IETF Logo Mail Archive

Re: [Lsr] Roman Danyliw's Discuss on draft-ietf-lsr-ospfv3-extended-lsa-yang-28: (with DISCUSS and COMMENT)

Acee Lindem <acee.ietf@gmail.com> Thu, 01 February 2024 21:58 UTC

Return-Path: <acee.ietf@gmail.com>
X-Original-To: lsr@ietfa.amsl.com
Delivered-To: lsr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2565C14F6FD; Thu, 1 Feb 2024 13:58:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OJjg2aHmegVX; Thu, 1 Feb 2024 13:58:08 -0800 (PST)
Received: from mail-oo1-xc31.google.com (mail-oo1-xc31.google.com [IPv6:2607:f8b0:4864:20::c31]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 087BEC14F6E1; Thu, 1 Feb 2024 13:58:07 -0800 (PST)
Received: by mail-oo1-xc31.google.com with SMTP id 006d021491bc7-59a9304aef0so773172eaf.1; Thu, 01 Feb 2024 13:58:07 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1706824687; x=1707429487; darn=ietf.org; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:from:to:cc:subject:date:message-id:reply-to; bh=IPvhxQ+yUGU6K7SfMcLlc+BDGcAr5UlIIygs87O4c/A=; b=bdMmD5km0vgNTOS5CvG9DA0B15IfjUPhzaQGLoyWqzwR7rnZYEPbbz/x4VTKDrp65R DVS50Vmtqf4lys6fnmybql1b5sgHqtKWV/5zTjmUQJYmE8lgMLQ9lOWPP31j1HUrnnHj S4vfyWdMjb2e+HfKna4TreWgrRn45nGbW77tSAAiSiGTIJHtT/IoPVXgCPtDkVzozd2d gSpWW2ZdGbvJvxLeIwzA9x8FNdkUqcbF5vbFifUhuFSdT/KrQG09JQ5l1us/6nJYqHrR +NBKfXmjfvXentHnEWL3lTtdQnNnJMsUXcLpsiF3VkR2HIf35SgqilfPtaH99OKedXB1 SH2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706824687; x=1707429487; h=references:to:cc:in-reply-to:date:subject:mime-version:message-id :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=IPvhxQ+yUGU6K7SfMcLlc+BDGcAr5UlIIygs87O4c/A=; b=wyXPgUPlt25eZTupwHJgEE4oJTv29torvyXia509E0SKVLg+iinbD7bGJ7X9OmbdI7 PhRpM0yiapCfu+BKXmI+/fHGQqY0jdEcro+GB5HxtIhTI2uZetx899S6B/psWDjXLtyn BjInJuLu2qqXMeFkg63vFX8s08hqGt0CPaBToJBYMOQdXpAfOW00QUTSjOqpumMfCiKm 2+wdRcjLJwlIobY4DVjHCj2OvBIEMF+EMR7q/SbdpB8EValh6/T4iFCPSD6lmFbdHcXK Ld6TBZ6b5QK74I7RW0CkkMRZErFrMZhWovPsXHFSmSSp7qSY44aNY37AWLNApay8DpOU tN5g==
X-Gm-Message-State: AOJu0YxDqQAQ9p8uzGNjp0vpNtS2BJkjiS3QdBRPFQol0fkRe9E14Skh 5YRLUsTrWbSyWnSXIWSgMZHeaSAV+38rQnVoORyiEpqYwkCpbwOy
X-Google-Smtp-Source: AGHT+IEB6wCy3LA8TnPRrolcGqWWcx6qQ11ZJ3Z5sl1fyyXf8VaP+i8drzU+se4Pv6v4OUZZz+Hi9A==
X-Received: by 2002:a4a:e513:0:b0:59c:9271:39c6 with SMTP id r19-20020a4ae513000000b0059c927139c6mr811000oot.5.1706824686846; Thu, 01 Feb 2024 13:58:06 -0800 (PST)
X-Forwarded-Encrypted: i=0; AJvYcCU4I2Bsi37Lu0+xZq2v4o5LOcGEQLvqN06LmvJ7tCYnLboPbiIihzTvizvamRwhZyB8FXy7ZrfzLD98SS1vFPo4BHe/8ISDadAQTvEeHsRkNSc3MZiZ7oLl7LMtBdhRvzK0JPFP1fmK+3ik1O+BaES8Ua4KO26+hexI5HND6Z6fhc6SCkSbfAs0rKGdIgZEoEnid4+Yb0zPSPwZL6N6zYv3mHghmaaRg77U2zLmQni1PRmAXQ==
Received: from smtpclient.apple ([136.54.28.118]) by smtp.gmail.com with ESMTPSA id e19-20020ad44433000000b0068c6d56d4f7sm165039qvt.92.2024.02.01.13.58.06 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 01 Feb 2024 13:58:06 -0800 (PST)
From: Acee Lindem <acee.ietf@gmail.com>
Message-Id: <95823492-CD5B-4595-9887-07A57E12F863@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D79A6ADE-7B90-4D54-9F4B-36711073A30A"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.300.61.1.2\))
Date: Thu, 01 Feb 2024 16:57:55 -0500
In-Reply-To: <CABY-gOM7zoLSCtgtx9Qj_q206X_m_xJmiL4JQ7NPBOULCR5erQ@mail.gmail.com>
Cc: John Scudder <jgs@juniper.net>, Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>, "draft-ietf-lsr-ospfv3-extended-lsa-yang@ietf.org" <draft-ietf-lsr-ospfv3-extended-lsa-yang@ietf.org>, lsr-chairs <lsr-chairs@ietf.org>, lsr <lsr@ietf.org>, Christian Hopps <chopps@chopps.org>
To: Yingzhen Qu <yingzhen.ietf@gmail.com>
References: <170674896520.10154.16061739265470573273@ietfa.amsl.com> <3DA1DD3C-BE3A-42DD-8FD3-734953C39F16@gmail.com> <FCF92100-0393-46A2-92ED-A86D9B3CA747@gmail.com> <88993C85-C0E6-4DAA-90F6-8145FB83B27C@juniper.net> <85C6BB8B-F778-4108-A686-740BC03C52DD@gmail.com> <CABY-gOM7zoLSCtgtx9Qj_q206X_m_xJmiL4JQ7NPBOULCR5erQ@mail.gmail.com>
X-Mailer: Apple Mail (2.3774.300.61.1.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsr/F5Ty3yzBjrcbHBF3RPA9ZAYeKH0>
Subject: Re: [Lsr] Roman Danyliw's Discuss on draft-ietf-lsr-ospfv3-extended-lsa-yang-28: (with DISCUSS and COMMENT)
X-BeenThere: lsr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Link State Routing Working Group <lsr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lsr>, <mailto:lsr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lsr/>
List-Post: <mailto:lsr@ietf.org>
List-Help: <mailto:lsr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lsr>, <mailto:lsr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Feb 2024 21:58:11 -0000


