IETF Logo Mail Archive

Re: [lisp] LISP-SEC review (finally)

Luigi Iannone <luigi.iannone@telecom-paristech.fr> Thu, 03 November 2016 08:01 UTC

Return-Path: <luigi.iannone@telecom-paristech.fr>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC0421294E3; Thu, 3 Nov 2016 01:01:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=telecom-paristech.fr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BBZ3xEOuQeBg; Thu, 3 Nov 2016 01:01:34 -0700 (PDT)
Received: from zproxy110.enst.fr (zproxy110.enst.fr [137.194.2.192]) by ietfa.amsl.com (Postfix) with ESMTP id 06E81129473; Thu, 3 Nov 2016 01:01:34 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by zproxy110.enst.fr (Postfix) with ESMTP id 2D7BC100788; Thu, 3 Nov 2016 09:01:33 +0100 (CET)
Received: from zproxy110.enst.fr ([127.0.0.1]) by localhost (zproxy110.enst.fr [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id GuRm26sOXb7T; Thu, 3 Nov 2016 09:01:31 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by zproxy110.enst.fr (Postfix) with ESMTP id 74ABE10073F; Thu, 3 Nov 2016 09:01:31 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.9.2 zproxy110.enst.fr 74ABE10073F
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=telecom-paristech.fr; s=A6AEC2EE-1106-11E5-B10E-D103FDDA8F2E; t=1478160091; bh=JHxKxKoCSpiH/6vySbtTjKlOiR2s8ugXykI1Q/316b4=; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:To; b=iQr+dFotK8fCVJ+BfVOVhjbecB1VuutMZOsSYha7EhUvvt8+nsEIWDiJfCGgpePXb 22CIzPATD9pjEQwM8FzgFW3XRgAGeUlkUPUrE+VcC+s7OhLQuwbT+D9neVIYBctgt7 ICZvc+RJ/MB465FdCWmuoj/RRjbePNmXvJffpsMg=
X-Virus-Scanned: amavisd-new at zproxy110.enst.fr
Received: from zproxy110.enst.fr ([127.0.0.1]) by localhost (zproxy110.enst.fr [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id rPljlf1VLxEN; Thu, 3 Nov 2016 09:01:31 +0100 (CET)
Received: from dhcp164-48.enst.fr (dhcp164-48.enst.fr [137.194.165.48]) by zproxy110.enst.fr (Postfix) with ESMTPSA id 34EB2FF6A8; Thu, 3 Nov 2016 09:01:31 +0100 (CET)
From: Luigi Iannone <luigi.iannone@telecom-paristech.fr>
Message-Id: <2DC9866F-49C3-411F-AE3D-6331299C9FC1@telecom-paristech.fr>
Content-Type: multipart/alternative; boundary="Apple-Mail=_25CE40F6-3506-4EAA-8CDF-F92BF096485D"
Mime-Version: 1.0 (Mac OS X Mail 10.1 \(3251\))
Date: Thu, 03 Nov 2016 09:01:36 +0100
In-Reply-To: <228ae951-d5d4-d3fc-fbc0-418b09ec3b4e@cisco.com>
To: Fabio Maino <fmaino@cisco.com>
References: <FC4677DB-855C-4273-8B52-161039B900A8@telecom-paristech.fr> <8204baa6-8cbd-83b3-aa88-dc3ba16c5a33@cisco.com> <38FE74C1-A8F3-4A92-B575-CC5CF4E249D8@telecom-paristech.fr> <37a920e9-b1aa-33c1-6321-e24937bc6c8d@cisco.com> <BB7D47C9-A6C3-4DF5-A408-689256084709@telecom-paristech.fr> <d7151186-f918-096b-ac78-6891e3dce316@cisco.com> <204F0A89-BEB8-4BDF-A363-4AABDBF4E262@telecom-paristech.fr> <228ae951-d5d4-d3fc-fbc0-418b09ec3b4e@cisco.com>
X-Mailer: Apple Mail (2.3251)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/Tugx2hU-jtjGy6i2kzH-MUT-faM>
Cc: lisp-chairs@ietf.org, Damien Saucez <damien.saucez@inria.fr>, LISP mailing list list <lisp@ietf.org>
Subject: Re: [lisp] LISP-SEC review (finally)
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Nov 2016 08:01:40 -0000

> On 3 Nov 2016, at 00:24, Fabio Maino <fmaino@cisco.com> wrote:
> 
> On 11/2/16 9:02 AM, Luigi Iannone wrote:
>> Hi Fabio,
>> 
>> I went through the last version of the document.
>> 
>> I still think that in a few place SHOULD should be replaced by MUST. But it is just  my point of view. You can leave SHOULD.
>> 
>> There are just few residual issues:
>> 
>> - Introduction: The second sentence is not coherent with the first one. The concept of EID-to-RLOC mappings as not been introduced so starting the sentence with “These EID-to-RLOC mapping s…” is pretty unclear. I would suggest you add another sentence.
>> 
>> - Section 7 IANA Considerations: For almost all of the registries the value “0” has a special meaning that this demo is defining, hence the “defined in” field should state “this memo”
>> 
>> - - Section 7 IANA Considerations: The section is not yet 5226 compliant. More specifically, you have to state for each registry how new values are allocated (e.g. FCFS, expert review, etc..)
> 
> Thanks Luigi, 
> do you have any suggestion for the best policy to use for allocation of unassigned values? 
> 
> It seems to me that given the experimental nature of the draft, for all of the registries created, we could require that 'unassigned values are to be assigned according to the "Specification Required" policy defined in [RFC5226].'
> 

Hi,


I have no strong opinion on the issue. To be honest, since the size of the fields are pretty big considered their potential use I would simply go for a FCFS.
Even if some values are wasted there is a large space. 

