IETF Logo Mail Archive

Re: [Last-Call] Secdir last call review of draft-ietf-sfc-multi-layer-oam-23

Greg Mirsky <gregimirsky@gmail.com> Wed, 24 May 2023 00:21 UTC

Return-Path: <gregimirsky@gmail.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC4A9C14F747; Tue, 23 May 2023 17:21:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.985
X-Spam-Level:
X-Spam-Status: No, score=-1.985 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTML_TAG_BALANCE_BODY=0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_HTML_ATTACH=0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YSzeDyQ7c5p1; Tue, 23 May 2023 17:21:06 -0700 (PDT)
Received: from mail-yb1-xb29.google.com (mail-yb1-xb29.google.com [IPv6:2607:f8b0:4864:20::b29]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3BF1CC14CEFF; Tue, 23 May 2023 17:21:06 -0700 (PDT)
Received: by mail-yb1-xb29.google.com with SMTP id 3f1490d57ef6-ba82956d3e0so796116276.0; Tue, 23 May 2023 17:21:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684887665; x=1687479665; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=+IbYkgCM/IWgMI4kca1x2d8jmwkCGcbA2K10PVJ103Q=; b=TPs1VwSCQSXEV5lFN60Yca7aaChr6W4Y/zUsm3EYzFMSKb/Sa0KwnH0CgB9ySN6Ld0 mxRvXkC1keFaQKcKp2Tc3j3A74ybTWOynzsF+S+4WHLacINtalaYGh/qL8/B3bHTHUBq dX58tmuOCgzIbT/3TCVF0P2lGNRCLfGYaW+1+mAfjadx1UScBa5G9nFPTZ1laEUFTByu hkbUQT+FTyS/YZ6DXCCWviwl1/mFk/HSuJ7Y7zwU/dhEg63WaTf3baPQd9/x2N9dicNQ xQdK0br9VEhNAAv+py67AXt0E3Eh9M5Pm5Y75tLRGO1pHeKGgYnUnBkeK/jEA1TzjKsZ NgxA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684887665; x=1687479665; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=+IbYkgCM/IWgMI4kca1x2d8jmwkCGcbA2K10PVJ103Q=; b=jiY0uA18e00BWuSIsxDsHWUdK88I7cd5BbaplgiM5ZIL1sGEcHAAyxqVgh0yYTj4QT n5irJGyOgSjb5qPxusT62XIAWDDY2JK6S0qehAAhgQogB4hRSOX1OC7O54NM7WCddZsO Aj/kBkvUnOgwmcA4AWH+ZSKVvH/N3c4N7a5k2UJRwzYLxrzLVzGlfayuCxfFsBWeUobN c71S/qKd5EYCYb3X+yvpPv5Ir1RkdiHyzPmk5qZ3zyFV0tz3O0X1jkKirurK35HQQiBN AFUimvtp8WGikN7xTOBJIBiZBp6nYKEpjZNMAVkoRN7sudUc4sxCiJQ3atQj/0tW0I2p bgmA==
X-Gm-Message-State: AC+VfDyRhGcN1wEtAPocIBIesjY9z1etyyrdkiAOU5H2/DkJaCaVwppV Ua312UkkVQbbpGKbh1NtnmZfjy6OIHRgSqdblQ5r0SRZQAg=
X-Google-Smtp-Source: ACHHUZ5mBJHiv2ZDhcLgIpYkMhXqXrEOTuB48JZnITEw4kGZ9j71GLMtdb7nSj8B9hr40uxJaQvrk2RpqWK1AvOSP3w=
X-Received: by 2002:a25:6a09:0:b0:ba7:ba17:6a69 with SMTP id f9-20020a256a09000000b00ba7ba176a69mr17043071ybc.8.1684887665011; Tue, 23 May 2023 17:21:05 -0700 (PDT)
MIME-Version: 1.0
References: <168426671517.61243.16490512107577657053@ietfa.amsl.com>
In-Reply-To: <168426671517.61243.16490512107577657053@ietfa.amsl.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Tue, 23 May 2023 17:20:55 -0700
Message-ID: <CA+RyBmWFGCMN541GbCcuy461Hp_yPnXVB_5pfCHjQcp_-kBUQg@mail.gmail.com>
To: Russ Mundy <mundy@tislabs.com>
Cc: secdir@ietf.org, draft-ietf-sfc-multi-layer-oam.all@ietf.org, last-call@ietf.org, sfc@ietf.org
Content-Type: multipart/mixed; boundary="000000000000c2bf3905fc657ada"
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/hfXBftAtRQKGmfpXNB7x6eSSQPw>
Subject: Re: [Last-Call] Secdir last call review of draft-ietf-sfc-multi-layer-oam-23
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2023 00:21:11 -0000

Hi Russ,
thank you for your review and detailed comments. Please find my notes below
tagged GIM>>. Attached, are the working version of the draft (it now
includes updates resulting from the discussions with reviewers from RtgDir,
TsvArt, and GenArt.) and the diff that highlights those updates.

