IETF Logo Mail Archive

Re: [Lsr] Roman Danyliw's Discuss on draft-ietf-lsr-ospfv3-extended-lsa-yang-28: (with DISCUSS and COMMENT)

Yingzhen Qu <yingzhen.ietf@gmail.com> Thu, 01 February 2024 21:29 UTC

Return-Path: <yingzhen.ietf@gmail.com>
X-Original-To: lsr@ietfa.amsl.com
Delivered-To: lsr@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 732ACC14F60D; Thu, 1 Feb 2024 13:29:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZbHlfoktet3G; Thu, 1 Feb 2024 13:28:59 -0800 (PST)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32FACC14F60C; Thu, 1 Feb 2024 13:28:59 -0800 (PST)
Received: by mail-lf1-x132.google.com with SMTP id 2adb3069b0e04-511318ef27fso1158408e87.1; Thu, 01 Feb 2024 13:28:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1706822937; x=1707427737; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=HGXIOwgxxIGl0hTwokCfEu79PKkoUNx7tvsNzoEgXBQ=; b=LkzA9cvs6mySqsRRPRv66aCbPy7fq0KOp5AMOi1Ar8Bd7PSH0nuyf52uHVR8bf7YcG Akqg/w2lTHkBSl35FHpB4VcFEfoQZyRUONZH/Ffpt2Ay0XDA23y01L93s9cwgfHnZvXF Zsy9n75G5aIxCNWqKRboq0LhBHBQbDJRZX+XPgCOlKRGNaPTPbvDrxY6RiH1CycPC9sf mB09w/ZPqj8cZp+9qOBI06I/T1ACkGl1hYzvVhAgBCOYFGb/Gz7ONeTXk1CBO5kS0c2f R+7K7eVaCksFG8obw71hmZVhrahoJ0xjl2fb+Gcyzxue4j9q1fzrIPPeWMGI985HbXSF 9Kqw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1706822937; x=1707427737; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=HGXIOwgxxIGl0hTwokCfEu79PKkoUNx7tvsNzoEgXBQ=; b=q5sMf2nIFaSJtxLtkGgPZfWwv264jLFc86pj/s5pJ0DI6SNpMEssphKtpNyJCE9TtH KozmSj0OB0S5n+V+IlLFmb6tCzM5fq4/EwQGodrDLlIL0vQvisONKCjumpAwh3/HRdr2 uwFGeFp8nIFUYvYDfaQ60VD1C6tcZ3WF7DiZPeRwpVYYA5RrMjvQLFIgu88AHaEbdNm7 CDwjHZba150zjGjbV/qF09h1VFJkJdoc31N4EbQYuVJFf9tgEr9bbF9uansn20Yyni6s xwzNXr0RTjy/GeGFLn9lY+gk/6PQDwFYwGi0fU4vkITtnFIIC+JrmV/U3qvKY5Nl1Lff biWQ==
X-Gm-Message-State: AOJu0YzSXSC13qwWufkKKmWTjmdC/yUip0fE+0i4WTiRjcjzVNoEX2pX SdnLiJ2pfCelICi2Wjh+f28Ln1sgKwYKRo8YBEoeg6Ki1V/F3v6ohp/IgMbN6qWJSO4J1gTf6KK MSLXbTkQsMf2FadKpqvqe6zUhZQ==
X-Google-Smtp-Source: AGHT+IGW1vt7KuXqeh6sWMdenujhyxoxcMwpODtOz9C29ejZVZ+rmUWX+lHnWK6gl5u6Z6n+jVOSUtGUBS4FjQy9V7c=
X-Received: by 2002:a05:651c:1a0f:b0:2cf:1ae2:dca with SMTP id by15-20020a05651c1a0f00b002cf1ae20dcamr5307352ljb.16.1706822936883; Thu, 01 Feb 2024 13:28:56 -0800 (PST)
MIME-Version: 1.0
References: <170674896520.10154.16061739265470573273@ietfa.amsl.com> <3DA1DD3C-BE3A-42DD-8FD3-734953C39F16@gmail.com> <FCF92100-0393-46A2-92ED-A86D9B3CA747@gmail.com> <88993C85-C0E6-4DAA-90F6-8145FB83B27C@juniper.net> <85C6BB8B-F778-4108-A686-740BC03C52DD@gmail.com>
In-Reply-To: <85C6BB8B-F778-4108-A686-740BC03C52DD@gmail.com>
From: Yingzhen Qu <yingzhen.ietf@gmail.com>
Date: Thu, 01 Feb 2024 13:28:45 -0800
Message-ID: <CABY-gOM7zoLSCtgtx9Qj_q206X_m_xJmiL4JQ7NPBOULCR5erQ@mail.gmail.com>
To: Acee Lindem <acee.ietf@gmail.com>
Cc: John Scudder <jgs@juniper.net>, Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>, "draft-ietf-lsr-ospfv3-extended-lsa-yang@ietf.org" <draft-ietf-lsr-ospfv3-extended-lsa-yang@ietf.org>, lsr-chairs <lsr-chairs@ietf.org>, lsr <lsr@ietf.org>, Christian Hopps <chopps@chopps.org>
Content-Type: multipart/alternative; boundary="000000000000d8f515061058ae39"
Archived-At: <https://mailarchive.ietf.org/arch/msg/lsr/kbuZAAA-gsnQkhiSky_HplAOtK8>
Subject: Re: [Lsr] Roman Danyliw's Discuss on draft-ietf-lsr-ospfv3-extended-lsa-yang-28: (with DISCUSS and COMMENT)
X-BeenThere: lsr@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Link State Routing Working Group <lsr.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lsr>, <mailto:lsr-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lsr/>
List-Post: <mailto:lsr@ietf.org>
List-Help: <mailto:lsr-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lsr>, <mailto:lsr-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Feb 2024 21:29:03 -0000

