IETF Logo Mail Archive

Re: [lisp] [secdir] Secdir early review of draft-ietf-lisp-nexagon-04

Sharon Barkai <sharon.barkai@getnexar.com> Wed, 21 October 2020 14:22 UTC

Return-Path: <sharon.barkai@getnexar.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 178483A11B6 for <lisp@ietfa.amsl.com>; Wed, 21 Oct 2020 07:22:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=getnexar.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cx9hZxkiXaft for <lisp@ietfa.amsl.com>; Wed, 21 Oct 2020 07:22:23 -0700 (PDT)
Received: from mail-wr1-x432.google.com (mail-wr1-x432.google.com [IPv6:2a00:1450:4864:20::432]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62F823A113D for <lisp@ietf.org>; Wed, 21 Oct 2020 07:21:56 -0700 (PDT)
Received: by mail-wr1-x432.google.com with SMTP id e17so3233265wru.12 for <lisp@ietf.org>; Wed, 21 Oct 2020 07:21:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=getnexar.com; s=google; h=content-transfer-encoding:mime-version:subject:from:in-reply-to :date:cc:message-id:references:to; bh=r0vdFQN0lJgk6dbbAn0woSrTAJt3SxXcolDlaQYQqec=; b=mdlDeooWhrNp9+CrznqHgy63x8pmOVAgfeF1xD81oS77E8iFGt+5V9uJadISptoA3I E4hEdmQlB4h691+U7/4w8jidh6FAlcBzQ4CwxErYSpuXYVJn8C2rek1S7I8BEMbQBas/ 91j4nBL7KQK5w0rnFfwziJ1LOuJHCzqJuU/Nc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:content-transfer-encoding:mime-version:subject :from:in-reply-to:date:cc:message-id:references:to; bh=r0vdFQN0lJgk6dbbAn0woSrTAJt3SxXcolDlaQYQqec=; b=PTjXoZXBtQBJX1qO4YtXNeiJ82WLab2x4BXdBVimfPrSgTxsZCO/wyfKIyJrc19xBK eDDsFAZOm2WqNUzYqvcpf1ykO1BZHhYDmQeOi9ho40mU+/QyL9poyhWYssV72LW+tnII GZDSUDuETmGKEC5lfXP3Senzg08OD/yMIh019GVNriWINcIQivwzAjf/zX0blq6SS/GS BnsQxN9aHkPsWjrEx662Unf5s9HAAW7Lz69ex9uHsIh0xXMI8pob+TD3+ubIH+ysc3qV 66pj6gI3nSqqeLKTIZ/EH7ZG4LYpCnWksbx6vP5PXf3v97giqKoJ+BBRVP1cP9WpQ7Z5 kRXg==
X-Gm-Message-State: AOAM533yMxZSFP2OdP1XVjmIhq9bzwBdyxJ/8Ndee9LRNL/z00izJ4oH uHUNv+F4NbelflZnL4ql/L0QRw==
X-Google-Smtp-Source: ABdhPJygMYkew45cTfIfPIOQyKthrmfjRzBR0JzucogMbUTr+1VxhR56lGy7itqcmHGLsfpGi7QZIA==
X-Received: by 2002:a5d:5604:: with SMTP id l4mr4909501wrv.140.1603290114393; Wed, 21 Oct 2020 07:21:54 -0700 (PDT)
Received: from ?IPv6:2a02:14c:27c:b400:34da:b65f:e9d6:62f? ([2a02:14c:27c:b400:34da:b65f:e9d6:62f]) by smtp.gmail.com with ESMTPSA id j7sm3510016wmc.7.2020.10.21.07.21.53 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 21 Oct 2020 07:21:53 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
From: Sharon Barkai <sharon.barkai@getnexar.com>
In-Reply-To: <1f0f6ce9-06b1-d92d-200b-29477efe4c38@mandelberg.org>
Date: Wed, 21 Oct 2020 17:21:52 +0300
Cc: secdir@ietf.org, "lisp@ietf.org list" <lisp@ietf.org>, draft-ietf-lisp-nexagon.all@ietf.org
Message-Id: <90D47E71-0310-4A4C-BA42-2655824D774A@getnexar.com>
References: <1f0f6ce9-06b1-d92d-200b-29477efe4c38@mandelberg.org>
To: David Mandelberg <david=40mandelberg.org@dmarc.ietf.org>
X-Mailer: iPhone Mail (18A393)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/lPmfAVN_SYtRixvE40dW_bejRlo>
Subject: Re: [lisp] [secdir] Secdir early review of draft-ietf-lisp-nexagon-04
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2020 14:22:31 -0000

Thanks David, everyone, for the time and attention for the review. Its not taken for granted. 