Regards,
Greg

On Tue, May 16, 2023 at 12:51 PM Russ Mundy via Datatracker <
noreply@ietf.org> wrote:

> Reviewer: Russ Mundy
> Review result: Has Issues
>
> Document: draft-ietf-sfc-multi-layer-oam
> Document Title: Active OAM for Service Function Chaining (SFC)
> Reviewer: Russ Mundy
> Review Results: Has issues
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG. These
> comments
> were written primarily for the benefit of the security area directors.
> Document
> editors and WG chairs should treat these comments just like any other last
> call
> comments.
>
> The document defines additional capabilities for use in the Service
> Function
> Chaining (SFC) Architecture described in RFC7665 as well as other related
> RFCs,
> e.g. 7799, 8300, 8924. The document abstract is:
>
> "A set of requirements for active Operation, Administration, and
> Maintenance
> (OAM) of Service Function Chains (SFCs) in a network is presented in this
> document. Based on these requirements, an encapsulation of active OAM
> messages
> in SFC and a mechanism to detect and localize defects are described."
>
> The primary issue that I have with the document is that it does not
> describe
> how the defined capabilities implement the security requirements that are
> in
> RFC7665, RFC8300 and RFC8924. Section 6 and 10 of the document does address
> RFC9124 NSH header protection requirements but I did not see how the set of
> security requirements in RFC7665, RFC8300 and RFC8924 are addressed (in
> Section
> 7 or elsewhere in the document).  Some illustrations follow:
>
> - RFC7665 Security Considerations specifically states that "... realization
> ought to provide means to protect against security and privacy attacks in
> the
> areas hereby described." and describes four areas to be addressed. I could
> not
> see where the document directly addressed any of these areas. The defined
> NSH
> header protection most likely meets expectations of some of these areas
> but it
> would be good to specifically identify this in this document's Security
> Considerations (Section 7). - - Since RFC7665 defines the overall
> architecture
> and provides specific security areas that implementations must address, it
> seems appropriate that Section 7 would make specific statements about each
> of
> the four areas from RFC7665, i.e., does the expectation apply to the
> capabilities and, if so, how it is met (at least Boundaries: and
> Classification: would seem to apply). - - The Boundaries: requirement in
> RFC7665 appears to dictate that the Section 7 "RECOMMENDED" statements
> should
> be "MUST" statements.
>
> - RFC8300 contains an extensive Security Considerations section. The
> document
> does define RFC9124 NSH header protection definition but it's not clear how
> these relate to RFC8300 expectations contained in that document's Security
> Considerations section. Since RFC8300 is foundational for this document, it
> seems appropriate to have specific statements in Section 7 about what
> RFC8300
> Security Considerations apply to this   document and how they are
> met/implemented.
>
> - An area that the document does not currently address is whether or not
> the
> defined capabilities are expected to be used in a single administrative
> domain
> or some other environment, e.g. an applicability statement. Most (maybe
> all)
> related documents have statements about whether or not they are expected
> to be
> used in 'open environment' or in a restricted environment, e.g. a single
> administrative domain. Understanding the threat environment is important
> part
> of implementing an appropriate secure solution. (personally I found RFC8300
> Section 1.1 a very good example).
>
GIM>> We added the following text in Section 7:
NEW TEXT:
    As an element of SFC OAM and, specifically, NSH-based, the Echo
   Request/Reply mechanism described in this document inherits Security
   Considerations discussed in [RFC7665] and [RFC8300].
Would this text address your concerns? What would you suggest to expand?
In the course of addressing RtgDir comments, we extended the explanation of
"fate sharing" in REQ#1:
      REQ#1: Packets of active SFC OAM SHOULD be fate sharing with the
      monitored SFC data in the forward direction from ingress toward
      egress endpoint(s) of the OAM test.

   The fate sharing, in the SFC environment, is achieved when a test
   packet traverses the same path and receives the same treatment in the
   underlay network layer as an SFC-encapsulated packet (e.g., NSH).
"Fate sharing" is not only essential for accurate understanding of the
network conditions as experienced by the monitored data, but also to stress
that all security recommendations listed in RFC 8300 are applicable to SFC
active OAM and SFC Echo Request/Reply that is defined in the draft.


> Minor issue: It seems to me that RFC7665 should be a Normative Reference
> rather
> than Informative.
>
GIM>> Agreed and moved to the Normative list. Will inform the Shepherd
about the Downref:
 ** Downref: Normative reference to an Informational RFC: RFC 7665

v2.23.0 | Report a Bug | By Email