulting HTTP connections require the exchange of a significant number of packets in addition to a number of cryptographic operations, this is a very high ratio amplification attack, both in terms of network and CPU resources. Given that the delay setting comes from the network instead of being independently computed by the host, such an attack could be honed to be particularly devastating. Although it isn't a complete mitigation, one approach to consider would be moving computation of the delay upper bound to the host, or specifying a minimum upper bound of several minutes (where a smaller value will cause the host to use this minimum upper bound). Regardless of how this is ultimately handled, I think this is a pretty severe risk that needs addressing in the document prior to publication. ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- > This document also introduces a mechanism for hosts to retrieve > optional additional information related to a specific PvD by means of > an HTTP over TLS query using an URI derived from the PvD ID. Nit: "...a URI..." --------------------------------------------------------------------------- §3.4.1: > This is intended to > resolve backward compatibility issues with rare deployments choosing > to assign addresses with DHCPv6 while not sending any matching PIO. It seems that this set of circumstances could also arise due to a misconfiguration of DHCPv6. If this is expected to be only rarely intended, perhaps some oprationational/implementation guidance to log a warning or otherwise alert the operator would be helpful. --------------------------------------------------------------------------- §4.1: > HTTP requests and responses for PvD additional information use the > "application/pvd+json" media type (see Section 8). Clients SHOULD > include this media type as an Accept header in their GET requests, Nit: "...Accept header field..." --------------------------------------------------------------------------- §4.1: > If the HTTP > status of the answer is between 200 and 299, inclusive, the host MAY > get a file containing a single JSON object. This is very confusing phrasing. The sentence -- and the use of a normative "MAY" in particular -- indicates that the host is given permission to take some additional action that "gets" a JSON object from somewhere. I think it's intending to say that a 200-class HTTP response will contain such an object. Consider rephrasing. --------------------------------------------------------------------------- §4.3: > Private-use or experimental keys MAY be used in the JSON dictionary. > In order to avoid such keys colliding with IANA registry keys, > implementers or vendors defining private-use or experimental keys > MUST create sub-dictionaries, where the sub-dictionary is added into > the top-level JSON dictionary with a key of the format "vendor-*" > where the "*" is replaced by the implementer's or vendor's > identifier. For example, keys specific to the FooBar organization > could use "vendor-foobar". Upon receiving such a sub-dictionary, > host MUST ignore this sub-dictionary if it is unknown. When the > vendor or implementer is part of an IANA URN namespace [URN], the URN > namespace SHOULD be used rather than the "vendor-*" format. This is kind of a minor nit, but this paragraph is a bit confusing. It starts off with a less-preferred convention ("vendor-*") and discusses it as if it were the only way to do things; and then it throws in a SHOULD-strength different encoding at the end as a surprise twist. I would suggest reworking the paragraph so that the preferred encoding (URNs) are mentioned first, as a SHOULD-strength statement, followed by the less-preferred "vendor-*" as a fallback. --------------------------------------------------------------------------- §4.3: > +------------+-----------------+-----------+------------------------+ > | JSON key | Description | Type | Example | > +------------+-----------------+-----------+------------------------+ > | identifier | PvD ID FQDN | String | "pvd.example.com." | ... > { > "identifier": "cafe.example.com", > "expires": "2017-07-23T06:00:00Z", > "prefixes": ["2001:db8:1::/48", "2001:db8:4::/48"], > } I'm concerned about the variation in the identifier field alternately containing and not containing the terminal dot of the FQDN. If the intention that these are to be equivalent, it would probably head off some implementation incompatibilities if the document were to say so explicitly. --------------------------------------------------------------------------- §7: > without leaking identity information, SHOULD make use of an IPv6 > Privacy Address and SHOULD NOT include any privacy sensitive data, > such as User Agent header or HTTP cookie, while performing the HTTP Nit: "...User-Agent header field..." ^ ^^^^^
- [Int-area] Adam Roach's Discuss on draft-ietf-int… Adam Roach via Datatracker
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Warren Kumari
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Ted Lemon
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Ted Lemon
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Adam Roach
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Suresh Krishnan
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Eric Vyncke (evyncke)
- Re: [Int-area] Adam Roach's Discuss on draft-ietf… Tommy Pauly