Re: [Rift] Security review of draft-ietf-rift-rift-05 is now complete
Tony Przygienda <tonysietf@gmail.com> Thu, 02 May 2019 07:25 UTC
Return-Path: <tonysietf@gmail.com>
X-Original-To: rift@ietfa.amsl.com
Delivered-To: rift@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF9F31202FD for <rift@ietfa.amsl.com>; Thu, 2 May 2019 00:25:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VcX0vrVssrvA for <rift@ietfa.amsl.com>; Thu, 2 May 2019 00:25:02 -0700 (PDT)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB9131202F9 for <rift@ietf.org>; Thu, 2 May 2019 00:25:01 -0700 (PDT)
Received: by mail-ed1-x534.google.com with SMTP id g57so1165036edc.12 for <rift@ietf.org>; Thu, 02 May 2019 00:25:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=yGF6P8xVfjDiWC4n7Ok8oG3UBGaf9crU6X83hGwP1zc=; b=iXf++oNn0H4RCoxebTsT9LakopakcATEkExdvGz/teCiW9ECmnA5cE4xQcRARePjDW wnISG8NQmc1ZvHf+fjsGSotBHNSvOjO1bdgTp5i5ZfLxjmLC6IeWytkMfSj+lewYeopB X5EgR2BLw7HmFSS31+3ZcY75SORfowcLv7DBLuR6r65cmHjkwvF52jnNDQjJ9WNvGleR AlbuYa46wdp6yZKx0NIxK+k1e+0l7TPzcPovcJo9TpbYT+4eqLL2GsIaQGp9TYxqfdrk mKIgms0BaUmogDXMxWFm5lE8PjJBOP98ucvqmsQzHZ5fS7NqpXb4N9HoT6c6mkQfSwbs AwpQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=yGF6P8xVfjDiWC4n7Ok8oG3UBGaf9crU6X83hGwP1zc=; b=mzHNREdmKqWhw09eJOcxst4m2q2d3mm4ICYD1xVH6laIsY/ZP6ylaVUydkB7JDqF3j 0czGQWmpkt8owbzVeqnF2CUrC2ABm6DgItqN7q0JljeKk9GtDrLt3KEOTfk4XVtkBV3O smBzk6JjxHbh3DxjxNO8sn4f/lJHEsc9cSdaqmligVdv0lGscX+neC6cBUpdZRxiWRLB tLidm88CpOcfbloBeQ+zgiTryV5EMLjw2niqR81Tf9UfHqM6JRmAKtgaWChrkGQogdmU Wr8OOgJ5xPXTAFlxzzQQtn1xNRjLO8FUU6vFIIJ6gNKvEIWNU6v94lUG7xmcvcC2tHec F4Lw==
X-Gm-Message-State: APjAAAUJplgUUg+fRQILfHTmI71kUa0pA38OI/KwwNNNN7mQIwazvgDD j49iE1y24Ohafck6qLWy82j+BcW/sViHgvRHWks=
X-Google-Smtp-Source: APXvYqwN5w1ciFAD2AleXK8Jd3OzarKvZokVKhocgxN/D9AzUpJty0qVxezfjLnMyTdzSZKD2fu9b8LdP2VUsu8N82Q=
X-Received: by 2002:a50:9441:: with SMTP id q1mr1467159eda.101.1556781900414; Thu, 02 May 2019 00:25:00 -0700 (PDT)
MIME-Version: 1.0
References: <0660FAD1-B80C-4D37-B4D6-6CE4F6759BCD@gmail.com> <7FAAD212-9335-4FD6-B064-0F7A25041177@gmail.com>
In-Reply-To: <7FAAD212-9335-4FD6-B064-0F7A25041177@gmail.com>
From: Tony Przygienda <tonysietf@gmail.com>
Date: Thu, 02 May 2019 00:24:24 -0700
Message-ID: <CA+wi2hMO985sJ1cC-dz_FCy_a6mza45g=EusiEPVgbjQR_YMFw@mail.gmail.com>
To: Bruno Rijsman <brunorijsman@gmail.com>
Cc: rift@ietf.org
Content-Type: multipart/alternative; boundary="0000000000002ac4fa0587e2881a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rift/pbYN0HTWjGtEIQanDmiGRqVXvJs>
Subject: Re: [Rift] Security review of draft-ietf-rift-rift-05 is now complete
X-BeenThere: rift@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Routing in Fat Trees <rift.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rift>, <mailto:rift-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rift/>
List-Post: <mailto:rift@ietf.org>
List-Help: <mailto:rift-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rift>, <mailto:rift-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 May 2019 07:25:05 -0000
2.3.1. So filled in a bit of the missing details on the nonce interpretation in LIEs. In fact, the draft on bitbucket says currently "... Any secure implementation MUST discard packets where its local nonce is not correctly mirrored but it may choose to either refuse forming an adjacency with an implementation not advertising signatures or valid nonces or simply keep on signing local packets while accepting neighbor's packets without further verification beside checking for proper nonce reflection. As a necessary exception, an implementation MUST advertise `undefined_nonce` for remote nonce value when the FSM is not in 2-way or 3-way state and accept an `undefined_nonce` for its local nonce value on packets in any other state than 3-way. " With that being said it looks to me like 2.3.1 attack is not possible. a 3-way will keep steady and not care whetehr any LIEs with 0 nonce are replayed and just ignore them. Maybe language needs bit clarification 2.3.2 is correct, it's a limited DoS attack on the protocol, kind of as intended. Perfect security including perfect replay security is often more expensive than what is being protected here like bits of extra CPU (where re-flooding is dampened). Usual security mantra: the safe has to be less expesive than what's inside but cost more to crack than what's in it, otherwise security does not make economic sense ;-) 2.3.3 is correct as well, just like in 2.3.2 increasing nonces on every TIDE is possible of course and would close that window but we have to chat about the performance implications. So I agree with sentiment but experience/scar tissue speaks against the sentiment. 