IETF Logo Mail Archive

Re: [lisp] Secdir early review of draft-ietf-lisp-nexagon-04

Sharon Barkai <sharon.barkai@getnexar.com> Fri, 09 October 2020 14:48 UTC

Return-Path: <sharon.barkai@getnexar.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0FBB3A091A for <lisp@ietfa.amsl.com>; Fri, 9 Oct 2020 07:48:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=getnexar.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lZlc-SmhV0GV for <lisp@ietfa.amsl.com>; Fri, 9 Oct 2020 07:48:07 -0700 (PDT)
Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E0703A0906 for <lisp@ietf.org>; Fri, 9 Oct 2020 07:48:07 -0700 (PDT)
Received: by mail-wm1-x32f.google.com with SMTP id d3so10108824wma.4 for <lisp@ietf.org>; Fri, 09 Oct 2020 07:48:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=getnexar.com; s=google; h=content-transfer-encoding:mime-version:subject:from:in-reply-to :date:cc:message-id:references:to; bh=OVaKnSw78Bey0krEm5EUwIVDmpfWcOeFs3g22j2lrXs=; b=mhmpaFxE0bdOw2eVrs3DFShnJieZhOlxnuiVy6c/PtaeFzxi/ioHlPU0CbKsglkgz/ PXzdE4Q63URxjUj6CcGhGM7XV1zBbbRplE/zPllmonrDD00zbzO57LA4DteyPVCz0HFk cbBBdI97/5xK+vgIRwkLjTHhaPkSq4ceGw/rw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:mime-version:subject :from:in-reply-to:date:cc:message-id:references:to; bh=OVaKnSw78Bey0krEm5EUwIVDmpfWcOeFs3g22j2lrXs=; b=nIAeIM6hkTkw03XasLBVpmwuOQgld/iKljqIhBHd/YFlshVWZAUZAOD+9YI1tgkp+I K8jQ9nnaS5M6nhKsE/RYSDNd7AgWIyCx6E3ZAXjEaTM96TlXJKOueCl55hYKtucOpZ1n gh+b26s9XIuQJndCgyTDZjpr+wJi6h6Uohd7RfQIllO/YZHj//2YK9k3eKHp/8vxbvYR lr9PIHwY3F9q99cDDSTjCoxAwcKyZZ0mDqH6N0LFOBenFPJx9hzPxEVxsVDQWayxNWVM 3B/4Uy3fImeL0/tzC1hEDW0d2CfSS63ngcNhtF3y4d2//Kg0BTGCqg4l5dwNRxfjX1JH 6bnA==
X-Gm-Message-State: AOAM531pxmQtkWz17RAQueXIDcWVy86oNoZn4fd2GRRbWZFLPVHeszEP Qv6iGiSWRYu0l8Ly93VAvFRgXQ==
X-Google-Smtp-Source: ABdhPJz4mM8R1NHY2FebAE7xit2KSCKmn/Ga0piafoXCIYaoIDYHxLjqALWWefE7TSeEHr4yBJ7pvw==
X-Received: by 2002:a1c:960a:: with SMTP id y10mr14242305wmd.128.1602254885821; Fri, 09 Oct 2020 07:48:05 -0700 (PDT)
Received: from ?IPv6:2a02:14c:3cf:3500:1d1d:fa3d:2d38:7809? ([2a02:14c:3cf:3500:1d1d:fa3d:2d38:7809]) by smtp.gmail.com with ESMTPSA id a3sm11744685wmb.46.2020.10.09.07.48.04 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 09 Oct 2020 07:48:05 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-07DEBE42-3A3B-448C-9805-FD066C8166A9"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
From: Sharon Barkai <sharon.barkai@getnexar.com>
In-Reply-To: <160218848061.12936.5873889616190686198@ietfa.amsl.com>
Date: Fri, 09 Oct 2020 17:48:03 +0300
Cc: secdir@ietf.org, lisp@ietf.org, draft-ietf-lisp-nexagon.all@ietf.org
Message-Id: <90E55F95-C6BB-4D30-814B-ECDF0CDC990A@getnexar.com>
References: <160218848061.12936.5873889616190686198@ietfa.amsl.com>
To: Tero Kivinen <kivinen@iki.fi>
X-Mailer: iPhone Mail (18A393)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/FS4ZBUjz7TFrhjvmAsiDgxJdcHY>
Subject: Re: [lisp] Secdir early review of draft-ietf-lisp-nexagon-04
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Oct 2020 14:48:10 -0000

Tero, really want to thank you for putting in the time, you clearly understood the draft completely and point to areas we invested thought on but can improve the wording.

Before adjusting the draft would like to rehash together with the group, Joel, and Luigi the themes pointed, which are spot on, so to reach the best possible language. 


