Re: [Pce] Eric Rescorla's Discuss on draft-ietf-pce-rfc6006bis-03: (with DISCUSS)
Dhruv Dhody <dhruv.dhody@huawei.com> Thu, 31 August 2017 16:16 UTC
Return-Path: <dhruv.dhody@huawei.com>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32F36126C7A; Thu, 31 Aug 2017 09:16:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WtUXo8lQQv3h; Thu, 31 Aug 2017 09:16:32 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B398E1200F3; Thu, 31 Aug 2017 09:16:31 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml706-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DUN63714; Thu, 31 Aug 2017 16:16:29 +0000 (GMT)
Received: from BLREML405-HUB.china.huawei.com (10.20.4.41) by lhreml706-cah.china.huawei.com (10.201.108.47) with Microsoft SMTP Server (TLS) id 14.3.301.0; Thu, 31 Aug 2017 17:16:27 +0100
Received: from BLREML501-MBX.china.huawei.com ([10.20.5.198]) by BLREML405-HUB.china.huawei.com ([10.20.4.41]) with mapi id 14.03.0301.000; Thu, 31 Aug 2017 21:46:17 +0530
From: Dhruv Dhody <dhruv.dhody@huawei.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: The IESG <iesg@ietf.org>, "draft-ietf-pce-rfc6006bis@ietf.org" <draft-ietf-pce-rfc6006bis@ietf.org>, "pce@ietf.org" <pce@ietf.org>, "pce-chairs@ietf.org" <pce-chairs@ietf.org>, Deborah A Brungard <db3546@att.com>, 'Kathleen Moriarty' <Kathleen.Moriarty.ietf@gmail.com>
Thread-Topic: [Pce] Eric Rescorla's Discuss on draft-ietf-pce-rfc6006bis-03: (with DISCUSS)
Thread-Index: AQHTIemYlPnoklGpikO+FkbXiWyMaaKd+HEQgAAWB4CAAJXkIA==
Date: Thu, 31 Aug 2017 16:16:17 +0000
Message-ID: <23CE718903A838468A8B325B80962F9B8CBBDA19@blreml501-mbx>
References: <150413650442.16888.3965748412519528441.idtracker@ietfa.amsl.com> <23CE718903A838468A8B325B80962F9B8CBBD650@blreml501-mbx> <CABcZeBMYziPTDkc5s09yvuBDvkV9d8EHXOtBgZgabWdfvukD2g@mail.gmail.com>
In-Reply-To: <CABcZeBMYziPTDkc5s09yvuBDvkV9d8EHXOtBgZgabWdfvukD2g@mail.gmail.com>
Accept-Language: en-GB, zh-CN, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.18.76.121]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A090203.59A8365D.00DF, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 9cf6ed20cf40e378986e3d98e007d9a2
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/ldBjfua4gUBJTNqbMcM40Al5Thw>
Subject: Re: [Pce] Eric Rescorla's Discuss on draft-ietf-pce-rfc6006bis-03: (with DISCUSS)
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Aug 2017 16:16:35 -0000
Hi Eric,
Let me take one more stab at it -
5. Security Considerations
As described in [RFC5862], P2MP path computation requests are more
CPU-intensive and also utilize more link bandwidth. In the event of
an unauthorized P2MP path computation request, or a denial of service
attack, the subsequent PCEP requests and processing may be disruptive
to the network. Consequently, it is important that implementations
conform to the relevant security requirements that specifically help
to minimize or negate unauthorized P2MP path computation requests and
denial of service attacks. These mechanisms include:
o Securing the PCEP session requests and responses is RECOMMENDED
using TCP security techniques such as TCP Authentication Option
(TCP-AO) [RFC5925] or using Transport Layer Security (TLS) [I-
D.ietf-pce-pceps], as per the recommendations and best current
practices in [RFC7525].
o Authenticating the PCEP requests and responses to ensure the
message is intact and sent from an authorized node using TCP-AO or
TLS is RECOMMENDED.
o Providing policy control by explicitly defining which PCCs, via IP
access-lists, are allowed to send P2MP path requests to the PCE.
PCEP operates over TCP, so it is also important to secure the PCE and
PCC against TCP denial of service attacks.
As stated in [RFC6952], PCEP implementations should support TCP-AO
[RFC5925] and not use TCP-MD5 because of the known vulnerabilities
and weakness.
What do you think?