2.5.2 is solved by Appendix A explaining rollover in detail. What needs to be added, just the "roll-over over 0?" ... We may have a problem with 0 being "undefined nonce" already, bares discussing out ... Maybe we need add that on rollover when 0 is the value, it must immediately go to 1? 2.6. yes, spec was missing the new text I wrote above. That should prevent replays to shut down a 3-way and take care of the problem you describe. 2.6.2 is interesting, what your take? we have to always check the outer key before looking @ nonce. I thought taht was understood but we can add text ... 2.7 Your table says it all, having SHA-265 (which isn't very strong) doing only 20K @ 9K MTU is a problem so I disagree with your conclusion. SHA-512 doing 14K is way lower than flooding rates I see easily now so sorry, it's way, way too slow ... AFAIK MD5 is already history even as signature and AFAIR e.g. for FIPS not allowed. Yes, asymmetric signing is very slow, validation is much faster AFAIU. So yes, nothing changed, doing 100K @ couple KB packets doing serious signatures is too expensive. Maybe we can make the delta configurable but then you'll have very fragile adjhacency configuration. An implementation can BTW easily put a knob like that in ... 2.9. I think the correct way to distribute certificaties inline is KV ! The KV draft is still pending to be written and it's a great topic for that BTW ... ;-) 2.10 is a good optimization, given especially that the object is the biggest part so flooding out we'll save tons of CPU when outer envelope (lifetime) changes. Should we include that? 2.11 section 5.4.3 is really not something that needs to be spefcified. It's how the implemenation chooses to scope keys, can be per adjacency, can be global. It's local behavior 3.2 a) relying on strictly increasing numbers reads well but is fragile from deployment experience on PNNI. One lost or misordered packets can reset adjacency, pretty disastrous so many implementation have interesting "additions" to deal with that AFAIR which amount to delta on nonces we use in some variant ;-) Deployment experience & scar tissue. Link state protocols do misorder and they loose, it's a fact of life. The faster you go the worse it gets and loosing an adjacnecy can cause quite sensational amount of flooding on normal protocols and given disaggregation, even in RIFT can be costly. In deployments normnally, "do not loose adjacenies" is much, much more important than "perfect replay security" ... b) if you use different nonces for TIE/TIDE and so on you'd have to negotiate them per packet type? That's infeasible IMO. c) I need to read up the karp-ospf-ip draft again. AFAIR it was complex but I forgot details. will come back and let's see whether there are more comments on the list ... So, security folks, fire away, I think the analysis is very, very thorough and the few points raised need shaking out ... --- tony On Wed, May 1, 2019 at 9:43 AM Bruno Rijsman <brunorijsman@gmail.com> wrote: > My security review of draft-ietf-rift-rift-05 is now complete and > available at http://bit.ly/rift-security-review > > — Bruno > > On Apr 23, 2019, at 10:41 AM, Bruno Rijsman <brunorijsman@gmail.com> > wrote: > > PS: Due to other activities, it will take me a week or two to finish the > write-up of my comments on the security section of the RIFT draft. I want > to make sure my write-up is accurate and complete before I send it out, > because some of my comments are quite subtle or opinionated. > > — Bruno > > > _______________________________________________ > RIFT mailing list > RIFT@ietf.org > https://www.ietf.org/mailman/listinfo/rift >
- [Rift] 2 weeks for comments on security section Bruno Rijsman
- [Rift] Security review of draft-ietf-rift-rift-05… Bruno Rijsman
- Re: [Rift] Security review of draft-ietf-rift-rif… Tony Przygienda
- Re: [Rift] Security review of draft-ietf-rift-rif… Tony Przygienda
- Re: [Rift] Security review of draft-ietf-rift-rif… Tony Przygienda