Re: Éric Vyncke's Discuss on draft-ietf-bfd-vxlan-09: (with DISCUSS and COMMENT)

"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Thu, 19 December 2019 21:38 UTC

Return-Path: <cpignata@cisco.com>
X-Original-To: rtg-bfd@ietfa.amsl.com
Delivered-To: rtg-bfd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2BB101208B0; Thu, 19 Dec 2019 13:38:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=Dp6aB6uq; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=qpepkSCQ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CG8UR2FHddcy; Thu, 19 Dec 2019 13:38:34 -0800 (PST)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27A6A120865; Thu, 19 Dec 2019 13:38:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10096; q=dns/txt; s=iport; t=1576791514; x=1578001114; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=2X12owqghMumdGy2zbQXhSqe/Xj+NS8/l54n3fD1d80=; b=Dp6aB6uqGnnANEvIX2wgaiN88WXxdpLrjj7F62xrsmOqJXJY4sn0VCIT OHJnGu0P1yW0ciZyppAsbr9NThEasgoTf2JcBgsqc4Z5iwwOApSPVeWOh TegaIGTG3McoBlppUpYmeZPAA2z6oV/ctC6Q+44g63yKEYK0lMEEWAxuh c=;
IronPort-PHdr: =?us-ascii?q?9a23=3AXNnZmhzEWjzeog3XCy+N+z0EezQntrPoPwUc9p?= =?us-ascii?q?sgjfdUf7+++4j5YhWN/u1j2VnOW4iTq+lJjebbqejBYSQB+t7A1RJKa5lQT1?= =?us-ascii?q?kAgMQSkRYnBZuOEUz0Kvf2ZgQxHd9JUxlu+HToeUU=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CwAABV7Ptd/5hdJa1lGgEBAQEBAQE?= =?us-ascii?q?BAQMBAQEBEQEBAQICAQEBAYF8gU1QBWxYIAQLKgqDfINGA4p0gl+YCIFCgRA?= =?us-ascii?q?DVAkBAQEMAQElCAIBAYRAAheCBSQ4EwIDDQEBBAEBAQIBBQRthTcMhV4BAQE?= =?us-ascii?q?BAgESEREMAQE3AQQLAgEGAg4KAgImAgICMBUFCwIEDgUigwABgkYDDiABDgO?= =?us-ascii?q?RFZBkAoE4iGF1gTKCfgEBBYE1AQMCg2IYggwDBoEOKIlQgkkagUE/gREnIIJ?= =?us-ascii?q?MPoJkAQEDgS0BDAYBHgGDEDKCLI0rglM5jziOLHQKgjSHMo5mG4JDh3mEQYt?= =?us-ascii?q?Ug0eNL4YtjliDJwIEAgQFAg4BAQWBaSJncXAVOyoBgkE+EhgNjRIMFxWDO4U?= =?us-ascii?q?UhT90gSiNLA4XgQsBgQ8BAQ?=
X-IronPort-AV: E=Sophos;i="5.69,333,1571702400"; d="scan'208";a="393912822"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 19 Dec 2019 21:38:33 +0000
Received: from XCH-ALN-004.cisco.com (xch-aln-004.cisco.com [173.36.7.14]) by rcdn-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id xBJLcW82022134 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 19 Dec 2019 21:38:32 GMT
Received: from xhs-aln-003.cisco.com (173.37.135.120) by XCH-ALN-004.cisco.com (173.36.7.14) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 19 Dec 2019 15:38:31 -0600
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 19 Dec 2019 15:38:31 -0600
Received: from NAM04-CO1-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Thu, 19 Dec 2019 15:38:31 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dOHBVEXT0ejZoRoUutcwgsd1xCKTdevNU76b8fneNTzoKqZRxhRc6RHzmq5LGpPkTocOCbxzX2znjQoBt1O2ScHo8aVMmRdq+uZtxXZ1294mZTKdR2lcSnXfpCtoNYhTqNZ/bv+fTt+Jj2p6V2CbcRgcgMl0FrRiUOr+dBSiFMGDJRDmBUpK/cekF5TjleZUYatPi8mGB8s3rt/0ARvNoe8wc0uqNLIN3ILmJgcXv3M5xZ0gy0N7MRKfJd8bd9KhPL9mjmLfonb9ZKYu+Bb7dwr/P0n21LJ+HCBuCJ3FsX4ksCW+wcSxgcqBVvFdoMLgO14ZHO89+YZ3tZSrc/5vsg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2X12owqghMumdGy2zbQXhSqe/Xj+NS8/l54n3fD1d80=; b=h215k4ERV9+X8+2uGfgOM18F7FY5M44JaQObebD3+ooYqWtKUQyE7zSOWWPw+8S8owctokFpxMztk/PGG7PC5KqXZS78tExl23m46vBovnZNe9VCAl/khgWdZ2N94xv9LQb0PDbaTKfJcGZJLCkyQ2gIWhr57Y2EPvXsez1Xy6/YGufmw/KS8aMreKOOHcrazaXM+NBl1Hqo7AxHsXY265gp6PvJrRT1aEHxkqJbdxjtDtGQqIt7mz0gVHp9HmRzzCci8OzVDIGIGgq8WVff6+7tC8sjzZUstNl6kDG7IqmK7DykTMnU2abjaNOj802qnmWOp2GQsRQNmEZ1w6TmKA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2X12owqghMumdGy2zbQXhSqe/Xj+NS8/l54n3fD1d80=; b=qpepkSCQHWTHeFI2uQ/DEHVYUpCKU9VU75pdPbraVeAY6l0AqBZjvq0jWUMQN+a4AVb8PW9NKyJPeY7m+EfP5Gt4ezL7NEDwWlaLpNl6+hpDsmbsWzeBSCCBHVzGK0v1GmAFb6hg1JNSCyneDVGca8r4VEB6X1EuZV/G5vs7XdE=
Received: from BN6PR11MB0034.namprd11.prod.outlook.com (10.161.156.160) by BN6PR11MB1763.namprd11.prod.outlook.com (10.175.99.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2559.14; Thu, 19 Dec 2019 21:38:30 +0000
