Re: [mpls] IESG comments on draft-ietf-mpls-sfl-framework - first tranche (security)
Benjamin Kaduk <kaduk@mit.edu> Thu, 01 October 2020 23:21 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A5C833A0A02; Thu, 1 Oct 2020 16:21:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6eHn_2pC25NL; Thu, 1 Oct 2020 16:21:39 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DD593A0A01; Thu, 1 Oct 2020 16:21:39 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 091NLUU4013447 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 1 Oct 2020 19:21:32 -0400
Date: Thu, 01 Oct 2020 16:21:30 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: Stewart Bryant <sb@stewartbryant.com>
Cc: "draft-ietf-mpls-sfl-framework@ietf.org" <draft-ietf-mpls-sfl-framework@ietf.org>, "mpls-ads@ietf.org" <mpls-ads@ietf.org>, mpls <mpls@ietf.org>, Roman Danyliw <rdd@cert.org>
Message-ID: <20201001232130.GQ89563@kduck.mit.edu>
References: <2A8FF52B-BE61-44AF-B98C-9E5B75B83BBD@stewartbryant.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <2A8FF52B-BE61-44AF-B98C-9E5B75B83BBD@stewartbryant.com>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/mpls/m5ZgIvbPe4d1-wd_Zf-vkzH-XcU>
Subject: Re: [mpls] IESG comments on draft-ietf-mpls-sfl-framework - first tranche (security)
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Oct 2020 23:21:42 -0000
Hi Stewart, Thanks for the updates. Your proposals look fine to me modulo typos ("anone", "wwhere"). -Ben On Wed, Sep 30, 2020 at 11:07:38AM +0000, Stewart Bryant wrote: > Dear All, > > I am working my way through the various IESG comments on draft-ietf-mpls-sfl-framework. > > I have looked at the comments by Roman and Benjamin, but need to pause for a few days to do other work. My proposed disposition of the comments is as follows. > > I thank all of the reviewers and will address the other comments and upload a new version of the text shortly. > > Bets regards > > Stewart > > From Roman Danyliw > > ** Section 3. What is “triggering IPFIX inspection”? I wasn’t familiar with this phrasing. Is the intent to trigger more in-depth analysis of header information, as opposed to “triggering … DPI”, which will do content inspection? > > SB> I have changed this to > > "triggering an IP Flow Information Export (IPFIX) {{RFC7011}} capture" > > > ** Editorial Nits: > -- Section 3. Typo. s/co-ordinating/coordinating/ > > SB> Fixed > > -- Section 4.1. Typo. s/are present/is present/ > > I think the original is correct (there is a plurality of cases), I will leave it to the RFC Editor. > > > -- Section 5. Typo. s/invalidate the certain uses/invalidate certain uses/ > > SB> Fixed > > =========== > > Benjamin Kaduk > > I agree with the TSV-ART reviewer that some discussion of how/why the > RFC 8372 requirements are met would have been welcome. > > Other than that, I basically only have nits and minor comments; this is > pretty straightforward and well-specified. > > Section 1 > > The Introduction is essentially a verbatim copy of the Abstract with > formatting changes. It seems likely that the Introduction could be > expanded slightly if desired. > > [RFC8372] (MPLS Flow Identification Considerations) describes the > requirement for introducing flow identities within the MPLS > > nit: "requirement" singular or "requirements" plural? (It itself seems > to only claim to give "considerations" relevant for flow identification.) > > SB> I think in this context singular is correct, but will discuss with RFC Editor. > > architecture. This document describes a method of accomplishing this > > nit: the second "this" that is to be accomplished doesn't have a > terribly precise referent -- it is in some sense "accomplishing the task > of meeting the requirements" but not "accomplishing the requirements”. > > SB> Changed to "This document describes a method of providing the required identification by using a" > > by using a technique called Synonymous Flow Labels (SFL) in which > labels which mimic the behaviour of other labels provide the > identification service. These identifiers can be used to trigger > per-flow operations on the packet at the receiving label switching > router. > > nit: we currently introduce the LSR acronym in Section 3 but this seems > to be the first non-Abstract usage. > > SB> I qualify labels by adding MPLS - "behaviour of other MPLS labels" > > Section 3 > > An SFL is defined to be a label that causes exactly the same > behaviour at the egress Label Switching Router (LSR) as the label it > replaces, but in addition also causes an agreed action to take place > on the packet. There are many possible additional actions such as > > nit: is this "agreed action" on the path or also at the egress? If at > the egress, then "exactly the same behavior" is debatable, in a pedantic > sense. > > SB> I think technically the English is correct, but five years after I first wrote it > I think it could be polished. It now says: > > "An SFL is defined to be a label that causes