Re: [OPSEC] minutes part 2
RJ Atkinson <ran.atkinson@gmail.com> Tue, 16 December 2008 16:32 UTC
Return-Path: <opsec-bounces@ietf.org>
X-Original-To: opsec-archive@optimus.ietf.org
Delivered-To: ietfarch-opsec-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 46FBD3A6A75; Tue, 16 Dec 2008 08:32:20 -0800 (PST)
X-Original-To: opsec@core3.amsl.com
Delivered-To: opsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6E0413A695B for <opsec@core3.amsl.com>; Tue, 16 Dec 2008 08:04:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7ggU-u2E8mUR for <opsec@core3.amsl.com>; Tue, 16 Dec 2008 08:04:47 -0800 (PST)
Received: from qw-out-2122.google.com (qw-out-2122.google.com [74.125.92.26]) by core3.amsl.com (Postfix) with ESMTP id 9278D3A67AC for <opsec@ietf.org>; Tue, 16 Dec 2008 08:04:47 -0800 (PST)
Received: by qw-out-2122.google.com with SMTP id 3so746915qwe.31 for <opsec@ietf.org>; Tue, 16 Dec 2008 08:04:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:to:content-type :content-transfer-encoding:mime-version:subject:date:x-mailer:from; bh=BlrAkBxByuWUKer5JXbtsDUv1RXx0QNklqYwZ20XDhA=; b=tSWKDvQDTmAFQ2nwB7diNeHgvx048AkvNIP2giMCsrDBEdT1P/Ep5dGl31AJ8jAREl L108viWlpid3T9PddwGsqZ80J9Kmv6UPHwMjJKCk1D4oxqcnsk66+F8wljxUnE+SeoaT Yh3eLFdQxOEla5tksiTUietZTef5EVUk0+x9I=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:to:content-type:content-transfer-encoding:mime-version :subject:date:x-mailer:from; b=IFqzsoM8Mh3IcknQo4e9w9EZe6qNd6/pkbJu0V9ZBtA2f4UJz0GWAiBc5xahtHx5IE nJ2jsMj4J68H4uimws0HKlPw5rOlrFhBsTi0uyzBVJ5qcABXN8UccwDvxZ0qz2VQKkpp 1BSWz2sWet5WfekbvK7C0rpF+yiejc6ML0tnI=
Received: by 10.214.60.5 with SMTP id i5mr9529074qaa.168.1229443478856; Tue, 16 Dec 2008 08:04:38 -0800 (PST)
Received: from ?10.10.1.61? (67.111.52.130.ptr.us.xo.net [67.111.52.130]) by mx.google.com with ESMTPS id 6sm14128401qwk.52.2008.12.16.08.04.36 (version=TLSv1/SSLv3 cipher=RC4-MD5); Tue, 16 Dec 2008 08:04:38 -0800 (PST)
Message-Id: <EC3F7E1D-F7C8-484A-A0C0-1A25E79AD86E@extremenetworks.com>
To: opsec@ietf.org
Mime-Version: 1.0 (Apple Message framework v930.3)
Date: Tue, 16 Dec 2008 11:04:31 -0500
X-Mailer: Apple Mail (2.930.3)
From: RJ Atkinson <ran.atkinson@gmail.com>
X-Mailman-Approved-At: Tue, 16 Dec 2008 08:32:19 -0800
Subject: Re: [OPSEC] minutes part 2
X-BeenThere: opsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: opsec wg mailing list <opsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/opsec>
List-Post: <mailto:opsec@ietf.org>
List-Help: <mailto:opsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsec>, <mailto:opsec-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"; DelSp="yes"
Sender: opsec-bounces@ietf.org
Errors-To: opsec-bounces@ietf.org
All, This note is a response to parts of the above email. (I was presenting a paper at a research conference, so I was unable to attend IETF/MSP in person and make these comments then/there. I can't be in two cities at the same time. :-) First, let me observe that IGP attacks are all insider attacks. Sites routinely block IGP packets from entering from outside their administrative domain. (This would be a sensible thing for OPsec to recommend if it hasn't already done so.) Similarly, ISPs normally block IGP packets from arriving on customer-facing interfaces or other exterior interfaces. Second, prospective attackers are both smart and lazy. They are not likely to use a computationally expensive attack vector (e.g. something cryptographic) when a simpler/easier attack (e.g. DoS on the router CPU) exists. Third, I am not aware of any active attacks on any deployed IGP. I've worked at more than one network operator in the past, and for multiple equipment suppliers. I've never heard of even one. If active attacks were widespread or common, then they would have received much more reporting in the trade press (as different from the zero reports that I've seen over the past ~20 years). Fourth, the *only* goal of the various cryptographic IGP authentication mechanisms (excepting: RFC-2154) always has been to remove only the "passive attack" risks described long ago in RFC-1704. Such passive attacks are trivially easy to mount, even easier than a simple DOS attack, which is why they are sensible to protect against. Fifth, the existing cryptographic authentication mechanisms are not really widely deployed operationally. Many enterprise users don't enable any form of authentication. Some enable clear-text passwords; relatively few bother to enable cryptographic authentication. Among ISPs, security