IETF Logo Mail Archive

Re: [mpls] LDP Security

Eric Rescorla <ekr@rtfm.com> Wed, 08 November 2017 18:00 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 429FC1294E7 for <mpls@ietfa.amsl.com>; Wed, 8 Nov 2017 10:00:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f6rJe3StNCmi for <mpls@ietfa.amsl.com>; Wed, 8 Nov 2017 10:00:37 -0800 (PST)
Received: from mail-yw0-x22c.google.com (mail-yw0-x22c.google.com [IPv6:2607:f8b0:4002:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C99F11294FF for <mpls@ietf.org>; Wed, 8 Nov 2017 10:00:25 -0800 (PST)
Received: by mail-yw0-x22c.google.com with SMTP id q126so3019864ywq.10 for <mpls@ietf.org>; Wed, 08 Nov 2017 10:00:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=/RZkCphureJliGcCJy7BoV6ea3Xb1ZNxAgGh4CysROY=; b=I7BFVOn8VXyCtTncIV8T051eeMvvdamx5bDGscfmIADTmKxFWtRhHQnemZPHba17ZE e1XgTy6YQz9fQObpC6E1kHVU4GQs6rKGTL7hZp63tDF97+QBepindbjWqJD3Bj1MYL2N UNSXGSI18pdEdopkcZZcnSsqaEZO5fIilgJO7ARcK+4SzLwCxIU/0XpZjU/SiflgXkIS z00Alj7bQFKhhSrrqEF+FG79qS6tRggAmmp/LAT1oV1FKYs1RxcCJMZcDAOG3l99DCDj pgSzxA3kJs6dxYlk3xtVz99MBXgQ0RAvpb9HUKierdrAlszBgHmAopPhYuZcvw1LfFbu Q23g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=/RZkCphureJliGcCJy7BoV6ea3Xb1ZNxAgGh4CysROY=; b=MPdAH7TTgon38Y+8t+lm5+8CvQHr1CEXbgX9X/nsl0J9lWJXQ1Pxjs0EcTHPr05eBX p+Tya1woMu1Rqu6jA6vxLDcUtXwJL9Ejx9ZQZDe+li7XKawOaAJWBfInuKIltyZmxDoe 1fnIja+18cgYV/SfkNs2ETA3IP3SOLccm/IJG2/FrC6uFfIAvDECQziq5q/w/RhIzfVv JyQlykt3uRU0e/aB86Xs8h8lvmnmsneD3ikpBhaX20mByZfwfNdvJ7vPRj3+rE1xxPrp NxL5oP98s8ZSfzJjHFY8uIUlVQkPfKweB9w55cubNz1H1etT/dtHSpQcgQUsE0fXAzFd ZoCQ==
X-Gm-Message-State: AJaThX7MB08VN5yTRjW6SlvRQYB9DDZWg/mQ2xxiDVIJi7lKvfrwSdCE ZbqI2Lkqk0caBREgZpS+71aoW7WXqrUj8WnruFCjhA==
X-Google-Smtp-Source: ABhQp+R0CZoUgFfT0eVATB7W+/Knr74Af/9k7/zBe7FO31l5n5Xt6ykG4rd2ww9mfVeRruJTviUExLbxHDiL5gTg1k4=
X-Received: by 10.129.26.208 with SMTP id a199mr889107ywa.280.1510164024987; Wed, 08 Nov 2017 10:00:24 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.61.12 with HTTP; Wed, 8 Nov 2017 09:59:44 -0800 (PST)
In-Reply-To: <15335748-e900-280d-554f-24c55c0f3ba5@gmail.com>
References: <2da71163-cf29-cba6-df61-d75a2cfc9c43@gmail.com> <d3b28075-d8c0-c677-1f4b-6ad5ee5539ca@gmail.com> <CAA=duU2PzZLymVZk-PR9B94Pj1WMsHe+TTv51Ukef2MaSg-DbA@mail.gmail.com> <5994f353-5306-0fa8-2d2d-024ebdbb10df@gmail.com> <CAA=duU2YLjSg8Q5PDT+u9cxn9u2xsiPu-imBJrnyL3bfkQFW7A@mail.gmail.com> <7ee4fd77-7d8d-0db2-527e-9cf91d87e634@gmail.com> <CAA=duU3nJsS86udidgkH9jhB9ZD+xaRa2A4MniAVL1BpGE78ZQ@mail.gmail.com> <cf0cb5a4-cc21-97e1-1c26-38974bf9c0be@pi.nu> <51b9e5b4-0a44-1449-a4df-91e4f9df5d6b@pi.nu> <CAA=duU2R9kBMWnRdwPPO49LF1Jc1tyrxvwkyTgaE6SC6jsVruw@mail.gmail.com> <02a50f02-779e-bc39-505c-5a51d066b3f0@pi.nu> <CAA=duU1qV-LiU5pR7VtLLVGtb-8nZHrnUqVyOKpST3-6Dr-Xgw@mail.gmail.com> <ce2c75b6-156d-da80-91d7-b7e6ba2059a0@gmail.com> <CAA=duU1xvV0genbR0CBx2rmpOWUkFmRJX3qrMEp21gTd1HOVww@mail.gmail.com> <f0d553da-0ac4-e794-5cd5-d9cc95063dc6@pi.nu> <15335748-e900-280d-554f-24c55c0f3ba5@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 08 Nov 2017 09:59:44 -0800
Message-ID: <CABcZeBOr5x=98nXeBCT8O-wjk90ga1F3EVk2ktMYoAj9Q8tRkg@mail.gmail.com>
To: Stewart Bryant <stewart.bryant@gmail.com>
Cc: "<sec-ads@ietf.org>" <sec-ads@ietf.org>, "<rtg-ads@ietf.org>" <rtg-ads@ietf.org>, "mpls-chairs@ietf.org" <mpls-chairs@ietf.org>, "pals-chairs@tools.ietf.org" <pals-chairs@tools.ietf.org>, "mpls@ietf.org" <mpls@ietf.org>, "pals@ietf.org" <pals@ietf.org>
Content-Type: multipart/alternative; boundary="001a1142d0d4432907055d7c76f5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mpls/LOk5HGwayJEIBoGwspfxeXE9GtI>
Subject: Re: [mpls] LDP Security
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Nov 2017 18:00:39 -0000