> On Feb 1, 2024, at 16:28, Yingzhen Qu <yingzhen.ietf@gmail.com> wrote:
> 
> Hi,
> 
> The configuration to enable/disable OSPFv3 Extended LSA is for migration, please refer to RFC 8362 section 6 (RFC 8362 - OSPFv3 Link State Advertisement (LSA) Extensibility (ietf.org) <https://datatracker.ietf.org/doc/html/rfc8362#section-6>). If it's disabled, the router under attack won't be able to exchange extended LSAs with other routers, and new features using only extended LSAs won't work. 
> 
> How about the following changes?
> old:
>       /ospf:ospf/ospf:areas/ospf:area/extended-lsa-support
>       The ability to disable OSPFv3 Extended LSA support can result in a
>       denial of service.
> new:
>       /ospf:ospf/ospf:areas/ospf:area/extended-lsa-support
>       The ability to disable OSPFv3 Extended LSA support can result in a
>       denial of service. Any OSPFv3 extensions using only Extended LSAs won't work.

No - there will not be connectivity between the OSPFv3 routers. For the draft that became RFC 8263, we initially had a complex interoperability mode but when no vendors signed up for implementation,  we simplified the specification to use either the base or extended LSAs for the base SPF. One could use sparse-mode for specific features (e.g., segment routing) but this is dependent on the feature configuration. 

I’ll change it to “enable or disable” since either could have this consequence. 

