Re: [Pce] Roman Danyliw's Discuss on draft-ietf-pce-stateful-pce-p2mp-12: (with DISCUSS)

Roman Danyliw <rdd@cert.org> Fri, 12 April 2019 12:28 UTC

Return-Path: <rdd@cert.org>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31E2C1202C5; Fri, 12 Apr 2019 05:28:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8ivMUb0hBkWo; Fri, 12 Apr 2019 05:28:51 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 350CF1201B2; Fri, 12 Apr 2019 05:28:50 -0700 (PDT)
Received: from korb.sei.cmu.edu (korb.sei.cmu.edu [10.64.21.30]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x3CCSeSK014882; Fri, 12 Apr 2019 08:28:40 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu x3CCSeSK014882
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1555072121; bh=ZZrlRSY0i6CZBUo9LwdLQhoIKvcN43p+zqRr3YkdJRg=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=OaOd+cmHVdzos8cPzstj2eRzc4+uFuGqbXDMkeCPIfnZoSMaOBdn9rapYpIJ9VQ78 Crk9T77l9E65wcOmhZw1X8Zc6NgdxR9SiEkEaLyjYYm8MNkJuZTIjEZpwnXmOTZtOG RHMb4pKDQbwwAXufpimD/BVykICe0jCVROc8FSZU=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by korb.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id x3CCSVch003614; Fri, 12 Apr 2019 08:28:31 -0400
Received: from MARCHAND.ad.sei.cmu.edu ([10.64.28.251]) by CASSINA.ad.sei.cmu.edu ([10.64.28.249]) with mapi id 14.03.0435.000; Fri, 12 Apr 2019 08:28:30 -0400
From: Roman Danyliw <rdd@cert.org>
To: Dhruv Dhody <dhruv.dhody@huawei.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-pce-stateful-pce-p2mp@ietf.org" <draft-ietf-pce-stateful-pce-p2mp@ietf.org>, "pce@ietf.org" <pce@ietf.org>, "pce-chairs@ietf.org" <pce-chairs@ietf.org>
Thread-Topic: [Pce] Roman Danyliw's Discuss on draft-ietf-pce-stateful-pce-p2mp-12: (with DISCUSS)
Thread-Index: AQHU76ntQr0ahYBHQUivFIUWFCvqGKY2qC8AgAHOpMA=
Date: Fri, 12 Apr 2019 12:28:29 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC01B332A3B7@marchand>
References: <155490660734.22896.13528098840634992626.idtracker@ietfa.amsl.com> <23CE718903A838468A8B325B80962F9B8DA107E0@BLREML503-MBS.china.huawei.com>
In-Reply-To: <23CE718903A838468A8B325B80962F9B8DA107E0@BLREML503-MBS.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/bCwTmY59kteSxUvjUo4yTmkFM2o>
Subject: Re: [Pce] Roman Danyliw's Discuss on draft-ietf-pce-stateful-pce-p2mp-12: (with DISCUSS)
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Apr 2019 12:28:54 -0000

Hi!

> -----Original Message-----
> From: Dhruv Dhody [mailto:dhruv.dhody@huawei.com]
> Sent: Thursday, April 11, 2019 12:52 AM
> To: Roman Danyliw <rdd@cert.org>; The IESG <iesg@ietf.org>
> Cc: draft-ietf-pce-stateful-pce-p2mp@ietf.org; pce@ietf.org; pce-
> chairs@ietf.org
> Subject: RE: [Pce] Roman Danyliw's Discuss on draft-ietf-pce-stateful-pce-
> p2mp-12: (with DISCUSS)
> 
> Hi Ramon,
> 
> Thanks for your review.
> 
> Here is the proposed update -
> 
> 12.  Security Considerations
> 
>    The stateful operations on P2MP TE LSPs are more CPU-intensive and
>    also utilize more bandwidth on wire (in comparison to P2P TE LSPs).
>    If a rogue PCC were able to request unauthorized stateful PCE
>    operations then it may be able to mount a DoS attack against a PCE,
>    which would disrupt the network and deny service to other PCCs.
>    Similarly an attacker may flood the PCC with PCUpd messages at a rate
>    that exceeds either the PCC's ability to process them or the
>    network's ability to signal the changes, by either spoofing messages
>    or compromising the PCE itself.
> 
>    Consequently, it is important that implementations conform to the
>    relevant security requirements as listed below -
> 
>    o  As per [RFC8231], it is RECOMMENDED that these PCEP extensions
>       only be activated on authenticated and encrypted sessions across
>       PCEs and PCCs belonging to the same administrative authority,
>       using Transport Layer Security (TLS) [RFC8253], as per the
>       recommendations and best current practices in [RFC7525] (unless
>       explicitly set aside in [RFC8253]).
> 
>    o  Security considerations for path computation requests and
>       responses are as per [RFC8306].
> 
>    o  Security considerations for stateful operations (such as state
>       report, synchronization, delegation, update, etc.) are as per
>       [RFC8231].
> 
>    o  Security considerations for LSP instantiation mechanism are as per
>       [RFC8231].
> 
>    o  Security considerations as stated in Section 10.1, Section 10.6,
>       and Section 10.7 of [RFC5440] continue to apply.

