Re: [Last-Call] Tsvart telechat review of draft-ietf-bfd-unaffiliated-echo-12

Jeffrey Haas <jhaas@pfrc.org> Thu, 17 October 2024 19:49 UTC

Return-Path: <jhaas@pfrc.org>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15245C1C637B; Thu, 17 Oct 2024 12:49:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lcLS4PDOnpVk; Thu, 17 Oct 2024 12:49:05 -0700 (PDT)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id 48642C1D4CC6; Thu, 17 Oct 2024 12:49:05 -0700 (PDT)
Received: from smtpclient.apple (172-125-100-52.lightspeed.livnmi.sbcglobal.net [172.125.100.52]) by slice.pfrc.org (Postfix) with ESMTPSA id D4EBA1E039; Thu, 17 Oct 2024 15:49:04 -0400 (EDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_BFBA744A-59A8-47E5-B370-E0FAC376FFAA"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.8\))
Subject: Re: [Last-Call] Tsvart telechat review of draft-ietf-bfd-unaffiliated-echo-12
From: Jeffrey Haas <jhaas@pfrc.org>
In-Reply-To: <CA+RyBmWri06cV7dJqXEKbd4rKiS6L-V_UM5FmyXfuQdqenAv9g@mail.gmail.com>
Date: Thu, 17 Oct 2024 15:49:04 -0400
Message-Id: <ECE191E1-A909-4041-8ABC-A98972627FB1@pfrc.org>
References: <172900211105.1006979.13185411143316403177@dt-datatracker-78dc5ccf94-w8wgc> <20241015204357.GA20184@unix-ag.uni-kl.de> <A1ABD509-5033-450D-BDEA-997A17E5B029@trammell.ch> <0C014316-CA00-4E4B-9DF2-98E2D057BD0D@pfrc.org> <CA+RyBmU0s=hj9tsFrWtx=pPqOKJe_p1k2r4vq0Un-tfY9gGo8g@mail.gmail.com> <D9F420E8-9C41-4EBB-B604-703D23BAD063@pfrc.org> <CA+RyBmWri06cV7dJqXEKbd4rKiS6L-V_UM5FmyXfuQdqenAv9g@mail.gmail.com>
To: Greg Mirsky <gregimirsky@gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.8)
Message-ID-Hash: OK47LCGY6XWWCAIX2XF5PPYIHY6GDUQK
X-Message-ID-Hash: OK47LCGY6XWWCAIX2XF5PPYIHY6GDUQK
X-MailFrom: jhaas@pfrc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-rtg-bfd.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "Brian Trammell (IETF)" <ietf@trammell.ch>, Erik Auerswald <auerswal@unix-ag.uni-kl.de>, tsv-art@ietf.org, draft-ietf-bfd-unaffiliated-echo.all@ietf.org, last-call@ietf.org, rtg-bfd@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection" <rtg-bfd.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/8C4RRv8ntDXWqjvaSIZY-k7trYc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Owner: <mailto:rtg-bfd-owner@ietf.org>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Subscribe: <mailto:rtg-bfd-join@ietf.org>
List-Unsubscribe: <mailto:rtg-bfd-leave@ietf.org>

Greg,

The shorter form is "if you can use BFD Echo, U-BFD is probably applicable".

Rather than have the argument as to what that means, I suspect the authors would be satisfied to cover the RFC 5881 deployment cases where BFD Echo is already used.

