IETF Logo Mail Archive

Re: [OPSEC] draft-ietf-opsec-probe-attribution: WGLC

Fernando Gont <fgont@si6networks.com> Mon, 13 March 2023 06:57 UTC

Return-Path: <fgont@si6networks.com>
X-Original-To: opsec@ietfa.amsl.com
Delivered-To: opsec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DCCD3C14CE22; Sun, 12 Mar 2023 23:57:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kZcIenqzxO0o; Sun, 12 Mar 2023 23:57:31 -0700 (PDT)
Received: from fgont.go6lab.si (fgont.go6lab.si [91.239.96.14]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 553A2C14CE24; Sun, 12 Mar 2023 23:57:25 -0700 (PDT)
Received: from [10.0.0.132] (unknown [186.19.1.156]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by fgont.go6lab.si (Postfix) with ESMTPSA id 1463F2804EB; Mon, 13 Mar 2023 03:57:18 -0300 (-03)
Message-ID: <ae548706-db2f-5e81-9620-83e736b62027@si6networks.com>
Date: Mon, 13 Mar 2023 03:57:14 -0300
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.7.1
Content-Language: en-US
To: Jen Linkova <furry13@gmail.com>, opsec WG <opsec@ietf.org>
Cc: OpSec Chairs <opsec-chairs@ietf.org>, draft-ietf-opsec-probe-attribution@ietf.org
References: <CAFU7BAS3uEYc7JGavH9qQka1EhhYaO0mhnUDV7Q4d=Ru2SCLkQ@mail.gmail.com>
From: Fernando Gont <fgont@si6networks.com>
In-Reply-To: <CAFU7BAS3uEYc7JGavH9qQka1EhhYaO0mhnUDV7Q4d=Ru2SCLkQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/9detHBguiAQelUMHyh8qIsYHdp8>
Subject: Re: [OPSEC] draft-ietf-opsec-probe-attribution: WGLC
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsec/>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Mar 2023 06:57:36 -0000

Hi, All,

My apologies for the delay in my response -- I've clearly missed the 
WGLC deadline. But, hopefully "better late than never".

Some comments on version -01 of this document:

* Section 4:
I believe some discussion is warranted about how this might affect the 
measurements themselves. e.g.,

* SYN-scans containing data might be discarded

* Also, if you're UDP-probing, the UDP probe packet needs to impleent 
the target protocol, or else it won't elicit a response. This in turn 
means that most likely you won´t be able to encode the URI in the probe 
packet.

* When probing over IPv6, including EHs will definitely affect the probe 
results (as per e.g. RFC7872)



* Section 4, page 5:
>    *  for a [RFC793] TCP packet with the SYN flag: data is allowed in
>       TCP packets with the SYN flag per section 3.4 of [RFC793] (2nd
>       paragraph).  However, it may change the way the packet is
>       processed;

s/793/9293/



* Section 4, page 5:
>    *  for a [RFC8200] IPv6 packet with either hop-by-hop or destination
>       options headers, in a PadN option.  However, the PadN option is
>       not recommended: as per the informational [RFC4942], section
>       2.1.9.5, it is suggested that PadN options should only contain 0's
>       and be smaller than 8 octets, thus limiting its use for probe
>       attribution.  Indeed, inserting the probe description URI in PadN
>       options could bias the measurement itself.  

So... what would be the recommended approach for including the URI, if 
any, in an IPv6 probe packet?


* Section 4, page 5:
> For example, the Linux
>       Kernel follows these recommendations since its version 3.5;

Is the "recommendation" to drop these packets? Either way, please 
clarify this.


* Section 4, page 5:
>    The probe description URI should start at the first octet of the
>    payload and should be terminated by an octet of 0x00, i.e., it must
>    be null terminated.  If the probe description URI cannot be placed at
>    the beginning of the payload, then it should be preceded by an octet
>    of 0x00.

There should be some discussion about MTU related issues. e.g., what if 
including the URI would cause the probe packet to be larger than the 
minimum IPv4 MTU (68 bytes) or minimum IPv6 MTU (1280 bytes)?
(since this would also affect the probe results themselves)


* Section 5, page 6:
>    Both out-of-band and in-band combined should be preferred.  It could
>    be used as an indirect means of "authenticating" the probe
>    description URI in the in-band probe, thanks to a correlation with
>    the out-of-band technique (e.g., a reverse DNS lookup).  However, the
>    out-of-band technique might not be possible due to several
>    conditions: the presence of a NAT, too many endpoints to run a web
>    server on (e.g., RIPE Atlas probes)

I'd add a reference for RIPE Atlas.


* Section 7, page 6:

>    This information is provided to identify the source and intent of
>    specific probes, but there is no authentication possible for the
>    inline information.  As a result, a malevolent actor could provide
>    false information while conducting the probes, so that the action is
>    attributed to a third party.  As a consequence, the recipient of this
>    information cannot trust this information without confirmation.  If a
>    recipient cannot confirm the information or does not wish to do so,
>    it should treat the flows as if there were no attribution.

This probably also make a case for favoring out-of-band signaling...


* Section 8, page 7:
> 
> 8.  IANA Considerations
> 
>    The "Well-Known URIs" registry should be updated with the following
>    additional values (using the template from [RFC8615]):
> 
>    *  URI suffix: probing.txt
> 
>    *  Change controller: IETF
> 
>    *  Specification document(s): this document

Should the document be std track for this? (particularly when the tet 
says "specification")

Thanks, and my apologies for my sub-optimal timing!

Regards,
Fernando




On 10/1/23 21:17, Jen Linkova wrote:
> Hello,
> 
> This email starts the WGLC for draft-ietf-opsec-probe-attribution
> (https://datatracker.ietf.org/doc/draft-ietf-opsec-probe-attribution/).
> 
> The WGLC ends on Sun, Jan 29th, 23:59:59UTC.
> 
> Please review the draft and send comments/suggestions/opinions to the list.
> 
> Thank you!
> 
> --
> SY, Jen Linkova aka Furry on behalf of OpSec chairs.
> 
> _______________________________________________
> OPSEC mailing list
> OPSEC@ietf.org
> https://www.ietf.org/mailman/listinfo/opsec

-- 
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494

v2.23.0 | Report a Bug | By Email