Re: [mpls] [MPLS] HELP: Need your opinion on LDP security
"Rajiv Asati (rajiva)" <rajiva@cisco.com> Wed, 27 October 2010 19:21 UTC
Date: Wed, 27 Oct 2010 14:23:33 -0500
Message-ID: <067E6CE33034954AAC05C9EC85E2577C034CEA12@XMB-RCD-111.cisco.com>
In-Reply-To: <17309A813C1D48629621DC2F29FADD65@m55527c>
References: <AANLkTi=uX6aGxbXgdgyzyeijjxuuBJ2uiT4xCUPwbmAT@mail.gmail.com><FA2A0931F083430E99887FC81734A3C1@kaixinmachPC><AANLkTinkiF7C7nvHFyO35j2NEfKD=YDfZDVCkGbApMxi@mail.gmail.com><13205C286662DE4387D9AF3AC30EF456B02161BADD@EMBX01-WF.jnpr.net> <17309A813C1D48629621DC2F29FADD65@m55527c>
From: "Rajiv Asati (rajiva)" <rajiva@cisco.com>
To: Mach Chen <mach@huawei.com>, Ronald Bonica <rbonica@juniper.net>, Vishwas Manral <vishwas.ietf@gmail.com>
Cc: mpls@ietf.org, Lamberto Sterling <lamberto.sterling@gmail.com>
Subject: Re: [mpls] [MPLS] HELP: Need your opinion on LDP security
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
Mach,

As far as network boundary/edge is concerned, if LDP is not enabled on the outside interfaces, then the implementation should allow any LDP packet (IP packet with UDP/TCP port=646) to be ignored. This should not require any filtering.

For LDP enabled on the inside interfaces, if we are concerned about the MITM (man-in-the-middle) attack, then wouldn't the 'Configuration Sequence Number' TLV be sufficient to counter that reasonably?

Cheers,
Rajiv

> -----Original Message-----
> From: mpls-bounces@ietf.org [mailto:mpls-bounces@ietf.org] On Behalf Of Mach Chen
> Sent: Tuesday, October 26, 2010 11:59 PM
> To: Ronald Bonica; Vishwas Manral
> Cc: mpls@ietf.org; Lamberto Sterling
> Subject: Re: [mpls] [MPLS] HELP: Need your opinion on LDP security
>
> Hi Ron,
>
> Thanks for sharing your opinion!
>
> Filtering is an at-hand candidate method, but filtering all LDP traffic at the
> edges is not so easy, and sometimes it may become impossible when you have to
> set up LDP connections outside the edges. In addition, the operators should
> very carefully design and configure the rules; this also needs extra
> resources and is sometimes boresome.
>
> BTW, second-order issue is an issue:)
>
> Best regards,
> Mach
>
>
> --------------------------------------------------
> From: "Ronald Bonica" <rbonica@juniper.net>
> Sent: Wednesday, October 27, 2010 3:50 AM
> To: "Vishwas Manral" <vishwas.ietf@gmail.com>; "Mach Chen" <mach@huawei.com>
> Cc: <mpls@ietf.org>; "Lamberto Sterling" <lamberto.sterling@gmail.com>
> Subject: RE: [mpls] [MPLS] HELP: Need your opinion on LDP security
>
> > Folks,
> >
> > Is it safe to assume that if an operator is using LDP, he should filter
> > all LDP traffic at the network edges? If that is the case, authentication
> > of LDP traffic becomes a second-order issue?
> >
> > Ron
> >
> >
> >> -----Original Message-----
> >> From: mpls-bounces@ietf.org [mailto:mpls-bounces@ietf.org] On Behalf Of
> >> Vishwas Manral
> >> Sent: Tuesday, October 26, 2010 3:44 PM
> >> To: Mach Chen
> >> Cc: mpls@ietf.org; Lamberto Sterling
> >> Subject: Re: [mpls] [MPLS] HELP: Need your opinion on LDP security
> >>
> >> Hi Mach/ Lamberto,
> >>
> >> I guess, I agree with Mach and Vero here. An established session can
> >> be torn down with an invalid Hello. I was thinking of an invalid
> >> router trying to make a connection but missed the part of the issues
> >> when the session is UP.
> >>
> >> If you have not clarified this in the draft yet you could add some
> >> text in this regard.
> >>
> >> Thanks,
> >> Vishwas
> >>
> >> On Tue, Oct 26, 2010 at 9:11 AM, Mach Chen <mach@huawei.com> wrote:
> >> > Hi Lamberto,
> >> >
> >> > Thanks for your opinion!
> >> >
> >> > But if there is no hello authentication, an established LDP session
> >> > can be torn down by a spoofing Hello with a smaller Hold Time interval
> >> > or different Transport Address. And the current TCP authentication
> >> > mechanism can not help for such attack.
> >> >
> >> > Best regards,
> >> > Mach
> >> >
> >> > -----Original Message----- From: Lamberto Sterling
> >> > Sent: Tuesday, October 26, 2010 8:36 PM
> >> > To: vishwas.ietf@gmail.com
> >> > Cc: mpls@ietf.org
> >> > Subject: Re: [mpls] [MPLS] HELP: Need your opinion on LDP security
> >> >
> >> > Hi,
> >> > +1, I fully agree with Vishwas. Not much benefit of hello security.
> >> >
> >> > Lamberto
> >> >
> >> >
> >> > Message: 3
> >> > Date: Mon, 25 Oct 2010 21:21:07 -0700
> >> > From: Vishwas Manral <vishwas.ietf@gmail.com>
> >> > Subject: Re: [mpls] [MPLS] HELP: Need your opinion on LDP security
> >> > To: Vero Zheng <verozheng@huawei.com>
> >> > Cc: mpls <mpls@ietf.org>
> >> > Message-ID:
> >> > <AANLkTik3NNJcuAcR4ZEFY4hdNV_n-RpWiesxxTYUNZmE@mail.gmail.com>
> >> > Content-Type: text/plain; charset=ISO-8859-1
> >> >
> >> > Hi Vero/ Mach,
> >> >
> >> > I had thought of this in some detail earlier.
> >> >
> >> > My reasoning is as follows. Thinking of what we lose if we do not
> >> > have authentication in LDP Hellos: we will go ahead and try to establish
> >> > TCP sessions (which will anyway fail as TCP authentication is there).
> >> >
> >> > If we think of what we lose when adding the authentication in Hellos,
> >> > it is using additional CPU capacity and an additional mechanism which
> >> > is an overhead. There is nothing to lose in case of replays as the
> >> > TCP messages are authenticated and session will be dropped even if
> >> > Hellos are retransmitted.
> >> >
> >> > That said I had added a section for support of IPsec for LDP in the
> >> > IPv6 draft (which we dropped as it was slightly out of context in the
> >> > draft). You may want to consider that.
> >> >
> >> > Thanks,
> >> > Vishwas
> >> >
> >> > 2010/10/24 Vero Zheng <verozheng@huawei.com>:
> >> >>
> >> >> Hi Folks,
> >> >>
> >> >> We would like to hear your opinion on LDP security.
> >> >>
> >> >> Unlike all other LDP messages, the Hello messages are sent using UDP, not
> >> >> TCP.
> >> >> This means that they cannot benefit from the security mechanisms available
> >> >> with TCP.
> >> >> [RFC5036] does not provide any security mechanisms for use with Hello
> >> >> messages except to note that some configuration may help protect against
> >> >> bogus discovery events.
> >> >>
> >> >> Do we need to allow the use of different keys from the ones used on the
> >> >> TCP session?
> >> >>
> >> >> We have submitted a new "LDP Hello Cryptographic Authentication" draft. In
> >> >> this draft, we introduce a new Cryptographic Authentication TLV which is
> >> >> used in LDP Hello message as an optional parameter.
> >> >> An LSR can be configured to only accept Hello messages from specific peers
> >> >> when authentication is in use.
> >> >> The URL for it is:
> >> >> http://tools.ietf.org/id/draft-zheng-mpls-ldp-hello-crypto-auth-00.txt
> >> >> Looking forward to your comments.
> >> >>
> >> >> BR,
> >> >> Mach and Vero
> >> >> _______________________________________________
> >> >> mpls mailing list
> >> >> mpls@ietf.org
> >> >> https://www.ietf.org/mailman/listinfo/mpls
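The spoofed-Hello case Mach describes (a forged Hello with a smaller Hold Time or a different Transport Address) and the Configuration Sequence Number check Rajiv asks about, as an added example that is not code from the thread, from RFC 5036 or from the draft's authors. It encodes and decodes the RFC 5036 Hello PDU (Common Hello Parameters TLV 0x0400, IPv4 Transport Address TLV 0x0401, Configuration Sequence Number TLV 0x0402) and keeps the last accepted Hello per adjacency; a Hello that changes the Hold Time or Transport Address while carrying the same sequence number as the recorded one is flagged and not applied. The adjacency key, the alert names and the rule that a parameter change must come with a new sequence number are assumptions for this example, not RFC 5036 behaviour; all addresses and sequence numbers are constructed.

```python
"""Constructed example (not code from the thread or from the draft's authors):
encode/decode RFC 5036 LDP Hello PDUs and watch an adjacency for Hellos that
change its parameters without a new Configuration Sequence Number."""
import ipaddress
import struct

LDP_VERSION = 1
LDP_PORT = 646               # UDP for Hellos, TCP for the session
MSG_HELLO = 0x0100
TLV_COMMON_HELLO = 0x0400    # Hold Time, T bit, R bit
TLV_IPV4_TRANSPORT = 0x0401
TLV_CONFIG_SEQ = 0x0402
T_BIT = 0x8000               # targeted-Hello flag in Common Hello Parameters


def _tlv(tlv_type, value):
    return struct.pack("!HH", tlv_type, len(value)) + value


def build_hello(lsr_id, hold_time, transport=None, config_seq=None,
                msg_id=1, targeted=False, label_space=0):
    """One LDP PDU (version 1) carrying a single Hello message."""
    tlvs = _tlv(TLV_COMMON_HELLO, struct.pack("!HH", hold_time, T_BIT if targeted else 0))
    if transport is not None:
        tlvs += _tlv(TLV_IPV4_TRANSPORT, ipaddress.IPv4Address(transport).packed)
    if config_seq is not None:
        tlvs += _tlv(TLV_CONFIG_SEQ, struct.pack("!I", config_seq))
    # Message Length covers Message ID plus parameters; PDU Length covers
    # the LDP Identifier plus the messages (RFC 5036 sections 3.1 and 3.5).
    msg = struct.pack("!HHI", MSG_HELLO, 4 + len(tlvs), msg_id) + tlvs
    ldp_id = ipaddress.IPv4Address(lsr_id).packed + struct.pack("!H", label_space)
    return struct.pack("!HH", LDP_VERSION, len(ldp_id) + len(msg)) + ldp_id + msg


def parse_hello(pdu):
    """Decode a PDU holding exactly one Hello; raise ValueError if malformed."""
    if len(pdu) < 18:
        raise ValueError("PDU too short for a Hello")
    version, pdu_len = struct.unpack("!HH", pdu[:4])
    if version != LDP_VERSION or pdu_len + 4 != len(pdu):
        raise ValueError("bad LDP version or PDU length")
    msg_type, msg_len, msg_id = struct.unpack("!HHI", pdu[10:18])
    if msg_type & 0x7FFF != MSG_HELLO or msg_len + 14 != len(pdu):
        raise ValueError("expected a single Hello message")
    hello = {"lsr_id": str(ipaddress.IPv4Address(pdu[4:8])),
             "label_space": struct.unpack("!H", pdu[8:10])[0],
             "msg_id": msg_id, "hold_time": None, "targeted": False,
             "transport": None, "config_seq": None}
    off = 18
    while off < len(pdu):
        if off + 4 > len(pdu):
            raise ValueError("truncated TLV header")
        raw_type, length = struct.unpack("!HH", pdu[off:off + 4])
        value = pdu[off + 4:off + 4 + length]
        if len(value) != length:
            raise ValueError("truncated TLV value")
        tlv_type, u_bit = raw_type & 0x3FFF, raw_type & 0x8000
        if tlv_type == TLV_COMMON_HELLO and length == 4:
            hold, flags = struct.unpack("!HH", value)
            hello["hold_time"], hello["targeted"] = hold, bool(flags & T_BIT)
        elif tlv_type == TLV_IPV4_TRANSPORT and length == 4:
            hello["transport"] = str(ipaddress.IPv4Address(value))
        elif tlv_type == TLV_CONFIG_SEQ and length == 4:
            hello["config_seq"] = struct.unpack("!I", value)[0]
        elif not u_bit:
            # U bit clear on an unknown TLV: the whole message must be ignored.
            raise ValueError("unknown TLV 0x%04x with U bit clear" % tlv_type)
        off += 4 + length
    if hello["hold_time"] is None:
        raise ValueError("Common Hello Parameters TLV missing")
    return hello


class HelloMonitor:
    """Keep the last accepted Hello per adjacency and flag a Hello that moves
    the Hold Time or Transport Address while the Configuration Sequence
    Number is unchanged (assumed heuristic for this example, not an RFC 5036
    rule). Two Hellos that both omit the TLV compare as unchanged."""

    def __init__(self):
        self.adjacencies = {}

    def observe(self, src_ip, pdu):
        hello = parse_hello(pdu)
        key = (src_ip, hello["lsr_id"], hello["label_space"])
        prev = self.adjacencies.get(key)
        alerts = []
        if prev is not None and hello["config_seq"] == prev["config_seq"]:
            if hello["hold_time"] != prev["hold_time"]:
                alerts.append("hold_time_changed_without_config_change")
            if hello["transport"] != prev["transport"]:
                alerts.append("transport_address_changed_without_config_change")
        if not alerts:
            self.adjacencies[key] = hello   # accept; a flagged Hello is not applied
        return alerts
```

Feed `observe()` the UDP payload of each port-646 datagram with its source address; a first Hello from a peer is always accepted, a repeat with identical parameters is silent, and a Hello that drops the Hold Time or moves the Transport Address under the same sequence number returns alerts and leaves the stored adjacency untouched. The check only catches a forger who copies the observed sequence number; one who also increments it passes, which is the gap a Hello authentication TLV, rather than a sequence number, is meant to close.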