-- Jeff


> On Oct 17, 2024, at 3:39 PM, Greg Mirsky <gregimirsky@gmail.com> wrote:
> 
> Hi Jeff,
> That update is a good step to address my concern. It seems that the document can take one or two more steps to demonstrate why U-BFD in environments other than RFC 5881 is not operable. I think that closing this issue in the core U-BFD specification is prudent and future-proof.
> 
> Regards,
> Greg
> 
> On Thu, Oct 17, 2024 at 12:18 PM Jeffrey Haas <jhaas@pfrc.org <mailto:jhaas@pfrc.org>> wrote:
> Greg,
> 
> Would you be satisfied to update the text to say this applies to RFC 5881 IPv4/IPv6 single-hop use cases and that all others are out of scope?
> 
> -- Jeff
> 
> 
>> On Oct 17, 2024, at 1:26 PM, Greg Mirsky <gregimirsky@gmail.com <mailto:gregimirsky@gmail.com>> wrote:
>> 
>> Hi Jeff,
>> it appears that you and other proponents of this draft concentrate on the
>> single-hop BFD (RFC 5881) case. But single-hop BFD is also used in
>> BFD-over-foo, e.g., RFC 5884, RFC 8971, RFC 9521, draft-ietf-bess-evpn-bfd.
>> All these specifications all state that
>>   Support for echo BFD is outside the scope of this document.
>> According to draft-ietf-bfd-unaffiliated-echo, U-BFD is applicable in, for
>> example, VXLAN, what would happen to the looped packet? I seems like it
>> will be routed through the underlay network. AFAICS, that is not part of
>> BFD Echo function per RFC 5880.
>> 
>> Regards,
>> Greg
>> 
>> On Wed, Oct 16, 2024 at 9:28 AM Jeffrey Haas <jhaas@pfrc.org <mailto:jhaas@pfrc.org>> wrote:
>> 
>>> Brian,
>>> 
>>> 
>>> On Oct 16, 2024, at 1:31 AM, Brian Trammell (IETF) <ietf@trammell.ch <mailto:ietf@trammell.ch>>
>>> wrote:
>>> 
>>> hi Erik,
>>> 
>>> Thanks for the clarifications. Xiao, please take this reply as a reply to
>>> your own request for an amendment to this review; tl;dr the recommendations
>>> to the authors, WG, and IESG change in their details but my headline
>>> opinion (“Not Ready”) stands until the document is revised.
>>> 
>>> 
>>> FWIW, I agree with Xiao that Erik's analysis is well considered.  He saved
>>> me from writing a large amount of similar tax, and did so with less
>>> frustrated sarcasm.
>>> 
>>> 
>>> My most serious concerns here are summed up in Greg’s last message (though
>>> I’m not as versed in the details of interactions with SR): in its
>>> well-behaved, deployed-as-intended state this seems fine, it’s my lack of
>>> understanding around the safeguards against (1) a malicious actor who has
>>> access to a u-bfd endpoint or (2) the impact of implementation faults
>>> breaking the sandbox assumptions around the protocol. Now, it may be that
>>> these safeguards do indeed exist in some other document I didn’t read.
>>> 
>>> 
>>> Please note that I consider Greg's references to be a "red herring", and
>>> an unnecessary distraction.  The issues with SRv6 are security issues with
>>> SRv6 and not specifically BFD related.
>>> 
>>> BFD Echo is a feature that has been shipping for years.  Echo relies on
>>> three things:
>>> 1. A BFD implementation sends echo packets to a designated port addressing
>>> those packets to itself.
>>> 2. The adjacent system loops those packets back.  The sender, talking to
>>> itself, leverages the contents of the packet to determine that it is indeed
>>> talking to itself and uses that information to decide that bi-directional
>>> connectivity thus exists.
>>> 
>>> Point 3, which I suspect is part of Greg's contention, is that such Echo
>>> reply functionality is enabled as part of BFD negotiation.  BFD's primary
>>> role is permitting rate negotiation for the feature.  (See RFC 5880,
>>> section 6.8.9)
>>> 
>>> That point is not necessarily true.
>>> 
>>> Routers will happily provide the loop behavior as part of IP forwarding.
>>> 
>>> Endpoints that are not routers that are asked to implement this mechanism
>>> need to implement IP forwarding, even if in a limited context.
>>> 
>>> 
>>> 
>>> The minimum effort fix here is probably an expanded security
>>> considerations section explaining how u-bfd doesn’t escape to the Internet.
>>> 
>>> 
>>> Unfamiliarity with BFD is likely what makes this comment seem reasonable.
>>> it's not.
>>> 
>>> From the draft:
>>> 
>>> "Similar to what's specified in [RFC5880
>>> <https://www.rfc-editor.org/info/rfc5880 <https://www.rfc-editor.org/info/rfc5880>>], the Unaffiliated BFD Echo
>>> session begins with the periodic, slow transmission of Unaffiliated BFD