mechanisms are more widely deployed, but even in that community the existing cryptographic authentication mechanisms appear not to be widely used today. This is not because operators/users are silly or uninformed. Instead, this is because they are performing sensible risk/threat analyses and deploying what actually makes sense for their operational environments. % OSPF cryptographic sequence number spoofing or replay From a technical perspective, these are solved problems. Please see RFC-2154. Note that the absence of commercial implementations of RFC-2154 reflects the total absence of user/operator concern about either of these issues, along with user/operator concern about the complexity of a digital signature approach. % Need to move from md5 to stronger crypto. There is no obvious reason for a site to move from either Keyed-MD5 or HMAC-MD5 to something else. There are no known vulnerabilities in either Keyed-MD5 or HMAC-MD5 as used by IETF routing protocols. By contrast, moving to SHA will significantly increase a router's vulnerability to DOS attacks, while providing negligible decrease in risk. (Also see the comments 3 paragraphs down about SHA's own issues.) There is only one known user with any interest in SHA authentication for routing protocols. They have said that the only reason for that interest is "policy compliance". Even they have not yet indicated that SHA support is required of their equipment suppliers. Further, there are no known shipping implementations of SHA authentication for any IETF-specified IGP. (I don't know of any that are even "in progress".) Also, the concerns about collision attacks on MD5 (which are not known to affect either Keyed-MD5 or HMAC-MD5) are not fundamentally different from the concerns about collision attacks on SHA. 1. Several published academic papers about SHA issues are quite easily found by an online search: <http://scholar.google.com/scholar?q=SHA+attack&hl=en&lr=&btnG=Search> 2. NIST is working to replace SHA anyway (Nov 2007 announcement) <http://csrc.nist.gov/news_events/news_archive/news_archive_2007.html#nov20 > So it seems silly to urge users to move to a security mode (e.g. SHA) that those users can't actually acquire or deploy, and whose underlying algorithm itself is likely to be deprecated in the near future by its own standards body (SHA is a NIST Federal Information Processing Standard). % Keys shared across the broadcast domain, % need to move to a stronger key identifier. 1. All IGPs multicast/broadcast their update packets, so sharing a key across that same multicast/broadcast domain is not a silly approach. 2. Adding a Key-ID does not actually increase the security of anything. It can make it slightly simpler for an implementation to locate the correct Security Association to use in attempting to authenticate a received packet, however the most widely deployed implementations *ignore* the Key-ID and instead just try all configured and valid SAs on the router. % For OSPFv3 relies on ipsec, because manual key sequence number, % replay protection cannot be used. See comment up top with reference to RFC-2154. % IS-IS MD5 but no sequence number not notion of keyid % for pdu key must be validated. See previous comments. Separately, IS-IS is carried directly over the link-layer, so off-link attacks are automatically precluded. This means that the only possible threat model is an on-link insider. There are simpler/easier attacks (e.g. DOS) on the routing infrastructure. So adding a sequence number doesn't really matter. Again, the KeyID is merely an implementer convenience, rather than some form of risk reduction. % Need to update from md5 There are no known attacks on either Keyed-MD5 or HMAC-MD5, so there is no obvious reason for a user/operator to deploy SHA authentication (or OSPF with Digital Signatures). Also recall that SHA itself has published issues. % ripv2, no authentication of ip or udp headers. can change % source address and receiver will still think it's a valid % neighbor If MD5 authentication is enabled, packets can't be forged. If one wants something stronger, a completely different "Digital Signature" approach (analagous to that described in RFC-2154 for OSPF) is the right direction to head (as the RIPv2 Authentication RFC already says). None of the recent documents in IGP authentication make any moves towards use of Digital Signatures, probably because there is no visible user/operator interest in this. % We need a distributed keyserver