[lisp] John Scudder's No Objection on draft-ietf-lisp-sec-26: (with COMMENT)
John Scudder via Datatracker <noreply@ietf.org> Wed, 15 June 2022 17:08 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: lisp@ietf.org
Delivered-To: lisp@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 33378C1594A8; Wed, 15 Jun 2022 10:08:24 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: John Scudder via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-lisp-sec@ietf.org, lisp-chairs@ietf.org, lisp@ietf.org, Luigi Iannone <ggx@gigix.net>, ggx@gigix.net
X-Test-IDTracker: no
X-IETF-IDTracker: 8.3.1
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: John Scudder <jgs@juniper.net>
Message-ID: <165531290419.45807.12273635973145414027@ietfa.amsl.com>
Date: Wed, 15 Jun 2022 10:08:24 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/O5p1h0C_gsJBXC9PhqXo1jSgh-Q>
Subject: [lisp] John Scudder's No Objection on draft-ietf-lisp-sec-26: (with COMMENT)
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.39
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jun 2022 17:08:24 -0000
John Scudder has entered the following ballot position for draft-ietf-lisp-sec-26: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-lisp-sec/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- I generally found this a well-written and pleasant to read document. Thanks for the conversation around my earlier DISCUSS. I have a number of additional questions, comments, and suggestions, below. 1. In §6.4, The ITR MAY use the KDF ID field to indicate the recommended KDF algorithm, according to local policy. I guess the use of MAY is there because the ITR could also put 0 in that field which we are later told (five paragraphs down) means "no preference" (and not literally no KDF at all, as a plain reading of the string "NONE" in Table 6 would imply). A few questions and suggestions arise from this: a. If the ITR puts 0 in that field, and the Map-Server updates it, how should this text in §6.9 be interpreted? If the KDF ID in the Map-Reply does not match the KDF ID requested in the Map-Request, the ITR MUST discard the Map- Reply I guess the ITR didn't "request" any particular KDF ID when it sent 0, so I guess I can disregard the text I've quoted -- but it's not very clear. Certainly a plain field comparison without special-casing 0 would fail this test. I think there should be some update to clarify this case. b. But what happens if the Map-Server puts in a KDF ID for a KDF the ITR doesn't support, even if the ITR did send 0? I presume that even though the ITR said "no preference" it still can't process the packet, so it has to discard the Map-Reply just as if it had gotten back a genuinely non-matching KDF ID. If this is so, I think there should be some update to clarify. c. It seems like the string "No Preference" would be better than "NONE" in Table 6, similar for Table 4. Similar comments apply to "The Requested HMAC ID field contains the suggested HMAC algorithm" (§6.4) and "If the EID HMAC ID field does not match the Requested HMAC ID" (§6.9). 2. Related to the previous, in Section 6.4, there are two fairly widely separated paragraphs: The ITR MAY use the KDF ID field to indicate the recommended KDF algorithm, according to local policy. The Map-Server can overwrite the KDF ID if it does not support the KDF ID recommended by the ITR (see Section 6.7). And The KDF ID field specifies the suggested key derivation function to be used by the Map-Server to derive the MS-OTK. A KDF Value of NONE (0) may be used to specify that the ITR has no preferred KDF ID. I think it would be better if these were combined, as they seem to be redundant and in any case cover the same subject. 3. For each of the fields whose value is taken from an IANA registry, I think it would be helpful to reference the registry where the field is defined, for example in Section 6.1, KDF ID: Identifier of the Key Derivation Function used to derive the MS-OTK. Refer to Section 6.7 for more details. Could be KDF ID: Identifier of the Key Derivation Function used to derive the MS-OTK. Permitted values are registered in the Key Derivation Function registry (see Section 8.5). Refer to Section 6.7 for more details. Similarly for all five registries defined here and their respective fields. 4. In §6.5, It's important to note that, to prevent ETR's overclaiming attacks, the ITR/Map-Resolver pre-shared secret MUST be different from the Map-Server/ETR pre-shared secret. This is a bit picky, but wouldn’t “independent from” be more accurate? Strictly speaking to guarantee that it be different, they’d have to collude (to check for uniqueness), which is exactly what you want to prevent, right? 5. In §6.9, this paragraph is problematic in a few ways, In response to an encapsulated Map-Request that has the S-bit set, an ITR MUST receive a Map-Reply with the S-bit set, that includes an EID-AD and a PKT-AD. If the Map-Reply does not include both ADs, the ITR MUST discard it. In response to a Protected Map-Request, an ITR expects a Map-Reply with the S-bit set to 1 including an EID-AD and a PKT-AD. The ITR MUST discard the Map-Reply otherwise. The MUST in the second line is misused -- you aren't telling the ITR what it MUST do, you're expressing an expectation that if the other entities are forming their messages per-spec, the Map-Reply will be formed as you state. You already have more actionable language later in the paragraph to cover this case, the "MUST discard" part. Beyond that, the paragraph is redundant, it says everything twice. If you throw away the redundant text, I think the problem I'm complaining of goes away, for example you could cut it down to: In response to a Protected Map-Request, an ITR expects a Map-Reply with the S-bit set to 1 including an EID-AD and a PKT-AD. The ITR MUST discard the Map-Reply otherwise. 