Hi Stewart

Thanks for your note.

My overall sense of the state of play is, I think much like yours.

TCP-MD5 is inadequate in two major respects:
- It uses weak algorithms
- It has a bad negotiation/setuop story (manual key management)

TCP-AO is intended to be a drop-in replacement for TCP-MD5 and so remedies
the algorithm
issue but not the key management issue [0]. We haven't made much progress
on the key
management story, and that seems to be a major impediment to deploying
either of these
technologies (which I am given to understand don't see a lot of use). We
should probably
talk in Singapore about that, but that's not going to get better any time
soon.

In the interim, I think the text you have is OK, and "TBD" should read
"SHA-256", with
the fallback being SHA-256 -> SHA-1 -> MD5.

-Ekr


[0] Technically It has better support for rollover, but this is not a huge
improvement.
[1] tcpcrypt is kind of orthogonal here as it's unauthenticated but
opportunistic.  That said,
it would provide defense against attackers who gain access to the link
after connection
setup and doesn't require configuration.

On Wed, Nov 8, 2017 at 9:27 AM, Stewart Bryant <stewart.bryant@gmail.com>
wrote:

> To the SEC and RTG ADs,
>
> I am sending the following message on behalf of the MPLS and the
> PALS WG Chairs.
>
> There is a concern shared among the security community and the working
> groups that develop the LDP protocol that LDP is no longer adequately
> secured. LDP currently relies on MD5 for cryptographic security of its
> messages, but MD5 is a hash function that is no longer considered to meet
> current security requirements.
>
> In RFC5036 (published 2007) Section 5.1 (Spoofing) , List element 2.
> Session communication carried by TCP the following statements is made:
>
> "LDP specifies use of the TCP MD5 Signature Option to provide for the
> authenticity and integrity of session messages.
>
> "[RFC2385] asserts that MD5 authentication is now considered by some to be
> too weak for this application.  It also points out that a similar TCP
> option with a stronger hashing algorithm (it cites SHA-1 as an example)
> could be deployed.  To our knowledge, no such TCP option has been defined
> and deployed.  However, we note that LDP can use whatever TCP message
> digest techniques are available, and when one stronger than MD5 is
> specified and implemented, upgrading LDP to use it would be relatively
> straightforward."
>
> We note that BGP has already been through this process, and replaced MD5
> with TCP-AO in RFC 7454. I would be logical to follow the same approach to
> secure LDP. However, as far as we are able to ascertain, there is currently
> no recommended, mandatory to implement, cryptographic function specified.
> We are concerned that without such a mandatory function, implementations
> will simply fall back to MD5 and we will be no further forward
>
> We think that the best way forward is to publish a draft similar to RFC
> 7454 that contains the following requirement:
>
> "Implementations conforming to this RFC MUST implement TCP-AO to secure
> the TCP sessions carrying LDP in addition to the currently required TCP MD5
> Signature Option. Furthermore, the TBD cryptographic mechanism must be
> implemented and provided to TCP-AO to secure LDP messages. The TBD
> mechanism is the preferred option, and MD5 is only to be used when TBD is
> unavailable."
>
> We are not an experts on this part of the stack, but it seems that TCP
> security negotiation is still work in progress. If we are wrong, then we
> need to include a requirement that such negotiation is also required. In
> the absence of a negotiation protocol, however, we need to leave this as a
> configuration process until such time as the negotiation protocol work is
> complete. On completion of a suitable negotiation protocol we need to issue
> a further update requiring its use.
>
> Additionally we should note that no cryptographic mechanism has an
> indefinite lifetime, and that implementation should note the IETF
> anticipates updating the default cryptographic mechanism over time.
>
> The TBD default security function will need to be chosen such that it can
> reasonably be implemented on a typical router route processor, and which
> will provide adequate security without significantly degrading the
> convergence time of an LSR. Without a function that does not significantly
> impact router convergence we simply close one vulnerability and open
> another.
>
> As experts on the LDP protocol, but not on security mechanisms, we  need
> to ask the security area for a review of our proposed approach, and help
> correcting any misunderstanding of the security issues or our
> misunderstanding of the existing security mechanisms. We also need the
> recommendations of a suitable security function (TBD in the above text).
>
> Best regards
>
> The MPLS WG Chairs
> The PALS WG Chairs
>
>
>

v2.23.0 | Report a Bug | By Email