Re: [MBONED] Eric Rescorla's Discuss on draft-ietf-mboned-mtrace-v2-22: (with DISCUSS and COMMENT)

Toerless Eckert <tte@cs.fau.de> Fri, 26 January 2018 18:22 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: mboned@ietfa.amsl.com
Delivered-To: mboned@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B307124235; Fri, 26 Jan 2018 10:22:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.209
X-Spam-Level:
X-Spam-Status: No, score=-4.209 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_MED=-2.3, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6PIEkn505Nsy; Fri, 26 Jan 2018 10:22:48 -0800 (PST)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2035120227; Fri, 26 Jan 2018 10:22:47 -0800 (PST)
Received: from faui40p.informatik.uni-erlangen.de (faui40p.informatik.uni-erlangen.de [131.188.34.77]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 4EBF558C56E; Fri, 26 Jan 2018 19:22:43 +0100 (CET)
Received: by faui40p.informatik.uni-erlangen.de (Postfix, from userid 10463) id 33000B0D88F; Fri, 26 Jan 2018 19:22:43 +0100 (CET)
Date: Fri, 26 Jan 2018 19:22:43 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Eric Rescorla <ekr@rtfm.com>
Cc: draft-ietf-mboned-mtrace-v2@ietf.org, mboned@ietf.org, mboned-chairs@ietf.org, The IESG <iesg@ietf.org>
Message-ID: <20180126182243.GA5294@faui40p.informatik.uni-erlangen.de>
References: <151628969901.2325.7724014542086691903.idtracker@ietfa.amsl.com> <20180119193149.GA26689@faui40p.informatik.uni-erlangen.de> <CABcZeBNDqq_5XPad76WrsrN_JS2J1iAAC068=y0Nq12SKJOQ=Q@mail.gmail.com> <20180125223335.GA16477@faui40p.informatik.uni-erlangen.de> <CABcZeBPbCJfP=VVC6irEUtbiFuQgmMCQMEUBern=kAG-KP1SQQ@mail.gmail.com> <20180126013118.GD16477@faui40p.informatik.uni-erlangen.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180126013118.GD16477@faui40p.informatik.uni-erlangen.de>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mboned/V2GZLnaRnQloRS60nc-wRdz3jeA>
Subject: Re: [MBONED] Eric Rescorla's Discuss on draft-ietf-mboned-mtrace-v2-22: (with DISCUSS and COMMENT)
X-BeenThere: mboned@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Mail List for the Mboned Working Group <mboned.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mboned>, <mailto:mboned-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mboned/>
List-Post: <mailto:mboned@ietf.org>
List-Help: <mailto:mboned-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mboned>, <mailto:mboned-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Jan 2018 18:22:51 -0000

On Fri, Jan 26, 2018 at 02:31:18AM +0100, Toerless Eckert wrote:
> > I don't see how that's true. The attack I am concerned about is that you
> > forge a *Request*, not a *Query*. And because the request indicates the original
> > requester.
> 
> Ah, sorry. I thought to remember that the text from you said query.
> I just replied for query messages so far.
                     ^^^^^
*sigh* "request" of course.