6. In §6.9, the phrase "the first opportunity it needs to" is used several times, for example, If the EID HMAC ID field does not match the Requested HMAC ID the ITR MUST discard the Map-Reply and send, at the first opportunity it needs to, a new Map-Request with a different Requested HMAC ID field, according to ITR's local policy. I don't understand the "needs to" part, I suspect there is some nuance going on here, of trying to shoehorn LISP-SEC into the control plane in some backward-compatible way, but if so the chosen language is too subtle to be unambiguous. To try to work through some of the possibilities -- - Leaving out the entire clause "at the first opportunity it needs to" would be clear. It would mean that the ITR is supposed to retry right away. Which seems fine, but is probably not what you're going for (else why have that clause at all). - Leaving out the words "it needs to" would be the same as the above. - So, maybe what's being said here is something like, "we expect that an event on the ITR will trigger it to retry anyway, and we're just piggybacking onto that event"? If that's right, I guess what the ITR is expected to do is something like: - When it needs to look up a given EID, launch a Map-Request. - If it gets back a Map-Reply with a different HMAC ID or KDF ID from what it sent (except, maybe not in the case where it sent 0, see my earlier question), do something like keep a notation in a local cache, that says "next time you send a Map-Request for this EID, try this other KDF ID". - Presumably in the mean time it might have dropped some packets destined to that EID, depending on other details of the deployment. - At some point it needs to look up that EID again (maybe because it has another packet to deliver) and before launching a new Map-Request it consults its cache and says "aha, I need to use a HMAC ID/KDF ID other than my default one". The fact that I'm guessing about all this suggests that the spec may not be clear enough on these points. (Or that I'm not reading carefully enough, of course, in which case please point me to the parts I've missed that make it clear.) 7. Nit, §6.9, [I-D.ietf-lisp-rfc6833bis] allows ETRs to send Solicited-Map-Requests Should be "Solicit", not "Solicited". 8. In §6.9, If an ITR accepts Map-Replies piggybacked in Map-Requests and its content is not already present in its EID-to-RLOC cache, it MUST send a Map-Request over the mapping system in order to verify its content with a secured Map-Reply. Does this mean, a. The piggybacked Map-Reply will be put into use immediately by the ITR, but a verification will be initiated with a secured Map-Reply? How long is the piggybacked one to be used? What happens if the secured transaction never completes? If this is the intention, it needs to be clarified and probably also discussed in the Security Considerations, because it's not hard to imagine an attacker abusing it. Or is it, b. The piggybacked Map-Reply is not permitted to be used until it has been verified by a secured Map-Reply? It would be considerably less problematic in terms of security analysis (it's functionally almost the same as the operation of LISP-SEC without piggybacked replies) but less optimal of course. In either case the spec needs to be clarified. 9. There are four places in §6.9.1 where you say "a log action MUST be taken". I wonder if these unintentionally open a resource exhaustion attack vector, since an attacker might be able to cause an ITR to log like crazy, and logging is often an expensive operation. I guess it depends on just how nuanced you expect the implementor to be in construing what a "log action" is -- if I decide to construe "log action" to implicitly include "with rate limiting" then that's potentially fine, but if I'm a naive implementor and just syslog every time the spec tells me to take a log action, I may be setting myself up as a soft target. Maybe SHOULD instead of MUST would be a middle ground? 10. By the way, none of the "Receiving a Map-Reply" text talks about other checks. For example, before doing any of the checks specified in §6.9 one might imagine an implementation would first confirm it's even expecting this Map-Reply (presumably looking for a matching unfulfilled Map-Request), and throw it away if not. I briefly looked to see if that's in rfc6833bis but without success. Is the assumption that the checks in §6.9 are performed after other checks that are specified in the base control plane? 11. In §7.6, Replay Attacks, you say In case of replayed Map-Request, the Map-Server, Map-Resolver and ETR will have to do a LISP-SEC computation. This is equivalent, in terms of resources, to a valid LISP-SEC computation and an attacker does not obtain any benefit, since the corresponding Map-Reply is discarded as previously explained. How does the attaker "not obtain any benefit"? Suppose the benefit the attacker is trying to obtain, is to DoS the mapping system or ETR -- aren't they able to use these replayed Map-Requests to force these entities to do work? 12. In §7.7 you say DTLS [RFC9147] SHOULD be used to provide communication privacy and to prevent eavesdropping, tampering, or message forgery to the messages exchanged between the ITR, Map-Resolver, Map-Server, and ETR, unless the OTK is encrypted in another way, e.g. using a pre-shared secret. Elsewhere in the spec this is a MUST, for example §6.5: 2. If the NULL-KEY-WRAP-128 algorithm (see Section 8.4) is selected and DTLS is not enabled, the Map-Request MUST be dropped and an appropriate log action SHOULD be taken. Probably in §7.7 you should similarly say MUST, then? 13. There are many Specification Required registries that don't have guidance to designated experts, as requested by RFC 8126 §4.5 (which is referenced by RFC 8126 §4.6, which says Specification Required is just a fancy version of Expert Review). Likewise there's no field for change controller. Please consider adding these.
- [lisp] John Scudder's No Objection on draft-ietf-… John Scudder via Datatracker
- Re: [lisp] John Scudder's No Objection on draft-i… Luigi Iannone