Re: [secdir] [sfc] Secdir last call review of draft-ietf-sfc-oam-framework

"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Sat, 25 April 2020 03:58 UTC

From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, "sfc@ietf.org" <sfc@ietf.org>, "draft-ietf-sfc-ioam-nsh.all@ietf.org" <draft-ietf-sfc-ioam-nsh.all@ietf.org>
Thread-Topic: [sfc] Secdir last call review of draft-ietf-sfc-oam-framework
Thread-Index: AdYW4VRPPDX1YR3aSqa2kbIsbH1DggD1H3GA
Date: Sat, 25 Apr 2020 03:58:48 +0000
Message-ID: <AEE6AFB3-6EE8-495F-992B-6314CBD2B6F6@cisco.com>
References: <CY4PR1601MB12541726BC79551C2A2EBBF0EAD40@CY4PR1601MB1254.namprd16.prod.outlook.com>
In-Reply-To: <CY4PR1601MB12541726BC79551C2A2EBBF0EAD40@CY4PR1601MB1254.namprd16.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/6QWbVtmVrfG7kHeflaeohFYLLgk>
Subject: Re: [secdir] [sfc] Secdir last call review of draft-ietf-sfc-oam-framework

Hi, Tiru,

Many thanks for the review, and great to hear from you!

I hope all is well. Please see inline.

> On 2020/04/20 at 3:28 AM, Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com> wrote:
> 
> Reviewer: Tirumaleswar Reddy
> Review result: Ready with issues
>  
>  
> I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents entering the IESG.  These comments are directed at the security area director(s).  Document editors and WG chairs should treat
> these comments like any other last call comments.
>  
> This document provides a reference framework for OAM for SFC.
>  
> Comments:
>  
> 1. The document in Section 8 discusses various attacks (including both security and privacy) but does not discuss any protection mechanisms other than proposing rate-limiting.  It is suggesting drafts proposing the OAM solution should address the attacks but I don’t see any security 
> mechanisms discussed in draft-ietf-sfc-ioam-nsh to address the attacks.
>  

Since the document already clarifies that it does not define solutions, it cannot define security considerations for those solutions, beyond saying that those solutions ought to address security considerations in those areas. Any security measures must be included and explained in the respective solution document. I believe this comment potentially requires action on draft-ietf-sfc-ioam-nsh but not on this draft.

That said, you are right regarding the specifics of the rate-limiting recommendation. See the next answer for text.

Also, in re-reading Section 8, it seems like this:

   To address the above concerns, SFC and SF OAM may provide mechanism
   for:


Should say

   To address the above concerns, SFC and SF OAM should provide mechanisms
   for preventing:



> 2. More discussion is required on the internal attacks.
> (a) How are attack packets bypassing SFC detected and blocked?
> (b) How is sensitive information protected from eavesdroppers?
> (c) How is a DoS/DDoS attack misusing the OAM channel mitigated?
> (d) Rate-limiting blocks both good and bad OAM probes and is a weak mitigation strategy. Anomaly detection (e.g., deep learning techniques) and identifying the attacker look like a better strategy.
>  


This is a good point. How about:

OLD:

   The documents proposing the OAM solution for SF component should
   consider rate-limiting the OAM probes at a frequency guided by the
   implementation choice.  Rate-limiting may be applied at the SFF or
   the SF . The OAM initiator may not receive a response for the probes
   that are rate-limited resulting in false negatives and the
   implementation should be aware of this.


NEW:

 
   The documents proposing the OAM solution for SF component should
   consider rate-limiting the OAM probes at a frequency guided by the
   implementation choice.  Rate-limiting may be applied at the SFF or
   the SF.  The OAM initiator may not receive a response for the probes
   that are rate-limited resulting in false negatives and the
   implementation should be aware of this.  To mitigate any attacks that
   leverage OAM packets, future documents proposing OAM solutions
   should describe the use of any techniques to detect
   and mitigate anomalies and various security attacks.


Would that work?

Please feel free to suggest textual improvements or changes.

Thanks,

Carlos.

> Cheers,
> -Tiru
> _______________________________________________
> sfc mailing list
> sfc@ietf.org
> https://www.ietf.org/mailman/listinfo/sfc