Re: [secdir] [sfc] Secdir last call review of draft-ietf-sfc-oam-framework
"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 28 April 2020 05:26 UTC
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "Nagendra Kumar Nainar (naikumar)" <naikumar@cisco.com>, "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-sfc-oam-framework@ietf.org" <draft-ietf-sfc-oam-framework@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/z1NQAR0iLn6Aq1XbvvWJFJ6O9bI>
Hi Nagendra,

You may want to update the following line:

OLD: To address the above concerns, SFC and SF OAM should provide mechanisms for:

NEW: To address the above concerns, SFC and SF OAM should provide mechanisms for preventing:

Rest of the changes look good.

Cheers,
-Tiru

> -----Original Message-----
> From: Nagendra Kumar Nainar (naikumar) <naikumar@cisco.com>
> Sent: Monday, April 27, 2020 8:06 PM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Carlos Pignataro (cpignata) <cpignata@cisco.com>
> Cc: secdir@ietf.org; draft-ietf-sfc-oam-framework@ietf.org
> Subject: Re: [sfc] Secdir last call review of draft-ietf-sfc-oam-framework
>
> Hi Tirumaleswar,
>
> Hope you are doing good.
>
> Thank you for the review and the comments/suggestions. Please find the diff attached that incorporates the comments.
>
> We will submit the new version with the changes. Let us know if you have any further comments.
>
> Thanks,
> Nagendra
>
> On 4/26/20, 3:24 AM, "sfc on behalf of Konda, Tirumaleswar Reddy" <sfc-bounces@ietf.org on behalf of TirumaleswarReddy_Konda@McAfee.com> wrote:
>
> Hi Carlos,
>
> Please see inline
>
> > -----Original Message-----
> > From: Carlos Pignataro (cpignata) <cpignata@cisco.com>
> > Sent: Saturday, April 25, 2020 9:29 AM
> > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
> > Cc: secdir@ietf.org; sfc@ietf.org; draft-ietf-sfc-ioam-nsh.all@ietf.org
> > Subject: Re: [sfc] Secdir last call review of draft-ietf-sfc-oam-framework
> >
> > Hi, Tiru,
> >
> > Many thanks for the review, and great to hear from you!
> >
> > I hope all is well — Please see inline.
>
> Thanks, I’m fine, and I hope all is well with you too.
>
> > On 2020/04/20 at 3:28 AM, Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com> wrote:
> >
> > > Reviewer: Tirumaleswar Reddy
> > > Review result: Ready with issues
> > >
> > > I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents entering the IESG. These comments are directed at the security area director(s). Document editors and WG chairs should treat these comments like any other last call comments.
> > >
> > > This document provides a reference framework for OAM for SFC.
> > >
> > > Comments:
> > >
> > > 1. The document in Section 8 discusses various attacks (including both security and privacy) but does not discuss any protection mechanisms other than proposing rate-limiting. It is suggesting drafts proposing the OAM solution should address the attacks but I don’t see any security mechanisms discussed in draft-ietf-sfc-ioam-nsh to address the attacks.
> >
> > Since the document already clarifies that it does not define solutions, it cannot define security consideration for those solutions, beyond saying that those solutions ought to address security considerations in those areas. Any security measures must be included and explained in the respective solution document. I believe this comment requires potentially action on draft-ietf-sfc-ioam-nsh but not on this draft.
>
> Yup. I see three solutions from SFC WG a) sfc-ioam-nsh b) ietf-sfc-proof-of-transit (Experimental) c) penno-sfc-trace (Expired). sfc-ioam-nsh is the only current standards track specification and it should address these attacks.
>
> > That said you are right regarding the specifics of the rate-limiting recommendation. See the next answer for text.
> >
> > Also, in re-reading Section 8, seems like this:
> >
> >    To address the above concerns, SFC and SF OAM may provide mechanism for:
> >
> > Should say
> >
> >    To address the above concerns, SFC and SF OAM should provide mechanisms for preventing:
>
> Yes.
>
> > > 2. More discussion is required on the internal attacks.
> > > (a) How are attack packets bypassing SFC detected and blocked?
> > > (b) How is sensitive information protected from eavesdroppers?
> > > (c) How is a DoS/DDoS attack misusing the OAM channel mitigated?
> > > (d) Rate-limiting blocks both good and bad OAM probes and is a weak mitigation strategy. Anomaly detection (e.g., deep learning techniques) and identifying the attacker look like a better strategy.
> >
> > This is a good point. How about:
> >
> > OLD:
> >
> >    The documents proposing the OAM solution for SF component should consider rate-limiting the OAM probes at a frequency guided by the implementation choice. Rate-limiting may be applied at the SFF or the SF. The OAM initiator may not receive a response for the probes that are rate-limited resulting in false negatives and the implementation should be aware of this.
> >
> > NEW:
> >
> >    The documents proposing the OAM solution for SF component should consider rate-limiting the OAM probes at a frequency guided by the implementation choice. Rate-limiting may be applied at the SFF or the SF. The OAM initiator may not receive a response for the probes that are rate-limited resulting in false negatives and the implementation should be aware of this. To mitigate any attacks that leverage OAM packets, future documents proposing OAM solutions should describe the use of any techniques to detect and mitigate anomalies and various security attacks.
>
> Works for me.
>
> Cheers,
> -Tiru
>
> > Would that work?
> >
> > Please feel free to suggest textual improvements or changes.
> >
> > Thanks,
> >
> > Carlos.
> >
> > > Cheers,
> > > -Tiru
> > > _______________________________________________
> > > sfc mailing list
> > > sfc@ietf.org
> > > https://www.ietf.org/mailman/listinfo/sfc
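The rate-limiting trade-off raised in comment 2(d) and in the proposed NEW text above, as an added illustration that is not from the draft or from this thread: an SFF applies a fixed per-second limit to OAM probes either shared across all initiators or keyed per initiator, and the false-negative cost for a legitimate initiator under a flood is measured. The probe stream, the limit of 5 probes per second, and the initiator identifiers "initiator-A" and "src-X" are constructed assumptions.

```python
# Added example: SFF-side OAM probe rate limiting, shared vs per-initiator.
from collections import defaultdict

def build_stream():
    """Constructed OAM probe arrivals as (time_in_seconds, initiator_id)."""
    legit = [(k + 0.5, "initiator-A") for k in range(60)]                    # 1 probe/s
    flood = [(k + i / 50.0, "src-X") for k in range(60) for i in range(50)]  # 50 probes/s
    return sorted(legit + flood)

def fixed_window_limit(probes, limit, key=lambda src: "shared"):
    """Forward at most `limit` probes per key per 1-second window.
    Returns (forwarded probes, drop count per initiator)."""
    seen, dropped, forwarded = defaultdict(int), defaultdict(int), []
    for t, src in probes:
        window = (key(src), int(t))
        seen[window] += 1
        if seen[window] <= limit:
            forwarded.append((t, src))
        else:
            dropped[src] += 1
    return forwarded, dict(dropped)

def false_negative_rate(probes, forwarded, src):
    """Share of `src`'s probes the limiter discarded (probes left unanswered)."""
    sent = sum(1 for _, s in probes if s == src)
    got = sum(1 for _, s in forwarded if s == src)
    return 1.0 - got / sent

def flag_abusive(dropped, threshold):
    """Initiators dropped more than `threshold` times: the 'identify the attacker' step."""
    return sorted(s for s, n in dropped.items() if n > threshold)

def compare(limit=5):  # assumed SFF policy: 5 OAM probes per key per second
    probes = build_stream()
    shared, shared_drops = fixed_window_limit(probes, limit)
    per_src, per_src_drops = fixed_window_limit(probes, limit, key=lambda src: src)
    return {
        "shared_fn_rate": false_negative_rate(probes, shared, "initiator-A"),
        "per_source_fn_rate": false_negative_rate(probes, per_src, "initiator-A"),
        "shared_forwarded": len(shared),
        "per_source_forwarded": len(per_src),
        # With a shared limit the victim is dropped too, so it looks abusive as well.
        "flagged_shared": flag_abusive(shared_drops, threshold=10 * limit),
        "flagged_per_source": flag_abusive(per_src_drops, threshold=10 * limit),
    }

if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

Per-initiator keying only isolates the abuser when the initiator identity carried in the probe is authenticated; with spoofable identities a flood can spread across keys, which is why the NEW text asks solution documents to describe detection and mitigation rather than rely on the limit alone.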