Re: [RTG-DIR] RtgDir review: draft-ietf-bfd-multipoint-active-tail-08.txt

[Stig Venaas <stig@venaas.com>]

Hi

Please see comments inline.

On Sun, Jun 17, 2018 at 6:27 PM, Greg Mirsky <gregimirsky@gmail.com> wrote:
> Hi Stig,
> thank you for the review and the most detailed technical comments.
> Please find my answers and proposed updates in-line tagged GIM>>.
>
> Regards,
> Greg
>
> On Fri, Jun 15, 2018 at 2:16 PM, Stig Venaas <stig@venaas.com> wrote:
>>
>> Hello,
>>
>> I have been selected as the Routing Directorate reviewer for this
>> draft. The Routing Directorate seeks to review all routing or
>> routing-related drafts as they pass through IETF last call and IESG
>> review, and sometimes on special request. The purpose of the review is
>> to provide assistance to the Routing ADs. For more information about
>> the Routing Directorate, please see
>> http://trac.tools.ietf.org/area/rtg/trac/wiki/RtgDir
>>
>> Although these comments are primarily for the use of the Routing ADs,
>> it would be helpful if you could consider them along with any other
>> IETF Last Call comments that you receive, and strive to resolve them
>> through discussion or by updating the draft.
>>
>> Document: draft-ietf-bfd-multipoint-active-tail-08.txt
>> Reviewer: Stig Venaas
>> Review Date: date 2018-06-15
>> IETF LC End Date: 2018-06-18
>> Intended Status: Standards Track
>>
>> Summary:
>> I have some minor concerns about this document that I think should be
>> resolved before publication.
>>
>> Comments:
>>
>> The document is in a good shape and almost ready for publication. I
>> only have some minor issues and a couple of nits. The main one is
>> perhaps the security considerations.
>>
>> Major Issues:
>> No major issues found.
>>
>>
>> Minor Issues:
>>
>> I found 5.2.3 last paragraph a bit confusing:
>>    If the multipoint path and the reverse unicast path both stay up but
>>    the forward unicast path fails, neither side will notice so long as a
>>    unicast Poll Sequence is never sent by the head.  If the head sends a
>>    unicast Poll Sequence, the head will see the BFD session fail, but
>>    the state of the multipoint path will be unknown to the head.  The
>>    tail will continue to receive multipoint data traffic.
>>
>> It says here that the state of the multipoint path is unknown, which is
>> true if it only does unicast polling. But the assumption is 5.2.3 is
>> that multipoint polling is also done. So it might be good to point out
>> that the state of the multipoint path will determined by the multipoint
>> pull.
>
> GIM>> Please consider the updated text below:
> OLD TEXT:
>    If the multipoint path and the reverse unicast path both stay up but
>    the forward unicast path fails, neither side will notice so long as a
>    unicast Poll Sequence is never sent by the head.  If the head sends a
>    unicast Poll Sequence, the head will see the BFD session fail, but
>    the state of the multipoint path will be unknown to the head.  The
>    tail will continue to receive multipoint data traffic.
> NEW TEXT:
>    If the multipoint path and the reverse unicast path both stay up but
>    the forward unicast path fails, neither side will notice this failure
>    so long as a unicast Poll Sequence is never sent by the head.  If the
>    head sends a unicast Poll Sequence, the head will detect the failure
>    in the forward unicast path.  The state of the multipoint path will
>    be determined by multipoint Poll.  The tail will continue to receive
>    multipoint data traffic.

This looks good.

>>
>> The security considerations could need more details. Is there some way an
>> attacker can send forged multipoint polls getting clients to send a
>> large number of responses to the head?
>
> GIM>> In TSVART review of the Multipoint BFD draft Bob Briscoe brought up
> similar, as I think of it, question of sppofing attack on tails. This is the
> last mail of the discussion. Very much interested to hear your view on the
> three scenarios we've discussed: IP mcast tree, directly connected IP mcast,
> and MPLS p2mp and mp2mp LSPs. I think that for mp BFD with active tails even
> the second scenario is not realistic as there's little benefit, in my
> opinion, to run active tails in this environment.

I think spoofing is only an issue when you are on path. Generally with
multicast, there is an RPF check to check if packets are received on
the expected interface. Hence as long as an attacker is not on the
same LAN as the source, or connected to one of the links (LANs) the
shortest path tree (in some cases the shared tree) traverses, it
should be fine.

>> Also how hard would it be to use
>> any address for the head?
>
> GIM>> Demultiplexing BFD Control packets changed in mp BFD when comparing
> with RFC 5880 and it now uses not only value in Your Discriminator field
> but, as defined in Section 5.7 draft-ietf-bfd-multipoint:
>    IP and MPLS multipoint tails MUST demultiplex BFD packets based on a
>    combination of the source address, My Discriminator and the identity
>    of the multipoint path which the Multipoint BFD Control packet was
>    received from.  Together they uniquely identify the head of the
>    multipoint path.
> Thus the tail must be bootstrapped for the given mp BFD session with source
> address, head's My Discriminator value, and identity of the multipoint path.
>
>> Would clients only accept a certain address
>> for the head?
>
> GIM>> Yes, as I've noted above, the tail MUST demultiplex BFD Control
> packets using three value tuple that includes source address of the BFD
> control packet.
>
>> It should perhaps be emphasized that BFD authentication
>> mechanisms are important?
>
> GIM>>  Per Bob Briscoe suggestions, in Section 6 of
> draft-ietf-bfd-multipoint stated:
>    Shared keys in multipoint scenarios allow any tail to spoof the head
>    from the viewpoint of any other tail.  For this reason, using shared
>    keys to authenticate BFD Control packets in multipoint scenarios is a
>    significant security exposure unless all tails can be trusted not to
>    spoof the head.  Otherwise, asymmetric message authentication would
>    be needed, e.g., protocols that use Timed Efficient Stream Loss-
>    Tolerant Authentication (TESLA) as described in [RFC4082].

I agree there are issues with shared keys, but it might still be
better than no key.
Asymmetric authentication would be ideal.

>    If authentication is in use, the head and all tails may be configured
>    to have a common authentication key in order for the tails to
>    validate multipoint BFD Control packets.
>
>> It should be possible to restrict a client to
>> only respond to authenticated polls.
>
> GIM>> Currently BFD doesn't have standard procedure to authenticated some of
> the packets. BFD WG is working on draft-ietf-bfd-optimizing-authentication
> for p2p BFD sessions.
>>
>> Also perhaps have some rate
>> limiting in clients in case the head polls at an unreasonably high rate?

I think it could be useful to have an option where tails only respond
to authenticated polls, and also some kind of rate limiting, but I
leave it to you and the IESG to consider that. I guess the security
considerations in the main multipoint draft will be expanded as well.
The main thing in this draft I would think, is that the tail responses
may open up some potential attack vectors.

Stig

>>
>> Nits:
>> In the Introduction it says:
>>    This document effectively modifies and adds to Sections 5.12 and 5.13
>>    of the base BFD multipoint document [I-D.ietf-bfd-multipoint].
>> This should be 4.12 and 4.13, right?
>
> GIM>> Section enumeration changed in version -17. Section Protocol Details
> in draft-ietf-bfd-multipoint used to be #4 and now is #5.
>>
>>
>> 6.13.1 and 6.13.2
>> Refer to 5.13.x, but should be 4.13.x.
>
> GIM>> As above.
>>
>>
>> One of the authors is listed in the Acknowledgments section.
>
> GIM>> Will update the Acknowledgments section accordingly.
>>
>>
>> Regards,
>> Stig
>
>