Regards,
Dhruv
------------
From: Eric Rescorla [mailto:ekr@rtfm.com]
Sent: 31 August 2017 18:17
To: Dhruv Dhody <dhruv.dhody@huawei.com>
Cc: The IESG <iesg@ietf.org>; draft-ietf-pce-rfc6006bis@ietf.org; pce@ietf.org; pce-chairs@ietf.org
Subject: Re: [Pce] Eric Rescorla's Discuss on draft-ietf-pce-rfc6006bis-03: (with DISCUSS)
No, not really. You're still citing to 5440 which has the TCP-MD5 stuff, and there's no requirement to use AO. I think what's needed here is a normative requirement for something strong than TCP-MD5. I defer to the WG on what that should be, but it's really not OK to keep using TCP-MD5 as our basic security measure for TCP connections for routing protocols
-Ekr
On Thu, Aug 31, 2017 at 12:36 AM, Dhruv Dhody <dhruv.dhody@huawei.com> wrote:
Hi Eric,
> -----Original Message-----
> From: Pce [mailto:pce-bounces@ietf.org] On Behalf Of Eric Rescorla
> Sent: 31 August 2017 05:12
> To: The IESG <iesg@ietf.org>
> Cc: draft-ietf-pce-rfc6006bis@ietf.org; pce@ietf.org; pce-chairs@ietf.org
> Subject: [Pce] Eric Rescorla's Discuss on draft-ietf-pce-rfc6006bis-03:
> (with DISCUSS)
>
> Eric Rescorla has entered the following ballot position for
> draft-ietf-pce-rfc6006bis-03: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-pce-rfc6006bis/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> The Security Considerations is worrisome, as it points to RFC 5440;
> Section 10.2, which basically recommends TCP-MD5:
>
> At the time of writing, TCP-MD5 [RFC2385] is the only available
> security mechanism for securing the TCP connections that underly PCEP
> sessions.
>
> As explained in [RFC2385], the use of MD5 faces some limitations and
> does not provide as high a level of security as was once believed. A
> PCEP implementation supporting TCP-MD5 SHOULD be designed so that
> stronger security keying techniques or algorithms that may be
> specified for TCP can be easily integrated in future releases.
>
> The TCP Authentication Option [TCP-AUTH] (TCP-AO) specifies new
> security procedures for TCP, but is not yet complete. Since it is
> believed that [TCP-AUTH] will offer significantly improved security
> for applications using TCP, implementers should expect to update
> their implementation as soon as the TCP Authentication Option is
> published as an RFC.
>
> Implementations MUST support TCP-MD5 and should make the security
> function available as a configuration option.
>
> TCP-AO has now been published as an RFC for quite some time, so it's
> probably not really appropriate to just point to a document which
> recommends TCP-MD5.
>
[[Dhruv Dhody]] Let me know if this change is okay -
OLD:
5. Security Considerations
As described in [RFC5862], P2MP path computation requests are more
CPU-intensive and also utilize more link bandwidth. In the event of
an unauthorized P2MP path computation request, or a denial of service
attack, the subsequent PCEP requests and processing may be disruptive
to the network. Consequently, it is important that implementations
conform to the relevant security requirements of [RFC5440] that
specifically help to minimize or negate unauthorized P2MP path
computation requests and denial of service attacks. These mechanisms
include:
o Securing the PCEP session requests and responses using TCP
security techniques (Section 10.2 of [RFC5440]).
o Authenticating the PCEP requests and responses to ensure the
message is intact and sent from an authorized node (Section 10.3
of [RFC5440]).
o Providing policy control by explicitly defining which PCCs, via IP
access-lists, are allowed to send P2MP path requests to the PCE
(Section 10.6 of [RFC5440]).
PCEP operates over TCP, so it is also important to secure the PCE and
PCC against TCP denial of service attacks. Section 10.7.1 of
[RFC5440] outlines a number of mechanisms for minimizing the risk of
TCP based denial of service attacks against PCEs and PCCs.
PCEP implementations SHOULD consider the additional security provided
by Transport Layer Security (TLS) [I-D.ietf-pce-pceps].
NEW:
5. Security Considerations
As described in [RFC5862], P2MP path computation requests are more
CPU-intensive and also utilize more link bandwidth. In the event of
an unauthorized P2MP path computation request, or a denial of service
attack, the subsequent PCEP requests and processing may be disruptive
to the network. Consequently, it is important that implementations
conform to the relevant security requirements that specifically help
to minimize or negate unauthorized P2MP path computation requests and
denial of service attacks. These mechanisms include:
o Securing the PCEP session requests and responses using TCP
security techniques such as TCP Authentication Option (TCP-AO)
[RFC5925] or using Transport Layer Security (TLS) [I-D.ietf-pce-
pceps], as per the recommendations and best current practices in
[RFC7525].
o Authenticating the PCEP requests and responses to ensure the
message is intact and sent from an authorized node using TCP-AO or
TLS.
o Providing policy control by explicitly defining which PCCs, via IP
access-lists, are allowed to send P2MP path requests to the PCE
(Section 10.6 of [RFC5440]).
PCEP operates over TCP, so it is also important to secure the PCE and
PCC against TCP denial of service attacks. Section 10.7.1 of
[RFC5440] outlines a number of mechanisms for minimizing the risk of
TCP based denial of service attacks against PCEs and PCCs.
END
Thanks,
Dhruv
>
>
>
> _______________________________________________
> Pce mailing list
> Pce@ietf.org
> https://www.ietf.org/mailman/listinfo/pce
- [Pce] Eric Rescorla's Discuss on draft-ietf-pce-r… Eric Rescorla
- Re: [Pce] Eric Rescorla's Discuss on draft-ietf-p… Dhruv Dhody
- Re: [Pce] Eric Rescorla's Discuss on draft-ietf-p… Eric Rescorla
- Re: [Pce] Eric Rescorla's Discuss on draft-ietf-p… Dhruv Dhody