Re: [lisp] [Last-Call] Tsvart last call review of draft-ietf-lisp-pubsub-10

["Alberto Rodriguez-Natal (natal)" <natal@cisco.com>]

Thanks Magnus, please see inline.

From: Magnus Westerlund <magnus.westerlund@ericsson.com>
Date: Monday, January 30, 2023 at 11:37 AM
To: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>, tsv-art@ietf.org <tsv-art@ietf.org>
Cc: draft-ietf-lisp-pubsub.all@ietf.org <draft-ietf-lisp-pubsub.all@ietf.org>, last-call@ietf.org <last-call@ietf.org>, lisp@ietf.org <lisp@ietf.org>
Subject: Re: [Last-Call] Tsvart last call review of draft-ietf-lisp-pubsub-10
Hi,

Having read up more on RFC 9303 I still don’t see how the LISP-SEC mechanism in any form source node authentication of the ITR that makes the MAP-REQUEST. I see a mechanism that tries to prevent modification enroute of the MAP-REQUEST and the MAP-REPLY. Am I missing something here?

So there is clearly a deployment dependencies here. I think for a limited scope deployment you can secure this by using a restricted overlay for the control plane so that not anyone can send these to the relevant nodes.

[AR] You can see this model on production deployments of (pre-standard) PubSub.

However, for a large scale multi domain deployment this becomes tricky. Source authentication requires that one knows all the xTRs that can make subscription requests and thus can verify their right to do it.

[AR] If needed, this role can be taken by Map-Resolvers. We could include recommendations to deploy Map-Resolvers that can verify if a given xTR can subscribe and drop their subscription requests if otherwise. Map-Servers could be configured to only accept subscription requests from Map-Resolvers that are filtering requests.

Otherwise we are more looking at this systems as DNS with a subscription for updates. Anyone can ask to install state, and the node needs to be very careful with that. To me it appears that this later is part of your threat model, and there are not sufficient warnings in place or restricting the scope of the usage of the mechanism.

[AR] I think this is fair. We could probably include guidance on how PubSub should be only used when proper verification of xTRs can take place (e.g. via restricted overlay, filtering Map-Resolvers, or any other means)

In addition there was no protection against spoofed source addresses, making the issue even worse, but that appear to be reasonably fixable.

Cheers

Magnus


From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
Date: Monday, 30 January 2023 at 11:03
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, tsv-art@ietf.org <tsv-art@ietf.org>
Cc: draft-ietf-lisp-pubsub.all@ietf.org <draft-ietf-lisp-pubsub.all@ietf.org>, last-call@ietf.org <last-call@ietf.org>, lisp@ietf.org <lisp@ietf.org>
Subject: RE: [Last-Call] Tsvart last call review of draft-ietf-lisp-pubsub-10
Hi Magnus,

Thanks. The change will be in -11.

Authenticating subscription requests and ensuring their integrity protection build on 9301 and 9303. Specifically, spoofed Map-Requests (including tampering xTR-IDs) falls under this part from 9301:

   Deployments concerned about manipulations of Map-Request and Map-
   Reply messages and malicious ETR EID-Prefix overclaiming MUST drop
   LISP control plane messages that do not contain LISP-SEC material
   (S-bit, EID-AD, OTK-AD, PKT-AD).  See Section 3 of [RFC9303] for
   definitions of "EID-AD", "OTK-AD", and "PKT-AD".

   Mechanisms to encrypt, support privacy, and prevent eavesdropping and
   packet tampering for messages exchanged between xTRs, between xTRs
   and the Mapping System, and between nodes that make up the Mapping
   System SHOULD be deployed.  Examples of this are DTLS [RFC9147] or
   "lisp-crypto" [RFC8061].

In order to insist on the guard to avoid manipulating xTR-IDs, we made this change:

OLD:
  Generic security considerations related to LISP control messages are
   discussed in Section 9 of [RFC9301].

NEW:
  Generic security considerations related to LISP control messages are
   discussed in Section 9 of [RFC9301].  To prevent xTR-ID hijacking, it
   is RECOMMENDED to follow guidance from Section 9 of [RFC9301] to
   ensure integrity protection of Map-Request messages.

