Re: [secdir] [sfc] Secdir last call review of draft-ietf-sfc-oam-framework

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 28 April 2020 05:26 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "Nagendra Kumar Nainar (naikumar)" <naikumar@cisco.com>, "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-sfc-oam-framework@ietf.org" <draft-ietf-sfc-oam-framework@ietf.org>
Thread-Topic: [sfc] Secdir last call review of draft-ietf-sfc-oam-framework
Thread-Index: AdYW4VRPPDX1YR3aSqa2kbIsbH1DggD1H3GAADj+SVAAOXNWAAAlebMQ
Date: Tue, 28 Apr 2020 05:26:31 +0000
Message-ID: <CY4PR1601MB1254CADC9C21C9A205CFDF33EAAC0@CY4PR1601MB1254.namprd16.prod.outlook.com>
References: <CY4PR1601MB12541726BC79551C2A2EBBF0EAD40@CY4PR1601MB1254.namprd16.prod.outlook.com> <AEE6AFB3-6EE8-495F-992B-6314CBD2B6F6@cisco.com> <CY4PR1601MB1254E6CD2D9C4558EAFF21F5EAAE0@CY4PR1601MB1254.namprd16.prod.outlook.com> <760DA3B5-3B10-4786-8EC9-B107BFEBAC28@cisco.com>
In-Reply-To: <760DA3B5-3B10-4786-8EC9-B107BFEBAC28@cisco.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/z1NQAR0iLn6Aq1XbvvWJFJ6O9bI>
Subject: Re: [secdir] [sfc] Secdir last call review of draft-ietf-sfc-oam-framework

Hi Nagendra,

You may want to update the following line:

OLD:
To address the above concerns, SFC and SF OAM should provide mechanisms for: 
NEW:
To address the above concerns, SFC and SF OAM should provide mechanisms for preventing:

Rest of the changes look good.

Cheers,
-Tiru

> -----Original Message-----
> From: Nagendra Kumar Nainar (naikumar) <naikumar@cisco.com>
> Sent: Monday, April 27, 2020 8:06 PM
> To: Konda, Tirumaleswar Reddy
> <TirumaleswarReddy_Konda@McAfee.com>; Carlos Pignataro (cpignata)
> <cpignata@cisco.com>
> Cc: secdir@ietf.org; draft-ietf-sfc-oam-framework@ietf.org
> Subject: Re: [sfc] Secdir last call review of draft-ietf-sfc-oam-framework
> 
> Hi Tirumaleswar,
> 
> Hope you are doing good.
> 
> Thank you for the review and the comments/suggestions. Please find the
> diff attached that incorporates the comments.
> 
> We will submit the new version with the changes. Let us know if you have
> any further comments.
> 
> Thanks,
> Nagendra
> 
> On 4/26/20, 3:24 AM, "sfc on behalf of Konda, Tirumaleswar Reddy"
> <sfc-bounces@ietf.org on behalf of TirumaleswarReddy_Konda@McAfee.com> wrote:
> 
>     Hi Carlos,
> 
>     Please see inline
> 
>     > -----Original Message-----
>     > From: Carlos Pignataro (cpignata) <cpignata@cisco.com>
>     > Sent: Saturday, April 25, 2020 9:29 AM
>     > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
>     > Cc: secdir@ietf.org; sfc@ietf.org; draft-ietf-sfc-ioam-nsh.all@ietf.org
>     > Subject: Re: [sfc] Secdir last call review of draft-ietf-sfc-oam-framework
>     >
>     > Hi, Tiru,
>     >
>     > Many thanks for the review, and great to hear from you!
>     >
>     > I hope all is well — Please see inline.
> 
>     Thanks, I’m fine, and I hope all is well with you too.
> 
>     >
>     > > On 2020/04/20 at 3:28 AM, Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com> wrote:
>     > >
>     > > Reviewer: Tirumaleswar Reddy
>     > > Review result: Ready with issues
>     > >
>     > >
>     > > I reviewed this document as part of the security directorate's ongoing
>     > > effort to review all IETF documents entering the IESG.  These comments
>     > > are directed at the security area director(s).  Document editors and WG
>     > > chairs should treat these comments like any other last call comments.
>     > >
>     > > This document provides a reference framework for OAM for SFC.
>     > >
>     > > Comments:
>     > >
>     > > 1. The document in Section 8 discusses various attacks (including both
>     > > security and privacy) but does not discuss any protection mechanisms
>     > > other than proposing rate-limiting.  It is suggesting drafts proposing the
>     > > OAM solution should address the attacks but I don’t see any security
>     > > mechanisms discussed in draft-ietf-sfc-ioam-nsh to address the attacks.
>     > >
>     >
>     > Since the document already clarifies that it does not define solutions, it
>     > cannot define security consideration for those solutions, beyond saying that
>     > those solutions ought to address security considerations in those areas. Any
>     > security measures must be included and explained in the respective solution
>     > document. I believe this comment requires potentially action on
>     > draft-ietf-sfc-ioam-nsh but not on this draft.
> 
>     Yup. I see three solutions from SFC WG a) sfc-ioam-nsh b) ietf-sfc-proof-of-transit
>     (Experimental) c) penno-sfc-trace (Expired). sfc-ioam-nsh is the only current
>     standards track specification and it should address these attacks.
> 
>     >
>     > That said you are right regarding the specifics of the rate-limiting
>     > recommendation. See the next answer for text.
>     >
>     > Also, in re-reading Section 8, seems like this:
>     >
>     >    To address the above concerns, SFC and SF OAM may provide mechanism
>     >    for:
>     >
>     >
>     > Should say
>     >
>     >    To address the above concerns, SFC and SF OAM should provide mechanisms
>     >    for preventing:
> 
>     Yes.
> 
>     >
>     >
>     >
>     > > 2. More discussion is required on the internal attacks.
>     > > (a) How are attack packets bypassing SFC detected and blocked?
>     > > (b) How is sensitive information protected from eavesdroppers?
>     > > (c) How is a DoS/DDoS attack misusing the OAM channel mitigated?
>     > > (d) Rate-limiting blocks both good and bad OAM probes and is a weak
>     > > mitigation strategy. Anomaly detection (e.g., deep learning techniques) and
>     > > identifying the attacker look like a better strategy.
>     > >
>     >
>     >
>     > This is a good point. How about.
>     >
>     > OLD:
>     >
>     >    The documents proposing the OAM solution for SF component should
>     >    consider rate-limiting the OAM probes at a frequency guided by the
>     >    implementation choice.  Rate-limiting may be applied at the SFF or
>     >    the SF . The OAM initiator may not receive a response for the probes
>     >    that are rate-limited resulting in false negatives and the
>     >    implementation should be aware of this.
>     >
>     >
>     > NEW:
>     >
>     >
>     >    The documents proposing the OAM solution for SF component should
>     >    consider rate-limiting the OAM probes at a frequency guided by the
>     >    implementation choice.  Rate-limiting may be applied at the SFF or
>     >    the SF.  The OAM initiator may not receive a response for the probes
>     >    that are rate-limited resulting in false negatives and the
>     >    implementation should be aware of this. To mitigate any attacks that
>     >    leverage OAM packets, future documents proposing OAM solutions
>     >    should describe the use of any techniques to detect
>     >    and mitigate anomalies and various security attacks.
> 
>     Works for me.
> 
>     Cheers,
>     -Tiru
> 
>     >
>     >
>     > Would that work?
>     >
>     > Please feel free to suggest textual improvements or changes.
>     >
>     > Thanks,
>     >
>     > Carlos.
>     >
>     > > Cheers,
>     > > -Tiru
>     > > _______________________________________________
>     > > sfc mailing list
>     > > sfc@ietf.org
>     > > https://www.ietf.org/mailman/listinfo/sfc
> 
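The rate-limiting text discussed in the quoted thread says the SFF or SF may rate-limit OAM probes and that the initiator then sees missing responses (false negatives). The simulation below, added here as an illustration and not code from the draft, the thread or the SFC working group, makes that failure mode concrete: one token bucket shared by all initiators lets a flooding source starve a well-behaved initiator completely, while a bucket per source keeps the same limit and still answers every legitimate probe. The initiator names, probe rates and bucket parameters are constructed for the example; time is kept in integer milliseconds so the result is exact.

```python
"""Rate limiting OAM probes at an SFF and the false negatives it causes.

Constructed simulation; not code from the draft, the thread or the SFC WG.
An SFF answers an OAM probe only when a token bucket permits it.  Time is
kept in integer milliseconds and tokens in integer milli-tokens so the run
is exact and reproducible.
"""
from collections import defaultdict
from dataclasses import dataclass

TOKEN = 1000  # one probe costs one token, stored as 1000 milli-tokens


@dataclass
class TokenBucket:
    rate_per_s: int  # tokens added per second (equals milli-tokens per ms)
    burst: int       # capacity in tokens

    def __post_init__(self):
        self.tokens = self.burst * TOKEN
        self.last_ms = 0

    def allow(self, now_ms: int) -> bool:
        # Refill in proportion to elapsed time, capped at the burst size.
        self.tokens = min(self.burst * TOKEN,
                          self.tokens + (now_ms - self.last_ms) * self.rate_per_s)
        self.last_ms = now_ms
        if self.tokens >= TOKEN:
            self.tokens -= TOKEN
            return True
        return False


@dataclass(frozen=True)
class Probe:
    t_ms: int  # arrival time at the SFF
    src: str   # OAM initiator identity (constructed label standing in for a source address)


def probe_stream(src, period_ms, offset_ms, duration_ms):
    """One initiator sending a probe every period_ms, starting at offset_ms."""
    return [Probe(t, src) for t in range(offset_ms, duration_ms, period_ms)]


def sff_answer(probes, limiter):
    """Feed probes to the SFF in arrival order.

    limiter(probe) -> bool decides whether the probe is answered.
    Returns (answered, dropped) as per-source counts.  Dropped probes of a
    well-behaved initiator are the false negatives the draft warns about:
    the path is healthy, but the initiator receives no response.
    """
    answered, dropped = defaultdict(int), defaultdict(int)
    for p in sorted(probes, key=lambda p: p.t_ms):
        if limiter(p):
            answered[p.src] += 1
        else:
            dropped[p.src] += 1
    return dict(answered), dict(dropped)


def global_limiter(rate_per_s, burst):
    """One bucket shared by all initiators: a noisy source can starve the rest."""
    bucket = TokenBucket(rate_per_s, burst)
    return lambda p: bucket.allow(p.t_ms)


def per_source_limiter(rate_per_s, burst):
    """One bucket per initiator: each source is bounded independently."""
    buckets = {}

    def allow(p):
        if p.src not in buckets:
            buckets[p.src] = TokenBucket(rate_per_s, burst)
        return buckets[p.src].allow(p.t_ms)
    return allow


def run_scenario(limiter):
    """Constructed traffic for one minute: a well-behaved initiator probing
    once per second and a misbehaving source sending 200 probes per second."""
    legit = probe_stream("initiator-A", period_ms=1000, offset_ms=50, duration_ms=60_000)
    noisy = probe_stream("flood-B", period_ms=5, offset_ms=3, duration_ms=60_000)
    return sff_answer(legit + noisy, limiter)


if __name__ == "__main__":
    for name, factory in (("global", global_limiter), ("per-source", per_source_limiter)):
        answered, dropped = run_scenario(factory(rate_per_s=10, burst=10))
        print(f"{name:10s} answered={answered} dropped={dropped}")
```

With a 10 probes/s, burst 10 bucket, the shared limiter answers none of initiator-A's 60 probes (all 60 are false negatives) while still letting 609 of the flood through; the per-source limiter answers all 60 and the same 609. Two design points follow: per-source buckets bound each initiator but not the aggregate, so an SFF still needs an overall cap, and the per-source drop counters are exactly the signal that the reviewer's "identify the attacker" suggestion needs, since the source with thousands of drops stands out from the one with none.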