IETF Logo Mail Archive

Re: [secdir] SecDir review of draft-ietf-mpls-ldp-hello-crypto-auth-05

"Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com> Mon, 19 May 2014 00:17 UTC

Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AE591A021F; Sun, 18 May 2014 17:17:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_HI=-5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7qROSdvYkGep; Sun, 18 May 2014 17:17:11 -0700 (PDT)
Received: from ihemail3.lucent.com (ihemail3.lucent.com [135.245.0.37]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 402F01A021D; Sun, 18 May 2014 17:17:10 -0700 (PDT)
Received: from us70uusmtp4.zam.alcatel-lucent.com (h135-5-2-66.lucent.com [135.5.2.66]) by ihemail3.lucent.com (8.13.8/IER-o) with ESMTP id s4J0H85G022953 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sun, 18 May 2014 19:17:09 -0500 (CDT)
Received: from US70UWXCHHUB01.zam.alcatel-lucent.com (us70uwxchhub01.zam.alcatel-lucent.com [135.5.2.48]) by us70uusmtp4.zam.alcatel-lucent.com (GMO) with ESMTP id s4J0H8Rx027409 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Sun, 18 May 2014 20:17:08 -0400
Received: from SG70XWXCHHUB01.zap.alcatel-lucent.com (135.253.2.46) by US70UWXCHHUB01.zam.alcatel-lucent.com (135.5.2.48) with Microsoft SMTP Server (TLS) id 14.2.247.3; Sun, 18 May 2014 20:17:07 -0400
Received: from SG70YWXCHMBA05.zap.alcatel-lucent.com ([169.254.5.212]) by SG70XWXCHHUB01.zap.alcatel-lucent.com ([135.253.2.46]) with mapi id 14.02.0247.003; Mon, 19 May 2014 08:17:05 +0800
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>, IETF Security Directorate <secdir@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org" <draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org>
Thread-Topic: SecDir review of draft-ietf-mpls-ldp-hello-crypto-auth-05
Thread-Index: AQHPcRACnDeFnD7gHUOXWsSAGM4MlZtGKCeA
Date: Mon, 19 May 2014 00:17:04 +0000
Message-ID: <20211F91F544D247976D84C5D778A4C32E60982F@SG70YWXCHMBA05.zap.alcatel-lucent.com>
References: <53761B24.1060501@gmail.com>
In-Reply-To: <53761B24.1060501@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.253.19.17]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/G82zJ4POgf9OWXWGAdzMz94YQI4
Cc: "manavbhatia@gmail.com" <manavbhatia@gmail.com>
Subject: Re: [secdir] SecDir review of draft-ietf-mpls-ldp-hello-crypto-auth-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 May 2014 00:17:13 -0000

Hi Yaron,

Thanks for the comments. My comments inline.

> 
> • The main issue is that only a symmetric crypto option is defined.
> IMHO, adding a public-key based scheme would be invaluable. Public keys
> do not necessarily imply certificates, and can be used with little
> added
> complexity compared to the current proposal. As far as I can see, the
> current use is not so performance constrained to preclude public key
> operations. And public keys would enable much easier and more secure
> deployment in many cases:
> 	∘ Different organizations can accept messages from one another,
> without
> needing to share the same keys. So even if groups keys are used (which
> is certainly not the best practice), public keys have an advantage.
> 	∘ Revocation is much simpler: to be able to revoke each
> individual
> sender (e.g. when a router is decomissioned), you need N**2 SAs in the
> symmetric case, vs. N keys when public keys are used.

The idea behind this draft is to bring LDP HELLO's security to at least the same level as the routing protocols running in the same networks today. All IGPs are currently using a symmetric crypto option and we think it is ok at this point in time to continue with the same for LDP.

With SDN principles its possible that the key distribution becomes quite simple with a central controller distributing the keys to all the nodes in the network along with the other information. This also seems to be one of the thoughts behind not pursuing an automated key management protocol for IGPs (something that we were supposed to take up as part of the Phase 2 in the KARP WG -- you can look at RFC 6518 for more details).

Given this I would like to continue with what we have and look at other mechanisms once we have more clarity on the direction which we seem to be heading towards.

Also finally note that this security is always within a providers network -- there isnt a need to involve different organizations.

> • Managing the 32-bit SAID manually in a large network is extremely
> onerous. So in practice keys would be rarely on never changed.

Ok, so whats the point?

> 
> • 2.2: the authentication algorithm and the authentication key are not
> "independent", because the algorithm normally determines the key
> length.

This is nit-picking and sure we can remove the word "independent". When defining the Authentication Key we do mention that it depends on the algo.

Authentication Key

      This value denotes the cryptographic authentication key associated
      with the LDP SA.  The length of this key is variable and depends
      upon the authentication algorithm specified by the LDP SA.

> 
> • 2.2: the various time values included in the SA essentially require
> (rough) time synchronization between the nodes. If this is the case,
> time values could have been used for replay protection, which would
> have
> been much simpler to implement than the 64-bit sequence number which
> needs to persist across reboots.

The various timers are only associated if somebody wants to rollover the keys. The granularity of these timers can be coarse (implementation specific) and will not be secure enough to use for anti replay protection.

Moreover, without the 64 bit sequence numbers, its very difficult to protect against inter-session replay attacks (RFC 6862)

> 
> • 5.1: Redefining HMAC (RFC 2104) is an extremely bad idea. This
> reviewer does not have the appropriate background to critique the
> proposed solution, but there must be an overwhelming reason to reopen
> cryptographic primitives.

This is a decision that was taken by Sec Ads when we were doing the crypto protection for the IGPs based on some feedback from NIST. This mathematics is not new and has been done for all IGPs and has been approved and rather encouraged by the Security ADs.

> 
> • 7: 128-bit keys are OK (or overkill) for some algorithms, but too
> short for others. In general, the recommended key length is not
> constant. It depends on the algorithm.

This needs to be punched on each router console. For an internal network, do you think 128 bit isnt good enough?
> 
> • "The mechanism described herein is not perfect and does not need to
> be
> perfect." This is kind of vague, and would be better replaced by your
> security goals.

I think we can just delete this! :-)

Cheers, Manav

> 
> Thanks,
> 	Yaron

v2.23.0 | Report a Bug | By Email