Re: [secdir] secdir review of draft-ietf-lisp-gpe
Fabio Maino <fmaino@cisco.com> Thu, 13 September 2018 00:12 UTC
Return-Path: <fmaino@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29BFD130ED7; Wed, 12 Sep 2018 17:12:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6MB6jaKGxCGU; Wed, 12 Sep 2018 17:12:31 -0700 (PDT)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41BB3130ED4; Wed, 12 Sep 2018 17:12:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4726; q=dns/txt; s=iport; t=1536797551; x=1538007151; h=subject:to:references:from:message-id:date:mime-version: in-reply-to:content-transfer-encoding; bh=j70G41yBHmlbM+1AjIKEL8s0zTIcRZGFwnXLLxe4oBY=; b=QFRKcliI0q8/gn/YIUFUy1eOI5hZE3pKq31lYNDNIhiNDIF4sLS5iCU+ U37Z38OI0CeT4V4rSVBY9FU227w6sInLk4N0Wl6a8fl5DgpqcujmDFhS8 Z2t+/vNE5NrLEFw7hLEAFo9f218I8gXHB6d/outKb2fEzM/H3ZV8VSvnP g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0C0AABPqplb/4MNJK1bGgEBAQEBAgEBAQEIAQEBAYFQgVcvZX8og3KWES2WPYF6CyOBMwGDFQKDTSE2FgECAQECAQECbRwMhTgBAQEBAgEjDwEFUQsYAgImAgJXBgEMCAEBgx0BgXkID6VtgS6EcoUYBYELhxSCSBeBQT+BEieCa4MbAQECAYRfglcCjjuNGUwJhjuJSQYXgUGEQ4JbhhyLRYhbgUkFLIFVMxoIGxU7gm2LFIVeHzABjnsBAQ
X-IronPort-AV: E=Sophos;i="5.53,366,1531785600"; d="scan'208";a="170951050"
Received: from alln-core-1.cisco.com ([173.36.13.131]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Sep 2018 00:12:30 +0000
Received: from [10.24.77.250] ([10.24.77.250]) by alln-core-1.cisco.com (8.15.2/8.15.2) with ESMTP id w8D0CTXR011837; Thu, 13 Sep 2018 00:12:30 GMT
To: Christopher Wood <christopherwood07@gmail.com>, The IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-lisp-gpe.all@ietf.org
References: <CAO8oSXkv2RAL5w8oG4yY7EZNujsc+nZYmaf+OdCjOzmkY2dnTg@mail.gmail.com>
From: Fabio Maino <fmaino@cisco.com>
Message-ID: <7aedf62f-780b-6ebd-16eb-d7c2031be91d@cisco.com>
Date: Wed, 12 Sep 2018 17:12:29 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <CAO8oSXkv2RAL5w8oG4yY7EZNujsc+nZYmaf+OdCjOzmkY2dnTg@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Outbound-SMTP-Client: 10.24.77.250, [10.24.77.250]
X-Outbound-Node: alln-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/5mMVNmjOcykk-qtQxwUZEjUJop0>
Subject: Re: [secdir] secdir review of draft-ietf-lisp-gpe
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Sep 2018 00:12:34 -0000
Hi Christopher, thanks for your review. Please see below how I would like to address your comment. On 9/9/18 11:26 AM, Christopher Wood wrote: > Hello, > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > The summary of my review is: Ready with issues. > > The proposed extension mechanism is simple to understand. However, my > main concern is regarding the nonce size reduction and implications on > LISP. While the threat models (on-path and off-path) do not change > with this extension, the probability of some off-path attacks might > change. Specifically, the probability of correctly guessing a 16 bit > nonce is not negligible. This might make attacks in which an adversary > tries to convince an ITR of reachability to an otherwise unreachable > ETR more likely. From [1], an ITR that sees the nonce echoed correctly > “knows that the path to and from the ETR is up.” Thus, I think some > discussion of this is necessary in the security considerations. Good point. I'll add the following text to the Security Section, after the very first paragraph: "The Echo Nonce Algorithm described in [I-D.ietf-lisp-rfc6830bis] relies on the nonce to detect reachability from ITR to ETR. In LISP-GPE the use of a 16-bit nonce, compared with the 24-bit nonce used in LISP, increases the probability of an off-path attacker to correctly guess the nonce and force the ITR to believe that a non-reachable RLOC is reachable. However, the use of common anti-spoofing mechanisms such as uRPF prevents this form of attack." > > Beyond that, I have the following minor comments and nits: > > - UDP checksums seem to be the only mechanism in place that give ITRs > and ETRs a means of checking datagram integrity. Of course, this means > an on-path adversary can muck with the g-Bit from Section 4.1 so as to > prevent use of the GPE mechanism. This is not new with this extension, > though a comment on the issue might be useful, e.g., in the security > considerations. I will add this paragraph to the security section: "LISP-GPE, as many encapsulations that use optional extensions, is subject to on-path adversaries that by manipulating the g-Bit and the packet itself can remove part of the payload. Typical integrity protection mechanisms (such as IPsec) SHOULD be used in combination with LISP-GPE by those protocol extensions that want to protect from on-path attackers." > - It would be helpful to include packet diagrams similar to Figure 2 > wherein (1) P and V are set and (2) only P is set. While I don’t find > the text misleading or confusing, a figure might help other readers. > > 0 1 2 3 > 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > |N|L|E|1|I|1|K|K| Source MV | Dest MV | Next Protocol | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > | Instance ID/Locator-Status-Bits | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > 0 1 2 3 > 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > |0|L|0|0|I|1|K|K| ... 0 ... | Next Protocol | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > | Instance ID/Locator-Status-Bits | > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ I'd prefer to use diagrams that are congruent with those used in RFC6830bis. I'll defer this comment to the authors of RFC6830bis, and follow whatever convention they will decide to follow. > > - In Section 4, where it states, "A LISP-GPE router MUST NOT > encapsulate non-IP packets to a non LISP-GPE capable router," I might > replace "to a non LIST-GPE capable router" with "when the P-bit is set > to 0." I will use the following text: "A LISP-GPE router MUST NOT encapsulate non-IP packets (that have the P-bit set to 1) to a non-LISP-GPE capable router." Thanks, Fabio > > [1] https://tools.ietf.org/html/draft-ietf-lisp-rfc6830bis-16#section-10.1
- [secdir] secdir review of draft-ietf-lisp-gpe Christopher Wood
- Re: [secdir] secdir review of draft-ietf-lisp-gpe Fabio Maino
- Re: [secdir] secdir review of draft-ietf-lisp-gpe Christopher Wood