--szb
Cell: +972.53.2470068
WhatsApp: +1.650.492.0794

> On Oct 21, 2020, at 05:12, David Mandelberg <david=40mandelberg.org@dmarc.ietf.org> wrote:
> 
> Thanks, draft-ietf-lisp-nexagon-06 addresses all of my concerns. (And sorry about the email issues and associated delays.)
> 
> On 10/20/20 1:34 AM, Sharon Barkai wrote:
>>>> On Oct 20, 2020, at 02:34, David Mandelberg <david=40mandelberg.org@dmarc.ietf.org <mailto:david=40mandelberg.org@dmarc.ietf.org>> wrote:
>>> 
>>> (I previously sent the email below on 2020-10-10, but I don't think it went through due to an email server misconfiguration. Sending again now that my email issues are fixed, I think)
>> Made it!
>>> 
>>> On 10/9/20 1:32 PM, Sharon Barkai wrote:
>>>> Sorry for the confusion, David! really want to thank you for putting in the time, you clearly understood the draft completely and point to areas we invested thought on but can improve the wording.
>>> 
>>> No worries. I'm just glad I noticed that my initial review email didn't go through. Hopefully this one does?
>>> 
>>>> Before adjusting the draft would like to rehash together with the group, Joel, and Luigi the themes pointed, which are spot on, so to reach the best possible language.
>>>> 1) End to end encryption -
>>>> Nexagon uses LISP overlay encapsulations end to end:
>>>> - between EIDClients and EdgeRTRs
>>>> - between ingress and egress EdgeRTR
>>>> - between EdgeRTRs and H3EIDServices
>>> 
>>> That doesn't cover "The H3ServiceEIDs themselves decrypt and parse actual H3-R15 annotations" though, right? Is there any encryption of the H3-R15 information all the way from EIDClient to H3EIDService?
>>> 
>>>> Depending on the specific  nexagon as service we would like to offer the option to encrypt all communications on these dynamic encapsulations.
>>>> We could suggest IPSec, draft-ietf-lisp-crypto-10 which specifies RFC2631 key exchange over LISP tunnels, also DTLS was suggested.
>>>> Should we determine one or just describe the geo privacy and commercial exposure if encryption is not used, especially on the tunnels between MobilityEIDClients and EdgeRTRs?
>>> 
>>> You understand the specifics of where this protocol will be used much better than I do, so I think you're in a better place to choose between picking one option or explaining the issues and letting implementers decide on the encryption mechanism. In general, I'd lean towards picking one good cipher suite and sticking to that (without making it difficult to change things up in the future), but there can be good reasons not to do that.
>> I think we are in sync. Encryption is on a tunnel by tunnel basis (or dynamic encapsulation to be more accurate) to and from the LISP edge tunnel router/s (EdgeRTRs), IPSec by default, leaving room for work like lisp-crypto and lisp-wiregaurd being done, but not coupling the clients and servers in that respect. There is still unclarity about the mismatch between car-compute and edge-compute hw/sw updates and depreciation, and car-compute and the car itself for that matter./
>>> 
>>>> 2) Spoofing and imposters -
>>>> EdgeRTRs and H3EIDServices are provisioned in the service provider edge network. EdgeRTRs which are added to the network are provisioned with the mapping system, H3EIDServices are whitelist provisioned with their designated EdgeRTRs.
>>>> We rely on the edge network routers to detect and stop spoofing using industry standard double-lookup source/dest  mechanisms.
>>>> Should we state so?
>>> 
>>> I think so, yes. I generally think it's good to be explicit when relying on underlying infrastructure for security, so that if anybody later tries to adapt a protocol to some different infrastructure, they know what to pay attention to.
>> Done.
>>> 
>>>> The MobilityEIDClients are behind mobile access networks and go through AAA step before receiving ephemeral EIDs and EdgeRTR  RLOCs as anchors.
>>>> This EID is based on their client ID credentials, and this EID is whitelist provisioned by the AAA to the EdgeRTR given to the client as an anchor.
>>>> The ipv6 EIDs given to these clients reflect their credibility reputation and authorization level to pub-sub into the nexagon network.
>>>> It is going to be very hard to guess a valid EIDClient which an EdgeRTR expects after AAA to whitelist provision. These EIDs are temporary and expire after 15 minutes.
