IETF Logo Mail Archive

Re: [Lsr] Roman Danyliw's Discuss on draft-ietf-lsr-ospfv3-extended-lsa-yang-28: (with DISCUSS and COMMENT)

Acee Lindem <acee.ietf@gmail.com> Thu, 01 February 2024 17:54 UTC

Return-Path: <acee.ietf@gmail.com>
X-Original-To: lsr@ietfa.amsl.com
Delivered-To: lsr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69EA6C14F60F; Thu, 1 Feb 2024 09:54:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6Q4xNpaLRgfl; Thu, 1 Feb 2024 09:54:03 -0800 (PST)
Received: from mail-qk1-x735.google.com (mail-qk1-x735.google.com [IPv6:2607:f8b0:4864:20::735]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4407AC14F5F6; Thu, 1 Feb 2024 09:54:03 -0800 (PST)
Received: by mail-qk1-x735.google.com with SMTP id af79cd13be357-783ef8ae70aso90575085a.2; Thu, 01 Feb 2024 09:54:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1706810042; x=1707414842; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=W7LSVLr5MkIgSLeJqHqgr9W/5rt5OYzFmnraSn5ieAk=; b=FTaRLRaDxzf//fuuWRLomYv7v28fZKRSbF/UFtiUwIbAdxkkrXif6jukY9tbVlNeEC jqbAcQFcKUOn8FDVCYMEF0C1VRg77tcZ5nkGuXrkUoUuhb5xJxCVLeuWklI9iNOO6L2Q qpE5/PWrj6Mbxs13oFfnZeMt/XvtfPDnDHkG1YK0y4JraSdmsgz3lGhvLtxj/nyio44e XyhHZaUYubk5cYbIichiK+8/X4O/oYYy9s/6axE3bgkwDVVEZ8ciwjSFhIHKvy9rZe1R Jo5QblxJYs27dJNBguopKIkyHeub1IGpMJJbSHbdT13TiwMuQ3rctrtGRyXmGWaXbxKJ 6CEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706810042; x=1707414842; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=W7LSVLr5MkIgSLeJqHqgr9W/5rt5OYzFmnraSn5ieAk=; b=IpiT7sHO8H/YeYLrczeArKAshrpX0F6acxFyeRIHyBm/972r8EdLyk/GRuKpjTs3TK tTbx1MjdZZASsjLpuHIZPCWWehD3MDduPh3swCXOGVN7FlHOfa3dleQ8k4gdMoDFHUzI aDG5tNswh6GrNhFlMFwmjPbxXEKSxZWtQlE8ubQ9xRa0UxiLDEXR/BkuMxclZCnU/8dw d134Nf58kFci9+0qyPsVkWbef7yR2V91vxL/mVxuNam3YHrvNgi54lFe98J+hJDmGXWq Z3aSqsDZCMFUtEPjKpVEKiBDxUnfeqFjhqyppvS4bktyYfw4hvxKukqiOfAG2DBJTPNp R8/Q==
X-Gm-Message-State: AOJu0YwtUxzLi/xsmbh1i9YVs8vdo1mVhGdKBfjzsCphhmAznkCt4ebk CaprTfUAvlU55cUaBkmksiBHyIXj5ocnpJcgEPD/0+AgxtdZLbbs
X-Google-Smtp-Source: AGHT+IGqVggHjC0o+6w96bdvdurfhUXbDCijW74jtt3T+Sc9gYoRibhCXoEdi7nn2HjPjfdxQBrwnQ==
X-Received: by 2002:a05:6214:d0d:b0:681:87ca:5b93 with SMTP id 13-20020a0562140d0d00b0068187ca5b93mr6234108qvh.5.1706810041883; Thu, 01 Feb 2024 09:54:01 -0800 (PST)
X-Forwarded-Encrypted: i=0; AJvYcCWKARnJbcBJoUTcGvUAbgZ7T7ew7ph6oGJbKed/WqR8HAj2P1gqEuE16cpy7LoKQPElubgRc5ScIab2mcR7hXJ5HzknyVjpaYTdZdfxlOPHgl+tapdamMHIVoajwwpwHiINdNhu4cAF8VrZ/nNQgbpnUVetab3g3lxioqMxYeRDnA0lbL+vFRPmi+rOL6Gx6Kkx+rU4JKXE63rJbRLspSX7+6K5fCM=
Received: from smtpclient.apple ([136.54.28.118]) by smtp.gmail.com with ESMTPSA id lh10-20020a05621454ca00b0068c5eb56dc9sm2944546qvb.63.2024.02.01.09.54.01 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 01 Feb 2024 09:54:01 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.700.6\))
From: Acee Lindem <acee.ietf@gmail.com>
In-Reply-To: <88993C85-C0E6-4DAA-90F6-8145FB83B27C@juniper.net>
Date: Thu, 01 Feb 2024 12:53:50 -0500
Cc: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>, "draft-ietf-lsr-ospfv3-extended-lsa-yang@ietf.org" <draft-ietf-lsr-ospfv3-extended-lsa-yang@ietf.org>, lsr-chairs <lsr-chairs@ietf.org>, lsr <lsr@ietf.org>, Christian Hopps <chopps@chopps.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <85C6BB8B-F778-4108-A686-740BC03C52DD@gmail.com>
References: <170674896520.10154.16061739265470573273@ietfa.amsl.com> <3DA1DD3C-BE3A-42DD-8FD3-734953C39F16@gmail.com> <FCF92100-0393-46A2-92ED-A86D9B3CA747@gmail.com> <88993C85-C0E6-4DAA-90F6-8145FB83B27C@juniper.net>
To: John Scudder <jgs@juniper.net>
X-Mailer: Apple Mail (2.3731.700.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsr/77X4yEJewizFWIkME51eNdNEa9w>
Subject: Re: [Lsr] Roman Danyliw's Discuss on draft-ietf-lsr-ospfv3-extended-lsa-yang-28: (with DISCUSS and COMMENT)
X-BeenThere: lsr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Link State Routing Working Group <lsr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lsr>, <mailto:lsr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lsr/>
List-Post: <mailto:lsr@ietf.org>
List-Help: <mailto:lsr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lsr>, <mailto:lsr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Feb 2024 17:54:07 -0000

