IETF Logo Mail Archive

Re: [secdir] [sfc] Secdir last call review of draft-ietf-sfc-oam-framework

"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Sun, 26 April 2020 12:52 UTC

Return-Path: <cpignata@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B056E3A14E2; Sun, 26 Apr 2020 05:52:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.598
X-Spam-Level:
X-Spam-Status: No, score=-9.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=XBZJ9ryS; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=vqM6pEsU
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HGMggvFTqg7J; Sun, 26 Apr 2020 05:52:45 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D269C3A0C8D; Sun, 26 Apr 2020 05:52:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7250; q=dns/txt; s=iport; t=1587905565; x=1589115165; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=y8iqQJKqsv6t3StqtaLa4N5d5dRDvV6lFbr3wKC3d74=; b=XBZJ9rySg8GG5I3cG6CPheWw0Mj3gpPsI4fbyTsO06j15Ay/yHk4IwY+ tkStSFzjR8PDxxrQZCK3nyrwJQ5NWiHPABj5Qkw2oxwc6wyfuteCtaUj8 aKIck5K6vvDDtob/ivYKzSjOpu5jzSp1e5Oj5kzGiQT+A5UWHp8G2ex8X k=;
IronPort-PHdr: 9a23:XvS5/ROp0IJCi6/Shwkl6mtXPHoupqn0MwgJ65Eul7NJdOG58o//OFDEu6w/l0fHCIPc7f8My/HbtaztQyQh2d6AqzhDFf4ETBoZkYMTlg0kDtSCDBjwNP/laSUmFexJVURu+DewNk0GUMs=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ArAADPg6Ve/4gNJK1mGgEBAQEBAQEBAQMBAQEBEQEBAQICAQEBATyBNgIBAQEBCwGBU1EFbFggBAsqCoQVg0YDinKCOiWYL4FCgRADVAsBAQEMAQEYCwoCBAEBhEQCF4IPJDcGDgIDAQELAQEFAQEBAgEFBG2FKgclDIVxAQEBAQIBAQEQEREMAQErAQsBBAcEAgEGAhEEAQEDAiYCAgIlCxUICAEBBA4FGweDBAGCSwMOIAEOlQWQZwKBOYgsNXaBMoMAAQEFhSUYgg4DBoEOKgGCYocOgSCBLBqBQT+BEScMEIFPfj6CZwEBgSYKAQsHASABBzECglgygi2OK4MQiQqHZo97CoJFmAAdgluIV4wlhSSpPYNDAgQCBAUCDgEBBYFoI2ZwcBU7KgGCPj4SGA2PXoFWDBeDT4UUhUJ0NQIGAQcBAQMJfItbgTUBMF8BAQ
X-IronPort-AV: E=Sophos;i="5.73,320,1583193600"; d="scan'208";a="760279099"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by rcdn-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 26 Apr 2020 12:52:43 +0000
Received: from XCH-ALN-002.cisco.com (xch-aln-002.cisco.com [173.36.7.12]) by alln-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id 03QCqg9N023217 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Sun, 26 Apr 2020 12:52:43 GMT
Received: from xhs-aln-001.cisco.com (173.37.135.118) by XCH-ALN-002.cisco.com (173.36.7.12) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sun, 26 Apr 2020 07:52:42 -0500
Received: from xhs-aln-002.cisco.com (173.37.135.119) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sun, 26 Apr 2020 07:52:42 -0500
