[mpls] Re: Potential MNA security issue
Tony Li <tony.li@tony.li> Thu, 27 February 2025 17:00 UTC
From: Tony Li <tony.li@tony.li>
In-Reply-To: <7252e8d7-a787-4bad-9571-9470c2ec7b00@joelhalpern.com>
Date: Thu, 27 Feb 2025 08:59:21 -0800
Message-Id: <0D1BBFA3-7A92-4C53-8A9F-A1B2B7C2FE95@tony.li>
References: <026801db83da$30a3ec40$91ebc4c0$@olddog.co.uk> <9D3BA859-A778-4DE6-9839-401ACA913861@tony.li> <027901db83e1$104f6300$30ee2900$@olddog.co.uk> <03aa01db847d$03447c80$09cd7580$@olddog.co.uk> <CA+RyBmWxH-BqD21MY5EO3T6MiQao8CKr_22o35L3LOfh8YJkdw@mail.gmail.com> <MR1PPFC3B5BBE277BFF5633246CCEAA8C28F0C22@MR1PPFC3B5BBE27.FRAP264.PROD.OUTLOOK.COM> <CA+RyBmUqsTKRSoask8Nqo4f-Gj9o4btsqfg+cKQPDDHm2sEAWA@mail.gmail.com> <MR1PPFC3B5BBE27581BFD44D2857AE151AAF0C22@MR1PPFC3B5BBE27.FRAP264.PROD.OUTLOOK.COM> <CA+RyBmUA9xz65J+duL9K289EAF+zyCa0G_Jt+0C4CKzzt2qAUw@mail.gmail.com> <MR1PPFC3B5BBE2778A742F44B0A62F36FCAF0CD2@MR1PPFC3B5BBE27.FRAP264.PROD.OUTLOOK.COM> <7252e8d7-a787-4bad-9571-9470c2ec7b00@joelhalpern.com>
To: "Joel M. Halpern" <jmh@joelhalpern.com>
CC: mpls <mpls@ietf.org>
Subject: [mpls] Re: Potential MNA security issue
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mpls/nAkz5aNNkMP9zCKsAEuWMAykkxY>
There is text discussing this issue in the security considerations section of the framework document.

T

> On Feb 27, 2025, at 8:34 AM, Joel Halpern - jmh at joelhalpern.com <mailforwards@cloudmails.net> wrote:
>
> This seems a valid point, and good suggestions for mitigation. I believe it applies to both ISD and PSD.
>
> Yours,
>
> Joel
>
> On 2/27/2025 11:05 AM, bruno.decraene@orange.com wrote:
>> Sorry, the email somehow got sent too soon. Re-sending.
>>
>> Hi all,
>>
>> There may be a security issue with ISD in the context of VPN Carrier's Carrier.
>> The spec does not seem to handle independence between the CE MPLS domain and the PE MPLS domain.
>> So it seems like the CE/Customer would be able to inject any MNA in the stack, and this MNA would be interpreted by the provider MPLS domain. Given the possibly broad applicability of MNA, this may be a significant security issue.
>> Granted, VPN Carrier's Carrier is a niche deployment, but the document should probably raise that security point and possibly suggest options (e.g., MNA disabled in the SP domain, or packets with MNA dropped by the PE, i.e., essentially forbidding the use of MNA by the customer, and a call for future extensions...).
>>
>> Thanks,
>> Regards,
>> --Bruno
>> ____________________________________________________________________________________________________________
>> This message and its attachments may contain confidential or privileged information that may be protected by law;
>> they should not be distributed, used or copied without authorisation.
>> If you have received this email in error, please notify the sender and delete this message and its attachments.
>> As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
>> Thank you.
>> _______________________________________________
>> mpls mailing list -- mpls@ietf.org
>> To unsubscribe send an email to mpls-leave@ietf.org
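The PE-side mitigation Bruno proposes (a Carrier's Carrier PE dropping customer packets whose label stack carries an MNA indicator), written out as an added example that is not part of this thread or of the MNA drafts. The indicator label value, the function names and the sample packets are assumptions constructed for the example; the real bSPL value must be taken from the IANA registry for the deployed encoding.

```python
"""PE ingress filter for a Carrier's Carrier VPN: refuse CE-originated
packets whose MPLS label stack carries an MNA indicator.

The indicator label value below is an ASSUMPTION for this example;
take the real value from the IANA bSPL registry for your deployment.
"""
import struct

MNA_INDICATOR_LABEL = 4  # ASSUMED bSPL value, verify against IANA


def parse_label_stack(data: bytes):
    """Split the MPLS label stack at the front of `data` into
    (label, tc, s, ttl) tuples, stopping at the bottom-of-stack entry.
    Returns (entries, offset_of_post_stack_data)."""
    entries, off = [], 0
    while off + 4 <= len(data):
        (lse_word,) = struct.unpack("!I", data[off:off + 4])
        label, tc = lse_word >> 12, (lse_word >> 9) & 0x7
        s, ttl = (lse_word >> 8) & 0x1, lse_word & 0xFF
        entries.append((label, tc, s, ttl))
        off += 4
        if s:
            return entries, off
    raise ValueError("label stack has no bottom-of-stack entry")


def ce_packet_carries_mna(data: bytes) -> bool:
    """True if any entry the CE sent is the MNA indicator. ISD follows the
    indicator inside the stack and PSD follows the bottom of stack, so
    refusing the indicator itself covers both flavours."""
    entries, _ = parse_label_stack(data)
    return any(label == MNA_INDICATOR_LABEL for label, _, _, _ in entries)


def pe_ingress_policy(data: bytes, mna_allowed_from_ce: bool = False) -> str:
    """Decision for a packet received on a CE-facing interface of the PE:
    'forward' or 'drop'. A malformed stack is dropped as well, so nothing
    unparsed reaches the SP domain where it could be read as MNA."""
    try:
        if ce_packet_carries_mna(data) and not mna_allowed_from_ce:
            return "drop"
    except ValueError:
        return "drop"
    return "forward"


def lse(label: int, tc: int = 0, s: int = 0, ttl: int = 64) -> bytes:
    """Build one 32-bit label stack entry (helper for constructed samples)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (s << 8) | ttl)


# Constructed sample stacks as sent by a CE (labels only, no payload).
CLEAN = lse(16) + lse(17, s=1)
WITH_MNA = lse(16) + lse(MNA_INDICATOR_LABEL) + lse(0x100, s=1)
```

The default policy is the stricter of Bruno's two options, a PE that drops; `mna_allowed_from_ce=True` models an operator that has deliberately chosen to trust customer MNA.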