If instead you want to be sure to always have something meaningful, without introducing heavy machinery, I would go for “Expert Review”.

Ciao

L.



>    
> 
> Fabio
> 
> 
> 
>> 
>> 
>> Check again the nits:
>> 
>>  Checking nits according to http://www.ietf.org/id-info/checklist <http://www.ietf.org/id-info/checklist> :
>>   ----------------------------------------------------------------------------
>> 
>>   == There are 10 instances of lines with non-RFC6890-compliant IPv4
>>      addresses in the document.  If these are example addresses, they should
>>      be changed.
>> 
>>   Checking references for intended status: Experimental
>>   ----------------------------------------------------------------------------
>> 
>>   == Missing Reference: 'RFC4634' is mentioned on line 840, but not defined
>> 
>>   ** Obsolete undefined reference: RFC 4634 (Obsoleted by RFC 6234)
>> 
>> 
>> The above nits reminds me of another issue that the IESG will certainly raise: can we have all the examples in IPv6 only?
>> The latest directives are that either you use both v4 and v6 or v6-only, but NOT v4-only.
>> 
>> Thanks
>> 
>> ciao
>> 
>> L.
>> 
>> 
>> 
>> 
>>> On 27 Oct 2016, at 23:48, Fabio Maino <fmaino@cisco.com <mailto:fmaino@cisco.com>> wrote:
>>> 
>>> Luigi, 
>>> I agree with all the comments. 
>>> 
>>> The document attached should reflect all your suggestions. 
>>> 
>>> A few notes below, just to explicitly ack the changes you suggested. 
>>> 
>>> 
>>> On 10/26/16 2:13 AM, Luigi Iannone wrote:
>>>> Hi Fabio,
>>>> 
>>>> Yes we are converging, very few points are left. 
>>>> 
>>>> Inline are my comments, I snipped everything that we already agreed up on.
>>>> 
>>>> L.
>>>> 
>>>>> On 26 Oct 2016, at 02:14, Fabio Maino <fmaino@cisco.com <mailto:fmaino@cisco.com>> wrote:
>>>>> 
>>>> 
>>>> [snip]
>>>> 
>>>> 
>>>>> 
>>>>>> 
>>>>>> Also, what is the MS stubbornly insists in using an algorithm that the ITR does not support?
>>>>> 
>>>>> The MS might not have alternatives, as it might only support one algorithm. 
>>>>> 
>>>> 
>>>> Sure
>>>> 
>>>> The question is: can we have situations in which MS replies always with the same algorithm (because has no alternatives) and the ITR is never able to understand that reply (because has no alternatives).
>>>> 
>>>> From my understanding this can happen, right? 
>>>> 
>>>> LISP-SEC has no way to prevent it, right?
>>>> 
>>>> What is needed is a policy like “ITR tries using all of the algorithm it supports and then gives up”, right?
>>>> 
>>>> If the answer to those questions is yes, then IMO this should be spelled out somewhere.
>>>> 
>>>> 
>>> 
>>> got it. Agreed. 
>>> 
>>> 
>>>>> 
>>>>> 
>>>> [snip]
>>>> 
>>>>>> 
>>>>>>> 
>>>>>>>> 
>>>>>>>>>    The KDF ID field, specifies the suggested key derivation function to
>>>>>>>>>    be used by the Map-Server to derive the MS-OTK.
>>>>>>>> 
>>>>>>>> What happens if the MS will choose a KDF ID not supported by the ITR?
>>>>>>>> Can you clarify how to solve this situation or explain why this will never happen?
>>>>>>> 
>>>>>>> This is described a few paragraphs below: 
>>>>>>> "
>>>>>>> If the KDF ID in the Map-Reply does not match the
>>>>>>>    KDF ID requested in the Map-Request, the ITR SHOULD discard the Map-
>>>>>>>    Reply and send, at the first opportunity it needs to, a new Map-
>>>>>>>    Request with a different KDF ID, according to ITR's... 
>>>>>>> "
>>>>>>> 
>>>>>> 
>>>>>> This does not guarantee that the MS will reply with something the ITR understands….
>>>>> 
>>>>> For some local ITR's policy it may not be guaranteed. It's a balance between reachability and security that the ITR will have to choose. 
>>>>> 
>>>>> 
>>>> I am not sure I understand your reply.
>>>> 
>>>> My point was the same as above: what if MS and ITR are not able to talk?
>>> 
>>> ok. So this is addressed by the same fix used for the previous comment. I'll specify that the ITR will stop re-sending map-requests once all HMAC IDs supported by the ITR have been attempted. 
>>>  
>>>> 
>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>>>> 
>>>>>>>>>    The EID-AD length is set to 4 bytes, since the Authentication Data
>>>>>>>>>    does not contain EID-prefix Authentication Data, and the EID-AD
>>>>>>>>>    contains only the KDF ID field.
