IETF Logo Mail Archive

Re: Benjamin Kaduk's Discuss on draft-ietf-bfd-yang-16: (with DISCUSS and COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Wed, 11 July 2018 15:02 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8119128BAC; Wed, 11 Jul 2018 08:02:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id moDTd56lKSDf; Wed, 11 Jul 2018 08:02:49 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2709D130DED; Wed, 11 Jul 2018 08:02:49 -0700 (PDT)
X-AuditID: 1209190e-491ff700000035ab-3d-5b461c17bccc
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id FE.3B.13739.71C164B5; Wed, 11 Jul 2018 11:02:47 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id w6BF2jrx030769; Wed, 11 Jul 2018 11:02:46 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w6BF2ft0019332 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 11 Jul 2018 11:02:43 -0400
Date: Wed, 11 Jul 2018 10:02:41 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Jeffrey Haas <jhaas@pfrc.org>
Cc: Reshad Rahman <rrahman@cisco.com>, "Acee Lindem (acee)" <acee@cisco.com>, "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>, "draft-ietf-bfd-yang@ietf.org" <draft-ietf-bfd-yang@ietf.org>, The IESG <iesg@ietf.org>, "bfd-chairs@ietf.org" <bfd-chairs@ietf.org>
Subject: Re: Benjamin Kaduk's Discuss on draft-ietf-bfd-yang-16: (with DISCUSS and COMMENT)
Message-ID: <20180711150238.GT59001@kduck.kaduk.org>
References: <153064928232.4913.5177531623706237853.idtracker@ietfa.amsl.com> <69638E39-860F-4D2F-AE2B-3B0B0A7BA855@cisco.com> <20180704035647.GF60996@kduck.kaduk.org> <20180710234621.GD12853@pfrc.org> <DBDBAFD1-8280-4389-B7F9-08785FC01BF8@cisco.com> <650FCD2E-A555-447A-A7AA-87D67B4E2BDE@cisco.com> <D4C67FBF-10C0-4F22-B8C6-1D9DD9CFE7B0@cisco.com> <EB68C226-A9F7-4254-97D8-042FB6FB6DFF@cisco.com> <B14B0368-0795-4163-8A6D-A4D03B4568A1@pfrc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <B14B0368-0795-4163-8A6D-A4D03B4568A1@pfrc.org>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrPKsWRmVeSWpSXmKPExsUixCmqrCsu4xZt0HXIymLy23nMFpNvrma0 2LTzJ5PFjD8TmS32H3zLanFtRSu7xec/2xgd2D2m/N7I6rFkyU8mj8u9W1kDmKO4bFJSczLL Uov07RK4Mk5OXMRS0GZW8WHhVKYGxj6NLkZODgkBE4n/Mz4wdzFycQgJLGaSWNawiA3C2cgo 8XpVB1TmKpPE+099rCAtLAKqEjvvXGYGsdkEVCQauiFsEQFFifn/O8G6mQWmMEncfrCZHSQh LBArcerTMSYQmxdo3+o/a1kgpp5hlngy4TEzREJQ4uTMJywgNrOAusSfeZeA4hxAtrTE8n8c EGF5ieats8HKOQVsJD5MXMsGYosKKEvs7TvEPoFRcBaSSbOQTJqFMGkWkkkLGFlWMcqm5Fbp 5iZm5hSnJusWJyfm5aUW6Rrr5WaW6KWmlG5iBMeFJN8OxkkN3ocYBTgYlXh4N3C4RQuxJpYV V+YeYpTkYFIS5ZWyco0W4kvKT6nMSCzOiC8qzUktPsQowcGsJMJrNt0lWog3JbGyKrUoHyYl zcGiJM6bvYgxWkggPbEkNTs1tSC1CCYrw8GhJMGbKg20R7AoNT21Ii0zpwQhzcTBCTKcB2i4 iRRQDW9xQWJucWY6RP4Uoy7Hn/dTJzELseTl56VKifOagQwSACnKKM2DmwNKZxLZ+2teMYoD vSXMGwdSxQNMhXCTXgEtYQJaor3QGWRJSSJCSqqB8fS/oqPHphdmzF4z6Twbh2L+88qokg7Z SQbK9sxrfZauvu1SurytL9k9hbvalP3o44l5VzrSbpftLTqafc/03GIRn/Y/O78GRB67qWzl 9dJNj/fUriyPhTwemza+vBnnK1L9b/6Umd+7/WI5Lr2KSz0b6M6gcsd0jjSr0n19hgOnpDhP TMhfosRSnJFoqMVcVJwIAAjBcvNCAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/V4qi_eEetcN6oSap_M0FjcE2O20>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jul 2018 15:02:53 -0000

"may be overkill in some circumstances" sounds exactly like an RFC 2119
SHOULD, does it not?

Anyway, we seem to be converging on what I was intending to ask for
(thanks, Reshad!), namely that when evaluating the security considerations
for configuring the BFD module, the security considerations of the IGP
scheme(s) (if any) that are used for BFD configuration are also included in
the evaulation.  This doesn't imply an adversarial relationship between two
things running on the same box -- it just means that if I want to impose a
policy about who can make what BFD changes (or similar), then I have to
consider the interactions with the IGP as well as the direct on-box change
mechanisms.

