[mpls] Re: Potential MNA security issue

Joel Halpern <jmh@joelhalpern.com> Thu, 27 February 2025 16:35 UTC

Message-ID: <7252e8d7-a787-4bad-9571-9470c2ec7b00@joelhalpern.com>
Date: Thu, 27 Feb 2025 11:34:36 -0500
To: mpls <mpls@ietf.org>
References: <026801db83da$30a3ec40$91ebc4c0$@olddog.co.uk> <9D3BA859-A778-4DE6-9839-401ACA913861@tony.li> <027901db83e1$104f6300$30ee2900$@olddog.co.uk> <03aa01db847d$03447c80$09cd7580$@olddog.co.uk> <CA+RyBmWxH-BqD21MY5EO3T6MiQao8CKr_22o35L3LOfh8YJkdw@mail.gmail.com> <MR1PPFC3B5BBE277BFF5633246CCEAA8C28F0C22@MR1PPFC3B5BBE27.FRAP264.PROD.OUTLOOK.COM> <CA+RyBmUqsTKRSoask8Nqo4f-Gj9o4btsqfg+cKQPDDHm2sEAWA@mail.gmail.com> <MR1PPFC3B5BBE27581BFD44D2857AE151AAF0C22@MR1PPFC3B5BBE27.FRAP264.PROD.OUTLOOK.COM> <CA+RyBmUA9xz65J+duL9K289EAF+zyCa0G_Jt+0C4CKzzt2qAUw@mail.gmail.com> <MR1PPFC3B5BBE2778A742F44B0A62F36FCAF0CD2@MR1PPFC3B5BBE27.FRAP264.PROD.OUTLOOK.COM>
From: Joel Halpern <jmh@joelhalpern.com>
In-Reply-To: <MR1PPFC3B5BBE2778A742F44B0A62F36FCAF0CD2@MR1PPFC3B5BBE27.FRAP264.PROD.OUTLOOK.COM>
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mpls/PSt-V3Q7w12g1GxcpUZ24v3JFdY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mpls>

This seems a valid point, and good suggestions for mitigation.  I 
believe it applies to both ISD and PSD.

Yours,

Joel

On 2/27/2025 11:05 AM, bruno.decraene@orange.com wrote:
> Sorry, the email somehow got sent too soon. Re-sending.
>
>
> Hi all,
>
> There may be a security issue with ISD in the context of VPN Carrier's Carrier.
> Spec does not seem to handle independence between the CE MPLS domain and the PE MPLS domain.
> So it seems like the CE/Customer would be able to inject any MNA in the stack and this MNA would be interpreted by the provider MPLS domain. Given the possibly broad applicability of MNA, this may be a significant security issue.
> Granted, VPN Carrier's Carrier is a niche deployment, but the document should probably raise that security point and possibly suggest options (e.g., MNA disabled in the SP domain, or packets with MNA dropped by the PE, i.e., essentially forbidding the use of MNA by the customer, and call for future extensions...).
>
> Thanks,
> Regards,
> --Bruno
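One way a PE could enforce the "packets with MNA dropped by the PE" option discussed in the thread, as an added example that is not part of this thread or of any MNA implementation: the PE scans the label stack it receives from the CE down to the bottom-of-stack entry and refuses to forward it if an MNA sub-stack indicator appears anywhere in it. The NASI label value (`NASI_LABEL`), the `pe_ingress_policy` name and the sample packets are assumptions constructed for the example.

```python
import struct

# Label stack entry (RFC 3032 layout): 20-bit label, 3-bit TC, 1-bit S (bottom of stack), 8-bit TTL.
ENTRY_LEN = 4

# Value of the MNA Network Action Sub-stack Indicator (a base Special-Purpose Label).
# Assumed here for illustration; take the real value from the MNA header spec / IANA registry.
NASI_LABEL = 4


def parse_label_stack(packet: bytes):
    """Decode label stack entries until the bottom-of-stack bit is set.

    Returns (entries, payload_offset); each entry is (label, tc, s, ttl).
    Raises ValueError if no S=1 entry is found before the bytes run out.
    """
    entries = []
    offset = 0
    while offset + ENTRY_LEN <= len(packet):
        (word,) = struct.unpack("!I", packet[offset:offset + ENTRY_LEN])
        label, tc, s, ttl = word >> 12, (word >> 9) & 0x7, (word >> 8) & 0x1, word & 0xFF
        entries.append((label, tc, s, ttl))
        offset += ENTRY_LEN
        if s:
            return entries, offset
    raise ValueError("truncated label stack: no bottom-of-stack entry")


def pe_ingress_policy(ce_packet: bytes) -> str:
    """Policy for a labeled packet arriving from a CE on a Carrier's Carrier attachment circuit.

    Once the PE pushes its own labels, the CE-built stack is part of the provider stack, so
    an MNA sub-stack placed there by the customer would be read by provider LSRs as ISD.
    This policy forbids customer MNA: 'drop' if a NASI is present anywhere in the CE stack,
    'drop' if the stack is malformed, otherwise 'forward'.
    """
    try:
        entries, _ = parse_label_stack(ce_packet)
    except ValueError:
        return "drop"
    if any(label == NASI_LABEL for label, _tc, _s, _ttl in entries):
        return "drop"
    return "forward"


def lse(label: int, tc: int = 0, s: int = 0, ttl: int = 64) -> bytes:
    """Build one label stack entry (helper for the constructed sample packets)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)


# Constructed sample packets (not captured traffic); two bytes of dummy payload follow the stack.
CLEAN = lse(16) + lse(17, s=1) + b"\x45\x00"                       # plain two-label CE stack
WITH_MNA = lse(16) + lse(NASI_LABEL) + lse(0x12345, s=1) + b"\x45\x00"  # NASI buried in the CE stack
TRUNCATED = lse(16) + lse(17)                                       # no S=1 entry before the end
```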