Hi,

The configuration to enable/disable OSPFv3 Extended LSA is for migration,
please refer to RFC 8362 section 6 (RFC 8362 - OSPFv3 Link State
Advertisement (LSA) Extensibility (ietf.org)
<https://datatracker.ietf.org/doc/html/rfc8362#section-6>). If it's
disabled, the router under attack won't be able to exchange extended LSAs
with other routers, and new features using only extended LSAs won't work.

How about the following changes?
old:

      /ospf:ospf/ospf:areas/ospf:area/extended-lsa-support
      The ability to disable OSPFv3 Extended LSA support can result in a
      denial of service.

new:

      /ospf:ospf/ospf:areas/ospf:area/extended-lsa-support
      The ability to disable OSPFv3 Extended LSA support can result in a
      denial of service. Any OSPFv3 extensions using only Extended
LSAs won't work.


Thanks,

Yingzhen


On Thu, Feb 1, 2024 at 9:54 AM Acee Lindem <acee.ietf@gmail.com> wrote:

> Hi John,
>
> > On Feb 1, 2024, at 11:55 AM, John Scudder <jgs@juniper.net> wrote:
> >
> > Hi Acee, Roman, all,
> >
> > [top posting, hope that’s OK]
> >
> > After talking with Roman about this today, what I understand his
> position to be is (at least in part), since the document identifies one
> specific case of a type of attack ("The ability to disable OSPFv3 Extended
> LSA support can result in a denial of service”), shouldn’t it also list
> other cases? What’s special about "denial of service” vs. other things such
> as the ones Roman mentioned? I don’t think he was seeking an in-depth
> exploration of these, just a more complete summary list. I also wonder if
> the concern could equally be satisfied by removing the one special case.
>
> By enabling or disabling this parameter, you can only limit exchange of
> OSPFv3 LSAs between OSPFv3 routers. You cannot inject compromised LSAs into
> the OSPFv3 routing domain through modification of this parameter alone?
> How could this exploit be used to:
>
> >>>> modify network topologies to enable select traffic to avoid
> inspection or
> >>>> treatment by security controls; route traffic in a way that it would
> be subject
> >>>> to inspect/modification by an adversary node; or gain access to
> otherwise
> >>>> segregated parts of the network.
>
>
>
> Thanks,
> Acee
>
>
>
> >
> > I’m sure Roman will chime in if I’ve gotten this wrong.
> >
> > Thanks,
> >
> > —John
> >
> >> On Jan 31, 2024, at 8:50 PM, Acee Lindem <acee.ietf@gmail.com> wrote:
> >>
> >>
> >>
> >>> On Jan 31, 2024, at 20:14, Acee Lindem <acee.ietf@gmail.com> wrote:
> >>>
> >>>
> >>>
> >>>> On Jan 31, 2024, at 19:56, Roman Danyliw via Datatracker <
> noreply@ietf.org> wrote:
> >>>>
> >>>> Roman Danyliw has entered the following ballot position for
> >>>> draft-ietf-lsr-ospfv3-extended-lsa-yang-28: Discuss
> >>>>
> >>>> When responding, please keep the subject line intact and reply to all