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-002.cisco.com (173.37.135.119) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Sun, 26 Apr 2020 07:52:41 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=dDb0ivechm1ioFtFg9qzXsc/kQcYgVymgCJNRZNaKhGRUkizH0Gen4rVyWupBBmm7a0jF4FDn2yS4I2LM18uE6v+UJ/SCyf8PbA5Kawb0g1Yhf4lTdBGx1tTHNVXxA4NgOcDN+Zm20LzOvjbts07xGp+vBHJhezql5ZrrYejtDioqeZ/t5GkNlHIO18nJV3bhRuUDdU71C+71+hcLFb5nSAgiz9kekm2ylcAj6oCkm8fs8gEoN0GMH3kMODylyQnQnd2x39ATTHie0+4/w5teG6GG2LVIOV5Dj6gqivvqYYO/ZboQppSpyAl1beeliiEteWIhhAw7TYjQVsumXXYmQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=y8iqQJKqsv6t3StqtaLa4N5d5dRDvV6lFbr3wKC3d74=; b=CtLPDC7tJzVHnOFxlO8t6V7TXJExUeug1gyJwBrSjaiu182Csvj4QKA09UIkB9Pas+7Vhacu9S/MKbK+f77WSnACQS4U5+rVs205+8ltcMRx+tlYMFsJk+TJdXiVzsRnLT51LRKvq51A9UyQLKT9+2hsXmsOedY8v0XNSC+R2xVWhm6BuNZPVFfYEnpgigVxct/7dH96ReFxoPgdOc1Los3vimw2n7hx3wz/YGpCGozA3fFQ+n7CZAz/r0XtmRTqYgR9TDJDB5GjwQbGGiWJwMdfQsXhYfq77RLsfZ8se1D5oybdN0/oECfZGcl8eOwtTQpGknzT+AdZ/KCT5FkPVg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=y8iqQJKqsv6t3StqtaLa4N5d5dRDvV6lFbr3wKC3d74=; b=vqM6pEsUqvyYh/9gi/UcJLhT11Fmz8qiYoO4pNZn/XuNDgqj1DggkwNbm8gLElEV9sznntV0o6obc5z5wB37R9okMmNT5iKAEloctdTqb9o7b+prgoRdptBQyyGyoLqI+H+zbRKHrT4xDIKCxSvioGAEv9ocrhwac8pMHUgVCA4=
Received: from BN8PR11MB3635.namprd11.prod.outlook.com (2603:10b6:408:86::20) by BN8PR11MB3634.namprd11.prod.outlook.com (2603:10b6:408:88::31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2937.22; Sun, 26 Apr 2020 12:52:39 +0000
Received: from BN8PR11MB3635.namprd11.prod.outlook.com ([fe80::9981:86d4:ca20:ff96]) by BN8PR11MB3635.namprd11.prod.outlook.com ([fe80::9981:86d4:ca20:ff96%7]) with mapi id 15.20.2937.020; Sun, 26 Apr 2020 12:52:39 +0000
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, "sfc@ietf.org" <sfc@ietf.org>, "draft-ietf-sfc-ioam-nsh.all@ietf.org" <draft-ietf-sfc-ioam-nsh.all@ietf.org>
Thread-Topic: [sfc] Secdir last call review of draft-ietf-sfc-oam-framework
Thread-Index: AdYW4VRPPDX1YR3aSqa2kbIsbH1DggD1H5cAADlwdwAAC36JgA==
Date: Sun, 26 Apr 2020 12:52:38 +0000
Message-ID: <F815121A-9754-457E-88F5-56F32B7F0200@cisco.com>
References: <CY4PR1601MB12541726BC79551C2A2EBBF0EAD40@CY4PR1601MB1254.namprd16.prod.outlook.com> <AEE6AFB3-6EE8-495F-992B-6314CBD2B6F6@cisco.com> <CY4PR1601MB1254E6CD2D9C4558EAFF21F5EAAE0@CY4PR1601MB1254.namprd16.prod.outlook.com>
In-Reply-To: <CY4PR1601MB1254E6CD2D9C4558EAFF21F5EAAE0@CY4PR1601MB1254.namprd16.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3608.80.23.2.2)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=cpignata@cisco.com;
x-originating-ip: [108.203.7.63]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 21d40610-8f45-47bf-ea97-08d7e9e0b386
x-ms-traffictypediagnostic: BN8PR11MB3634:
x-microsoft-antispam-prvs: <BN8PR11MB3634FF1E81DED0923CCE58C5C7AE0@BN8PR11MB3634.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 03853D523D
