Re: [OSPF] Kathleen Moriarty's Discuss on draft-ietf-ospf-prefix-link-attr-10: (with DISCUSS)
"Acee Lindem (acee)" <acee@cisco.com> Tue, 18 August 2015 19:42 UTC
From: "Acee Lindem (acee)" <acee@cisco.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 18 Aug 2015 19:42:46 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/ospf/65HnLc8quS1Uew459_NEOFoi34U>
Cc: "ospf@ietf.org" <ospf@ietf.org>, "draft-ietf-ospf-prefix-link-attr@ietf.org" <draft-ietf-ospf-prefix-link-attr@ietf.org>, "draft-ietf-ospf-prefix-link-attr.shepherd@ietf.org" <draft-ietf-ospf-prefix-link-attr.shepherd@ietf.org>, "draft-ietf-ospf-prefix-link-attr.ad@ietf.org" <draft-ietf-ospf-prefix-link-attr.ad@ietf.org>, The IESG <iesg@ietf.org>, "ospf-chairs@ietf.org" <ospf-chairs@ietf.org>

On 8/18/15, 3:38 PM, "Kathleen Moriarty" <kathleen.moriarty.ietf@gmail.com> wrote:

>On Tue, Aug 18, 2015 at 3:35 PM, Acee Lindem (acee) <acee@cisco.com> wrote:
>> Hi Kathleen,
>>
>> On 8/18/15, 1:54 PM, "Kathleen Moriarty" <kathleen.moriarty.ietf@gmail.com> wrote:
>>
>>>Acee,
>>>
>>>On Tue, Aug 18, 2015 at 1:20 PM, Acee Lindem (acee) <acee@cisco.com> wrote:
>>>> Hi Kathleen,
>>>>
>>>> On 8/18/15, 10:57 AM, "Kathleen Moriarty" <kathleen.moriarty.ietf@gmail.com> wrote:
>>>>
>>>>>Thank you for your quick response, Acee. I just have one tweak inline
>>>>>that is usually important from a security standpoint.
>>>>>
>>>>>On Mon, Aug 17, 2015 at 6:46 PM, Acee Lindem (acee) <acee@cisco.com> wrote:
>>>>>> Hi Kathleen,
>>>>>> Here are the updated “Security Considerations” after addressing
>>>>>> Alvaro’s comments.
>>>>>>
>>>>>> 6. Security Considerations
>>>>>>
>>>>>> In general, new LSAs defined in this document are subject to the same
>>>>>> security concerns as those described in [OSPFV2] and [OPAQUE].
>>>>>>
>>>>>> OSPFv2 applications utilizing these OSPFv2 extensions must define the
>>>>>> security considerations relating to those applications in the
>>>>>> specifications corresponding to those applications.
>>>>>>
>>>>>> Additionally, implementations must assure that malformed TLV and Sub-
>>>>>> TLV permutations are detected and do not provide a vulnerability for
>>>>>> attackers to crash the OSPFv2 router or routing process. Malformed
>>>>>> LSAs MUST NOT be stored in the Link State Database (LSDB),
>>>>>> acknowledged, or reflooded. Reception of malformed LSAs SHOULD be
>>>>>> counted or logged for further analysis.
>>>>>
>>>>>Can you add in a sentence that says something to the effect of:
>>>>>
>>>>>Only valid TLVs and Sub-TLVs may be processed according to
>>>>>specifications in section 2.
>>>>
>>>> This depends on how you define “valid”. For extendability, an
>>>> implementation considers any TLV or Sub-TLV that is properly formed as
>>>> valid. Of course, it only uses the TLV and Sub-TLVs that it knows how to
>>>> interpret. Hence, the LSA will be considered valid and be stored in the
>>>> LSDB and reflooded. This is the reason for using a TLV based encoding.
>>>>
>>>
>>>Do you have alternate text to propose to get the same point across?
>>
>> I think that the text indicating not to store, acknowledge, or
>> re-advertise LSAs with malformed TLVs will suffice. The handling of
>> unknown TLVs, Sub-TLVs, and opaque types is well-known to those skilled in
>> the art.
>
>I was hoping for text in the positive direction, meaning that you
>accept what is valid and the rest is not valid or malformed and
>therefore not accepted. You avoid potential problems this way with
>unexpected conditions being reached. Can you change the text a
>little?

Actually we do not accept an LSA if it is malformed so the acceptance
granularity is always at the LSA level. Opaque types, TLVs, and Sub-TLVs
that are unrecognized are accepted as long as they can be parsed
successfully.

What do you suggest?

Thanks,
Acee

>
>Thanks,
>Kathleen
>
>>
>> Thanks,
>> Acee
>>
>>>
>>>Thanks,
>>>Kathleen
>>>
>>>>>
>>>>>Something similar for LSAs as well.
>>>>
>>>> Opaque LSAs [RFC 5250] are valid even if the opaque type is not
>>>> recognized.
>>>>
>>>> Thanks,
>>>> Acee
>>>>
>>>>>
>>>>>A variation of that is fine. The main point being that you usually
>>>>>want to accept only what is valid in a programming sense because if
>>>>>you look for the malformed, you could miss something and wind up with
>>>>>an unexpected condition as opposed to only accepting what is valid.
>>>>>
>>>>>Thank you,
>>>>>Kathleen
>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> Acee
>>>>>>
>>>>>> On 8/17/15, 4:06 PM, "Kathleen Moriarty" <Kathleen.Moriarty.ietf@gmail.com> wrote:
>>>>>>
>>>>>>>Kathleen Moriarty has entered the following ballot position for
>>>>>>>draft-ietf-ospf-prefix-link-attr-10: Discuss
>>>>>>>
>>>>>>>When responding, please keep the subject line intact and reply to all
>>>>>>>email addresses included in the To and CC lines. (Feel free to cut this
>>>>>>>introductory paragraph, however.)
>>>>>>>
>>>>>>>Please refer to
>>>>>>>https://www.ietf.org/iesg/statement/discuss-criteria.html
>>>>>>>for more information about IESG DISCUSS and COMMENT positions.
>>>>>>>
>>>>>>>The document, along with other ballot positions, can be found here:
>>>>>>>https://datatracker.ietf.org/doc/draft-ietf-ospf-prefix-link-attr/
>>>>>>>
>>>>>>>----------------------------------------------------------------------
>>>>>>>DISCUSS:
>>>>>>>----------------------------------------------------------------------
>>>>>>>
>>>>>>>Thanks for your work on this draft.
>>>>>>>
>>>>>>>I have questions along the lines that Alvaro raised on the last sentence
>>>>>>>of the Security Considerations section, but in context of security, this
>>>>>>>is something that should be discussed.
>>>>>>>
>>>>>>>   "Additionally,
>>>>>>>   implementations must assure that malformed TLV and Sub-TLV
>>>>>>>   permutations do not result in errors that cause hard OSPF failures."
>>>>>>>
>>>>>>>It would be very helpful to expand upon this statement. Are there
>>>>>>>exploits that could result as well? Should this instead be scoped in
>>>>>>>terms of what is valid so that the appropriate actions occur consistently
>>>>>>>when an invalid or malformed TLV or sub-TLV are received? I would think
>>>>>>>the answer to the last question would clarify this enough for this
>>>>>>>security consideration and if that's not possible, can you explain what
>>>>>>>I'm missing?
>>>>>>>
>>>>>>>Thank you.
>>>>>>>
>>>>>>
>>>>>
>>>>>--
>>>>>
>>>>>Best regards,
>>>>>Kathleen
>>>>
>>>
>>>--
>>>
>>>Best regards,
>>>Kathleen
>>
>
>--
>
>Best regards,
>Kathleen
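
An added sketch, not code from this thread or from the draft, of the behaviour discussed above: acceptance is decided per LSA, any TLV or Sub-TLV that cannot be parsed rejects the whole LSA (counted, not stored), and well-formed but unrecognized types are kept and skipped. The TLV layout, `KNOWN_TLV`, `KNOWN_FIXED`, `lsa_stats` and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed encoding: 16-bit type, 16-bit value length, value zero-padded to
 * a 4-octet boundary (padding not counted in the length). */
#define KNOWN_TLV   1u /* assumed: the only type this sketch interprets */
#define KNOWN_FIXED 8u /* assumed: its fixed fields; Sub-TLVs follow */

struct lsa_stats { unsigned malformed, stored, unknown_skipped; };

/* Return 0 only if every TLV and nested Sub-TLV in buf[0..len) parses;
 * unrecognized types are counted and skipped, never treated as errors. */
static int tlv_walk(const uint8_t *buf, size_t len, int top, unsigned *unknown)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 4) return -1;          /* truncated header */
        unsigned type = ((unsigned)buf[off] << 8) | buf[off + 1];
        size_t vlen = ((size_t)buf[off + 2] << 8) | buf[off + 3];
        size_t padded = (vlen + 3u) & ~(size_t)3u;
        off += 4;
        if (padded > len - off) return -1;     /* value overruns its parent */
        if (top && type == KNOWN_TLV) {
            if (vlen < KNOWN_FIXED) return -1; /* too short for fixed part */
            if (tlv_walk(buf + off + KNOWN_FIXED, vlen - KNOWN_FIXED, 0, unknown))
                return -1;
        } else {
            (*unknown)++;
        }
        off += padded;
    }
    return 0;
}

/* Decision is per LSA: 1 = store/acknowledge/reflood, 0 = drop and count. */
int lsa_accept(const uint8_t *body, size_t len, struct lsa_stats *st)
{
    unsigned unknown = 0;
    if (tlv_walk(body, len, 1, &unknown) != 0) { st->malformed++; return 0; }
    st->stored++;
    st->unknown_skipped += unknown;
    return 1;
}

/* Constructed samples: known TLV with one Sub-TLV, then an unknown TLV. */
const uint8_t sample_ok[] = { 0,1,0,16, 1,24,0,0,192,0,2,0, 0,99,0,4,1,2,3,4,
                              0x7f,0xff,0,3, 9,9,9,0 };
/* Constructed: same TLV, but the Sub-TLV claims 64 octets of value. */
const uint8_t sample_bad[] = { 0,1,0,16, 1,24,0,0,192,0,2,0, 0,99,0,64,1,2,3,4 };
```

The walk finishes before any state is touched, so a bad Sub-TLV late in the body cannot leave earlier TLVs half applied.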