> >>>> email addresses included in the To and CC lines. (Feel free to cut
> this
> >>>> introductory paragraph, however.)
> >>>>
> >>>>
> >>>> Please refer to
> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> >>>> for more information about how to handle DISCUSS and COMMENT
> positions.
> >>>>
> >>>>
> >>>> The document, along with other ballot positions, can be found here:
> >>>>
> https://datatracker.ietf.org/doc/draft-ietf-lsr-ospfv3-extended-lsa-yang/
> >>>>
> >>>>
> >>>>
> >>>> ----------------------------------------------------------------------
> >>>> DISCUSS:
> >>>> ----------------------------------------------------------------------
> >>>>
> >>>> ** Section 5.
> >>>>
> >>>> Write
> >>>> operations (e.g., edit-config) to these data nodes without proper
> >>>> protection can have a negative effect on network operations.  There
> >>>> are the subtrees and data nodes and their sensitivity/vulnerability:
> >>>>
> >>>>    /ospf:ospf/extended-lsa-support
> >>>>    /ospf:ospf/ospf:areas/ospf:area/extended-lsa-support
> >>>>    The ability to disable OSPFv3 Extended LSA support can result in a
> >>>>    denial of service.
> >>>>
> >>>> Isn’t it more than just denial of service?  In certain environments
> wouldn’t
> >>>> the ability to modify OSPF Extended LSA configurations enable an
> attacker to:
> >>>> modify network topologies to enable select traffic to avoid
> inspection or
> >>>> treatment by security controls; route traffic in a way that it would
> be subject
> >>>> to inspect/modification by an adversary node; or gain access to
> otherwise
> >>>> segregated parts of the network.
> >>>
> >>> Only if they were able to craft extended LSAs on behalf of the
> original as well as
> >>> modify the YANG configuration added by this document. I didn’t think
> we’d have to
> >>> reiterate all the possible protocol attacks for every incremental
> enhancement.
> >>
> >> Furthermore, no one is going to use the support of extended LSAs to
> isolate OSPFv3 domains
> >> from one another. The configuration is to control migration to the
> extended LSA encodings.
> >> Please see RFC 8362 for more information on OSPFv3 Extended LSAs.
> >>
> >> Acee
> >>
> >>
> >>
> >>
> >>
> >>>
> >>> Acee
> >>>
> >>>
> >>>
> >>>>
> >>>>
> >>>> ----------------------------------------------------------------------
> >>>> COMMENT:
> >>>> ----------------------------------------------------------------------
> >>>>
> >>>> As an editorial note, I would have benefit from some narrative prose
> on the data model.
> >>
> >> _______________________________________________
> >> Lsr mailing list
> >> Lsr@ietf.org
> >>
> https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/lsr__;!!NEt6yMaO-gk!CSaaziWFGrg6dv81sm55-XN-CP5eUEsFoeObIEuQzH8mYmJPURb3VboumvFzwTwOiHyiHP8O67tleiE$
> >
>
>

v2.23.0 | Report a Bug | By Email