IETF Logo Mail Archive

Re: [MBONED] Benjamin Kaduk's No Objection on draft-ietf-mboned-driad-amt-discovery-11: (with COMMENT)

"Holland, Jake" <jholland@akamai.com> Fri, 20 December 2019 18:14 UTC

Return-Path: <jholland@akamai.com>
X-Original-To: mboned@ietfa.amsl.com
Delivered-To: mboned@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F6AF120856; Fri, 20 Dec 2019 10:14:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 91wkGamlRpZo; Fri, 20 Dec 2019 10:14:31 -0800 (PST)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 570B212084D; Fri, 20 Dec 2019 10:14:31 -0800 (PST)
Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by m0050096.ppops.net-00190b01. (8.16.0.42/8.16.0.42) with SMTP id xBKIDcRs029247; Fri, 20 Dec 2019 18:14:30 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=jan2016.eng; bh=/zyuLzMdMffdmYM178Q7Gj9b8zSU3Qg6717tbbDn/7c=; b=Lri8h5++wfGONz5+eXyPsNdh6EgTmKeepJaOQxTjt7DConTqMme1XyHZ8l0ovHr6Yg4J QIQRCRJoY2UJLn3W0yx6CY0hV0QCEve9OqEObYEzNHGA9314iRAXkfX2mLIrUqecB+T6 64qYpdKlAAdvappM2DQXtM6JSqrnTlCarU5GKHrNtpvtfGE3qlQaSLaN8N2dsl4KHUll dC9QzRSR0zGgzzBXCu9JKrIdpaCe9hSxUkG4VdaGyhrPTWv2d4ROqoKq2kOXY/Wumiss 1hoYAmM7/Ex/TXU3EEgDUkVza5OcQ+ljXtFy3OmX8sjpNr8Nr7hPJu2p9gTrY0iO+Mud 2Q==
Received: from prod-mail-ppoint3 (prod-mail-ppoint3.akamai.com [96.6.114.86] (may be forged)) by m0050096.ppops.net-00190b01. with ESMTP id 2wyymeya8g-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 20 Dec 2019 18:14:30 +0000
Received: from pps.filterd (prod-mail-ppoint3.akamai.com [127.0.0.1]) by prod-mail-ppoint3.akamai.com (8.16.0.27/8.16.0.27) with SMTP id xBKI2TlV020037; Fri, 20 Dec 2019 13:14:29 -0500
Received: from email.msg.corp.akamai.com ([172.27.165.117]) by prod-mail-ppoint3.akamai.com with ESMTP id 2wvuy3d6pa-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 20 Dec 2019 13:14:27 -0500
Received: from ustx2ex-dag1mb6.msg.corp.akamai.com (172.27.165.124) by ustx2ex-dag1mb4.msg.corp.akamai.com (172.27.165.122) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 20 Dec 2019 12:14:12 -0600
Received: from ustx2ex-dag1mb6.msg.corp.akamai.com ([172.27.165.124]) by ustx2ex-dag1mb6.msg.corp.akamai.com ([172.27.165.124]) with mapi id 15.00.1473.005; Fri, 20 Dec 2019 10:14:12 -0800
From: "Holland, Jake" <jholland@akamai.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: The IESG <iesg@ietf.org>, "draft-ietf-mboned-driad-amt-discovery@ietf.org" <draft-ietf-mboned-driad-amt-discovery@ietf.org>, "mboned-chairs@ietf.org" <mboned-chairs@ietf.org>, "mboned@ietf.org" <mboned@ietf.org>
Thread-Topic: [MBONED] Benjamin Kaduk's No Objection on draft-ietf-mboned-driad-amt-discovery-11: (with COMMENT)
Thread-Index: AQHVtjE/mHeHwQJBX0+Z016FYCSVR6fBzxUAgAEKEYCAAH0FgA==
Date: Fri, 20 Dec 2019 18:14:12 +0000
Message-ID: <960B7D8D-FDCE-409C-9E95-9B18A0541E85@akamai.com>
References: <157673506508.4859.18252907968152390250.idtracker@ietfa.amsl.com> <FEBA69F8-BF3B-4C88-8A37-52FA411F39B9@akamai.com> <20191220024643.GI35479@kduck.mit.edu>
In-Reply-To: <20191220024643.GI35479@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.20.0.191208
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.80.68]
Content-Type: text/plain; charset="utf-8"
Content-ID: <7927965D29FF094086DBBA3AB8E50CBC@akamai.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-12-20_05:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1911140001 definitions=main-1912200136
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.95,18.0.572 definitions=2019-12-20_05:2019-12-17,2019-12-20 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 phishscore=0 bulkscore=0 clxscore=1015 mlxscore=0 impostorscore=0 priorityscore=1501 spamscore=0 mlxlogscore=999 lowpriorityscore=0 suspectscore=0 adultscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1910280000 definitions=main-1912200137
Archived-At: <https://mailarchive.ietf.org/arch/msg/mboned/JCEHby2dZ6yovY1e2uom8QE35lg>
Subject: Re: [MBONED] Benjamin Kaduk's No Objection on draft-ietf-mboned-driad-amt-discovery-11: (with COMMENT)
X-BeenThere: mboned@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Mail List for the Mboned Working Group <mboned.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mboned>, <mailto:mboned-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mboned/>
List-Post: <mailto:mboned@ietf.org>
List-Help: <mailto:mboned-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mboned>, <mailto:mboned-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Dec 2019 18:14:33 -0000

