[secdir] Secdir review of draft-ietf-mpls-rfc4379bis-07
Vincent Roca <vincent.roca@inria.fr> Fri, 21 October 2016 08:13 UTC
Return-Path: <vincent.roca@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A38A3129521; Fri, 21 Oct 2016 01:13:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.33
X-Spam-Level:
X-Spam-Status: No, score=-7.33 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.431] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VFN_eXnHG6-o; Fri, 21 Oct 2016 01:13:12 -0700 (PDT)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E71C1294F4; Fri, 21 Oct 2016 01:13:11 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.31,375,1473112800"; d="asc'?scan'208,217";a="241724985"
Received: from dom38-1-82-236-155-50.fbx.proxad.net (HELO [192.168.1.133]) ([82.236.155.50]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-SHA; 21 Oct 2016 10:13:09 +0200
From: Vincent Roca <vincent.roca@inria.fr>
X-Pgp-Agent: GPGMail
Content-Type: multipart/signed; boundary="Apple-Mail=_F335C447-FDBE-4867-9730-78C6CF79696D"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Date: Fri, 21 Oct 2016 10:13:06 +0200
Message-Id: <E1052DB3-20AB-4A0B-9869-927E0CADAFDA@inria.fr>
To: IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-mpls-rfc4379bis.all@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/3uDs_37Imxu1HWz1uruTtnu7AzE>
Subject: [secdir] Secdir review of draft-ietf-mpls-rfc4379bis-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2016 08:13:15 -0000
Hello, I have reviewed this document as part of the security directorate’s ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. IMHO, the document is Ready with issues. I have two main comments: 1- This document has an interesting security considerations section. However it lacks some key information. First of all, there is no attacker model. Is the threat coming from corrupted equipment? Do we assume those attackers have full control over the equipment and flows? Are attackers on path or off path? Clarifying these points (it's not an exhaustive list) would help structuring the discussion on a case by case basis. 2- Something else to clarify: I have the feeling (after quickly searching integrity/ authentication/HMAC/... keywords in the doc) that is no message integrity nor sender authentication mechanism in the echo request/response detailed here. If the attacker model also includes a full control of LSR, nothing can be done to prevent some attacks. Please clarify. And a few additional ones: 3- First sentence says: "Overall, the security needs for LSP ping are similar to those of ICMP ping." Such debugging tools as ping and traceroute (not speaking of MPLS version here) have an efficiency that heavily relies on (sometimes arbitrary) decisions made by the system administrators whose security policies lead to total or partial blackholes. Hence my questions: is the situation similar with MPLS or can we expect more homogeneous and favorable security policies (e.g., because there's a limited number of administrative domains, or because we are not relying on an ICMP mechanism any more, or because the present document is more directive on what a system administrator should authorize/block/limit)? This could change a lot the security aspects and the potential impacts on the debugging tools. 4- Later it is said: "To avoid potential Denial-of-Service attacks, it is RECOMMENDED that implementations regulate the LSP ping traffic going to the control plane. A rate limiter SHOULD be applied to the well-known UDP port defined below." - Do you mean port 3503? It is mentionned but not defined below in this section. Wording should be adjusted. - It is not clear to me by reading this sentence if it concerns the sender (who sends traffic to the control plane) or forwarding nodes, which I guess are the target. In other words, "going to the control plane" is somewhat ambiguous. 5- Then: "To protect against unauthorized sources using MPLS echo request messages to obtain network information, it is RECOMMENDED that implementations provide a means of checking the source addresses of MPLS echo request messages against an access list before accepting the message." Are ACL efficient in this context? If an attacker can forge the source address, it's not. Unless some cryptographic mechanism is used, there's little hope to provide a secure ping service. This is a follow up of comment 1. - Typo: "...an implementation MAY also validate the TimeStamp Sent by requiring an exact match on this field." Sent => sent. Cheers, Vincent
- [secdir] Secdir review of draft-ietf-mpls-rfc4379… Vincent Roca
- Re: [secdir] Secdir review of draft-ietf-mpls-rfc… Carlos Pignataro (cpignata)