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN8PR11MB3635.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(346002)(39860400002)(396003)(136003)(376002)(366004)(6916009)(86362001)(33656002)(6486002)(966005)(8936002)(8676002)(2906002)(81156014)(71200400001)(36756003)(54906003)(2616005)(76116006)(66446008)(64756008)(186003)(26005)(6506007)(5660300002)(478600001)(6512007)(4326008)(53546011)(316002)(66476007)(66556008)(66946007); DIR:OUT; SFP:1101;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: F2u1Gn6UW7tWqKebMIM93f1YQWs6oW9YVQc7Lx+ljlMsEMTWIwbYqTPaQ51S+0DnqARLZOBWaFceMOPoDGduTjybKnuDsE6ZzKT8+IiOLli6MmAzsUEygmJRNidZhGvzDlfoHkV94fJQT5Pl5M7qAluU18l18FJazqmy0yKjeIW8Wy5XsB1PukQ+QEzI0uYV65gI5q62g7UbdsFfLemhJv7E/dUYdl+5ziN/1dovK6gDOzlIlmlswNtStj7cUVFaje0zhJEE3ca0Sp7A0JBYuN0EKmF5LAnCRa9CrHCnuzDCxM1UWukWk8zvB4xV/pQx8fmMd8eKOCNMRfH1c2e4Dvt0f6XXpD4lHD14andx5S2uULYJN8szNopDp/IkdHG8mfhw0msBJMs0uuH89G7PUTsZ/ixxoLZYN0B5TViYuRqPVtD/TtS3H+vwOQm39lY5ngP3G7Yqntbj56uQG1lX89ASatWHcuiRcMI8Snw11jvFoD7+pLoQri+R5f2SUvOzFgWTFnu6592NjrEGBFKBZQ==
x-ms-exchange-antispam-messagedata: avLrqziYfuEWnQFvxz+Urk7SesmAdgok8Ln9EBIn0r1HWRWMygTGNzSSO1yCyeRi6v4uyrchPlOPf99Bud54nysoGLw+//fCP5lee17vcBJ08GfxWk/cx/LyACdahochzdBpQqVwA6YikNNdI4k8S+TewIniKxduuTlWv0IzBM7jwnlzZiLKMpS4HYNeavYRPSKd36uJX8SPqMkN1MnF5EztbGkLokrsfAsR1kmBoLJ2/Z1wzYHIi/yb0dSedyGdmMSqIYE21zOQXK10ZxFFKKjD4ei0jVOYEAs/swNRyJ0s+kW/Qf20+ffnYr7nnmQjWfQLhU23WrJAKq9DZlnXL0j3qkPvgJgrjBKp8nSu2n7Xg05rTz01JDS2lkkxzYnM19jKUu+A1yNfBKLZRqKB6SQ63Ywp8KV9+E2nOEe8UckcpsM7hk6bFHEeWCXr2bi9whS816R+yzXUYT7lSh5++HFJXsAn6BTk9z/KjktZDL28xk4JFf6q/YBSf97LFw6XWS8CZLtkeWupYviUUYIzKR+8nlMVZlVBe4Nx9gmJ2NeBdad0OL/+ramZ93mBJ/BQjnmbf16m0a1YiLjQSFMU1h0u+NKkCSf+NAA+hGf8i4ZntoNXSkVq6Ua2Y+E9hZfLJXB44LpAWUg8/ZYeuprbOVxBlt9fEHQLwsV1DFdwAvh0sabneaRfFd5AdBngD3+hPndkKaRhrWyO/EHsZVvl0Qajb4LdA+W1oziKaGyX+lk87WFOcHMBNz9TB3h3BIX8PCxGj6yrbP/O32GWTpeamZgak5UErEt17+MHWeNxxGs=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <8C2FBE49E77CB74A926ABA3E1B861BEE@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 21d40610-8f45-47bf-ea97-08d7e9e0b386
X-MS-Exchange-CrossTenant-originalarrivaltime: 26 Apr 2020 12:52:38.8005 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: tDLBwXEkWeea8D77GMx/4+Y3jbG1DbBzPvWBfV3moxYRUgdqpxxhD0DqTjIXsYI7x4aToxsLinpgh3tGRWEYVA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR11MB3634
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.12, xch-aln-002.cisco.com
X-Outbound-Node: alln-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/36D1MaNTToYvG3qC_AQJKNk7Od4>
Subject: Re: [secdir] [sfc] Secdir last call review of draft-ietf-sfc-oam-framework
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 26 Apr 2020 12:52:48 -0000