Hi John, 

> On Feb 1, 2024, at 11:55 AM, John Scudder <jgs@juniper.net> wrote:
> 
> Hi Acee, Roman, all,
> 
> [top posting, hope that’s OK]
> 
> After talking with Roman about this today, what I understand his position to be is (at least in part), since the document identifies one specific case of a type of attack ("The ability to disable OSPFv3 Extended LSA support can result in a denial of service”), shouldn’t it also list other cases? What’s special about "denial of service” vs. other things such as the ones Roman mentioned? I don’t think he was seeking an in-depth exploration of these, just a more complete summary list. I also wonder if the concern could equally be satisfied by removing the one special case.

By enabling or disabling this parameter, you can only limit exchange of OSPFv3 LSAs between OSPFv3 routers. You cannot inject compromised LSAs into the OSPFv3 routing domain through modification of this parameter alone? 
How could this exploit be used to: 

>>>> modify network topologies to enable select traffic to avoid inspection or
>>>> treatment by security controls; route traffic in a way that it would be subject
>>>> to inspect/modification by an adversary node; or gain access to otherwise
>>>> segregated parts of the network.



Thanks,
Acee



> 
> I’m sure Roman will chime in if I’ve gotten this wrong.
> 
> Thanks,
> 
> —John
> 
>> On Jan 31, 2024, at 8:50 PM, Acee Lindem <acee.ietf@gmail.com> wrote:
>> 
>> 
>> 
>>> On Jan 31, 2024, at 20:14, Acee Lindem <acee.ietf@gmail.com> wrote:
>>> 
>>> 
>>> 
>>>> On Jan 31, 2024, at 19:56, Roman Danyliw via Datatracker <noreply@ietf.org> wrote:
>>>> 
>>>> Roman Danyliw has entered the following ballot position for
>>>> draft-ietf-lsr-ospfv3-extended-lsa-yang-28: Discuss
>>>> 
>>>> When responding, please keep the subject line intact and reply to all
>>>> email addresses included in the To and CC lines. (Feel free to cut this
>>>> introductory paragraph, however.)
>>>> 
>>>> 
>>>> Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
>>>> for more information about how to handle DISCUSS and COMMENT positions.
>>>> 
>>>> 
>>>> The document, along with other ballot positions, can be found here:
>>>> https://datatracker.ietf.org/doc/draft-ietf-lsr-ospfv3-extended-lsa-yang/
>>>> 
>>>> 
>>>> 
>>>> ----------------------------------------------------------------------
>>>> DISCUSS:
>>>> ----------------------------------------------------------------------
>>>> 
>>>> ** Section 5.
>>>> 
>>>> Write
>>>> operations (e.g., edit-config) to these data nodes without proper
>>>> protection can have a negative effect on network operations.  There
>>>> are the subtrees and data nodes and their sensitivity/vulnerability:
>>>> 
>>>>    /ospf:ospf/extended-lsa-support
>>>>    /ospf:ospf/ospf:areas/ospf:area/extended-lsa-support
>>>>    The ability to disable OSPFv3 Extended LSA support can result in a
>>>>    denial of service.
>>>> 
>>>> Isn’t it more than just denial of service?  In certain environments wouldn’t
>>>> the ability to modify OSPF Extended LSA configurations enable an attacker to:
>>>> modify network topologies to enable select traffic to avoid inspection or
>>>> treatment by security controls; route traffic in a way that it would be subject
>>>> to inspect/modification by an adversary node; or gain access to otherwise
>>>> segregated parts of the network.
>>> 
>>> Only if they were able to craft extended LSAs on behalf of the original as well as
>>> modify the YANG configuration added by this document. I didn’t think we’d have to
>>> reiterate all the possible protocol attacks for every incremental enhancement.
>> 
>> Furthermore, no one is going to use the support of extended LSAs to isolate OSPFv3 domains 
>> from one another. The configuration is to control migration to the extended LSA encodings.
>> Please see RFC 8362 for more information on OSPFv3 Extended LSAs.  
>> 
>> Acee
>> 
>> 
>> 
>> 
>> 
>>> 
>>> Acee
>>> 
>>> 
>>> 
>>>> 
>>>> 
>>>> ----------------------------------------------------------------------
>>>> COMMENT:
>>>> ----------------------------------------------------------------------
>>>> 
>>>> As an editorial note, I would have benefit from some narrative prose on the data model.
>> 
>> _______________________________________________
>> Lsr mailing list
>> Lsr@ietf.org
>> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/lsr__;!!NEt6yMaO-gk!CSaaziWFGrg6dv81sm55-XN-CP5eUEsFoeObIEuQzH8mYmJPURb3VboumvFzwTwOiHyiHP8O67tleiE$
>

v2.23.0 | Report a Bug | By Email