IETF Logo Mail Archive

Re: [MBONED] Eric Rescorla's Discuss on draft-ietf-mboned-mtrace-v2-22: (with DISCUSS and COMMENT)

Hitoshi Asaeda <asaeda@ieee.org> Thu, 26 July 2018 07:22 UTC

Return-Path: <asaeda@ieee.org>
X-Original-To: mboned@ietfa.amsl.com
Delivered-To: mboned@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73D9412426A for <mboned@ietfa.amsl.com>; Thu, 26 Jul 2018 00:22:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ieee-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P8WeQ71tgVy2 for <mboned@ietfa.amsl.com>; Thu, 26 Jul 2018 00:22:32 -0700 (PDT)
Received: from mail-pl0-x230.google.com (mail-pl0-x230.google.com [IPv6:2607:f8b0:400e:c01::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07FE1130E15 for <mboned@ietf.org>; Thu, 26 Jul 2018 00:22:29 -0700 (PDT)
Received: by mail-pl0-x230.google.com with SMTP id e11-v6so421178plb.3 for <mboned@ietf.org>; Thu, 26 Jul 2018 00:22:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee-org.20150623.gappssmtp.com; s=20150623; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=eJCbapXo6zzJ6rKUz1Cs7ups6giA1wYcay4Q+KBorhQ=; b=UncdyhZUyu9XC3JZ8nQqqxlHlflQJUZucVOTUAJCvFOipbJt6xnrxxrMvAb+GQyIoN Usx2ScT2HvBWwEjZrK77eYobbh+yR1OmdWAei+r7AVow/FFwSfiCxDyVcLu+pkl0Co/t GBnQncOv8TUJy4wwrmZqQ/sKkjlWPGy1JDwBxQQC6/Z3wMioijEfkHuCtUXtKxkxqKm6 oil8UWVm9ylXRgDjvtyCi631aKZXiTw1/oySWHLa3lCA5zzL49GC6NSFocoXdXQiVMC6 Tm3xhBbHJxZoPlh+gbk/RDyHNiMpq0bLxC5GPYHXTMQDAAmOleT3Rqumsu1jbC1CflEf SH4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=eJCbapXo6zzJ6rKUz1Cs7ups6giA1wYcay4Q+KBorhQ=; b=XWQ5y9Z7E2ChBWbza2ty5+OCs5T+bEJKeV29OEOcuew4o9E6NWst+lFx+BDxxBky30 LnI7Hpd6CsJHDBWjtraPjEhRaVCW61HXRqqw93fVacuIrmh/sYbpKjs8IGK1W/rUHdNZ VhY4A7d6TI9K6Vk4qYWFCq7DrMqefX8k3Eclm9SGAuCSsnEGRNlM4G/NpAulWwuzsYiJ hkQjMrxrk4uuv3uGqmmqw2AuFp1ld8TvaYue+uMKX2hDvV4ePbFWI6ys+haVrINLxbcs zXPyyblY9Hq+kXSGH1LnGKbgwaTOEQV1eQrA5frZO5me+xcCanYLOSq2yQ9UnLFLinV2 1gNA==
X-Gm-Message-State: AOUpUlHN1U/vyqLr/3+A1mUxIk6K3MqW3Y+D6dq5spOdovr/f7zYXyrk 9IH6fWzqO/hcSg2t+DT/+/FFdA==
X-Google-Smtp-Source: AAOMgpelzipnmFruhqf++RT+uawYS8wwGcV+oIMjhayOTzkmjc4wneB5vfxsf37yKh+5NMnsIJeJ7A==
X-Received: by 2002:a17:902:8215:: with SMTP id x21-v6mr841230pln.175.1532589749203; Thu, 26 Jul 2018 00:22:29 -0700 (PDT)
Received: from ?IPv6:2001:200:e103:1000:b92a:1e59:7f37:3c0d? ([2001:200:e103:1000:b92a:1e59:7f37:3c0d]) by smtp.gmail.com with ESMTPSA id o21-v6sm1239039pfa.54.2018.07.26.00.22.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 26 Jul 2018 00:22:28 -0700 (PDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Hitoshi Asaeda <asaeda@ieee.org>
In-Reply-To: <CABcZeBP67FhLcqvcpuCkMOFtg4WCFKSYhnjZ2hK9+H3aKOnOLA@mail.gmail.com>
Date: Thu, 26 Jul 2018 16:22:24 +0900
Cc: draft-ietf-mboned-mtrace-v2@ietf.org, The IESG <iesg@ietf.org>, MBONED WG <mboned@ietf.org>, mboned-chairs@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <B1FEAE29-CDA7-4F50-9713-A7B0DDAC12C1@ieee.org>
References: <3779EE09-4481-43DB-A422-9A9FE1A4CEB4@me.com> <E54E31C9-FCD2-4D5D-9295-6BBBF15BD938@me.com> <CABcZeBPdrfLf8ORuMQsKQ2jg1U0CyZ1jZHHqry2HwMEOf5hFyg@mail.gmail.com> <780E7155-9BCB-4EB3-A777-896C57E1BA85@ieee.org> <CABcZeBO9WX40eUwBt15mNRLqrqeVe6EOtyLbTFsKEZ0EwaQ_6Q@mail.gmail.com> <7ED42F6C-FD89-4F31-9AE4-269ED3EEB13D@ieee.org> <CABcZeBP67FhLcqvcpuCkMOFtg4WCFKSYhnjZ2hK9+H3aKOnOLA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mboned/URv9Da6l8N2wwZ_nYxAOtBvD40g>
Subject: Re: [MBONED] Eric Rescorla's Discuss on draft-ietf-mboned-mtrace-v2-22: (with DISCUSS and COMMENT)
X-BeenThere: mboned@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Mail List for the Mboned Working Group <mboned.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mboned>, <mailto:mboned-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mboned/>
List-Post: <mailto:mboned@ietf.org>
List-Help: <mailto:mboned-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mboned>, <mailto:mboned-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jul 2018 07:22:35 -0000