Toerless

> > (give or take the subnet local limitations and/or additional L2 security
> > >  required to prohibit intra-l2-lying that i mentioned in my original mail).
> > 
> > Sorry, I'm not seeing this. The point is that you pretend to be a router
> > that is forwarding a Request and fill in a bogus Client Address field. Waht
> > stops that.
> 
> In practical deployments IMHO we can only reasonable get similar solutions to
> what customer are also willing to deploy with PIM. For 99% deployments that
> is configured classificatio of interfaces as trusted/inside-clamshell or
> untrusted/user-facing, and on the untrusted interfaces you don't accept
> requests, just queries. And apply the suggested B.1 policy (Mtracev2 Client
> Address must be connected on receiving interface).
> 
> It might still be useful to have mtrace prepared for customers protecting it
> with IPsec - without requiring special features in mtrace or IPsec for it.
> 
> IMHO for that, we need to have one UDP port for mtrace NNI messages
> (requests), and another for UNI messages (query, response).
> That would allow customers to take a vanilla IPsec implementation and protect
> the mtrace NNI messages and therefore eleiminate interface clamshell
> classification.  In multicast signaling we got this for free: PIM is NNI,
> IGMP/MLD UNI. Easy to distinguish for IPsec.
> 
> > > My points B.1, B.2, B.3) provide solid access control mechanisms for
> > > mtrace using mechanisms that are the most widely adopted form of security
> > > in ISPs
> > > and that this option of security in mtrace should not be dismissed just
> > > because
> > > it took us so long to bring the protocol in front of IESG review even if
> > > we agree
> > > that we should have better options beyond that.
> > 
> > The question is whether those options are in fact adequate. For the reasons
> > above I don't believe that.
> >
> > -Ekr
> 
> Cheers
>     Toerless
> 
> > 
> > 
> > >
> > > The other point was that better security options are something we should
> > > not
> > > invent as one-off protocol hack sinto mtrace (even if some mtrace none
> > > request/reply
> > > messages might be fun to define) but instead we should adopt solutions
> > > that are more
> > > likely in-line with existing network OAM security strategies. TLS
> > > connections,
> > > netconf/yang etc. pp. As i described in my email.
> > >
> > > Cheers
> > >     toerless
> > >
> > > > -Ekr
> > > >
> > > >
> > > >
> > > > The most likely next step to overcome the trusted path issue between
> > > > > query initiator to query responder is to make an mtrace yang model
> > > where
> > > > > you can actually initiate an mtrace via netconf/yang, aka: replace
> > > > > the query with netconf. Like you would today just ssh into the
> > > > > LHR and run a local mtrace client there.
> > > > >
> > > > > Alas, i see no easy way to get back to support A) in a lightweight
> > > > > fashion ;-(
> > > > >
> > > > > Cheers
> > > > >     Toerless
> > > > >
> > > > > On Thu, Jan 18, 2018 at 07:34:59AM -0800, Eric Rescorla wrote:
> > > > > > Eric Rescorla has entered the following ballot position for
> > > > > > draft-ietf-mboned-mtrace-v2-22: Discuss
> > > > > >
> > > > > > When responding, please keep the subject line intact and reply to all
> > > > > > email addresses included in the To and CC lines. (Feel free to cut
> > > this
> > > > > > introductory paragraph, however.)
> > > > > >
> > > > > >
> > > > > > Please refer to https://www.ietf.org/iesg/stat
> > > > > ement/discuss-criteria.html
> > > > > > for more information about IESG DISCUSS and COMMENT positions.
> > > > > >
> > > > > >
> > > > > > The document, along with other ballot positions, can be found here:
> > > > > > https://datatracker.ietf.org/doc/draft-ietf-mboned-mtrace-v2/
> > > > > >
> > > > > >
> > > > > >
> > > > > > ------------------------------------------------------------
> > > ----------
> > > > > > DISCUSS:
> > > > > > ------------------------------------------------------------
> > > ----------
> > > > > >
> > > > > > The security considerations of this document are inadequate. My
> > > review
> > > > > > turns up at least the following potential issues which do
> > > > > > not seem to be addressed or even discussed:
> > > > > >
> > > > > > - Amplification: this protocol does not appear to verify that the
> > > > > >   sender of the query actually owns the IP it claims. Because
> > > > > >   responses are much larger than queries, this allows for an
> > > > > amplification
> > > > > >   attack, especially if the client is able to send a query that
> > > elicits
> > > > > >   multiple replies. One defense here would be to fill the rest of the
> > > > > packet
> > > > > >   with zeroes, thus somewhat reducing the amplification factor.
> > > Access
> > > > > >   control would also help.
> > > > > >
> > > > > > - Forgery of responses: because the query id is so short, an attacker
> > > > > >   can generally produce a message which has a nontrivial chance of
> > > > > >   corresponding to an extant query. This could be addressed by having