This text is very clear and addresses my concerns.  I see that it is in -13 so I'll clear the DISCUSS.

Thank you for this change.

Roman

> 
> More inline -
> 
> > -----Original Message-----
> > From: Pce [mailto:pce-bounces@ietf.org] On Behalf Of Roman Danyliw via
> > Datatracker
> > Sent: 10 April 2019 20:00
> > To: The IESG <iesg@ietf.org>
> > Cc: draft-ietf-pce-stateful-pce-p2mp@ietf.org; pce@ietf.org; pce-
> > chairs@ietf.org
> > Subject: [Pce] Roman Danyliw's Discuss on draft-ietf-pce-stateful-pce-
> > p2mp-12: (with DISCUSS)
> >
> > Roman Danyliw has entered the following ballot position for
> > draft-ietf-pce-stateful-pce-p2mp-12: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut
> > this introductory paragraph, however.)
> >
> >
> > Please refer to
> > https://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-pce-stateful-pce-p2mp/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > The Security Considerations section has numerous helpful and
> > appropriate references.  Thanks for tracking them down.  However,
> > explicit, additional text is required to help identify, de-duplicate
> > and deconflict the “relevant guidance” provided by them.
> >
> > (1) Per “it is important that implementations conform to the relevant
> > security requirements of [RFC5440], [RFC8306] and [RFC8231], and
> > [RFC8281]”:
> >
> > ** [RFC8231] says “RECOMMENDED that these PCEP extensions only be
> > activated on authenticated and encrypted sessions across PCEs and PCCs
> > belonging to the same administrative authority, using Transport Layer
> > Security (TLS) [PCEPS], as per the recommendations and best current
> > practices in [RFC7525]”.  Good language.
> > This draft again re-states “Securing the PCEP session using Transport
> > Layer Security (TLS) [RFC8253], as per the recommendations and best
> > current practices in [RFC7525], is RECOMMENDED.”  Why say that twice?
> > Is there something new there?
> >
> 
> [[Dhruv Dhody]] Used the text from RFC8231.
> 
> > ** Per Section 10.4 of RFC5440 from 2009, IPSec is a MAY and Section
> > 10.2 makes
> > TCP-MD5 a MUST.  The more recent (2017) RFC8306 and RFC8253
> reference
> > TLS and TCP-AO, no IPSec.  RFC8306 explicitly says don’t use TCP-MD5.
> > What is the RECOMMENDED approach today?
> >
> > (2) Per “[s]ecuring the PCEP session using Transport Layer Security
> > (TLS) [RFC8253], as per the recommendations and best current practices
> > in [RFC7525], is RECOMMENDED”, how should the guidance on both of
> these
> > drafts be synthesized?
> 
> [[Dhruv Dhody]] Added "(unless explicitly set aside in [RFC8253])".
> 
> > Specifically, this sentence is unclear on whether the the robust TLS
> > 1.2 requirements in Section 3.4 of RFC8253 are RECOMMENDED, and/or
> > whether the Security Considerations/Section 7 of RFC8253, which
> > undermine these robust requirements by saying administrators MAY allow
> > the usage weak ciphersuites, apply.
> 
> [[Dhruv Dhody]] Section 3.4 of RFC8253 says -
> 
>        *  Negotiation of a ciphersuite providing for confidentiality is
>           RECOMMENDED.
> 
> Then, Section 7 says -
> 
>    Some TLS ciphersuites only provide integrity validation of their
>    payload and provide no encryption; such ciphersuites SHOULD NOT be
>    used by default.  Administrators MAY allow the usage of these
>    ciphersuites after careful weighting of the risk of relevant internal
>    data leakage that can occur in such a case, as explicitly stated by
>    [RFC6952].
> 
> The 'MAY' in the above text is to optionally allow going against something
> that is 'RECOMMENDED' with a suitable guidance. In my reading that is
> okay. Am I missing something?
> 
> > This
> > sentence also cites RFC7525 which makes statements that weak
> > (NULL) cipher suites MUST NOT be negotiated in contradiction to the
> > RFC8253 Section 7 guidance.
> >
> [[Dhruv Dhody]] This is taken care by "(unless explicitly set aside in
> [RFC8253])" in the proposed update.
> 
> > Given the discussion of TLs, some additional treatment of TLS v1.3 is
> > needed, recognizing that RFC7525 does recommend “v1.2+”
> >
> [[Dhruv Dhody]] Both RFC8253 and RFC7525 say TLS1.2 or later; not sure if
> we need to say more in this I-D (a very specific P2MP extension).
> 
> > Again, there is helpful guidance across all of the references.  Please
> > provide more textually narrative about which specific sections apply
> > on the references.
> >
> >
> [[Dhruv Dhody]] See proposed text.
> 
> If the new text needs further changes, it would be very helpful if you could
> include the changes you would like to see.
> 
> Thanks for your review!
> 
> Regards!
> Dhruv
> 
> >
> >
> > _______________________________________________
> > Pce mailing list
> > Pce@ietf.org
> > https://www.ietf.org/mailman/listinfo/pce