Received: from BN6PR11MB0034.namprd11.prod.outlook.com ([fe80::d4cf:20e6:8706:d006]) by BN6PR11MB0034.namprd11.prod.outlook.com ([fe80::d4cf:20e6:8706:d006%5]) with mapi id 15.20.2538.019; Thu, 19 Dec 2019 21:38:29 +0000
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Jeff Haas <jhaas@pfrc.org>
CC: "rtg-bfd@ietf.org" <rtg-bfd@ietf.org>, "Eric Vyncke (evyncke)" <evyncke@cisco.com>, "draft-ietf-bfd-vxlan@ietf.org" <draft-ietf-bfd-vxlan@ietf.org>, The IESG <iesg@ietf.org>, "bfd-chairs@ietf.org" <bfd-chairs@ietf.org>
Subject: =?utf-8?B?UmU6IMOJcmljIFZ5bmNrZSdzIERpc2N1c3Mgb24gZHJhZnQtaWV0Zi1iZmQt?= =?utf-8?Q?vxlan-09:_(with_DISCUSS_and_COMMENT)?=
Thread-Topic: =?utf-8?B?w4lyaWMgVnluY2tlJ3MgRGlzY3VzcyBvbiBkcmFmdC1pZXRmLWJmZC12eGxh?= =?utf-8?Q?n-09:_(with_DISCUSS_and_COMMENT)?=
Thread-Index: AQHVtLc75ryADAJO5Ui6+24NC5naA6e+kjMAgAHIsoD//7wKAIAAV1IAgABfYYCAAPbrAIAAI2qAgAAHBwCAABDgAA==
Date: Thu, 19 Dec 2019 21:38:29 +0000
Message-ID: <B960F63E-0B17-4D9F-A44C-BD41E7EC805B@cisco.com>
References: <157657269782.26511.12421406428553874826.idtracker@ietfa.amsl.com> <CED2B858-AC55-4B0A-ADA2-AC46B628E6DA@cisco.com> <20191218203145.GD6488@pfrc.org> <FE5AEE55-9F03-49E9-89C3-6C9700C8683E@cisco.com> <20191218214102.GF6488@pfrc.org> <B88794A5-553E-453D-8CAF-1D05FCA56C1E@cisco.com> <20191219180609.GA27686@pfrc.org> <4744CBE3-E9EC-439D-B699-C301CFF200D3@cisco.com> <20191219203804.GB31892@pfrc.org>
In-Reply-To: <20191219203804.GB31892@pfrc.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.40.2.2.4)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=cpignata@cisco.com;
x-originating-ip: [173.38.117.67]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c1f47708-5713-4bc2-18b0-08d784cbc9f5
x-ms-traffictypediagnostic: BN6PR11MB1763:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <BN6PR11MB176355292B195DECB93F1C8FC7520@BN6PR11MB1763.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0256C18696
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(136003)(39860400002)(346002)(376002)(396003)(199004)(189003)(51914003)(6486002)(966005)(66946007)(224303003)(316002)(54906003)(66446008)(6512007)(66556008)(64756008)(6916009)(71200400001)(76116006)(6506007)(91956017)(2906002)(4326008)(36756003)(5660300002)(186003)(66476007)(33656002)(86362001)(81156014)(81166006)(26005)(478600001)(2616005)(8936002); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR11MB1763; H:BN6PR11MB0034.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: XOPAKdcf7b87whwU12Q3ZbpxqMC7qwRk4fB7429wyp/H7PyLJ/Wee5RRvWC9ia3+JKKseDskCNWDhW8Ivnn+RrpZ7NRHIonXoHAWAf5WItPPyG/FqS+MM92yU69vHfZ4qiIwy68ioQCLjC5WfahWmzKU6yde8I6vDE+/Ib0F3IXvFjC5r5x9aGMtZIUCE/QgLsX3+NotazeGtwd8qcwir0/yvUv4HCElg0AhElZUWtziu6Bn+al2H/P6FeMAG40VOge6kwQwN3BkiipbiWkJFE/cFyUdwHTruxxAOI89SquBzAdrUNGcR/rCFE7gCByACZ5Sw+2lxed7NittJECdmItJtqmQMwXTwIqCbk9Nv7mnjB3freMuAKWq8GoqRTY3fZZAknw+gsBZdj7HklgvN1nOtHkUWVgjDj5UFHGmMubvQ4HsPpmh9fxfHVGickLb+YQvZ9UT4heakYjG+TlXbPeKLYIk12DAnSsrP+eS2VYum1hU6aqvNBfRj0PPBPjhKeLtfKip8r5OmPlUivHk0OsfP92KmeN55UQp9vYQPtg=
Content-Type: text/plain; charset="utf-8"
Content-ID: <A98B652532B3AA468488E6B1B0A71616@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: c1f47708-5713-4bc2-18b0-08d784cbc9f5
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Dec 2019 21:38:29.2298 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: NUGsXHSYAmLa83qZwPfhj8srV7IbxBNRNlS9hb6xiQ61P9NoNIbQImkjlmMeBDj8ZuhvVKwVknB7NSMPO+W7Kg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR11MB1763
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.14, xch-aln-004.cisco.com
X-Outbound-Node: rcdn-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-bfd/yGfcDi6APV4nRHZFnC8us7Ot3ts>
X-BeenThere: rtg-bfd@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "RTG Area: Bidirectional Forwarding Detection DT" <rtg-bfd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-bfd/>
List-Post: <mailto:rtg-bfd@ietf.org>
List-Help: <mailto:rtg-bfd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-bfd>, <mailto:rtg-bfd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Dec 2019 21:38:37 -0000