1) End to end encryption -

Nexagon uses LISP tunnels end to end:
- between EIDClients and EdgeRTRs
- between ingress and egress EdgeRTR
- between EdgeRTRs and H3EIDServices

Depending on the specific  nexagon network as service offered we would like to offer the option to encrypt all communications on these tunnels.

We could suggest IPSec, draft-ietf-lisp-crypto-10 which specifies RFC2631 key exchange over LISP tunnels, also DTLS was suggested.

Should we determine one or just describe the geo privacy and commercial exposure if encryption is not used, especially on the tunnels between MobilityEIDClients and EdgeRTRs?

2) Spoofing and imposters - 

EdgeRTRs and H3EIDServices are provisioned in the service provider edge network. EdgeRTRs which are added to the network are provisioned with the mapping system, H3EIDServices are whitelist provisioned with their designated EdgeRTRs.

We rely on the edge network routers to detect and stop spoofing using industry standard double-lookup source/dest  mechanisms.
Should we state so?

The MobilityEIDClients are behind mobile access networks and go through AAA step before receiving ephemeral EIDs and EdgeRTR  RLOCs as anchors. 

This EID is based on their client ID credentials, and this EID is whitelist provisioned by the AAA to the EdgeRTR given to the client as an anchor. 

The ipv6 EIDs given to these clients reflect their credibility reputation and authorization level to pub-sub into the nexagon network. It is going to be very hard to guess a valid EIDClient which an EdgeRTR expects after AAA to whitelist provision. These EIDs are temporary and expire after 15 minutes.

Spoofed EIDClients which are sniffed are going to be detected by the EdgeRTRs because of mismatched client RLOC. Spoofed client RLOCs are detected by the mobile packet core.

Should we detail these aspects in security considerations ? 

3) Fake news and client trust -

This is a higher level concern as it is with many other protocols. Privacy and reputation require trade-offs. The lisp-nexagon network uses crowd-sourced street sampling to reflect current geo-state. Even the most honest client may still be wrong, have faulty vision gear, gps interruption, or buggy AI. Malicious clients may try to manipulate geo-state to their advantage, clear their path from traffic, or simply try to saw confusion. 

For this reason all detections are corroborated and trust level of each client is constantly scored by the H3EIDServices and updates the AAA system. This credit score update reflects the behavior of  the assigned ephemeral client EID not the client, a car for ecample. But the AAA system knows which client ID credentials the EID map to. The AAA system does not need to know the geo association of these EID scores. They can be aggregated from all H3EIDServices before handed to AAA.

We can describe this general behavior even though its part of management and orchestration and not part of the LISP-Nexagon interface specification.   

After we clear these 3 key items to everyone satisfaction we can quickly turn around the doc to one more iteration. 

Thank you in advance!


--szb
Cell: +972.53.2470068
WhatsApp: +1.650.492.0794

> On Oct 8, 2020, at 23:21, Tero Kivinen via Datatracker <noreply@ietf.org> wrote:
> 
> Reviewer: David Mandelberg
> Review result: Not Ready
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> The summary of the review is Not ready.
> 
> If I understand correctly, 64-bit Client EIDs serve as both 
> identification and authentication for a client. How many clients will an 
> EdgeRTR know about at a single time? How many EIDs can an attacker guess 
> per second? If an attacker can guess 1024 EIDs per second, and there are 
> 2^32 valid EIDs, I think that would mean it would take about 24 days on 
> average to guess a (non-specific) EID. Are my numbers off? Is that 
> acceptable?
> 
> How does the Client XTR verify the authenticity of the data coming from 
> Server XTRs? Is it relying on infrastructure security in the LISP and 
> server networks, and the obscurity of its own Client EID? E.g., if a 
> non-participant in the LISP network can get the Client EID and RLOC 
> (e.g., by sniffing packets), could they spoof an unsolicited multicast 
> packet to the client?
> 
> If the above is possible, I think this part of the Security 
> Considerations section should be fleshed out more, and possibly made 
> mandatory: "The traffic on the MobilityClient<>EdgeRTR interface is 
> tunneled  and its UDP content may be encrypted"
> 
> The Security Considerations section says "The H3ServiceEIDs themselves 
> decrypt and parse actual H3-R15 annotations" but as far as I can tell, 
> that's the first mention of any mandatory encryption of H3-R15 
> information. How does that encryption work?
> 
> I assume it wouldn't be that hard for an attacker to get legitimate 
> access to a Mobility Client (e.g., by buying a car). What would stop 
> them from sending the type of "fake-news" updates the Security 
> Considerations section talks about?
> 
> 
> 
>

v2.23.0 | Report a Bug | By Email