Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06

<bruno.decraene@orange.com> Mon, 18 September 2017 09:08 UTC

Return-Path: <bruno.decraene@orange.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7563113420E; Mon, 18 Sep 2017 02:08:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.619
X-Spam-Level:
X-Spam-Status: No, score=-2.619 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TciFrxKlSpiT; Mon, 18 Sep 2017 02:08:33 -0700 (PDT)
Received: from relais-inet.orange.com (mta136.mail.business.static.orange.com [80.12.70.36]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5ECBF132932; Mon, 18 Sep 2017 02:08:33 -0700 (PDT)
Received: from opfednr02.francetelecom.fr (unknown [xx.xx.xx.66]) by opfednr21.francetelecom.fr (ESMTP service) with ESMTP id 8F924C0204; Mon, 18 Sep 2017 11:08:31 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.34]) by opfednr02.francetelecom.fr (ESMTP service) with ESMTP id 6FBFA120063; Mon, 18 Sep 2017 11:08:31 +0200 (CEST)
Received: from OPEXCLILM21.corporate.adroot.infra.ftgroup ([fe80::e92a:c932:907e:8f06]) by OPEXCLILM6F.corporate.adroot.infra.ftgroup ([fe80::bd00:88f8:8552:3349%17]) with mapi id 14.03.0361.001; Mon, 18 Sep 2017 11:08:31 +0200
From: <bruno.decraene@orange.com>
To: David Mandelberg <david@mandelberg.org>
CC: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-ospf-encapsulation-cap.all@ietf.org" <draft-ietf-ospf-encapsulation-cap.all@ietf.org>
Thread-Topic: secdir review of draft-ietf-ospf-encapsulation-cap-06
Thread-Index: AQHTHpv/cOgvm+rnt0qxeBuvpFWeWaK0xaZggAAJ/YCAANdoUIAAcJiAgARhUyA=
Date: Mon, 18 Sep 2017 09:08:30 +0000
Message-ID: <12465_1505725711_59BF8D0F_12465_296_1_53C29892C857584299CBF5D05346208A478787B1@OPEXCLILM21.corporate.adroot.infra.ftgroup>
References: <475c78dc-c872-8795-2d99-81b28df97aed@mandelberg.org> <3691_1505412243_59BAC493_3691_229_1_53C29892C857584299CBF5D05346208A47872C5B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <ae79dc6a-488a-2772-eca4-c325ea462a5f@mandelberg.org> <2597_1505460712_59BB81E8_2597_399_1_53C29892C857584299CBF5D05346208A4787384B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <656e7eb8-1bbe-5f9c-e3b6-f0bbc23737db@mandelberg.org>
In-Reply-To: <656e7eb8-1bbe-5f9c-e3b6-f0bbc23737db@mandelberg.org>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.1]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-jXzeXwpkquzg5xsLksl5nUTgqQ>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Sep 2017 09:08:35 -0000

Hi David,

> From: David Mandelberg [mailto:david@mandelberg.org]
 > Sent: Friday, September 15, 2017 5:56 PM
> 
 > On 09/15/2017 03:31 AM, bruno.decraene@orange.com wrote:
 > > Hi David,
 > >
 > >> From: David Mandelberg [mailto:david@mandelberg.org]
 > >   > However, what about confidentiality? Does the extension make it easier
 > >   > for an attacker to read packets they wouldn't otherwise be able to read?
 > >   > (I'm not at all convinced the extension does have a problem there. I
 > >   > just think it's plausible enough that it would nice to see an
 > >   > explanation of why it's not a problem.)
 > >
 > > Regarding confidentiality, I can think of 3 things:
 > > a) This extension can introduce packet encapsulation. This does not affect whether
 > encapsulated packet was encrypted or whether the transport infrastructure provide encryption
 > (e.g. MACSEC)
 > > b) Although this is not currently the case, this extension could be extended to advertise tunnel
 > with encryption capability. In this case, the attacker could change the tunnel properties to remove
 > the encryption
 > > c) Specific tunnels could be advertised in order to route packet over a specific link that an
 > attacker is monitoring.
 > >
 > > Do you think that some of these points would be worse mentioning? If so I could write some
 > text to cover those.
 > 
 > I don't think (a) affects security at all, and I think (b) is probably
 > out of scope for this document. For (b), I think the hypothetical
 > document describing the encryption capability would have some work to do
 > explaining how it's secure, but I don't see any reason to do that work
 > in this document.

Ok. Good.
 
 > (c) is the one that I think is worth looking into. E.g., does this new
 > extension make it easier for an attacker to route a packet across AS
 > boundaries, by setting a tunnel endpoint outside of the OSPF-routed network?
 
No. The following text already prohibits even more than this:

"  A tunnel MUST NOT be
      used if there is no route toward the IP address specified in the
      Endpoint Sub-TLV (See <xref target="EndpointTLV"/>) or if the route is
      not advertised by the router advertising this Tunnel Sub-TLV."

- By definition, this Tunnel Sub-TLV is advertised in OSPF i.e. from within the AS.
- The text also prohibits setting a tunnel endpoint to another router within the AS.


That being said, within the AS, the point "c" still applies.
However, thinking twice, the probability is even more limited. Indeed, one can only advertise a tunnel to itself. Assuming that the third party can't control the whole routing topology (i.e. routing advertisement from most core routers), it cannot control the path followed by the tunnel. Hence it would need to have monitoring capabilities on specific links that it cannot choose. (the link on the path to itself).
Plus this risk is not new, as the third party could already advertise the destination IP address of the packets (or of the BGP Next-hop of the BGP route matching the packet destination), without using any tunnel.
In conclusion, although I could be wrong, I'm not seeing such new risk. (again, assuming that a third party can modify the OSPF routing is a big assumption).

But the discussion was useful, thanks for the comments.

--Bruno
 > --
 > Freelance cyber security consultant, software developer, and more
 > https://david.mandelberg.org/

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.