> > > > > >   a query ID that was large and random.
> > > > > >
> > > > > > - Anyone on-path can forge responses.
> > > > > >
> > > > > > In addition, Section 9.4 seems inadequate. Isn't it generally the
> > > case
> > > > > that
> > > > > > who is sending to who is sensitive? This seems like a fairly serious
> > > > > privacy
> > > > > > obstacle to using this protocol at all.
> > > > > >
> > > > > > It seems like many of the issues I raise above would be fixed or at
> > > > > > least mitigated by having some sort of access control mechanism.  I
> > > > > > understand why it might be the case that it's not practical to have
> > > > > > full communication security between the links (though it would of
> > > > > > course be desirable), but it's not clear to me why arbitrary people
> > > > > > should be allowed to instantiate queries.
> > > > > >
> > > > > >
> > > > > > ------------------------------------------------------------
> > > ----------
> > > > > > COMMENT:
> > > > > > ------------------------------------------------------------
> > > ----------
> > > > > >
> > > > > > S 1.
> > > > > >    When an Mtrace2 client initiates a multicast trace, it sends an
> > > > > >    Mtrace2 Query packet to the LHR or RP for a multicast group and,
> > > > > >
> > > > > > This seems a bit confusing as there are multiple LHRs for the group.
> > > > > > Can you rephrase?
> > > > > >
> > > > > >
> > > > > > S 2.1.
> > > > > >    ALL-[protocol]-ROUTERS group
> > > > > >       It is a link-local multicast address for multicast routers to
> > > > > >
> > > > > > This is grammatically funny. Perhaps remove "It is"
> > > > > >
> > > > > >
> > > > > > S 3.
> > > > > >    additional information associated with the message.  If an
> > > > > >    implementation receives an unknown TLV type for the first TLV in a
> > > > > >    message (i.e., the header TLV), it SHOULD ignore and silently
> > > discard
> > > > > >    the entire packet.  If an implementation receives an unknown TLV
> > > type
> > > > > >    for a subsequent TLV within a message, it SHOULD ignore and
> > > silently
> > > > > >    discard the entire packet.
> > > > > >
> > > > > > ISTM that these cases are handled identically so is there a reason
> > > > > > not just to remove the first sentence and change the second one to
> > > > > > "for any TLV"/
> > > > > >
> > > > > >
> > > > > >
> > > > > > S 3.2.1
> > > > > >    An Mtrace2 Query is usually originated by an Mtrace2 client which
> > > > > >    sends an Mtrace2 Query message to the LHR.  When tracing towards
> > > the
> > > > > >    source or the RP, the intermediate routers MUST NOT modify the
> > > Query
> > > > > >    message except the Type field.
> > > > > >
> > > > > > I'm not sure I follow this. Don't routers either (a) not touch this
> > > at
> > > > > all
> > > > > > or (b) if they are the LHR, change Type from Query -> Request and
> > > then
> > > > > > add a response block? This text seems to not really capture either
> > > case.
> > > > > >
> > > > > >
> > > > > > S 3.2.4.
> > > > > >       Note that Mtrace2 does not require all the routers on the path
> > > to
> > > > > >       have synchronized clocks in order to measure one-way latency.
> > > > > >
> > > > > > It's not clear to me how one does this. Can you expand?
> > > > > >
> > > > > >
> > > > > > S 3.2.6.
> > > > > >
> > > > > >           0x01    # of the returned Standard Response Blocks
> > > > > >
> > > > > > Nit: Do you want to say 0x0001
> > > > > >
> > > > > > Also, an example of the case covered by this section would help, I
> > > think.
> > > > > >
> > > > > >
> > > > > >
> > > > > > S 4.4.
> > > > > > It might be clearer to move this up a bit in the text as it sort of
> > > > > > summarizes some cases you already covered before. It would be easier
> > > > > > if it provided an overview instead.
> > > > > >
> > > > > >
> > > > > > S 5.9.
> > > > > >
> > > > > >    In this case, the Mtrace2
> > > > > >    client may receive multiple Mtrace2 Replies from different routers
> > > > > >    along the path.  When this happens, the client MUST treat them as
> > > a
> > > > > >    single Mtrace2 Reply message.
> > > > > >
> > > > > > Can you please describe how the client reassembles multiple messages
> > > > > > into one. I think I may know how to do this, but the document should
> > > > > > tell me.
> > > > > >
> > > > > > S 8.
> > > > > >    The following new registries are to be created and maintained
> > > under
> > > > > >    the "RFC Required" registry policy as specified in [4].
> > > > > >
> > > > > > Why did you choose RFC Required rather than Specification Required?
> > > > > > This just seems to unduly put load on the ISE.
> > > > > >
> > > > > >
> > > > > > _______________________________________________
> > > > > > MBONED mailing list
> > > > > > MBONED@ietf.org
> > > > > > https://www.ietf.org/mailman/listinfo/mboned
> > > > >
> > > > > --
> > > > > ---
> > > > > tte@cs.fau.de
> 
> _______________________________________________
> MBONED mailing list
> MBONED@ietf.org
> https://www.ietf.org/mailman/listinfo/mboned

-- 
---
tte@cs.fau.de