Thanks,
Acee


> 
> Thanks,
> Yingzhen
> 
> On Thu, Feb 1, 2024 at 9:54 AM Acee Lindem <acee.ietf@gmail.com <mailto:acee.ietf@gmail.com>> wrote:
>> Hi John, 
>> 
>> > On Feb 1, 2024, at 11:55 AM, John Scudder <jgs@juniper.net <mailto:jgs@juniper.net>> wrote:
>> > 
>> > Hi Acee, Roman, all,
>> > 
>> > [top posting, hope that’s OK]
>> > 
>> > After talking with Roman about this today, what I understand his position to be is (at least in part), since the document identifies one specific case of a type of attack ("The ability to disable OSPFv3 Extended LSA support can result in a denial of service”), shouldn’t it also list other cases? What’s special about "denial of service” vs. other things such as the ones Roman mentioned? I don’t think he was seeking an in-depth exploration of these, just a more complete summary list. I also wonder if the concern could equally be satisfied by removing the one special case.
>> 
>> By enabling or disabling this parameter, you can only limit exchange of OSPFv3 LSAs between OSPFv3 routers. You cannot inject compromised LSAs into the OSPFv3 routing domain through modification of this parameter alone? 
>> How could this exploit be used to: 
>> 
>> >>>> modify network topologies to enable select traffic to avoid inspection or
>> >>>> treatment by security controls; route traffic in a way that it would be subject
>> >>>> to inspect/modification by an adversary node; or gain access to otherwise
>> >>>> segregated parts of the network.
>> 
>> 
>> 
>> Thanks,
>> Acee
>> 
>> 
>> 
>> > 
>> > I’m sure Roman will chime in if I’ve gotten this wrong.
>> > 
>> > Thanks,
>> > 
>> > —John
>> > 
>> >> On Jan 31, 2024, at 8:50 PM, Acee Lindem <acee.ietf@gmail.com <mailto:acee.ietf@gmail.com>> wrote:
>> >> 
>> >> 
>> >> 
>> >>> On Jan 31, 2024, at 20:14, Acee Lindem <acee.ietf@gmail.com <mailto:acee.ietf@gmail.com>> wrote:
>> >>> 
>> >>> 
>> >>> 
>> >>>> On Jan 31, 2024, at 19:56, Roman Danyliw via Datatracker <noreply@ietf.org <mailto:noreply@ietf.org>> wrote:
>> >>>> 
>> >>>> Roman Danyliw has entered the following ballot position for
>> >>>> draft-ietf-lsr-ospfv3-extended-lsa-yang-28: Discuss
>> >>>> 
>> >>>> When responding, please keep the subject line intact and reply to all
>> >>>> email addresses included in the To and CC lines. (Feel free to cut this
>> >>>> introductory paragraph, however.)
>> >>>> 
>> >>>> 
>> >>>> Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
>> >>>> for more information about how to handle DISCUSS and COMMENT positions.
>> >>>> 
>> >>>> 
>> >>>> The document, along with other ballot positions, can be found here:
>> >>>> https://datatracker.ietf.org/doc/draft-ietf-lsr-ospfv3-extended-lsa-yang/
>> >>>> 
>> >>>> 
>> >>>> 
>> >>>> ----------------------------------------------------------------------
>> >>>> DISCUSS:
>> >>>> ----------------------------------------------------------------------
>> >>>> 
>> >>>> ** Section 5.
>> >>>> 
>> >>>> Write
>> >>>> operations (e.g., edit-config) to these data nodes without proper
>> >>>> protection can have a negative effect on network operations.  There
>> >>>> are the subtrees and data nodes and their sensitivity/vulnerability:
>> >>>> 
>> >>>>    /ospf:ospf/extended-lsa-support
>> >>>>    /ospf:ospf/ospf:areas/ospf:area/extended-lsa-support
>> >>>>    The ability to disable OSPFv3 Extended LSA support can result in a
>> >>>>    denial of service.
>> >>>> 
>> >>>> Isn’t it more than just denial of service?  In certain environments wouldn’t
>> >>>> the ability to modify OSPF Extended LSA configurations enable an attacker to:
>> >>>> modify network topologies to enable select traffic to avoid inspection or
>> >>>> treatment by security controls; route traffic in a way that it would be subject
>> >>>> to inspect/modification by an adversary node; or gain access to otherwise
>> >>>> segregated parts of the network.
>> >>> 
>> >>> Only if they were able to craft extended LSAs on behalf of the original as well as
>> >>> modify the YANG configuration added by this document. I didn’t think we’d have to
>> >>> reiterate all the possible protocol attacks for every incremental enhancement.
>> >> 
>> >> Furthermore, no one is going to use the support of extended LSAs to isolate OSPFv3 domains 
>> >> from one another. The configuration is to control migration to the extended LSA encodings.
>> >> Please see RFC 8362 for more information on OSPFv3 Extended LSAs.  
>> >> 
>> >> Acee
>> >> 
>> >> 
>> >> 
>> >> 
>> >> 
>> >>> 
>> >>> Acee
>> >>> 
>> >>> 
>> >>> 
>> >>>> 
>> >>>> 
>> >>>> ----------------------------------------------------------------------
>> >>>> COMMENT:
>> >>>> ----------------------------------------------------------------------
>> >>>> 
>> >>>> As an editorial note, I would have benefit from some narrative prose on the data model.
>> >> 
>> >> _______________________________________________
>> >> Lsr mailing list
>> >> Lsr@ietf.org <mailto:Lsr@ietf.org>
>> >> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/lsr__;!!NEt6yMaO-gk!CSaaziWFGrg6dv81sm55-XN-CP5eUEsFoeObIEuQzH8mYmJPURb3VboumvFzwTwOiHyiHP8O67tleiE$
>> > 
>>

v2.23.0 | Report a Bug | By Email