Re: [secdir] SECDIR review of draft-ietf-pals-seamless-vccv-02

[Phillip Hallam-Baker <phill@hallambaker.com>]

On Wed, Apr 27, 2016 at 5:31 AM, Stewart Bryant <stewart.bryant@gmail.com>
wrote:

>
>
> On 26/04/2016 15:51, Phillip Hallam-Baker wrote:
>
> Yes, I think that what is needed is IAB review of what is going on
> rather than action on this particular draft.
>
> Sorry - what is the scope of your proposed IAB review?
>
> In particular, I don't consider a protocol suitable to be considered
> an IETF standard unless people can buy devices from multiple vendors
> and configure them to work together securely.
>
>
> Sure, but I would like to see an evidence based assessment of the specific
> problem you are seeing in the field. So far none has been brought to PALS
> (ne PWE3)
> or MPLS as far as I am aware. Carlos can talk to L2TP, but again I have not
> heard of a specific problem ever being raised.
>

The point of security considerations is that the onus is on the developers
to show that the system is secure.

The documents I have read don't describe a coherent security architecture.
It seems to me that the security of the MPLS/SDN etc world is something
that hasn't really received the consideration it needs.

A few years back we suddenly realized that BGP had no security model and
desperately needed one. The whole point of security considerations was to
try to avoid situations like that occurring. It seems we have done the same
thing in this space.

The other issue is that security people probably should be looking at layer
2 security because that is the only way to achieve protection against
certain mass surveillance attacks. It is a potential tool that has been
overlooked.


Right, but I cannot see why anyone would want to mass surveil the OAM
> protocol, and we inherit the security enhancements to the underlying
>
data and control planes.
>

The type of attack that would be of concern would be injecting messages
into the control plane to affect movement of packets. There are games that
can be played just by manipulating quality of service.



> I do not consider IPSEC to be a suitable security mechanism for this
> type of system. If I was given the design brief, I would insist that
> every message be authenticated by digital signature rather than a MAC
> and the control messages logged. I might use a MAC for
> pre-authentication to prevent DoS attack on the control plane. But the
> control messages should be fixed in non repudiable fashion.
>
>
> We need to examine this statement in more detail to understand which
> element
> of the system you are concerned about. However please remember that some
> elements of the dataplane and OAM are cost and time sensitive.
>

I am mostly interested in security of the control plane messages. Though it
might well be useful to consider the possibility of using these
infrastructures as a possible platform for building traffic analysis
resistant networks.


I am aware that this is not BGP which is a layer 3 switching protocol.
>
I don't think anyone would describe BGP as a layer 3 switching protocol!

It exchanges reachability information, it does not switch packets.

I just did and I am right. The layer at which BGP data moves is pretty much
irrelevant to me. It could move out of band on carrier pigeon for all I
care. BGP is supplying the information that directs packets at layer 3.
Hence it is best viewed as a support protocol for layer 3.

The ISO layered model isn't very helpful because it directs attention to
how packets move. Once you start on virtual links and quality of service,
you end up with nested stacks if you try to maintain 'layering'.

This document has the title 'psuedowire' in the title. The protocol it is
describing creates a capability that has link-like nature. Therefore from a
security perspective we are talking layer 2 even if you build this on layer
3.

At that layer I am interested in service and traffic analysis attacks.