Re: [MBONED] TSV Area Review of draft-ietf-mboned-mtrace-v2
"Brian Trammell (IETF)" <ietf@trammell.ch> Thu, 25 January 2018 15:07 UTC
Return-Path: <ietf@trammell.ch>
X-Original-To: mboned@ietfa.amsl.com
Delivered-To: mboned@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECA4D12DFDB; Thu, 25 Jan 2018 07:07:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cxn1Onj2Tmyz; Thu, 25 Jan 2018 07:06:59 -0800 (PST)
Received: from gozo.iway.ch (gozo.iway.ch [212.25.24.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63DB71243F6; Thu, 25 Jan 2018 07:06:59 -0800 (PST)
Received: from gozo.iway.ch (localhost [127.0.0.1]) by localhost (Postfix) with ESMTP id 1936A340F31; Thu, 25 Jan 2018 16:06:56 +0100 (CET)
Received: from localhost (localhost [127.0.0.1]) by localhost (ACF/6597.15055); Thu, 25 Jan 2018 16:06:55 +0100 (CET)
Received: from switchplus-mail.ch (switchplus-mail.ch [212.25.8.236]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by gozo.iway.ch (Postfix) with ESMTPS; Thu, 25 Jan 2018 16:06:55 +0100 (CET)
Received: from nb-10604.ethz.ch (account ietf@trammell.ch [82.130.102.91] verified) by switchplus-mail.ch (CommuniGate Pro SMTP 6.1.18) with ESMTPSA id 43309185; Thu, 25 Jan 2018 16:06:55 +0100
From: "Brian Trammell (IETF)" <ietf@trammell.ch>
Message-Id: <5F0B89C5-AD6B-440E-9076-39B493C7205C@trammell.ch>
Content-Type: multipart/signed; boundary="Apple-Mail=_ED2DC57B-9237-49B8-84AF-59D2C82E5529"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Thu, 25 Jan 2018 16:06:54 +0100
In-Reply-To: <B17B10CF-E535-47A9-8686-34B29741D708@ieee.org>
Cc: mboned@ietf.org, draft-ietf-mboned-mtrace-v2@ietf.org, tsv-art@ietf.org
To: Hitoshi Asaeda <asaeda@ieee.org>
References: <91243C66-4C6B-4A53-BB61-B6CE153FC31F@trammell.ch> <B17B10CF-E535-47A9-8686-34B29741D708@ieee.org>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mboned/3DHeIHHrarpwcCGkSn0MKJZa0qU>
Subject: Re: [MBONED] TSV Area Review of draft-ietf-mboned-mtrace-v2
X-BeenThere: mboned@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Mail List for the Mboned Working Group <mboned.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mboned>, <mailto:mboned-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mboned/>
List-Post: <mailto:mboned@ietf.org>
List-Help: <mailto:mboned-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mboned>, <mailto:mboned-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Jan 2018 15:07:04 -0000
hi Hitoshi, Replies inline... > On 25 Jan 2018, at 05:54, Hitoshi Asaeda <asaeda@ieee.org> wrote: > > Hi Brian, > > Thanks for your review and comments. > >> 2018/01/24 18:47, Brian Trammell (IETF) <ietf@trammell.ch> wrote: >> >> Greetings, >> >> I've reviewed this document as part of the transport area review team's ongoing effort to review key IETF documents. These comments were written primarily for the transport area directors, but are copied to the document's authors for their information and to allow them to address any issues raised. When done at the time of IETF Last Call, the authors should consider this review together with any other last-call comments they receive. Please always CC tsv-art@… if you reply to or forward this review. >> >> Summary: >> >> The document is not ready for publication as a Standards Track RFC in its current state. >> >> The protocol appears to make appropriate use of UDP; i.e., it poses no concerns about congestion safety when implemented and used as designed with non-malicious clients. >> >> However, I'm concerned about the potential for abuse of mtrace2. Specifically, replies are larger than queries, so the protocol can be used for amplification, and the protocol will send replies to a client address which is sent in cleartext without integrity protection, so the potential for redirection via spoofing exists. >> >> The first, I think, could be addressed by requiring the initial query to be a near-maximum-size UDP packet, or at least larger than the reply packets. > > I may misunderstand this comment, but.. > Do you think creating the initial query to be a near-maximum-size UDP packet (maybe by padding with zero?) addresses the security concern? Partially. There are two kinds of amplification: one spoofed packet causes many packets to be sent to the target, which is more pernicious; one spoofed packet causes a single larger spoofed packet to be sent to the target, which is less dangerous but still not great. > A malicious user would cause more disruption by sending big query packets than by sending small ones. The point is to reduce the ratio between Query and Reply size to ensure that there is no incentive to try to use mtrace2 reflection to increase the bandwidth available to an attacker. > Since only one mtrace query