Re: [secdir] Secdir review of draft-ietf-mpls-ldp-igp-sync-bcast-04

Tobias Gondrom <tobias.gondrom@gondrom.org> Sun, 03 October 2010 19:45 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3D0FD3A6D5B for <secdir@core3.amsl.com>; Sun, 3 Oct 2010 12:45:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -94.953
X-Spam-Level:
X-Spam-Status: No, score=-94.953 tagged_above=-999 required=5 tests=[AWL=0.409, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CPeNz0zp8mHb for <secdir@core3.amsl.com>; Sun, 3 Oct 2010 12:45:16 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (lvps83-169-7-107.dedicated.hosteurope.de [83.169.7.107]) by core3.amsl.com (Postfix) with ESMTP id 813AE3A6D16 for <secdir@ietf.org>; Sun, 3 Oct 2010 12:45:15 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=nqVMJDU/4IDodJtM/cgtzRRCmhMfjpmZPsSMZ4nuaqYjzLCDIUY0hMzplHEGlKvpwyhD0MsxdT2ueO1xlk+fwv57Q7jAJnoeuQm3Fz9jrvZ3uYL6u83k1Zc5nAc1Y2mz; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding;
Received: (qmail 3384 invoked from network); 3 Oct 2010 21:45:42 +0200
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO seraphim.heaven) (94.194.102.93) by lvps83-169-7-107.dedicated.hosteurope.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 3 Oct 2010 21:45:42 +0200
Message-ID: <4CA8DDAC.3050801@gondrom.org>
Date: Sun, 03 Oct 2010 20:46:52 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.9) Gecko/20100914 SUSE/3.1.4 Lightning/1.0b2 Thunderbird/3.1.4
MIME-Version: 1.0
To: Sriganesh Kini <sriganesh.kini@ericsson.com>
References: <4CA081F7.60304@gondrom.org> <5A5E55DF96F73844AF7DFB0F48721F0F56F5FDE903@EUSAACMS0703.eamcs.ericsson.se>
In-Reply-To: <5A5E55DF96F73844AF7DFB0F48721F0F56F5FDE903@EUSAACMS0703.eamcs.ericsson.se>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "swallow@cisco.com" <swallow@cisco.com>, Wenhu Lu <wenhu.lu@ericsson.com>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-mpls-ldp-igp-sync-bcast.all@tools.ietf.org" <draft-ietf-mpls-ldp-igp-sync-bcast.all@tools.ietf.org>, "martin.vigoureux@alcatel-lucent.com" <martin.vigoureux@alcatel-lucent.com>, "iesg@ietf.org" <iesg@ietf.org>, "adrian.farrel@huawei.com" <adrian.farrel@huawei.com>, "loa@pi.nu" <loa@pi.nu>
Subject: Re: [secdir] Secdir review of draft-ietf-mpls-ldp-igp-sync-bcast-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Oct 2010 19:45:17 -0000

 Answers inline [tg]
BR, Tobias

On 10/01/2010 09:08 PM, Sriganesh Kini wrote:
> Hello Tobias,
>
> Pls see inline at [Sri].
>
> Thanks
>
>> -----Original Message-----
>> From: Tobias Gondrom [mailto:tobias.gondrom@gondrom.org]
>> Sent: Monday, September 27, 2010 4:37 AM
>> To: iesg@ietf.org; secdir@ietf.org
>> Cc: draft-ietf-mpls-ldp-igp-sync-bcast.all@tools.ietf.org;
>> Sriganesh Kini; Wenhu Lu; swallow@cisco.com; loa@pi.nu; 
>> adrian.farrel@huawei.com; martin.vigoureux@alcatel-lucent.com
>> Subject: Secdir review of draft-ietf-mpls-ldp-igp-sync-bcast-04
>>
>>
>>  I have reviewed this document as part of the security directorate's 
>> ongoing effort to review all IETF documents being processed by the 
>> IESG.  These comments were written primarily for the benefit of the 
>> security area directors.
>> Document editors and WG chairs should treat these comments just like 
>> any other last call comments.
>>
>>
>> draft-ietf-mpls-ldp-igp-sync-bcast-04
>> LDP IGP Synchronization for broadcast networks
>>
>> the draft updates RFC 5443 (LDP IGP Synchronization) It basically 
>> proposes the following mechanism: "If an interface is not a 'cut-edge'
>> then the updating of the LSA with that link to the pseudo-node is 
>> postponed until LDP is operational."
>>
>> The document states that there would be no security considerations 
>> beyond RFC5443.
>> I am not certain of that. Although the idea behind bcast is good, it 
>> adds a new mechanism beyond 5443.
>> To make sure the security considerations are accurate, I'd like to 
>> raise two questions for the authors/WG:
>> 1. Which security implications does the WG see for removing a coming 
>> up link from the LSDB?
> [Sri] Since the link is only delayed from being added to the LSDB we don't believe there are any new/additional security implications.
[tg] still the delay is in theory not time limited, but based on the
condition of LDP of the link. In combination with #2 (below) that the
cut-edge of the network may actually be calculated falsely, can this be
exploited or lead to unreachability?
Note: although your remark is right regarding similarities with 5443,
the criteria in 5443 is much weaker as it only increases its metric, but
does not remove it from LSDB/hold back its entry. Again, I am not an
expert on that layer, but I am still uncertain that no security
considerations derive from that. Did you consider this scenario when you
wrote the draft? Is it unrealistic that it could be exploited with bad
intentions?
If not, which would be the underlying implied pre-conditions to be met
to avoid such or under which pre-conditions could such a problem occur?
(potential input for the security considerations section)
 
>> 2. Can there be a gap between the algorithm to determine "cut-edge" 
>> and TTL (e.g. may not qualify for "cut-edge" and thus be removed from 
>> LSDB, but have a large number of links and effectively not be 
>> reachable)?
> [Sri] This problem is not unique to this draft. Even in RFC 5443 when the link has high metric, an alternate path with num hops > 255 (but a lower path metric than the directly connected link's max metric) can result in unreachability.
>
>> and three minor editorial comments:
>> - section 3, last paragraph:
>> s/Since A's cost to reach B not high/Since A's cost to reach B is not 
>> high
> [Sri] Accepted
>
>> - Appendix A: Computation of 'cut-edge'
>> there should be an informative reference for mentioned "Dijkstra's 
>> algorithm"
> [Sri] Accepted. Will refer to RFC 2328 sec 16.1
>
>> - abbreviation "SPF" should list the its expanded term (Shortest Path
>> First) at first mentioning.
> [Sri] Accepted.
>
>> Best regards, Tobias
>>
>>
>>
>>
>>