Hi, Jeff,

Thanks for the dailogue and please see inline some follow-ups.

> 2019/12/19 午後3:38、Jeffrey Haas <jhaas@pfrc.org>のメールt;のメール:
> 
> Carlos,
> 
> On Thu, Dec 19, 2019 at 08:12:56PM +0000, Carlos Pignataro (cpignata) wrote:
>>> 2019/12/19 午後1:06、Jeffrey Haas <jhaas@pfrc.org>のメールt;のメール:
> 
> Interesting.  You're a bit more multi-lingual that I knew. :-)

I can read Emoji :-) 

> 
>>> The encapsulated packet's outer IP header, if single hop, could certainly
>>> benefit from GTSM procedures.
>>> 
>>> But once you're more than one hop away, and you're vulnerable to general
>>> attacks against packet insertion that the base vxlan PDUs have, how exactly
>>> does setting the TTL one way or the other provide protection?
>> 
>> Think of the VXLAN tunnel as a sigle-hop link. Yes, midpoint/in-transit packet insertion is an attack vector not covered by GTSM-ing the inner IP. However, traffic from outside the VXLAN (i.e., from outside the infrastructure) routed into the tunnel could not have a 255 TTL/HL.
> 
> Right.  That was the host attack from within tenant space that I was talking
> about earlier.  But as you note here, that can also be an external insertion
> attack as well.
> 
>> However, I am not ambivalent about comments being simply ignored. I would like the Editors and pen-holders of this document to actually respond to comments.
> 
> As Shepherd, you have my apologies then.  When I was reviewing the last set
> of comments, I thought I had caught all flagged messages with your open
> issues.  But as you may note, the threads went very long.

Oh, no, no need. I think there’s shared responsibility between the editors, shepherd, and WG as a whole. But it really starts with the editors.