exactly the same > behaviour at the egress Label Switching Router (LSR) as the label it > replaces, but except that it also causes anone or more additional agreed actions to take place > on the packet. " > > > the measurement of the number of received packets in a flow, > triggering IPFIX inspection, triggering other types of Deep Packet > > nit: while IPFIX appears on > > https://www.rfc-editor.org/materials/abbrev.expansion.txt > it is not > marked as "well-known", thus probably merits expansion. > > SB> Expansion added > > acceptable for scaling reasons. We therefore have no choice but to > introduce an additional label. Where penultimate hop popping (PHP) > is in use, the semantics of this additional label can be similar to > the LSP label. Where PHP is not in use, the semantics are similar to > an MPLS explicit NULL [RFC3032]. In both of these cases the label > has the additional semantics of the SFL. > > [I note that here we weaken the statement to be only "similar to", not > "exactly the same”.] > > SB> It cannot be exactly the same as it has the additional SFL properties, so I think “similar" is correct. > > > Finally we need to consider the case where there is no MPLS > application label such as occurs when sending IP over an LSP. In > > nit/editorial: I would consider mentioning the application label > earlier, to accentuate the contrasting case being introduced here. > > SB> Good point, I have changed the start of the PW text to > > "To illustrate the use of this technology, we start by considering > the case wwhere there is an "application" label in the MPLS label stack. > As a first example, let us consider a > pseudowire (PW) {{RFC3985}} on which it is desired to make > packet loss measurement." > > Section 4 > > As noted in Section 3 it is necessary to consider two cases: > [...] > 2. Single label stack > > (editorial) Some minor rewording in Section 3 to specifically mention > the "single label stack" case in such terms would probably help the > document feel more cohesive. (I assume it's meant to be the converse of > the "application label present" case, i.e., the "there is no MPLS > application label such as occurs when sending IP over an LSP" case.) > > SB> Changed the text to "Finally we need to consider the case where there is no MPLS > application label such as occurs when sending IP over an LSP, i.e. there is a single label in the MPLS label stack." > > Section 4.1 > > At the egress LSR the LSP label is popped (if present). Then the SFL > is processed in exactly the same way as the corresponding application > label would have been processed. > > [Just noting that "exact" is used here; I have no specific comment] > > SB> On reflection changed this to :" At the egress LSR the LSP label is popped (if present). Then the SFL > is processed executing both the synonymous function and the corresponding application function. > > Section 4.1.1 > > that the SFL is synonymous with. However it is recognised that, if > there is an applications need, the SFL MAY be to some other value. > > (nit) Barry already noted the missing "set", but I think it's also "the > TTL and TC bits in the SFL" and not the SFL itself -- the SFL itself is > inherently a different value, otherwise it would be called the > "identical flow label" and we probably wouldn't be writing a document > about it :) > > SB> Good catch. I have changed the text to > > "However, it is recognised that if there > is an applications need these fields in the SFL Label Stack Entry (LSE) MAY be set these to some other value." > > Section 4.2 > > I wondered to myself for Figure 1, and wonder out loud here for Figure > 2, if we can make some indication that the "May be PHPed" applies to > both the "Normal" label stack as well as to the "with SFL" label stack. > (For Figure 1 it was vertically aligned, but is not so, here.) > > SB> In Fig 1 and Fig 2 added PHP note inside the stack diagrams > SB> to make it clear where it applied. Also make clear BoS applies > SB> to both sides. > > If the LSP label is present, it processed exactly as it would > normally processed and then it is popped. This reveals the SFL which > in the case of [RFC6374] measurements is simply counted and then > discarded. In this respect the processing of the SFL is synonymous > > nit: it's not entirely clear to me why this specific case merits mention of > RFC 6374 measurement but we don't want to mention it anywhere earlier. > > SB> We originally put it in because this we wanted to show that in some important cases > SB> SFL behaviour was simple and in some cases already supported by the natural > SB> behaviour of the existing h/w. > > Section 4.3 > > Is the Aggregate SFL also in some sense "synonymous with Explicit NULL" > (as was mentioned in Figure 2)? > > > SB> It’s behaviour is similar, but as I remember an explicit NULL must be BoS. > SB> So am reluctant to add that note. > SB> Aligned Fig 3 with the changes made to Fig 1 & 2 > > Section 5 > > 2. The