can be sent per UDP packet, there is no “amplification” exposure in which a packet could contain a large number of queries, yielding a much higher volume of response data for a given packet. The ratio of response data per mtrace query is unchanged by sending big query packets and using extra bandwidth for the queries is undesirable. I might misunderstand the protocol, but doesn't each Query cause at least one Request to be sent per hop? Although this then results in only one Reply, so I suppose the parallel per-packet amplification threat is minimal... >> The security concept in sections 9.1 and 9.2 seems to assume that client filtering at a network border is sufficient; however, this does not appear to address the case of inside an administrative domain spoofing its address. > > There are two different types of filtering being mixed up in this comment: (1) Filtering by administrative boundary (which only makes sense at a border). (2) Filtering to allow only acceptable source addresses (which can be applied on any router and can be used to filter out unwanted sources within an administrative domain). We think that we can satisfy your concern by clarifying this point (with editorial update). > We’ll provide some text for (2) in the revision. Thanks! >> Section 9.5 acknowledges the potential of the protocol for amplification, but should provide concrete advice for rate limiting. > > We think it is difficult to provide concrete advice for rate limiting, because it hardly depends on the environments and situations/conditions. The WG also agreed that the rate limit is left to the router's implementation. > If you believe we should specify some advice for concrete value for rate limiting, could you kindly give some example? I'm also not sure here, because I'm not familiar with the environments in which mtrace operates. In general, what is the data rate mtrace traffic on the path between routers, as a percentage of total available bandwidth? Perhaps expressing the recommended rate limits in these terms would be useful. > >> One question: this may be a moot question (I did not review mtrace v1), but it appears that mtrace2 is designed to share a port with mtrace1, and I don't see any version field in the messages. How is version transition handled by this protocol? Is it possible to run a mixed network with both mtrace versions and have the right thing (probably downgrade) happen, or is the assumption that mtrace version migration is a flag day? A related editorial suggestion: a list of changes from mtrace v1 to mtrace v2 in an appendix would be useful. > > There is no mtrace v1 specification. Some vendors and UNIX OSes implemented mtrace (aka mtrace “v1”) without the standard specification. It was mentioned in section 10 (Acknowledgements) as follows; > > This specification started largely as a transcription of Van > Jacobson's slides from the 30th IETF, and the implementation in > mrouted 3.3 by Ajit Thyagarajan. Van's original slides credit Steve > Casner, Steve Deering, Dino Farinacci and Deb Agrawal. The original > multicast traceroute client, mtrace (version 1), has been implemented > by Ajit Thyagarajan, Steve Casner and Bill Fenner. > > The problem is that since no standard specification, there is no interoperability with the different mtrace v1 implementations. Mtrace v1 is not only obsolete but also no specification; hence it is difficult or meaningless to clearly show the diffs between mtrace v1 and v2, IMO. > > Regarding backward compatibility, as briefly mentioned in section 1 (as follows); > > Mtrace2 supports both IPv4 and IPv6. Unlike the previous version of > Mtrace, which implements its query and response as Internet Group > Management Protocol (IGMP) messages [8], all Mtrace2 messages are > UDP-based. > > mtrace v1 was implemented on top of IGMP, while mtrace v2 is defined with UDP. There is no compatibility between them, and the WG agreed on ignoring this compatibility. Ah, right. I did see this, but it didn't register that that made versioning irrelevant, sorry. Thanks for explaining! > Also it may be worth noting that we can handle new (e.g., v3) mtrace versions by supporting new TLV types, with downward compatibility provided for the mtrace2 TLV types at this moment. Yep, this clearly works, and should probably be called out explicitly in the draft. Thanks, cheers, Brian
- [MBONED] TSV Area Review of draft-ietf-mboned-mtr… Brian Trammell (IETF)
- Re: [MBONED] TSV Area Review of draft-ietf-mboned… Hitoshi Asaeda
- Re: [MBONED] TSV Area Review of draft-ietf-mboned… Brian Trammell (IETF)
- Re: [MBONED] TSV Area Review of draft-ietf-mboned… Toerless Eckert
- Re: [MBONED] TSV Area Review of draft-ietf-mboned… Toerless Eckert