>>>> Spoofed EIDClients which are sniffed are going to be detected by the EdgeRTRs because of mismatched client RLOC. Spoofed client RLOCs are detected by the mobile packet core.
>>> 
>>> Oh, I didn't realize incoming packets on the EdgeRTR were dropped if the source EID doesn't match the RLOC associated with that EID. I thought that was a typical roaming case. If an attacker has to guess both a valid EID and its matching RLOC, I suspect that makes the attack much more difficult. (Though still far from impossible, depending on how many EID-RLOC pairs an EdgeRTR knows about at a time and how many guesses the attacker can get. IP allocation for the RLOC would play a huge factor too. If an ISP allocates RLOCs sequentially, it might be much easier to guess than if RLOCs are random /128s within guessable /64s. Though if an attacker can sniff RLOCs, the math changes again.)
>> Right. LISP Mapped Overlay in this context is used to load-balance clients as they network-login, and to “map-reduce” compute aggregation to EID context. There is no change of EID-RLOC binding due to random roaming. EID-RLOC pairs are whitelisted in EdgRTRs by AAA and dev-ops.
>>> 
>>>> Should we detail these aspects in security considerations ?
>>> 
>>> Yes please.
>> Done.
>>> 
>>>> 3) Fake news and client trust -
>>>> This is a higher level concern as it is with many other protocols. Privacy and reputation require trade-offs. The lisp-nexagon network uses crowd-sourced street sampling to reflect current geo-state. Even the most honest client may still be wrong, have faulty vision gear, gps interruption, or buggy AI. Malicious clients may try to manipulate geo-state to their advantage, clear their path from traffic, or simply try to saw confusion.
>>>> For this reason all detections are corroborated and trust level of each client is constantly scored by the H3EIDServices and updates the AAA system. This credit score update reflects the behavior of  the assigned ephemeral client EID not the client, a car for ecample. But the AAA system knows which client ID credentials the EID map to. The AAA system does not need to know the geo association of these EID scores. They can be aggregated from all H3EIDServices before handed to AAA.
>>>> We can describe this general behavior even though its part of management and orchestration and not part of the LISP-Nexagon interface specification.
>>> 
>>> Sounds good, even if you mention it only at a high level. I think the fact that H3EIDServices are sharing reputation information back to the AAA service is important to mention.
>> Done.
>>> 
>>>> After we clear these 3 key items to everyone satisfaction we can quickly turn around the doc to one more iteration.
>>>> Thank you in advance!
>>>> --szb
>>>> Cell: +972.53.2470068
>>>> WhatsApp: +1.650.492.0794
>> This is the updated related security considerations text in https://tools.ietf.org/html/draft-ietf-lisp-nexagon-06
>> In summary of main risk mitigations for the lisp-nexagon interface we can say:
>>   (1) tapping: all communications are through dynamic tunnels therefore may be
>>   encrypted using IP-Sec or other supported point to point underlay standards.
>>   These are not static tunnels but lisp re-tunneling routers (RTRs) perform all
>>   nexagon Overlay aggregation.
>>   (2) spoofing: it is very hard to guess a MobilityClientEID valid for a short
>>   period of time. Clients and H3Services EIDs are whitelisted in EdgeRTRs,
>>   Clients using the AAA procedure, H3Services via dev-ops.
>>   (3) impersonating: efforts to use MobilityClients and H3Services RLOCs should
>>   be caught by the underlying service provider edge and access networks. EID
>>   impersonating is caught by EdgeRTR EID RLOC whitelist mismatch.
>>   (4) credibility: the interface crowd-sources geo-state and does not assume to
>>   trust single detections. Credit history track to MobilityClientEIDs by as part
>>   of normal H3Services fact checking, aggregate scores affect AAA credentials.
>>   (5) privacy: Only EdgeRTRs are aware of both clients' RLOC and geo-location,
>>   only AAA is aware of client IDs credentials and credit but not geo-location.
>>   aggregate credit score span all H3Services administratively without source.
>> _______________________________________________
>> secdir mailing list
>> secdir@ietf.org
>> https://www.ietf.org/mailman/listinfo/secdir
>> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

v2.23.0 | Report a Bug | By Email