Re: Benjamin Kaduk's Discuss on draft-ietf-bfd-vxlan-09: (with DISCUSS and COMMENT)

Jeffrey Haas <jhaas@pfrc.org> Wed, 18 December 2019 22:13 UTC

Return-Path: <jhaas@slice.pfrc.org>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F410120836; Wed, 18 Dec 2019 14:13:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mTSfUv54uiQa; Wed, 18 Dec 2019 14:13:54 -0800 (PST)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id 48FE5120089; Wed, 18 Dec 2019 14:13:54 -0800 (PST)
Received: by slice.pfrc.org (Postfix, from userid 1001) id 320B61E2F6; Wed, 18 Dec 2019 17:18:24 -0500 (EST)
Date: Wed, 18 Dec 2019 17:18:24 -0500
From: Jeffrey Haas <jhaas@pfrc.org>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: The IESG <iesg@ietf.org>, draft-ietf-bfd-vxlan@ietf.org, bfd-chairs@ietf.org, rtg-bfd@ietf.org
Subject: Re: Benjamin Kaduk's Discuss on draft-ietf-bfd-vxlan-09: (with DISCUSS and COMMENT)
Message-ID: <20191218221823.GG6488@pfrc.org>
References: <157653979360.24617.1864402887480503965.idtracker@ietfa.amsl.com> <20191218202448.GC6488@pfrc.org> <20191218220246.GK81833@kduck.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20191218220246.GK81833@kduck.mit.edu>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/cHh-4fIn8kbLinRPZtTUF9WO9ds>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Dec 2019 22:13:55 -0000

Ben,

On Wed, Dec 18, 2019 at 02:02:46PM -0800, Benjamin Kaduk wrote:
> On Wed, Dec 18, 2019 at 03:24:48PM -0500, Jeffrey Haas wrote:
> > This is a clean summary of the considerations.  At least a portion of the WG
> > seems to be comfortable with "test to the management VNI".  However, another
> > (smaller, I believe) portion were wanting to test one layer further in.
> 
> It is reassuring that I at least managed to summarize the situation
> tolerably.  Is it fair to say that testing "one layer further in" is a
> superset of what "test to the managemenet VNI" can do?

Fundamentally, this is all BFD.  The issue is almost always considerations
related to encapsulation.

The meta concern here is that if you test to the management VNI, the
operator has a lot of control over things that are clean from a security
perspective.

The minute you test one layer deeper, it's still the same thing... but you
now have a lot of sharp edges you have to worry about.

In all of these situations, the main consideration from a security
perspective and an encapsulation perspective is "don't step on the toes of
the user".  But that said, vxlan environments are provided to contain
tenants, have their own provisioning ecosystems, and security considerations
in how they are provisioned and operated.  As long as the security and
operational considerations are understood by the operator, they can decide
whether "testing one layer further in" gives them good benefit vs. the
additional security considerations.

And that said, two fundamental portions of BFD operations and security still
apply here:
- Discriminators need to be known to mess with existing sessions.  This
  means the main consideration for someone not in the tenant environment is
  privacy.  Such privacy is an overall consideration for vxlan environments.
- Authentication mechanisms in BFD may still be deployed which further
  reduce the attack space.

Basically, if your vxlan environment is appropriately operated and secured,
the main attacker of this session is the tenant itself.  And they have all
sorts of bad things they can do to knock down their own reachability from
one VTEP to another.  I.e. it's a stupid attack. :-)


-- Jeff