[mpls] Re: Potential MNA security issue
Joel Halpern <jmh@joelhalpern.com> Thu, 27 February 2025 16:35 UTC
Message-ID: <7252e8d7-a787-4bad-9571-9470c2ec7b00@joelhalpern.com>
Date: Thu, 27 Feb 2025 11:34:36 -0500
From: Joel Halpern <jmh@joelhalpern.com>
To: mpls <mpls@ietf.org>
In-Reply-To: <MR1PPFC3B5BBE2778A742F44B0A62F36FCAF0CD2@MR1PPFC3B5BBE27.FRAP264.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mpls/PSt-V3Q7w12g1GxcpUZ24v3JFdY>
This seems a valid point, and good suggestions for mitigation. I believe it applies to both ISD and PSD.

Yours,
Joel

On 2/27/2025 11:05 AM, bruno.decraene@orange.com wrote:
> Sorry, the email somehow got sent too soon. Re-sending
>
> Hi all,
>
> There may be a security issue with ISD in the context of VPN Carrier's Carrier.
> Spec does not seem to handle independence between the CE MPLS domain and the PE MPLS domain.
> So it seems like the CE/Customer would be able to inject any MNA in the stack and this MNA would be interpreted by the provider MPLS domain. Given the possibly broad applicability of MNA, this may be a significant security issue.
> Granted, VPN Carrier's Carrier is a niche deployment, but the document should probably raise that security point and possibly suggest options (e.g., MNA disabled in the SP domain, or packets with MNA dropped by the PE. I.e., essentially forbidding the use of MNA by the customer, call for future extensions...).
>
> Thanks,
> Regards,
> --Bruno
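The two mitigations Bruno names (drop MNA-carrying packets at the PE, or leave MNA disabled in the SP domain) and Joel's point that the exposure is the same for ISD and PSD, as an added example that is not part of this thread or of any MNA specification: a small Python model of a PE ingress check on a Carrier's Carrier interface. It parses the label stack the CE hands to the PE (RFC 3032 label stack entry encoding), looks for the MNA indicator label anywhere in that stack, and applies a policy. The indicator label value, the policy keys, and the sample packets are assumptions constructed for the example; the real base special-purpose label value must be taken from the MNA header specification.

```python
import struct

# ASSUMPTION / PLACEHOLDER: the MNA indicator is a base special-purpose label (0-15).
# The actual value is assigned by the MNA header specification; configure it from there.
MNA_INDICATOR_LABEL = 4


def encode_label_stack(entries):
    """Encode (label, tc, s, ttl) tuples as RFC 3032 label stack entries, network byte order."""
    out = bytearray()
    for label, tc, s, ttl in entries:
        if not (0 <= label < 2**20 and 0 <= tc < 8 and s in (0, 1) and 0 <= ttl < 256):
            raise ValueError(f"field out of range: {(label, tc, s, ttl)}")
        out += struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)
    return bytes(out)


def parse_label_stack(data):
    """Parse entries up to and including the bottom-of-stack (S=1) entry.

    Returns (entries, payload_offset). Raises ValueError if the stack ends before S=1,
    which a PE should treat as malformed rather than guess at.
    """
    entries = []
    offset = 0
    while True:
        if len(data) - offset < 4:
            raise ValueError("label stack truncated before bottom-of-stack entry")
        (word,) = struct.unpack_from("!I", data, offset)
        entry = {"label": word >> 12, "tc": (word >> 9) & 0x7,
                 "s": (word >> 8) & 0x1, "ttl": word & 0xFF}
        entries.append(entry)
        offset += 4
        if entry["s"]:
            return entries, offset


def contains_mna_indicator(entries, indicator=MNA_INDICATOR_LABEL):
    """True if the MNA indicator label appears anywhere in the customer's stack.

    The check is the same for ISD (action data inside the stack) and PSD (action data
    after the bottom of stack): in both cases the indicator label in the stack is what
    tells an MNA-aware LSR to look for network actions, so its presence is the trigger.
    """
    return any(e["label"] == indicator for e in entries)


def pe_ingress_decision(ce_packet, policy):
    """Decide how a PE handles a labeled packet from a CE on a Carrier's Carrier interface.

    policy keys (constructed for this example):
      sp_domain_mna_enabled: provider LSRs act on MNA at all
      customer_mna_allowed:  this customer is trusted to originate MNA into the SP domain
    Returns ("forward" | "drop", reason).
    """
    try:
        entries, _ = parse_label_stack(ce_packet)
    except ValueError as exc:
        return "drop", f"malformed stack: {exc}"
    if not contains_mna_indicator(entries):
        return "forward", "no MNA indicator in customer stack"
    if policy.get("customer_mna_allowed"):
        return "forward", "customer is permitted to use MNA"
    if not policy.get("sp_domain_mna_enabled"):
        # Mitigation option 1: MNA disabled in the SP domain, so provider LSRs never act
        # on the customer's indicator and the inner stack stays opaque to them.
        return "forward", "MNA disabled in SP domain; customer stack treated as opaque"
    # Mitigation option 2: drop at the PE so a customer cannot steer provider-side actions.
    return "drop", "customer stack carries MNA indicator but customer is not permitted"


# Constructed sample packets: a CE stack with only customer labels, and one where the
# customer placed the (placeholder) MNA indicator label inside its stack.
CLEAN_CE_PACKET = encode_label_stack([(1000, 0, 0, 64), (2000, 0, 1, 64)])
MNA_CE_PACKET = encode_label_stack(
    [(1000, 0, 0, 64), (MNA_INDICATOR_LABEL, 0, 0, 64), (2000, 0, 1, 64)])

# Constructed default: provider runs MNA, customer is not trusted to originate it.
DEFAULT_POLICY = {"sp_domain_mna_enabled": True, "customer_mna_allowed": False}

if __name__ == "__main__":
    for name, pkt in [("clean", CLEAN_CE_PACKET), ("mna", MNA_CE_PACKET)]:
        print(name, pe_ingress_decision(pkt, DEFAULT_POLICY))
```

The policy is evaluated per customer interface, which is where a PE would hold it in practice: the drop applies only where the provider both processes MNA and has not explicitly authorised that customer, and a truncated stack is dropped rather than forwarded, since a parser that stops early is exactly what an indicator hidden past the readable label depth would exploit.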