Cheers,
Med

De : Magnus Westerlund <magnus.westerlund@ericsson.com>
Envoyé : lundi 30 janvier 2023 09:42
À : BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com>; tsv-art@ietf.org
Cc : draft-ietf-lisp-pubsub.all@ietf.org; last-call@ietf.org; lisp@ietf.org
Objet : Re: [Last-Call] Tsvart last call review of draft-ietf-lisp-pubsub-10

Hi,

I think this is a good step forward in at least acknowledging the issue from an overload perspective that can just occur. I think this is likely solved, but I want to see how what are the conclusions on preventing spoofed registrations.

Cheers

Magnus

From: mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com> <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>>
Date: Friday, 27 January 2023 at 18:02
To: Magnus Westerlund <magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>>, tsv-art@ietf.org<mailto:tsv-art@ietf.org> <tsv-art@ietf.org<mailto:tsv-art@ietf.org>>
Cc: draft-ietf-lisp-pubsub.all@ietf.org<mailto:draft-ietf-lisp-pubsub.all@ietf.org> <draft-ietf-lisp-pubsub.all@ietf.org<mailto:draft-ietf-lisp-pubsub.all@ietf.org>>, last-call@ietf.org<mailto:last-call@ietf.org> <last-call@ietf.org<mailto:last-call@ietf.org>>, lisp@ietf.org<mailto:lisp@ietf.org> <lisp@ietf.org<mailto:lisp@ietf.org>>
Subject: RE: [Last-Call] Tsvart last call review of draft-ietf-lisp-pubsub-10
Re-,

Fully agree that dedicating a small fraction of resources (not only links capacity but also CPU) is a good advice, but I don’t think we can use any normative language for this. I tweaked the proposed text as follows:

NEW:
   As a reminder, the initial transmission and retransmission of Map-
   Notify messages by a Map-Server follow the procedure specified in
   Section 5.7 of [RFC9301].  Some state changes may trigger an overload
   that would impact, e.g., the outbound capacity of a Map-Server.  A
   similar problem may be experienced when a large number of state were
   simultaneously updated.  To prevent such phenomena, Map-Servers
   SHOULD be configured with policies to control the maximum number of
   subscriptions and also the pace of Map-Notify messages.  For example,
   the Map-Server may be instructed to limit the resources dedicated
   to handling unsolicited Map-Notify messages to a small fraction
   (e.g., less than 10%) of its overall processing and forwarding
   capacity.  The exact details to characterize such policies are
   deployment and implementation specific.  Likewise, this document does
   not specify which notifications take precedence when these policies
   are enforced.

Hope this is better.

Cheers,
Med

De : Magnus Westerlund <magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>>
Envoyé : vendredi 27 janvier 2023 17:21
À : BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>>; tsv-art@ietf.org<mailto:tsv-art@ietf.org>
Cc : draft-ietf-lisp-pubsub.all@ietf.org<mailto:draft-ietf-lisp-pubsub.all@ietf.org>; last-call@ietf.org<mailto:last-call@ietf.org>; lisp@ietf.org<mailto:lisp@ietf.org>
Objet : Re: [Last-Call] Tsvart last call review of draft-ietf-lisp-pubsub-10

Hi,

That is a good start. The general problem for this type of problem is that one can reasonably calculate a pacing schedule based on target bit-rate at the outgoing interface. What one doesn’t know is if what path the various message takes and if that is part of a traffic load causing congestion. The Map-Server will get some indication on potential congestion issue if it has to retransmit many messages as they aren’t acked. I would think the most general thing I would say is to recommend that the pacing target a bit-rate that is no more than a small fraction of the expected bandwidth of the links to the xTRs.

That is likely preventing enough issues that there is no point in doing more advanced solution. But that is me assuming that the control plane will mostly run over links with Gbps+ capacity and that one configure this to not burst above like 1-5% of the link capacity one will not have any issues. But if there is more limited capacity or larger deployments maybe the completion time become an issue for each update.

