Re: [mpls] AD review of draft-ietf-mpls-ldp-hello-crypto-auth
Loa Andersson <loa@pi.nu> Thu, 17 April 2014 13:41 UTC
Return-Path: <loa@pi.nu>
X-Original-To: mpls@ietfa.amsl.com
Delivered-To: mpls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BB7D1A0106 for <mpls@ietfa.amsl.com>; Thu, 17 Apr 2014 06:41:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.172
X-Spam-Level:
X-Spam-Status: No, score=-2.172 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.272] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HK8qoxWMHQu7 for <mpls@ietfa.amsl.com>; Thu, 17 Apr 2014 06:41:41 -0700 (PDT)
Received: from pipi.pi.nu (pipi.pi.nu [83.168.239.141]) by ietfa.amsl.com (Postfix) with ESMTP id 1360C1A0175 for <mpls@ietf.org>; Thu, 17 Apr 2014 06:41:41 -0700 (PDT)
Received: from [192.168.1.133] (81-236-221-144-no93.tbcn.telia.com [81.236.221.144]) (using TLSv1 with cipher ECDHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: loa@pi.nu) by pipi.pi.nu (Postfix) with ESMTPSA id 32EEE1800905; Thu, 17 Apr 2014 15:41:37 +0200 (CEST)
Message-ID: <534FDA11.4030209@pi.nu>
Date: Thu, 17 Apr 2014 15:41:37 +0200
From: Loa Andersson <loa@pi.nu>
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: adrian@olddog.co.uk, draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org
References: <002301cf5743$b1a74af0$14f5e0d0$@olddog.co.uk> <534FB734.2020005@pi.nu> <03d801cf5a3e$4327fcc0$c977f640$@olddog.co.uk>
In-Reply-To: <03d801cf5a3e$4327fcc0$c977f640$@olddog.co.uk>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/mpls/spGapdCH7l5BuUaTXYGGllftf-0
Cc: mpls@ietf.org
Subject: Re: [mpls] AD review of draft-ietf-mpls-ldp-hello-crypto-auth
X-BeenThere: mpls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Multi-Protocol Label Switching WG <mpls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mpls>, <mailto:mpls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mpls/>
List-Post: <mailto:mpls@ietf.org>
List-Help: <mailto:mpls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mpls>, <mailto:mpls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Apr 2014 13:41:45 -0000
Adrian,

Sorry if I don't have the history right, but it is not really the that is my problem. It is the tension between

> There is a risk with the Hello and it needs a solution.
> No issue with that, and I support this draft.

and

> why a bad actor within the network would waste its time attacking LDP
> when there is so much else it can do!

The first seems to say that there is a risk that needs to be taken care of, the second seems to say that this is moot.

/Loa

On 2014-04-17 15:09, Adrian Farrel wrote:
> Hello,
>
> I don't think that is the history at all!
> This document started as draft-zheng-mpls-ldp-hello-crypto-auth in October 2010.
> Before that the issue with the Hello was discussed and batted around for a
> while.
> There is a risk with the Hello and it needs a solution.
> No issue with that, and I support this draft.
>
> RFC 6952 comes from draft-ietf-karp-routing-tcp-analysis-00.txt that was adopted
> by KARP in June 2011. That derives from draft-mahesh-bgp-ldp-msdp-analysis first
> posted in February 2011 (note that the discussion of LDP Hellos didn't make it
> into this document until -01 in May 2011).
>
> But who cares?
>
> RFC 6952 does not describe the attacks or their mitigations. It just notes that
> spoofing a Hello can have some bad effects.
>
> As a deployer, I need help to explain when I need to insist on having this
> feature implemented by my supplier (BTW, it looks like none of the suppliers is
> implementing it) and when I need to enable it. It seems to me that this feature
> is needed to protect against attacks (which 6952 claims have been seen in the
> wild), but that those attacks only arise in specific situations.
>
> Since the security mechanisms defined in this document are pretty heavy-weight
> (compare with simple text passwords so loved for IGP security :-) it would be
> great to get some help on this topic. Are all networks always exposed (if so it
> looks like a must-have feature)? Are the risks only significant for targeted
> LDP? Is the network safe if it applies access controls at the edges and assumes
> no subversion of routers? Does applying an access list at the LDP speakers
> provide protection against everything except address spoofing?
>
> Cheers,
> Adrian
>
>> -----Original Message-----
>> From: Loa Andersson [mailto:loa@pi.nu]
>> Sent: 17 April 2014 12:13
>> To: adrian@olddog.co.uk; draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org
>> Cc: mpls@ietf.org
>> Subject: Re: AD review of draft-ietf-mpls-ldp-hello-crypto-auth
>>
>> Adrian,
>>
>> Given my limited understanding of the security mechanisms, I
>> nevertheless have one question I need to ask.
>>
>> You say:
>>
>> On 2014-04-13 20:10, Adrian Farrel wrote:
>>> It would help if the document was a
>>> little clearer about which attacks it is defending against and why normal
>>> protection at the edge of the network is not considered enough for the former,
>>> and why a bad actor within the network would waste its time attacking LDP when
>>> there is so much else it can do!
>>
>> My understanding is that this document was written as a response to the
>> risk analysis in RFC 6952. If I remember correctly you had a number of
>> questions, but also said that you had no objections after having these
>> questions answered.
>>
>> Since RFC 6952 says we have a security hole that we need to close, you
>> said that you approve of that, we tried to fill the hole; how should I
>> understand the comment above? Do you just want another reference to
>> RFC 6952?
>>
>> /Loa
>

-- 
Loa Andersson                        email: loa@mail01.huawei.com
Senior MPLS Expert                          loa@pi.nu
Huawei Technologies (consultant)     phone: +46 739 81 21 64
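Added example, not part of this thread, the draft, or RFC 6952: a simplified Python model of the two defences Adrian contrasts, a source-address access list at the LDP speaker versus keyed authentication of the Hello with a per-neighbour sequence number. It shows why the access list passes a Hello whose source address is spoofed, while the keyed check rejects it, and why the sequence number is what catches a replayed copy of a genuine Hello. The Hello fields, the SA id/sequence layout, the choice of HMAC-SHA256, the key, addresses and function names are all assumptions made for illustration; the draft's actual TLV encoding and key management are not reproduced here.

```python
"""Added illustration (not from the draft or this thread): why a source-address
access list alone does not stop spoofed LDP Hellos, while a keyed HMAC with a
per-neighbour sequence number rejects both forged and replayed Hellos.

The Hello layout and the covered fields below are a simplified, hypothetical
model; the real TLV encoding is specified by the draft, not reproduced here.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Hello:
    src_addr: str      # IP source address as seen by the receiver
    sa_id: int         # security association identifier (selects the key)
    seq: int           # monotonically increasing sequence number
    payload: bytes     # the Hello body (LDP id, hold time, ...); constructed
    digest: bytes = b""


def covered_bytes(hello: Hello) -> bytes:
    """Fields the HMAC covers: SA id, sequence number and body (digest excluded)."""
    return hello.sa_id.to_bytes(4, "big") + hello.seq.to_bytes(8, "big") + hello.payload


def sign_hello(key: bytes, hello: Hello) -> Hello:
    """Sender side: attach an HMAC-SHA256 over the covered fields."""
    hello.digest = hmac.new(key, covered_bytes(hello), hashlib.sha256).digest()
    return hello


@dataclass
class Receiver:
    key: bytes
    sa_id: int
    allowed_sources: set
    last_seq: dict = field(default_factory=dict)  # per-neighbour replay state

    def acl_check(self, hello: Hello) -> bool:
        """Source-address filtering: cannot tell a spoofed source from a real one."""
        return hello.src_addr in self.allowed_sources

    def auth_check(self, hello: Hello) -> str:
        """Keyed check: reject unknown SA, bad digest, or non-increasing sequence."""
        if hello.sa_id != self.sa_id:
            return "reject: unknown security association"
        expected = hmac.new(self.key, covered_bytes(hello), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, hello.digest):
            return "reject: bad digest"
        if hello.seq <= self.last_seq.get(hello.src_addr, -1):
            return "reject: replayed or stale sequence number"
        self.last_seq[hello.src_addr] = hello.seq
        return "accept"


def run_scenarios() -> dict:
    """Three constructed Hellos against one receiver; returns (acl_ok, auth) per case."""
    shared_key = b"constructed-demo-key"  # constructed for the example, not a real key
    rx = Receiver(key=shared_key, sa_id=1, allowed_sources={"10.0.0.1"})

    # 1. Genuine Hello from the configured neighbour, signed with the shared key.
    genuine = sign_hello(shared_key, Hello("10.0.0.1", 1, 100, b"hello-body"))

    # 2. Forged Hello: source address set to the neighbour's, but no key, so the
    #    digest is garbage. The ACL passes it; the keyed check does not.
    forged = Hello("10.0.0.1", 1, 101, b"hello-body", digest=b"\x00" * 32)

    # 3. Replay: a verbatim copy of the genuine Hello sent again later. The digest
    #    verifies, so only the sequence-number state catches it.
    replay = Hello(genuine.src_addr, genuine.sa_id, genuine.seq,
                   genuine.payload, genuine.digest)

    results = {}
    for name, h in (("genuine", genuine), ("forged", forged), ("replay", replay)):
        results[name] = (rx.acl_check(h), rx.auth_check(h))
    return results


if __name__ == "__main__":
    for name, (acl_ok, auth) in run_scenarios().items():
        print(f"{name:8s} acl={'pass' if acl_ok else 'drop'}  auth={auth}")
```

The sequence-number check is deliberately per source address: a receiver that kept a single global counter would reject legitimate Hellos from a second neighbour whose counter happened to be lower, which is a common way such schemes break in multi-neighbour deployments.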