Thanks Ben!

2 more responses for the hopefully final rev:

On 2019-12-19, 18:47, "Benjamin Kaduk" <kaduk@mit.edu> wrote:
> The potential edit (not quite a suggestion) was to note that when we're
> using a relay-discovery procedure that involves "try one, and fall over to
> another one if it doesn't work", an attacker can disrupt one (or more)
> attempts early in the procedure to try to force a particular relay to be
> used.  (That might be with the ultimate goal to intercept traffic, to alter
> traffic, to gain the ability to selectively drop traffic, or otherwise, but
> it's not terribly interesting for this point.)  Furthermore, the particular
> procedure that we've chosen reduces the ability of an attacker to do so,
> since we try the relays that are "closer" (and thus harder to attack)
> first.

This is an interesting point, but I'm reluctant to claim that this
improves the security in practice, so I'm thinking I'll leave it out.

The reason being that although we take a close relay first (with DNS-SD,
for instance), and although that relay might be hard for an off-path
attacker to disrupt, it's likely that upstream of the DNS-SD connection
there's another gateway using DRIAD to connect to a sender-advertised
relay (the main other option being native multicast connectivity to the
sender, which is uncommon on today's internet).

So I think the "find a close relay first" approach likely doesn't do
enough to warrant a mention as a useful mitigation to this issue, because
an attacker who can disrupt a connection and force retrying to his target
could still disrupt another connection further upstream that's still a
part of the path.  Ultimately all the traffic from a sender would usually
come from relays known to the sender, except where there's native multicast
connectivity all the way to a "close" gateway (or to the receiver), which
in practice today is mostly just walled garden scenarios that already
limit the reachability for this kind of attack.

>> Yes, but this is generic to AMT and is mentioned in the 2nd paragraph of
>> Section 6.2 of RFC 7450.  I guess it's a fair point that it's not clear
>> the warning there is entirely adequate--should I try to write a section
>> about this on the grounds that I'm updating 7450 and making it more
>> widely deployable?
>
> I don't insist on it, so maybe give it a quick go and see if it looks good.

I'll add a paragraph to the bottom of "6.1 Use of AMT" section:

   Note that AMT does not itself provide any integrity protection on
   Multicast Data packets (Section 5.1.6 of [RFC7450]), so absent
   protections like those mentioned above, even an off-path attacker who
   discovers the gateway IP, the relay IP, and the relay source port for
   an active AMT connection can inject multicast data packets for a
   joined (S,G) into the data stream if he can get data packets
   delivered to the gateway IP that spoof the relay as the source.

v2.31.3 | Report a Bug | By Email | System Status