and the ospf guys need it % even more than we do. This is entirely believable, not because it increases security, but because it solves real-world operational/deployment issues. One logical approach to this would be to use a key distribution center (e.g. Kerberos). While Kerberos can be complex to deploy on all hosts in a large campus network, largely because of varying administrative domains, Kerberos is reportedly straight forward to deploy among all routers within a single administrative domain (although obviously it requires ordinary planning and care in deployment). At least one very large multi-continent ISP had deployed Kerberos over 10 years ago. Two widely deployed brands of router have already shipped Kerberos support, so this approach might be easier to get router implementers to support. Folks interested in this might want to put together a "requirements" draft as a first step. % gathering a group of people to identify the needs and go and % beat on msec Agreed. Using work from the IETF MSEC WG is another reasonable approach to adding key management for IGPs. % Second draft, minimum cryptographic requirements. the fact is % cryptographic algorithms continue to be attacked. we need to % keep track of this. the idea of this document is to keep % modifying it but to track the minimum requirements for interoperability I see this document as largely valueless. Most users/operators aren't enabling any form of cryptographic authentication today, because their risk/threat environment makes that not sensible for their operational domain. The market (i.e. users and RFPs) drive which IETF specifications are widely implemented by equipment suppliers. The days when IETF recommendations were widely and automatically obeyed by product managers at many equipment vendors has been gone for more than a decade now. I am not aware of *any* known attacks on any deployed IGP with any form of cryptographic authentication configured. If someone has actually seen such himself/herself, please provide the details here as that would be significant news. Again, there are no known vulnerabilities in either Keyed-MD5 or HMAC-MD5, and it is not obvious that SHA is necessarily either better or stronger (although it is measurably more computationally expensive for the router trying to authenticate a received packet). So there is no obvious security reason for an operational site to deploy something other than MD5. Heck, many sites don't even go that far today because their risk/threat model doesn't need it. In summary, the actual *operational* issue that this group can make an impact with would be to specify some requirements (from an operator/user perspective) for IGP authentication key management (so that IGP authentication is easier to configure/deploy/manage), and then work with other appropriate groups (e.g. Kerberos, MSEC) to have those groups add the necessary capabilities in their protocols. It seems to me that this would be a much better focus. If folks really think that the current approaches to IGP authentication aren't adequate, then they really ought to consider working on adding "Digital Signature" support for RIPv2 + IS-IS and they also ought to be asking their router suppliers to implement RFC-2154 support. Yours, Ran Atkinson rja@extremenetworks.com _______________________________________________ OPSEC mailing list OPSEC@ietf.org https://www.ietf.org/mailman/listinfo/opsec
- [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- [OPSEC] Prospective issue with IPsec ESP-NULL & I… R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Vishwas Manral
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Vishwas Manral
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… R Atkinson
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] Prospective issue with IPsec ESP-NULL… Darrel Lewis (darlewis)
- Re: [OPSEC] minutes part 2 Darrel Lewis (darlewis)
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Bhatia, Manav (Manav)
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Glen Kent
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 RJ Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Joel Jaeggli
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- [OPSEC] FW: minutes part 2 Michael Barnes
- Re: [OPSEC] FW: minutes part 2 Smith, Donald
- Re: [OPSEC] FW: minutes part 2 Michael Barnes
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson
- Re: [OPSEC] minutes part 2 Vishwas Manral
- Re: [OPSEC] minutes part 2 R Atkinson