operator can elect to use [RFC6790] Entropy Labels in a > network that fully supports this type of ECMP. If this approach > is adopted, the intervening MPLS network MUST NOT load balance on > any packet field other than the entropy label. Note that this is > stricter than the text in Section 4.2 of [RFC6790]. In networks > > Is Section 4.2 ("Ingress LSR") really the best reference in RFC 6790? > Section 4.3 seems much more relevant, to me. > > SB> Good catch, 4.3 is the correct reference. > > in which the ECMP decision is independent of both the value of > any other label in the label stack, and the MPLS payload, the > path of the flow with the SFL will be congruent with the path > without the SFL. > > (side note) what would the ECMP decision be made on, in that case? A > random number generator? > > SB> The background is that some P routers load balance a number of > SB> fields rather than on just the EL. I will clarify. It now says: > > "In networks in which the ECMP decision is based solely > on the entropy lable, and ignores the value of all other labels > in the label stack, and ignores all field in the MPLS payload, > the path of the flow with the SFL will be congruent with > the path without the SFL. " > > > > Section 6 > > Thank you for noting the privacy considerations even though the > incremental exposure is fairly small! > > I might note that whenever IPFIX or other DPI techniques are used, their > relevant privacy considerations apply. > > The inclusion of originating and/or flow information in a packet > provides more identity information and hence potentially degrades the > privacy of the communication. Whilst the inclusion of the additional > > SB> Note added. > > At risk of banality, I suggest "potentially degrades the privacy of the > communiation to an attacker in position to observe the added > identifier", to subtly emphasize that the relevant attacker here has > capabilities that already allow for similar types of attack. That is, > what's new for the attacker here is that they get some signal as to how > the ingress decides to classify traffic -- they already have all the > traffic in the first place and could be doing their own classification > on it. > > SB> change made. > > granularity does allow greater insight into the flow characteristics > it does not specifically identify which node originated the packet > other than by inspection of the network at the point of ingress, or > inspection of the control protocol packets. This privacy threat may > > nit: I suggest > s/other than by/unless the attacker can/; > s/inspection of/inspect/ > > (since the attacker needs to both observe the labeled > traffic and obtain the origination-mapping information in order to > effectuate the identification). > > SB> yes that is cleared - change made. > > Section 7 > > I think that the type of attack opened up by having multiple synonyms > for conceptulaly "the same traffic", that Tero noted in the secdir > review, would be in cases where the attacker is sending traffic over the > LSP in question and knows both the classification algorithm used to > apply the SFL and the nature of the DPI performed on SFL-marked traffic, > and is thus able to ensure that whatever nefarious things they are doing > that would have been noticed by the DPI instead take the non-DPI path > and remain undetected. Now, AFAICT the type of DPI envisioned here is > mostly not going to be looking for nefarious things, and even the > existence of such nefarious things that need to be going over this LSP > that the attacker can already send traffic over seems a bit contrived, > but that's my take on the additional incremental attack that this > mechanism opens up. > > SB> Yes, if an attacker can avoid the DPI triggers by disguising the traffic > SB> they can do that regardless of the SFL mechanism, so I don’t think > SB> there is an SFL specific risk. > > There are no new security issues associated with the MPLS dataplane. > Any control protocol used to request SFLs will need to ensure the > legitimacy of the request. > > I'd suggest mentioning authorization checks as well -- a request can in > some sense still be "legitimate" even if the requestor is not currently > authorized to receive the service. > > SB> I have extended the text to say: "Any > control protocol used to request SFLs will need to ensure the > legitimacy of the request, i.e. that the requesting node is authorised > to make that SFL request by the network operator." > > Section 10.2 > > Hmm, in some reading "can elect to use [RFC6790] Entropy Labels" [..] > MUST NOT load balance on any packet field other than the entropy label" > makes 6790 a normative reference (required reading for an optional > feature). > > SB> Yes, I have moved it. > >
- [mpls] IESG comments on draft-ietf-mpls-sfl-frame… Stewart Bryant
- Re: [mpls] IESG comments on draft-ietf-mpls-sfl-f… Roman Danyliw
- Re: [mpls] IESG comments on draft-ietf-mpls-sfl-f… Benjamin Kaduk