Dear IESG and WG,

I've submitted the revised Mtrace2 draft;

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the MBONE Deployment WG of the IETF.

       Title           : Mtrace Version 2: Traceroute Facility for IP Multicast
       Authors         : Hitoshi Asaeda
                         Kerry Meyer
                         WeeSan Lee
	Filename        : draft-ietf-mboned-mtrace-v2-25.txt
	Pages           : 40
	Date            : 2018-07-26

Abstract:
  This document describes the IP multicast traceroute facility, named
  Mtrace version 2 (Mtrace2).  Unlike unicast traceroute, Mtrace2
  requires special implementations on the part of routers.  This
  specification describes the required functionality in multicast
  routers, as well as how an Mtrace2 client invokes a query and
  receives a reply.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-mboned-mtrace-v2/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-mboned-mtrace-v2-25
https://datatracker.ietf.org/doc/html/draft-ietf-mboned-mtrace-v2-25

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-mboned-mtrace-v2-25


The authors believe this revision addresses all comments given during the IESG review process.

Thank you for your comments.

Regards,

Hitoshi


> On 2018/07/09, at 22:54, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> 
> 
> On Mon, Jul 9, 2018 at 6:51 AM, Hitoshi Asaeda <asaeda@ieee.org> wrote:
> Eric,
> 
> > >> Section 4.2.1, however (see below), prohibits processing of a Request that is not sent from an adjacent router. Also, it is worth considering that this problem hypothesis supposes that a DoS attack is launched from a trusted router address. Even for this scenario, however, the document does provide protection. The normative descriptions to which the quote above refers are:
> > >> 
> > >> -  The previous paragraph from section 9.2 (requirement for use of ACLs; slightly reworded later in this email to the new proposed text):
> > >> 
> > >> ----------
> > >>   A router MUST support an access control list (ACL) mechanism to
> > >>   filter out Queries from clients and Requests from peer router
> > >>   addresses that are unauthorized or that are beyond a specified
> > >>   administrative boundary.  This filtering could, for example, be
> > >>   specified via a list of allowed/disallowed client and peer addresses
> > >>   or subnets for the Mtrace2 protocol port.  If a Query or Request is
> > >>   received from an unauthorized address or one beyond the specified
> > >>   administrative boundary, the Query/Request MUST NOT be processed.
> > >>   The router MAY, however, perform rate limited logging of such events.
> > >> ----------
> > >> 
> > >> and 
> > >> 
> > >>  - Section 4.2.1 (required validity checks to force rejection of a Request message from a source that is not an adjacent router):
> > >> 
> > >> ----------
> > >> 4.2.1.  Request Packet Verification
> > >> 
> > >>   If the Mtrace2 Request does not come from an adjacent router, or if
> > >>   the Request is not addressed to this router, or if the Request is
> > >>     addressed to a multicast group which is not a link-scoped group
> > >>   (i.e., 224.0.0.0/24 for IPv4, FFx2::/16 [3] for IPv6), it MUST be
> > >>   silently ignored.  The Generalized TTL Security Mechanism (GTSM) [14]
> > >>   SHOULD be used by the router to determine whether the router is
> > >>   adjacent or not.
> > >> ----------
> > > 
> > > Unless I'm missing something, this just restricts things to a *node* which is adjacent. But if I'm a device that's on the same LAN as a router (which isn't a crazy proposition, ISTM), then why can't I mount this attack?