>>>>>>>>> 
>>>>>>>>>    In response to an encapsulated Map-Request that has the S-bit set, an
>>>>>>>>>    ITR MUST receive a Map-Reply with the S-bit set, that includes an
>>>>>>>>>    EID-AD and a PKT-AD.  If the Map-Reply does not include both ADs, the
>>>>>>>>>    ITR MUST discard it.  In response to an encapsulated Map-Request with
>>>>>>>>>    S-bit set to 0, the ITR expects a Map-Reply with S-bit set to 0, and
>>>>>>>>>    the ITR SHOULD discard the Map-Reply if the S-bit is set.
>>>>>>>> Why a “SHOULD”? If the Map-Request has S-bit=0 it mean that there is no AD, hence no OTK, how can the ITR decrypt the reply?????
>>>>>>>> It MUST discard…..
>>>>>>> 
>>>>>>> If S-bit = 0 there's no Authentication Data. The Map-reply is in clear, and can be read.
>>>>>> 
>>>>>> I am not sure you understood my point.
>>>>>> 
>>>>>> You send a Map-Request with S=0, hence unenbcrypted. How can you possible receive a Map-Reply with S=1?
>>>>>> How is it encrypted if the ITR did not provide any OTK?
>>>>> 
>>>>> Misconfiguration, bugs? I was just trying to enumerate the behaviors of the ITR. There's probably something wrong, and the map-reply should be discarded. Still the mapping is readable, so an ITR favoring reachability may decide to use the mapping. 
>>>>> 
>>>> 
>>>> Oh… I may see the misunderstanding. You are saying that the bit is set in the Map-Reply, but actually the content is not encrypted, right? SO the ITR can decide whether or not to use it.
>>>> 
>>>> Is that right?
>>> 
>>> right. 
>>> 
>>>> 
>>>> 
>>>> [snip]
>>>>>>>> I think “log message" is too much implementation specific. 
>>>>>>>> If there is a notification, and how this notification is done, is implementation specific IMHO.
>>>>>>> ok. Same as above.
>>>>>>>> 
>>>>>>>>>    The EID-record with EID-prefix 1.1.2.0/24 is stored in the map-cache
>>>>>>>>>    because it matches the second EID-prefix contained in the EID-AD.
>>>>>>>>> 
>>>>>>>>>    The EID-record with EID-prefix 1.2.0.0/16 is not processed since it
>>>>>>>>>    is not included in any of the EID-ADs signed by the Map-Server.  A
>>>>>>>>>    log message is issued.
>>>>>>>> I think “log message" is too much implementation specific. 
>>>>>>>> If there is a notification, and how this notification is done, is implementation specific IMHO.
>>>>>>> ok. Same as above
>>>>>>>> 
>>>>>>>>>   In this last example the ETR is trying to
>>>>>>>>>    over claim the EID-prefix 1.2.0.0/16, but the Map-Server authorized
>>>>>>>>>    only 1.2.3.0/24, hence the EID-record is discarded.
>>>>>>>> Reading the example I am not sure I would follow this behaviour.
>>>>>>>> Only 1 record out of 3 is valid so why should I actually trust the ETR instead of throwing everything away?
>>>>>>>> Can you explain ???
>>>>>>> The other two records are validated by the MS, so there is no reason to throw those away.
>>>>>> 
>>>>>> Yes, but the ETR is still trying to cheat on the third one….
>>>>>> So the ETR may be compromised, why should I send traffic to him???
>>>>> 
>>>>> ITR has flagged the security exception with the log entry, and some local ITR policy will decide what to do (including stop encapsulating to the ETR, if that's what is specified by the policy).  At the LISP level LISP-SEC has done its job: verified mapping  goes into the map-cache, overclaimed mapping is dropped. 
>>>>> 
>>>> 
>>>> This is not what the above text states. The text states that the valid EID-record is stored in the map-cache.
>>>> To be consistent with your reply you should change and state that the EID-record is eligible to be used by the ITR.
>>> 
>>> 
>>> got it. I changed 'stored into the map-cache' with 'eligible to be used by the ITR'. For consistency I have used similar language for the other two cases (rather than not processed).  
>>> 
>>>> 
>>>> BTW to be consistent with other LISP document you should use "LISP Cache” instead of “map-cache” (in the whole document).
>>>> 
>>>> 
>>> ok. With the change above we don't use the word map-cache anymore in the document. So this is addresses as well.
>>> 
>>> Thanks!
>>> Fabio
>>> 
>>> 
>>> 
>>>> [snip]
>>>> 
>>> 
>>> <Diff_ draft-ietf-lisp-sec-11.txt - draft-ietf-lisp-sec-12b.txt.html><draft-ietf-lisp-sec-12b.txt>
>> 
>

v2.46.0 | Report a Bug | By Email | System Status