Hi, Tiru,

I think we are on the same page — see inline.

> 2020/04/26 午前3:23、Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>のメール:
> 
> Hi Carlos,
> 
> Please see inline 
> 
>> -----Original Message-----
>> From: Carlos Pignataro (cpignata) <cpignata@cisco.com>
>> Sent: Saturday, April 25, 2020 9:29 AM
>> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
>> Cc: secdir@ietf.org; sfc@ietf.org; draft-ietf-sfc-ioam-nsh.all@ietf.org
>> Subject: Re: [sfc] Secdir last call review of draft-ietf-sfc-oam-framework
>> 
>> CAUTION: External email. Do not click links or open attachments unless you
>> recognize the sender and know the content is safe.
>> 
>> Hi, Tiru,
>> 
>> Many thanks for the review, and great to hear from you!
>> 
>> I hope all is well — Please see inline.
> 
> Thanks, I’m fine, and I hope all is well with you too.

:-)

> 
>> 
>>> 2020/04/20 午前3:28、Konda, Tirumaleswar Reddy
>> <TirumaleswarReddy_Konda@McAfee.com>のメール:
>>> 
>>> Reviewer: Tirumaleswar Reddy
>>> Review result: Ready with issues
>>> 
>>> 
>>> I reviewed this document as part of the security directorate's ongoing
>>> effort to review all IETF documents entering the IESG..  These comments
>> are directed at the security area director(s).  Document editors and WG
>> chairs should treat these comments like any other last call comments.
>>> 
>>> This document provides a reference framework for OAM for SFC.
>>> 
>>> Comments:
>>> 
>>> 1. The document in Section 8 discusses various attacks (including both
>>> security and privacy) but does not discuss any protection mechanisms
>> other than proposing rate-limiting.  It is suggesting drafts proposing the OAM
>> solution should address the attacks but I don’t see any security mechanisms
>> discussed in draft-ietf-sfc-ioam-nsh to address the attacks.
>>> 
>> 
>> Since the document already clarifies that it does not define solutions, it
>> cannot define security consideration for those solutions, beyond saying that
>> those solutions ought to address security considerations in those areas. Any
>> security measures must be included and explained in the respective solution
>> document. I believe this comment requires potentially action on draft-ietf-
>> sfc-ioam-nsh but not on this draft.
> 
> Yup. I see three solutions from SFC WG a) sfc-ioam-nsh b) ietf-sfc-proof-of-transit (Experimental) c) penno-sfc-trace (Expired). sfc-ioam-nsh is the only current standards track specification and it should address these attacks.

Agreed.

Checking draft-ietf-sfc-ioam-nsh, it does not have a pointer to draft-ietf-sfc-oam-framework. I believe a Reference should be added, with a citation capturing your comment.


> 
>> 
>> That said you are right regarding the specifics of the rate-liming
>> recommendation. See the next answer for text.
>> 
>> Also, in re-reading Section 8, seems like this:
>> 
>>   To address the above concerns, SFC and SF OAM may provide mechanism
>>   for:
>> 
>> 
>> Should say
>> 
>>   To address the above concerns, SFC and SF OAM should provide
>> mechanisms
>>   for preventing:
> 
> Yes.

Will make this change.

> 
>> 
>> 
>> 
>>> 2. More discussion is required on the internal attacks.
>>> (a) How are attack packets bypassing SFC detected and blocked ?
>>> (b) How is sensitive information protected from eavesdroppers ?
>>> (c) How is DoS/DDoS attack of misusing the OAM channel is mitigated ?
>>> (d) Rate-limiting blocks both good and bad OAM probes and is a weak
>> mitigation strategy. Anomaly detection (e.g., deep learning techinques) and
>> identifying the attacker look like a better strategy.
>>> 
>> 
>> 
>> This is a good point. How about.
>> 
>> OLD:
>> 
>>   The documents proposing the OAM solution for SF component should
>>   consider rate-limiting the OAM probes at a frequency guided by the
>>   implementation choice.  Rate-limiting may be applied at the SFF or
>>   the SF . The OAM initiator may not receive a response for the probes
>>   that are rate-limited resulting in false negatives and the
>>   implementation should be aware of this.
>> 
>> 
>> NEW:
>> 
>> 
>>   The documents proposing the OAM solution for SF component should
>>   consider rate-limiting the OAM probes at a frequency guided by the
>>   implementation choice.  Rate-limiting may be applied at the SFF or
>>   the SF.  The OAM initiator may not receive a response for the probes
>>   that are rate-limited resulting in false negatives and the
>>   implementation should be aware of this. To mitigate any attacks that
>>   Leverage OAM packets, future documents proposing OAM solutions
>>   should describe the use of any techniques to detect
>>   and mitigate anomalies and various security  attacks.
> 
> Works for me.
> 

Great. We will make this change as well.

Thanks!

Carlos.

> Cheers,
> -Tiru
> 
>> 
>> 
>> Would that work?
>> 
>> Please feel free to suggest textual improvements or changes.
>> 
>> Thanks,
>> 
>> Carlos.
>> 
>>> Cheers,
>>> -Tiru
>>> _______________________________________________
>>> sfc mailing list
>>> sfc@ietf.org
>>> https://www.ietf.org/mailman/listinfo/sfc
>

v2.23.0 | Report a Bug | By Email