To frame the same idea in a different fashion, we have this nice security
considerations boilerplate for YANG modules, talking about how the usual
access methods are NETCONF/RESTCONF, with MTI secure transport of ssh/TLS.
The scheme being described here is effectively providing a new access
mechanism (IGP) for a subset of the YANG module, and so the security
considerations should talk about the corresponding "secure transport"
options for that new access mechanism, at least to mention that there
exist considerations regarding security of transport for the IGP access
mechanism.  (The "MTI secure transport" options for IGPs are not really
something I want to bring into scope here, because this document has to
work with what's available.)

-Benjamin


On Wed, Jul 11, 2018 at 10:36:49AM -0400, Jeffrey Haas wrote:
> Even that may be overkill in some circumstances.
> 
> Consider the case where an operator may decide that they'll permit BFD to be de-configured for protocols without also giving operators permission to similarly de-configure the underlying client protocols.  Examples of this may be that BFD is experiencing issues that are leading to false negatives and tearing down valid sessions.
> 
> While the above example would seem unusual, it was more of a concern in the more subtle use cases for BFD-on-LAG where links may be managed by one provisioning group and protocols by another.
> 
> -- Jeff
> 
> > On Jul 11, 2018, at 10:31 AM, Reshad Rahman (rrahman) <rrahman@cisco.com> wrote:
> > 
> > Hi Acee,
> > 
> > That and a statement saying the BFD clients should be authenticated.
> > 
> > Regards,
> > Reshad.
> > 
> > On 2018-07-11, 10:10 AM, "Acee Lindem (acee)" <acee@cisco.com> wrote:
> > 
> >    Hi Reshad, 
> > 
> >    Ok - so are you saying that all that is being asked for is that the NACM rules on IGP BFD configuration be at least as strict as BFD since the IGPs are instantiated BFD sessions? I'd be ok with that. 
> > 
> >    Thanks,
> >    Acee 
> > 
> >    On 7/11/18, 9:25 AM, "Reshad Rahman (rrahman)" <rrahman@cisco.com> wrote:
> > 
> >        Hi,
> > 
> >        My read on the DISCUSS is not just wrt spoofing of BFD clients but also making sure that the proper access restriction (NACM) is used for the BFD clients. 
> > 
> >        I didn't interpret Benjamin's comments as requiring a security boundary between BFD clients (BGP, IPGPs) and BFD running on the same dveice, which I agree would be preposterous.
> > 
> >        Regards,
> >        Reshad.
> > 
> >        On 2018-07-10, 10:17 PM, "Acee Lindem (acee)" <acee@cisco.com> wrote:
> > 
> > 
> > 
> >            On 7/10/18, 7:46 PM, "Rtg-bfd on behalf of Jeffrey Haas" <rtg-bfd-bounces@ietf.org on behalf of jhaas@pfrc.org> wrote:
> > 
> >                On Tue, Jul 03, 2018 at 10:56:49PM -0500, Benjamin Kaduk wrote:
> >> On Wed, Jul 04, 2018 at 03:20:42AM +0000, Reshad Rahman (rrahman) wrote:
> >>> <RR> I am not 100% sure I understand the point being made. Is it a question of underlying the importance of having the IGPs authenticated since the IGPs can create/destroy BFD sessions via the local API?
> >> 
> >> That's the crux of the matter, yes.  Since (in this case) the IGP state
> >> changes are being translated directly into BFD configuration changes,
> >> the NETCONF/RESTCONF authentication is not really used.  So, any
> >> authentication/authorization decisions that are made must be on the basis
> >> of authentication at the IGP level.  This does not necessarily mean a hard
> >> requirement for IGP authentication, though using unauthenticated IGP would
> >> then be equivalent (for the purposes of this document) to allowing
> >> anonymous NETCONF/RESTCONF access.
> >> 
> >> I'd be happy to just have a note in the security considerations that "when
> >> BFD clients such as IGPs are used to modify BFD configuration, any
> >> authentication and authorization for the configuration changes take place
> >> in the BFD client, such as by using authenticated IGPs".  But feel free to
> >> reword in a better fashion; this is really just about acknowledging the new
> >> access mechanism (since the boilerplate covers SSH/TLS for
> >> NETCONF/RESTCONF).
> > 
> >                I must admit to being somewhat perplexed by the request here.
> > 
> >                In the cases where BFD as a top level module is not the creator of a BFD
> >                session, you seem to be concerned that BFD can be used to attack a resource
> >                by spoofing that non-BFD client.
> > 
> >                While this is perhaps logically true, it also means that you have a far
> >                greater problem of being able to spoof the underlying BFD clients.  To give
> >                some real-world examples:
> >                - BGP typically requires explicit configuration for its endpoints.
> >                - Both OSPF and ISIS will require a matched speaker with acceptable
> >                  configuration parameters for a session to come up.
> >                - Static routes with BFD sessions will require explicit configuration.
> > 
> >                In each of these cases, a client protocol that also wants to use BFD, the
> >                simple spoofing of the protocol endpoints is already a massive disaster
> >                since it will allow injection of control plane or forwarding state into the
> >                device.  This is so much worse than convincing a BFD session to try to come
> >                up with its default one packet per mode that ... well, I'm boggled we're
> >                even talking about this. :-)
> > 
> >                My request would be that we not complicate the security considerations of
> >                this module for such cases.
> > 
> >            I agree. This is DISCUSS is just preposterous - imposing some sort of security boundary between the IGP modules and the BFD module running on the same networking device.
> > 
> >            Thanks,
> >            Acee (LSR WG Co-Chair) 
> > 
> > 
> > 
> >                -- Jeff
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
> > 
>

v2.23.0 | Report a Bug | By Email