Re: [Int-area] Secdir telechat review of draft-ietf-intarea-probe-07

Ron Bonica <rbonica@juniper.net> Tue, 05 December 2017 18:03 UTC

From: Ron Bonica <rbonica@juniper.net>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-intarea-probe.all@ietf.org" <draft-ietf-intarea-probe.all@ietf.org>, "int-area@ietf.org" <int-area@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Date: Tue, 05 Dec 2017 18:03:05 +0000

Hello Yaron,

Thanks for the thoughtful review. Responses inline...

                         Ron

> -----Original Message-----
> From: Yaron Sheffer [mailto:yaronf.ietf@gmail.com]
> Sent: Saturday, December 2, 2017 4:35 PM
> To: secdir@ietf.org
> Cc: draft-ietf-intarea-probe.all@ietf.org; int-area@ietf.org; ietf@ietf.org
> Subject: Secdir telechat review of draft-ietf-intarea-probe-07
> 
> Reviewer: Yaron Sheffer
> Review result: Has Issues
> 
> Summary
> 
> The Security Considerations section is extensive, given that this is not a major
> protocol. However I think a few additional security risks should be
> mentioned, see below. In addition, there are several points where this
> (arguably uneducated) reader was confused, and which could benefit from
> additional clarity.
> 
> Details (security-related)
> 
> * The probed interface can be identified by an IEEE 802 address (presumably,
> a MAC address). This is an important detail from a security point of view.
> Normally you don't expect a remote node to be able to access machines by
> MAC address, and many firewall deployments enforce access control solely
> at the IP level.
> 
> * Similarly, in an IPv4 setting, the proxy can be identified by a
> routable address, and used to probe a non-routable (RFC 1918) address.
> 
> * "The incoming ICMP Extend Echo Request carries a source address that is not
> explicitly authorized for the incoming ICMP Extended Echo Request L-bit
> setting" - this implies a per-node whitelist listing all IP addresses that are
> allowed to probe it. I don't think we mean seriously to list all the addresses
> that can ping a given node, so this smells like security theater - sorry.
> 
[RB ] 
I agree with all of the points that you raise above, except for the part about whitelisting. This isn't security theater. It's real.

For the most part, hosts will stick with the default PROBE configuration. That is, they won't honor an ICMP Extended Echo Request of any type from any source.

A good number of network operators will enable PROBE on their routers, but for the reasons that you point out above, they won't want their routers being probed from untrusted subnetworks. They will probably restrict probe access to a few trusted subnets that are within their administrative domain (e.g., the NOC, network controllers).

I doubt if anyone will expose their routers to PROBING from all points on the Internet.
 
> Other Details
> 
> * Abstract: I think the word "alternatively" should really be "instead" (also in
> the Introduction).
[RB ] 
I can fix that in the next version.

> * "The proxy interface resides on a probed node" - this
> contradicts the previous paragraph that states that either the proxy is on the
> same node, or it has direct connectivity to it (and is presumably on a different
> node).
[RB ] 
Joel Halpern raised the same point in his review. In the next version, the probed node will be called the proxy node.

> * "The probed interface can reside on the probed node or it can be
> directly connected to the probed node." I'm confused. This contradicts the
> first paragraph of the Intro: "The probing interface resides on a probing node
> while the probed interface resides on a probed node."
[RB ] 
Same fix as above.

> * "encapsulated in an
> IP header" - shouldn't that be "in an IP packet" (at least for IPv4)?
[RB ] 
I will check RFC 792 and use whatever words they used.

> * "Ethernet is running on the probed interface" - is this well-defined? There
> are numerous 802.* protocols. Do we mean any of them? Or just 802.3?
> 
[RB ] 
Joel Halpern raised the same issue in his review. We will rename this bit to indicate that it is a Pseudowire endpoint, without mentioning what kind of PW endpoint it is.

                                   Ron
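The per-L-bit source authorization that Ron describes (hosts honor nothing by default; routers accept Extended Echo Requests only from a few trusted subnets, with the L-bit setting deciding which list applies), written out as an added Python illustration that is not from the draft, the reviewer, or any implementation. The L-bit meaning (set = probed interface is local to the responding node, clear = directly connected neighbor reached via its IP or IEEE 802 address) and all prefixes and request samples are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed example of per-L-bit source authorization for a PROBE responder.
# Assumed semantics: L-bit set -> probed interface is local to the responding
# node; L-bit clear -> probed interface is a directly connected neighbor,
# identified by IP or IEEE 802 (MAC) address, which IP-level filters never see.

@dataclass
class ProbePolicy:
    enabled: bool = False                                # default: honor no Extended Echo Request
    allow_local: list = field(default_factory=list)      # prefixes allowed when L-bit = 1
    allow_connected: list = field(default_factory=list)  # prefixes allowed when L-bit = 0

    def authorizes(self, src: str, l_bit: int):
        """Return (decision, reason) for a request from src with the given L-bit."""
        if not self.enabled:
            return False, "PROBE disabled (default)"
        addr = ipaddress.ip_address(src)
        prefixes = self.allow_local if l_bit else self.allow_connected
        for p in prefixes:
            if addr in ipaddress.ip_network(p):  # v4/v6 mismatch is simply False
                return True, f"{src} authorized for L={l_bit} by {p}"
        return False, f"{src} not authorized for L={l_bit}"

# Host default: nothing is honored, regardless of source or L-bit.
HOST_DEFAULT = ProbePolicy()

# Router inside an operator domain (constructed prefixes): the NOC ranges may
# probe the router's own interfaces; only the controller subnet may also probe
# directly connected neighbors, since that reaches devices by MAC address.
ROUTER_POLICY = ProbePolicy(
    enabled=True,
    allow_local=["192.0.2.0/24", "2001:db8:1::/48"],
    allow_connected=["192.0.2.128/25"],
)

# Constructed incoming requests: (source address, L-bit)
REQUESTS = [
    ("192.0.2.10", 1),     # NOC host probing a router-local interface
    ("192.0.2.10", 0),     # NOC host asking for a directly connected neighbor
    ("192.0.2.200", 0),    # controller subnet, directly connected neighbor
    ("198.51.100.7", 1),   # source outside the administrative domain
    ("2001:db8:1::5", 1),  # NOC IPv6 range
]

def evaluate(policy: ProbePolicy, requests=REQUESTS):
    """Apply the policy to each request; returns a list of (src, l_bit, allowed)."""
    return [(src, l, policy.authorizes(src, l)[0]) for src, l in requests]
```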