Re: [mpls] AD review of draft-ietf-mpls-ldp-hello-crypto-auth

"Adrian Farrel" <adrian@olddog.co.uk> Fri, 18 April 2014 17:56 UTC

From: Adrian Farrel <adrian@olddog.co.uk>
To: 'Vero Zheng' <vero.zheng@huawei.com>, 'Loa Andersson' <loa@pi.nu>, draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org
References: <002301cf5743$b1a74af0$14f5e0d0$@olddog.co.uk> <534FB734.2020005@pi.nu> <03d801cf5a3e$4327fcc0$c977f640$@olddog.co.uk> <2EEA459CD95CCB4988BFAFC0F2287B5C5C80DE98@SZXEMA504-MBS.china.huawei.com>
In-Reply-To: <2EEA459CD95CCB4988BFAFC0F2287B5C5C80DE98@SZXEMA504-MBS.china.huawei.com>
Date: Fri, 18 Apr 2014 18:56:30 +0100
Message-ID: <011701cf5b2f$877f2140$967d63c0$@olddog.co.uk>
Archived-At: http://mailarchive.ietf.org/arch/msg/mpls/XeByOvjSBSgSC-KyTzzPVxvs-CA
Cc: mpls@ietf.org
Subject: Re: [mpls] AD review of draft-ietf-mpls-ldp-hello-crypto-auth

Vero, you're very right. Sorry about that: let's blame my old age, shall we?
 
Anyway, the main point is that 6952 exposes the issue, but does not scope the risk.
This I-D plugs the hole, but doesn't say when or why you might need the feature.
 
A
 
From: Vero Zheng [mailto:vero.zheng@huawei.com] 
Sent: 18 April 2014 04:08
To: adrian@olddog.co.uk; 'Loa Andersson';
draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org
Cc: mpls@ietf.org
Subject: RE: [mpls] AD review of draft-ietf-mpls-ldp-hello-crypto-auth
 
> RFC 6952 comes from draft-ietf-karp-routing-tcp-analysis-00.txt that was
> adopted by KARP in June 2011. That derives from
> draft-mahesh-bgp-ldp-msdp-analysis first posted in February 2011
> (note that the discussion of LDP Hellos didn't make it into this document until
> -01 in May 2011).
 
Adrian,
That is not correct. The discussion of LDP Hellos was in the document from the
very beginning. The hello spoofing was discussed in both the discussion on
current state/optimal state of the protocols in -00.
Obviously, the document authors care :)
 
Cheers, Vero
 
> -----Original Message-----
> From: mpls [mailto:mpls-bounces@ietf.org] On Behalf Of Adrian Farrel
> Sent: Thursday, April 17, 2014 9:09 PM
> To: 'Loa Andersson'; draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org
> Cc: mpls@ietf.org
> Subject: Re: [mpls] AD review of draft-ietf-mpls-ldp-hello-crypto-auth
> 
> Hello,
> 
> I don't think that is the history at all!
> This document started as draft-zheng-mpls-ldp-hello-crypto-auth in October
> 2010.
> Before that the issue with the Hello was discussed and batted around for a
> while.
> There is a risk with the Hello and it needs a solution.
> No issue with that, and I support this draft.
> 
> RFC 6952 comes from draft-ietf-karp-routing-tcp-analysis-00.txt that was
> adopted by KARP in June 2011. That derives from
> draft-mahesh-bgp-ldp-msdp-analysis first posted in February 2011 (note that
> the discussion of LDP Hellos didn't make it into this document until -01 in
> May 2011).
> 
> But who cares?
> 
> RFC 6952 does not describe the attacks or their mitigations. It just notes
> that spoofing a Hello can have some bad effects.
> 
> As a deployer, I need help to explain when I need to insist on having this
> feature implemented by my supplier (BTW, it looks like none of the suppliers
> is implementing it) and when I need to enable it. It seems to me that this
> feature is needed to protect against attacks (which 6952 claims have been
> seen in the wild), but that those attacks only arise in specific situations.
> 
> Since the security mechanisms defined in this document are pretty
> heavy-weight (compare with simple text passwords so loved for IGP security :-)
> it would be great to get some help on this topic. Are all networks always
> exposed (if so it looks like a must-have feature)? Are the risks only
> significant for targeted LDP? Is the network safe if it applies access
> controls at the edges and assumes no subversion of routers? Does applying an
> access list at the LDP speakers provide protection against everything except
> address spoofing?
> 
> Cheers,
> Adrian
> 
> > -----Original Message-----
> > From: Loa Andersson [mailto:loa@pi.nu]
> > Sent: 17 April 2014 12:13
> > To: adrian@olddog.co.uk; draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org
> > Cc: mpls@ietf.org
> > Subject: Re: AD review of draft-ietf-mpls-ldp-hello-crypto-auth
> >
> > Adrian,
> >
> > Given my limited understanding of the security mechanisms, I
> > nevertheless have one question I need to ask.
> >
> > You say:
> >
> > On 2014-04-13 20:10, Adrian Farrel wrote:
> > > It would help if the document was a
> > > little clearer about which attacks it is defending against and why
> > > normal protection at the edge of the network is not considered
> > > enough for the former,
> > > and why a bad actor within the network would waste its time
> > > attacking LDP when
> > > there is so much else it can do!
> >
> > My understanding is that this document was written as a response to
> > the risk analysis in RFC 6952. If I remember correctly you had a
> > number of questions, but also said that you had no objections after
> > having these question answered.
> >
> > Since RFC 6952 says we have a security hole that we need to close, you
> > said that you approve of that, we tried to fill the hole; how should I
> > understand the comment above? Do you just want another reference to
> > RFC 6952?
> >
> > /Loa
> 
> _______________________________________________
> mpls mailing list
> mpls@ietf.org
> https://www.ietf.org/mailman/listinfo/mpls