Re: [mpls] Secdir last call review of draft-ietf-mpls-egress-protection-framework-05

Yimin Shen <yshen@juniper.net> Tue, 25 June 2019 13:37 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/mpls/nI0b-iahwSuJgVETymw8M-P07JY>

Hi Christian,

Thanks very much for your security review for this draft!

We agree with you on the possibility of attack via a CE or customer site. As you have mentioned, such an attack may well happen to a network in the absence of the egress protection in this draft. Our view is that the network should generally be defended by using a damping mechanism on egress routers, so that the service destinations associated with a constantly flapping link are suppressed from being accepted, recognized, and advertised to other egress routers. This should be able to defeat the root cause of the attack, and prevent it from triggering control plane activities in the MPLS network, including the egress protection activities. From that perspective, the egress protection in this draft does not make a network more vulnerable to such attack. We can add text to the Security Considerations section to clarify this.

Thanks,

-- Yimin Shen
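The damping mechanism described in the reply above, as an added illustration that is not part of the thread or the draft: a penalty-based damper per egress (CE-PE) link, in the style of BGP route flap damping, that withholds the destinations behind a flapping link so repeated flaps stop triggering control-plane activity such as egress protection. The thresholds, half-life and the flap sequence are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass
class EgressLinkDamper:
    """Penalty-based damper for one egress (CE-PE) link on an egress router.

    Each link transition adds a penalty that decays exponentially.  While the
    penalty sits above the suppress threshold, destinations reached over the
    link are withheld (not accepted, recognized or advertised), so a flapping
    link cannot keep triggering egress protection or other control-plane work.
    Parameter values are assumptions for illustration, not taken from the draft.
    """
    penalty_per_flap: float = 1000.0
    suppress_threshold: float = 2000.0
    reuse_threshold: float = 750.0
    half_life: float = 15.0       # seconds for the penalty to halve
    max_penalty: float = 12000.0  # cap so a long attack cannot suppress forever
    penalty: float = 0.0
    last_update: float = 0.0
    suppressed: bool = False

    def _decay_to(self, now: float) -> None:
        elapsed = max(0.0, now - self.last_update)
        self.penalty *= 0.5 ** (elapsed / self.half_life)
        self.last_update = now

    def link_transition(self, now: float) -> bool:
        """Record an up/down transition at `now`; True if it may be acted on."""
        self._decay_to(now)
        self.penalty = min(self.max_penalty, self.penalty + self.penalty_per_flap)
        if self.penalty >= self.suppress_threshold:
            self.suppressed = True
        return not self.suppressed

    def may_advertise(self, now: float) -> bool:
        """True once the penalty has decayed back below the reuse threshold."""
        self._decay_to(now)
        if self.suppressed and self.penalty <= self.reuse_threshold:
            self.suppressed = False
        return not self.suppressed


def count_accepted_flaps(times: list[float]) -> tuple[int, int]:
    """Replay a constructed flap sequence; return (acted_on, damped) counts."""
    damper = EgressLinkDamper()
    acted = sum(1 for t in times if damper.link_transition(t))
    return acted, len(times) - acted


if __name__ == "__main__":
    # Constructed sample: a CE flapping its link once per second for six seconds.
    acted, damped = count_accepted_flaps([0, 1, 2, 3, 4, 5])
    print(f"acted on: {acted}, damped: {damped}")
```

With these parameters the first two flaps are acted on and the remaining four are damped; isolated flaps spaced far apart are never suppressed.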


On 6/17/19, 9:39 PM, "Christian Huitema via Datatracker" <noreply@ietf.org> wrote:

    Reviewer: Christian Huitema
    Review result: Has Nits
    
    I have reviewed this document as part of the security directorate's ongoing
    effort to review all IETF documents being processed by the IESG.  These
    comments were written primarily for the benefit of the security area directors.
    Document editors and WG chairs should treat these comments just like any other
    last call comments.
    
    I think the document is almost ready, although I would like some considerations
    of a potential attack through the customer equipment.
    
    I reviewed draft-ietf-mpls-egress-protection-framework-05, MPLS Egress Protection Framework.
    The document specifies a framework for implementing protection of an MPLS tunnel against
    failure of the egress router or the egress link. 
    
    The implementation of the framework relies on the control functions of the MPLS network,
    and the security considerations correctly state that the security of the implementation relies on
    the security of these protocols. The security considerations also point out the need for
    special establishment of trust if the nodes involved are not under the same administrative
    authority.
    
    These general security considerations are correct, but I am concerned that the egress
    links between the MPLS network routers and the customer could also become a point of
    attack. Attackers that gain control of a customer's equipment might use it to simulate
    link failures and trigger the backup mechanism. They could do so in a coordinated fashion
    across a large number of customer equipment, to try to overload the control plane or try to
    create cascading effects in the network.
    
    It may well be that in the absence of the local backup mechanism, the attackers could mount
    the same type of attack and trigger another type of control plane activity. The defenses
    against that might also defend against the attack listed in the previous paragraph. But
    it might be good to state it.