>>> Echo packets. The slow transmission rate SHOULD be no less than one second
>>> per packet, until the session is Up. After the session is Up, the
>>> provisioned transmission interval is used."
>>> 
>>> If it's the case that a U-BFD session is provisioned to test a system that
>>> isn't a willing participant, these things follow from underlying procedures:
>>> - If the system doesn't loop the U-BFD packets, the BFD session never goes
>>> to Up and thus the packet rate is 1/second.  This is less aggressive in
>>> many respects that someone leaving ping running because the target IP stack
>>> doesn't need to process this in user-land.
>>> - If the system does loop the U-BFD packets and it is more than one IP hop
>>> away, the TTL check will cause the U-BFD packets to be dropped and the
>>> session will never go Up.  See prior comment for impact.
>>> 
>>> Is there something outside of these considerations that are intended to
>>> cover "escape to the Internet" because that phrase doesn't actually make
>>> much sense.
>>> 
>>> Other comments follow:
>>> 
>>> 
>>> On 15 Oct 2024, at 22:43, Erik Auerswald <auerswal@unix-ag.uni-kl.de <mailto:auerswal@unix-ag.uni-kl.de>>
>>> wrote:
>>> 
>>> Okay, then I am confused by the name of the protocol (“[…] Echo”), as well
>>> as figure 1, which clearly shows device B sending packets back to device A.
>>> I’m not sure I understand the distinction between “looping” a packet and
>>> “creating a response packet” unless said looping functionality is at layer
>>> 1, but I see no reference here to optical or electromagnetic delay lines,
>>> so I assume that is not the case.
>>> 
>>> 
>>> You may wish to review the Echo procedures from RFC 5880 since the
>>> terminology originates there.
>>> 
>>> In this case, it is loopback where a sender "talks to itself" by sending a
>>> packet to an adjacent node with its own address as the destination.  IP
>>> forwarding on that system sends the traffic back to itself. No packet
>>> reception by the remote system beyond that required for forwarding is
>>> required.
>>> 
>>> Unaffiliated BFD Echo is based on the fact that BFD Echo packets are not
>>> handeled on any device except the device creating them.
>>> 
>>> 
>>> I’m also having a lot of trouble reconciling Figure 1 with this, and with
>>> Jeff’s statement “[t]he actual idea of a remote system is farcical for this
>>> mode[…, in] U-bfd the system is only talking to itself.” Either the packets
>>> stay on the device (and there are strong protocol-level guarantees that
>>> would isolate the protocol from the Internet in cases of implementation
>>> fault or unintentional misconfiguration, and the document needs to detail
>>> what those are), or the session runs between two devices (in which case the
>>> concerns about isolation need to be addressed explicitly).
>>> 
>>> 
>>> How would you suggest graphically depicting "Device A" sending a PDU with
>>> a destination of Device A to Device B and Device B, using standard IP
>>> forwarding, sending the PDU back to Device A?  A UML sequence diagram?
>>> Pseudocode?
>>> 
>>> Perhaps the term "loopback" is confusing some people because they think
>>> they're talking to 127.0.0.1?
>>> 
>>> 
>>> This uses the idea from RFC 5082, "The Generalized TTL Security Mechanism
>>> (GTSM)", adapted to work over a single hop instead of no hop.
>>> 
>>> 
>>> There is no citation to 5082 in this document. Please consider adding one
>>> to help readers understand that that’s the intent here.
>>> 
>>> 
>>> The citation would, at best, be to the non-normative appendix A.  Is that
>>> satisfactory?
>>> 
>>> Yes, but it would ensure that non-compromised intermediate devides would
>>> not forward the packet
>>> 
>>> 
>>> Forward what packet?
>>> If it's a configured U-BFD session from a conformant implementation, it'd
>>> be the system addressing PDUs to itself.
>>> 
>>> 
>>> , therefore reducing the risk of misuse via reflection. This concept seems
>>> to lean very heavily on the assumption that these packets will never leave
>>> the u-bfd sandbox (in the sense of “restricted environment”), otherwise I
>>> would expect that using TTL as an escape safety feature would take priority
>>> over using it as an internal detection feature.
>>> 
>>> 
>>> Your scenario is not clear.  Are you arguing "don't use GTSM"?
>>> 
>>> Consider articulating a full scenario rather than some abstract "escapes"
>