Cheers

Magnus

From: mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com> <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>>
Date: Friday, 27 January 2023 at 15:53
To: Magnus Westerlund <magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>>, tsv-art@ietf.org<mailto:tsv-art@ietf.org> <tsv-art@ietf.org<mailto:tsv-art@ietf.org>>
Cc: draft-ietf-lisp-pubsub.all@ietf.org<mailto:draft-ietf-lisp-pubsub.all@ietf.org> <draft-ietf-lisp-pubsub.all@ietf.org<mailto:draft-ietf-lisp-pubsub.all@ietf.org>>, last-call@ietf.org<mailto:last-call@ietf.org> <last-call@ietf.org<mailto:last-call@ietf.org>>, lisp@ietf.org<mailto:lisp@ietf.org> <lisp@ietf.org<mailto:lisp@ietf.org>>
Subject: RE: [Last-Call] Tsvart last call review of draft-ietf-lisp-pubsub-10
Re-,

Thanks Magnus for clarifying.

I suggest to add the following in Section 6:

NEW:
   As a reminder, the initial transmission and retransmission of Map-
   Notify messages by a Map-Server follow the procedure specified in
   Section 5.7 of [RFC9301].  Some state changes may trigger an overload
   that would impact, e.g., the outbound capacity of a Map-Server.  A
   similar problem may be experienced when a large number of state were
   simultaneously updated.  To prevent such phenomena, Map-Servers
   SHOULD be configured with policies to control the maximum number of
   subscriptions and also the pace of Map-Notify messages.  The exact
   details to characterize such policies are deployment and
   implementation specific.  Likewise, this document does not specify
   which notifications take precedence when these policies are enforced.

Do we need to say more without going too much into implementation territory?

Cheers,
Med

De : Magnus Westerlund <magnus.westerlund@ericsson.com<mailto:magnus.westerlund@ericsson.com>>
Envoyé : vendredi 27 janvier 2023 11:39
À : BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com<mailto:mohamed.boucadair@orange.com>>; tsv-art@ietf.org<mailto:tsv-art@ietf.org>
Cc : draft-ietf-lisp-pubsub.all@ietf.org<mailto:draft-ietf-lisp-pubsub.all@ietf.org>; last-call@ietf.org<mailto:last-call@ietf.org>; lisp@ietf.org<mailto:lisp@ietf.org>
Objet : Re: [Last-Call] Tsvart last call review of draft-ietf-lisp-pubsub-10

Hi Med,

Overall, the spec leverages the mechanisms in both RFC9301 and RFC9303. I don't know if you checked those when performing your review.

MW: Yes, I looked at those, and as you cite some of it I can explain why I think this isn’t sufficient for this specification.

> -----Message d'origine-----
> De : last-call <last-call-bounces@ietf.org<mailto:last-call-bounces@ietf.org>> De la part de Magnus
> Westerlund via Datatracker
> Envoyé : mardi 24 janvier 2023 14:20
> À : tsv-art@ietf.org<mailto:tsv-art@ietf.org>
> Cc : draft-ietf-lisp-pubsub.all@ietf.org<mailto:draft-ietf-lisp-pubsub.all@ietf.org>; last-call@ietf.org<mailto:last-call@ietf.org>;
> lisp@ietf.org<mailto:lisp@ietf.org>
> Objet : [Last-Call] Tsvart last call review of draft-ietf-lisp-
> pubsub-10
>
> Reviewer: Magnus Westerlund
> Review result: Not Ready
>
> This document has been reviewed as part of the transport area
> review team's ongoing effort to review key IETF documents. These
> comments were written primarily for the transport area directors,
> but are copied to the document's authors and WG to allow them to
> address any issues raised and also to the IETF discussion list for
> information.
>
> When done at the time of IETF Last Call, the authors should
> consider this review as part of the last-call comments they
> receive. Please always CC tsv-art@ietf.org<mailto:tsv-art@ietf.org> if you reply to or
> forward this review.
>
> My review comments are:
>
>
> C.      When a Map-Notify is to be sent there are no discussion in
> regards to
> congestion control of the transmission of the Map-Notify.




_________________________________________________________________________________________________________________________



Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc

pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler

a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,

Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.



This message and its attachments may contain confidential or privileged information that may be protected by law;

they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.

Thank you.

_________________________________________________________________________________________________________________________



Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc

pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler

a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,

Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.



This message and its attachments may contain confidential or privileged information that may be protected by law;

they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.

Thank you.