Re: [mpls] [MPLS] HELP: Need your opinion on LDP security

"Rajiv Asati (rajiva)" <rajiva@cisco.com> Wed, 27 October 2010 19:21 UTC

Date: Wed, 27 Oct 2010 14:23:33 -0500
Message-ID: <067E6CE33034954AAC05C9EC85E2577C034CEA12@XMB-RCD-111.cisco.com>
In-Reply-To: <17309A813C1D48629621DC2F29FADD65@m55527c>
References: <AANLkTi=uX6aGxbXgdgyzyeijjxuuBJ2uiT4xCUPwbmAT@mail.gmail.com><FA2A0931F083430E99887FC81734A3C1@kaixinmachPC><AANLkTinkiF7C7nvHFyO35j2NEfKD=YDfZDVCkGbApMxi@mail.gmail.com><13205C286662DE4387D9AF3AC30EF456B02161BADD@EMBX01-WF.jnpr.net> <17309A813C1D48629621DC2F29FADD65@m55527c>
From: "Rajiv Asati (rajiva)" <rajiva@cisco.com>
To: Mach Chen <mach@huawei.com>, Ronald Bonica <rbonica@juniper.net>, Vishwas Manral <vishwas.ietf@gmail.com>
Cc: mpls@ietf.org, Lamberto Sterling <lamberto.sterling@gmail.com>
Subject: Re: [mpls] [MPLS] HELP: Need your opinion on LDP security
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Archive: <http://www.ietf.org/mail-archive/web/mpls>

Mach,

As far as network boundary/edge is concerned, if LDP is not enabled on the outside interfaces, then the implementation should allow any LDP packet (IP packet with UDP/TCP port=646) to be ignored. This should not require any filtering.

For LDP enabled on the inside interfaces, if we are concerned about the MITM (man-in-the-middle) attack, then wouldn't the 'Configuration Sequence Number' TLV be sufficient to counter that reasonably?

Cheers,
Rajiv


> -----Original Message-----
> From: mpls-bounces@ietf.org [mailto:mpls-bounces@ietf.org] On Behalf Of Mach Chen
> Sent: Tuesday, October 26, 2010 11:59 PM
> To: Ronald Bonica; Vishwas Manral
> Cc: mpls@ietf.org; Lamberto Sterling
> Subject: Re: [mpls] [MPLS] HELP: Need your opinion on LDP security
> 
> Hi Ron,
> 
> Thanks for sharing your opinion!
> 
> Filtering is an at-hand candidate method, but filtering all LDP traffic at the
> edges is not so easy, and sometimes it may become impossible when you have to
> set up LDP connections outside the edges. In addition, the operators should
> very carefully design and configure the rules; this also needs extra
> resources and is sometimes boresome.
> 
> BTW, a second-order issue is an issue :)
> 
> Best regards,
> Mach
> 
> 
> --------------------------------------------------
> From: "Ronald Bonica" <rbonica@juniper.net>
> Sent: Wednesday, October 27, 2010 3:50 AM
> To: "Vishwas Manral" <vishwas.ietf@gmail.com>; "Mach Chen" <mach@huawei.com>
> Cc: <mpls@ietf.org>; "Lamberto Sterling" <lamberto.sterling@gmail.com>
> Subject: RE: [mpls] [MPLS] HELP: Need your opinion on LDP security
> 
> > Folks,
> >
> > Is it safe to assume that if an operator is using LDP, he should filter
> > all LDP traffic at the network edges? If that is the case, authentication
> > of LDP traffic becomes a second-order issue.
> >
> >                                                    Ron
> >
> >
> >> -----Original Message-----
> >> From: mpls-bounces@ietf.org [mailto:mpls-bounces@ietf.org] On Behalf Of
> >> Vishwas Manral
> >> Sent: Tuesday, October 26, 2010 3:44 PM
> >> To: Mach Chen
> >> Cc: mpls@ietf.org; Lamberto Sterling
> >> Subject: Re: [mpls] [MPLS] HELP: Need your opinion on LDP security
> >>
> >> Hi Mach/ Lamberto,
> >>
> >> I guess, I agree with Mach and Vero here. An established session can
> >> be torn down with an invalid Hello. I was thinking of an invalid
> >> router trying to make a connection but missed the part of the issues
> >> when the session is UP.
> >>
> >> If you have not clarified this in the draft yet you could add some
> >> text in this regard.
> >>
> >> Thanks,
> >> Vishwas
> >>
> >> On Tue, Oct 26, 2010 at 9:11 AM, Mach Chen <mach@huawei.com> wrote:
> >> > Hi Lamberto,
> >> >
> >> > Thanks for your opinion!
> >> >
> >> > But if there is no hello authentication, an established LDP session
> >> > can be torn down by a spoofed Hello with a smaller Hold Time interval
> >> > or a different Transport Address. And the current TCP authentication
> >> > mechanism cannot help against such an attack.
> >> >
> >> > Best regards,
> >> > Mach
> >> >
> >> > -----Original Message----- From: Lamberto Sterling
> >> > Sent: Tuesday, October 26, 2010 8:36 PM
> >> > To: vishwas.ietf@gmail.com
> >> > Cc: mpls@ietf.org
> >> > Subject: Re: [mpls] [MPLS] HELP: Need your opinion on LDP security
> >> >
> >> > Hi,
> >> > +1, I fully agree with Vishwas. Not much benefit from hello security.
> >> >
> >> > Lamberto
> >> >
> >> >
> >> > Message: 3
> >> > Date: Mon, 25 Oct 2010 21:21:07 -0700
> >> > From: Vishwas Manral <vishwas.ietf@gmail.com>
> >> > Subject: Re: [mpls] [MPLS] HELP: Need your opinion on LDP security
> >> > To: Vero Zheng <verozheng@huawei.com>
> >> > Cc: mpls <mpls@ietf.org>
> >> > Message-ID:
> >> >      <AANLkTik3NNJcuAcR4ZEFY4hdNV_n-RpWiesxxTYUNZmE@mail.gmail.com>
> >> > Content-Type: text/plain; charset=ISO-8859-1
> >> >
> >> > Hi Vero/ Mach,
> >> >
> >> > I had thought of this in some detail earlier.
> >> >
> >> > My reasoning is as follows. Think of what we lose if we do not do
> >> > authentication in LDP Hellos: we will go ahead and try to establish
> >> > TCP sessions (which will anyway fail, as TCP authentication is there).
> >> >
> >> > If we think of what we lose when adding the authentication in Hellos,
> >> > it is using additional CPU capacity and an additional mechanism which
> >> > is an overhead. There is nothing to lose in case of replays, as the
> >> > TCP messages are authenticated and the session will be dropped even if
> >> > Hellos are retransmitted.
> >> >
> >> > That said I had added a section for support of IPsec for LDP in the
> >> > IPv6 draft (which we dropped as it was slightly out of context in the
> >> > draft). You may want to consider that.
> >> >
> >> > Thanks,
> >> > Vishwas
> >> >
> >> > 2010/10/24 Vero Zheng <verozheng@huawei.com>:
> >> >>
> >> >> Hi Folks,
> >> >>
> >> >> We would like to hear your opinion on LDP security.
> >> >>
> >> >> Unlike all other LDP messages, the Hello messages are sent using UDP,
> >> >> not TCP. This means that they cannot benefit from the security
> >> >> mechanisms available with TCP.
> >> >> [RFC5036] does not provide any security mechanisms for use with Hello
> >> >> messages except to note that some configuration may help protect
> >> >> against bogus discovery events.
> >> >>
> >> >> Do we need to allow the use of different keys from the ones used on
> >> >> the TCP session?
> >> >>
> >> >> We have submitted a new "LDP Hello Cryptographic Authentication"
> >> >> draft. In this draft, we introduce a new Cryptographic Authentication
> >> >> TLV which is used in the LDP Hello message as an optional parameter.
> >> >> An LSR can be configured to only accept Hello messages from specific
> >> >> peers when authentication is in use.
> >> >> The URL for it is:
> >> >> http://tools.ietf.org/id/draft-zheng-mpls-ldp-hello-crypto-auth-00.txt
> >> >> Looking forward to your comments.
> >> >>
> >> >> BR,
> >> >> Mach and Vero
> >> >> _______________________________________________
> >> >> mpls mailing list
> >> >> mpls@ietf.org
> >> >> https://www.ietf.org/mailman/listinfo/mpls
> >> >>
> >> >>
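The receiver-side behaviour argued over in this thread, as an added example that is not code from any message above nor from draft-zheng-mpls-ldp-hello-crypto-auth: Hellos on interfaces without LDP are ignored outright (Rajiv's point), and on LDP-enabled interfaces a Hello must carry a valid keyed MAC from a configured peer and a fresh sequence number before it may change adjacency state, so a forged Hello with a smaller Hold Time or a different Transport Address (Mach's scenario) never reaches the state update. The fixed-field layout, HMAC-SHA256, the 32-bit sequence number, the interface and peer names and the shared key are all constructed stand-ins, not the RFC 5036 Hello encoding or the draft's TLV.

```python
"""
Added example (not from the thread or the draft): a toy LDP Hello receiver
showing two defensive checks.
  1. A Hello (UDP port 646) on an interface where LDP is not enabled is
     ignored without any ACL.
  2. On LDP-enabled interfaces a Hello needs a valid keyed MAC from a
     configured peer and a sequence number newer than the last accepted
     one before it can touch adjacency state.
Assumption: the layout below and HMAC-SHA256 are stand-ins, not the RFC 5036
encoding or the draft's Cryptographic Authentication TLV.
"""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, field

LDP_PORT = 646
HDR = "!4sH4sI"                          # LSR-ID | Hold Time | Transport Addr | Seq
HDR_LEN = struct.calcsize(HDR)           # 14 bytes
MAC_LEN = hashlib.sha256().digest_size   # 32 bytes


def encode_hello(lsr_id, hold_time, transport_addr, seq, key=None):
    """Build a toy Hello; with a key, append HMAC-SHA256 over the fixed fields."""
    body = struct.pack(HDR, ipaddress.IPv4Address(lsr_id).packed, hold_time,
                       ipaddress.IPv4Address(transport_addr).packed, seq)
    if key is not None:
        body += hmac.new(key, body, hashlib.sha256).digest()
    return body


@dataclass
class Adjacency:
    hold_time: int
    transport_addr: str
    last_seq: int


@dataclass
class HelloReceiver:
    ldp_ifaces: set     # interfaces with LDP enabled
    peer_keys: dict     # LSR-ID -> shared key; only these peers are accepted
    adjacencies: dict = field(default_factory=dict)

    def receive(self, iface, dst_port, pkt):
        """Return a verdict string; only 'accepted' changes adjacency state."""
        # 1. LDP not enabled on this interface (or not an LDP packet): drop silently.
        if iface not in self.ldp_ifaces or dst_port != LDP_PORT:
            return "ignored"
        if len(pkt) != HDR_LEN + MAC_LEN:
            return "malformed"            # unauthenticated or truncated Hello
        fixed, mac = pkt[:HDR_LEN], pkt[HDR_LEN:]
        lsr_raw, hold_time, ta_raw, seq = struct.unpack(HDR, fixed)
        lsr_id = str(ipaddress.IPv4Address(lsr_raw))
        key = self.peer_keys.get(lsr_id)
        if key is None:
            return "unknown-peer"         # not a configured peer
        # 2. Verify the MAC in constant time before trusting any field.
        expected = hmac.new(key, fixed, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return "auth-failed"
        adj = self.adjacencies.get(lsr_id)
        if adj is not None and seq <= adj.last_seq:
            return "replayed"             # old or repeated Hello
        self.adjacencies[lsr_id] = Adjacency(
            hold_time, str(ipaddress.IPv4Address(ta_raw)), seq)
        return "accepted"


def demo():
    """Constructed scenario: one legitimate peer, forged Hellos, and a replay."""
    key = b"constructed-shared-secret"
    rx = HelloReceiver(ldp_ifaces={"core0"}, peer_keys={"10.0.0.1": key})
    good = encode_hello("10.0.0.1", 15, "10.0.0.1", seq=1, key=key)
    # Forged Hellos without the real key: tiny Hold Time, changed transport address.
    forged = encode_hello("10.0.0.1", 1, "192.0.2.99", seq=2, key=b"not-the-key")
    unsigned = encode_hello("10.0.0.1", 1, "192.0.2.99", seq=3)
    verdicts = {
        "good": rx.receive("core0", LDP_PORT, good),
        "forged": rx.receive("core0", LDP_PORT, forged),
        "unsigned": rx.receive("core0", LDP_PORT, unsigned),
        "replay": rx.receive("core0", LDP_PORT, good),
        "edge": rx.receive("edge0", LDP_PORT, good),
    }
    adj = rx.adjacencies["10.0.0.1"]
    return verdicts, adj.hold_time, adj.transport_addr


if __name__ == "__main__":
    print(demo())
```

Only the first Hello is accepted; the forged and unsigned ones are rejected before any field is trusted, the replay is caught by the sequence check, and the Hello on `edge0` is dropped without consulting keys at all, so the stored Hold Time and Transport Address stay at the legitimate values.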