Not having an agreed-upon tracking system in the IETF does not help either…

While at it, though, out of the 6 issues brought up on that email, I only saw a response to issue #4 (and not we are discussing Issue #2). I would not mind the authors responding to the others :-) 

> 
>> I am not looking for a specific answer, but I am looking for a thoughtful, deliberate, explicit, and intentional decision, shared on the list. That’s the role of Editors.
>> 
>> For example, see comment #2 in this note from June 2019 https://mailarchive.ietf.org/arch/msg/rtg-bfd/BL9Ob66Yxie4wX13yZJELbYPLJs 
> 
> Specifically covering this issue.
> 
>> 
>> That comment, as well as others on that same note, were not ever responded to or acknowledged.
>> 
>> I reminded the editor that some comments were not being answered to: https://mailarchive.ietf.org/arch/msg/rtg-bfd/uzAtld-P7qB3B5z3NViFx83oaGA
> 
> That one did go to list traffic and I did take time to cover what I believed
> was reasonable justification for not mentioning it.
> 
>>> If my observation above above about insertion attacks is valid, then using
>>> GTSM for the inner IP packet isn't helpful for protecting against what GTSM
>>> is intended for.  This leave us with roughly two modes:
>> 
>> Yes, it is valid, but it is not the only attack vector.
> 
> I'm unclear what you're flagging here.  Yes, we can attack all sorts of
> things here, but we're discussing very specifically TTL and its use in
> mitigating attacks viz. GTSM.
> 
>>> - With GTSM, enforce the usual related BFD procedure.  If packets aren't
>>> "caught" by BFD, they have the potential to bounce around until they
>>> expire.  Either way, BFD should go Down and the max damage is a number of
>>> BFD packets eventually settling back to the 1/sec timer.
>>> - Without GTSM, exactly the same, just with less distance.
>>> 
>>> So, presuming my observation is valid:
>>> It doesn't help.
>>> It doesn't hurt (much).
>>> If we want to require it, go for it.
>>> 
>> 
>> I have the same question as before though.
>> 
>> To me the real vector of questions is: If the base GTSM spec requires it, why is that requirement relaxed? Where is it explained in the document?
> 
> See my prior ambivalence. :-)  It's reasonable modulo one of the two prior
> implementations saying "this is a big deal!" to say "for our purposes, we
> wish to use the security considerations of 5881".  As I noted for the IESG,
> the considerations we have currently reflect 5884.  And while your
> explanation for 5884's situation was helpful, I'm not entirely clear why the
> vxlan encapsulation is so entirely different with regard to its impact vs.
> MPLS and thus the 5884 scenario.

This is a most useful clarification and perhaps goes to the core of the different in perspective.

To me, RFC 5884 is not the most similar scenario to VXLAN. RFC 5884 concerns itself with a uni-directional label-swapping-or-popping-hop-by-hop paradigm where popping too many Label Stack Entries (LSEs) in-flight mid-tunnel would expose the inner packet to the point of being mis-forwarded and let loose in the core infrastructure. 

The same is not the case for VXLAN, which really seems more similar to RFC 5885 or 5881, the former saying:
      The Time to
      Live/Hop Limit and Generalized TTL Security Mechanism (GTSM)
      procedures from Section 5 of [RFC5881] apply to this
      encapsulation, and hence the TTL/Hop Limit is set to 255.


And while looking at this, the document seems to show further confusion around this.

S9 of https://tools.ietf.org/html/draft-ietf-bfd-vxlan-09 says:

   This document recommends using an address from the Internal host
   loopback addresses (127/8 range for IPv4 and
   0:0:0:0:0:FFFF:7F00:0/104 range for IPv6) as the destination IP
   address in the inner IP header.  Using such address prevents the
   forwarding of the encapsulated BFD control message by a transient
   node in case the VXLAN tunnel is broken as according to [RFC1812]:


However, a transient node cannot expose the Inner header since it does not understand VXLAN or the context of VXLAN… that’s the difference with MPLS... 

> 
>>> But it doesn't help your security story at all and using it perhaps confuses
>>> people about it actually helping.  So, don't insist on it for security
>>> reasons.
>> 
>> I would say “don’t insist on it for every possible security reason”. The fact that there are some cases not covered does not imply that there are none.
> 
> If there's at least one well articulated one, that's sufficient.  What I'm
> trying to get talked into is that there is such reason where this really
> helps.
> 
> If that's protecting vs. traffic that originates in the tenant's networking
> space that hits the tunnel and happens to be destined to an inner-IP address
> that is the tenant assigned address space that is not in the loopback
> network address space, that'll do.  But it also feeds into my related
> commentary on some considerations are scenario specific.  In particular, if
> we're using the 5884 loopback network trick, you can't originate such
> traffic from the tenant network.  (Hopefully the IESG reviewers have noted
> this.)
> 

That’s exactly the case — traffic on the tenant’s network being tunneled. They are scenario-specific and thinner but non-null.

Your comment about the destination address being a loopback is useful. The document says SHOULD, not MUST use 127/8 or ::FFFF:127.0.0.0/104.

Thank you,

Carlos.

> -- Jeff