> > 
> > Only an adjacent *multicast router* can send requests, because a request is transformed from a query initiated by a downstream node/device and forwarded toward the source/RP 
> > 
> > But the difference between a request and a response is just some bits in the packet.
> 
> I cannot understand this comment.
> It is very common to design protocol messages using the TLV format and differentiate the messages by the different type values. 
> 
> Yes. That's why it's important to have the receiver check.
> 
> 
> 
> > And so what stops some other host on the LAN from sending something that claims to be a request.
> 
> We cannot stop someone from sending packets, but can ignore/drop/rate-limit the packets if something wrong.
> 
> Yes.
> 
> 
> > In your example, you are a valid *user (or device)* and send Request, and can attack someone. But in our definition, you cannot send any Requests because you are not a valid *multicast router*.
> > 
> > Yes, but that needs to be technically enforced, not just stated.
> 
> Right. That's why we propose a new type of ACLs as follows.
> 
>  
> 
> > The problem you may think here is that the ACLs in general do not validate the Request is traversed from valid (or invalid) routers as the message types cannot be specified in ACLs, right?
> > If we define a *particular* ACL entry to specify accepted/non-accepted IP addresses (or ranges) or admin boundaries for each of three mtrace message types, Query/Request/Reply, will your concern be disappeared?
> > 
> > I think so, if you require its use.
> 
> Ok, fine. I'll explain this ACL extension in the upcoming meeting.
> 
> > To protect against spoofing of Request packet, as Kerry said,
> > > > NOTE:  To protect against spoofing of Request packets by a trusted host, some authentication mechanism such as use of an Authentication Header (AH) between routing peers should be also considered. However, discussion of such external authentication mechanisms is out of the scope of this document.
> > 
> > Also, router validation is in general defined in the routing protocol specifications and routers can run the authentication mechanisms. We do not provide an mtrace unique/specific authentication mechanism for routers in this document. But as the example, we can describe the PIM case to verify adjacent PIM neighbor routers, if it's helpful.
> > 
> > I don't follow this.
> 
> Is some point unclear for you?
> Let's see PIM-SM (multicast routing protocol). PIM-SM has a way to verify/recognize a valid PIM neighbor. If you need such adjacent router verification, we can mention this routing protocol's verification mechanism. 
> 
> > > Given that we're a week from Montreal, it might be easier to just try to meet there. What say you?
> > 
> > Although Kerry may not, I'll be there.
> > I asked a slot to report the current situation in the Mboned WG meeting. Please come to the meeting.
> > 
> > I have to be at RTCWEB.
> 
> Hmm.. Then we won't be able to reach any consensus in the meeting... 
> 
> > But before the f2f discussions or the meeting, I need to understand and clarify problems you have been thinking.
> > 
> > The point of the F2F discussion is to clarify the issue.
> 
> I'll then personally contact you to meet next week.
> 
> That's fine, but if you send me proposed new text beforehand, I can also review it. 
> 
> Regards,
> 
> Hitoshi
> 
> 
> 
> > -Ekr
> > 
> > 
> > Regards,
> > 
> > Hitoshi
> > 
> > (snip a lot)

v2.23.0 | Report a Bug | By Email