Re: [secdir] Secdir last call review of draft-ietf-mpls-spring-lsp-ping-11

"Carlos Pignataro (cpignata)" <cpignata@cisco.com> Tue, 10 October 2017 00:01 UTC

Return-Path: <cpignata@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74D0A1320C9; Mon, 9 Oct 2017 17:01:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.521
X-Spam-Level:
X-Spam-Status: No, score=-14.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zZwzZf9haQRq; Mon, 9 Oct 2017 17:01:36 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5183E120720; Mon, 9 Oct 2017 17:01:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3938; q=dns/txt; s=iport; t=1507593696; x=1508803296; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=bOMMiPHyHXylwm8a6kZnUGRicHjn2sGVHtX7r5RqMZA=; b=RH9NPAR3HkGmapy4KBs4ZzBfNtRy7wDHoR35eZEL9eV1pX0rfETkDe1z YPfKBwln/feXsbCKZ9sgnf8Mck9rYFLyoVajFIXgxh2y0PivpgIw15HDv nisUXHPqvJvfRtbI1njpk4wiAUboEROFCgG8AUGW5bbXFrn6OKOL6RhnJ I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0D7AQAyDdxZ/5RdJa1chHFuJweDc7I4g?= =?us-ascii?q?hIKhTsCGoQgPxgDAQEBAQEBAWsohRkBBSMRRQULAgEIGAICKgIwFRACBA4FijA?= =?us-ascii?q?Qp26CJ4tUBYEOgh+CAoFRghULgj41iEaCMgWhNQKHXI0JghSFb4N+hwqVLQIRG?= =?us-ascii?q?QGBOAEfOIEOeBVbAYcKd4VELIEFgRABAQE?=
X-IronPort-AV: E=Sophos;i="5.42,502,1500940800"; d="scan'208";a="308667405"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 10 Oct 2017 00:00:31 +0000
Received: from XCH-RTP-016.cisco.com (xch-rtp-016.cisco.com [64.101.220.156]) by rcdn-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id v9A00Uut002350 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 10 Oct 2017 00:00:31 GMT
Received: from xch-rtp-020.cisco.com (64.101.220.160) by XCH-RTP-016.cisco.com (64.101.220.156) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Mon, 9 Oct 2017 20:00:30 -0400
Received: from xch-rtp-020.cisco.com ([64.101.220.160]) by XCH-RTP-020.cisco.com ([64.101.220.160]) with mapi id 15.00.1320.000; Mon, 9 Oct 2017 20:00:30 -0400
From: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
CC: "secdir@ietf.org" <secdir@ietf.org>, mpls <mpls@ietf.org>, "draft-ietf-mpls-spring-lsp-ping.all@ietf.org" <draft-ietf-mpls-spring-lsp-ping.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-mpls-spring-lsp-ping-11
Thread-Index: AQHTPrBSI1p/j3GTGEeyOcbEmYYd56LcezoA
Date: Tue, 10 Oct 2017 00:00:30 +0000
Message-ID: <BF589AB9-4A07-4A8F-8172-F149B3ECEB00@cisco.com>
References: <150730050726.13161.17866745423154681018@ietfa.amsl.com>
In-Reply-To: <150730050726.13161.17866745423154681018@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.118.116.133]
Content-Type: text/plain; charset="utf-8"
Content-ID: <8E1A4A5A8D42104184186D31E8743A2A@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/HhRollkdh9Y581j7HlQys8kP4nE>
Subject: Re: [secdir] Secdir last call review of draft-ietf-mpls-spring-lsp-ping-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Oct 2017 00:01:38 -0000

Hi, Stephen,

Thanks for the review, please see inline.

> On Oct 6, 2017, at 10:35 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie>; wrote:
> 
> Reviewer: Stephen Farrell
> Review result: Ready
> 

Thanks!

> 
> Hiya,
> 
> The document describes yet another variant of ping and traceroute for 
> MPLS, which is fine. The security considerations text is probably right
> in saying there's no big delta here vs. RFC 8029.
> 
> I do have one query:
> 
> The "protocol" field in the requests here seems like it's maybe a new
> thing, that wasn't in 8029 (or at least wasn't clearly there from my
> fairly uninformed read:-).

The idea of the “Protocol” field exists from RFC 8029, both implicitly and explicitly.

First, as part of the Downstream information as per:
https://tools.ietf.org/html/rfc8029#section-3.4.1.2

That in turn gets updated by this with OSPF and ISIS:
https://tools.ietf.org/html/draft-ietf-mpls-spring-lsp-ping-11#section-6

Second, within a request, it is implied in the type of Target FEC Stack (TFS) — see the Table of Contents of RFC 8029, Sections 3.2.X (LDP, RSVP, BGP, etc.)

This spec adds TFSes that allow different protocols, so it is explicitly now as either OSPF or ISIS. The alternative was to separate these into two TFSes and have the protocol as implicit, but since the are mutually exclusive and distribute the same TFS info, it makes more sense to use a single TFS with a protocol field.
https://tools.ietf.org/html/draft-ietf-mpls-spring-lsp-ping-11#section-5.1

So...

> That's defined as:
> 
>      Set to 1, if the Responder MUST perform FEC validation using OSPF
>      as IGP protocol.  Set to 2, if the Responder MUST perform Egress
>      FEC validation using ISIS as IGP protocol.
> 
> I don't know what's required for those validation steps, nor if there's 
> any chance that doing such validation could form a new DoS vector,

This is used only to validate that the FEC was advertised by that protocol, same as previous TFSes by LDP or BGP or RSVP.

> or if it could (interestingly) affect the interpretation of the information 
> in the responses (say if validation can affect response timing in some
> weird way),

Nope, it does not, as per detailed explanation above.

> so this is just to check if there's anything more to be said
> about that. I assume the authors' answer will be that implementers
> of this will know what validation means here, that it's no big deal as
> a DoS vector and that the timing effects are not a problem.

That is correct. But we do not only say “no biggie, we know what it means”, I am detailing the reasons why this is so.

> If so,
> that's probably fine, but it might be good to verify that.
> 

Hopefully, verified.

Thanks again, Stephen for the security review.

— Carlos.

> Cheers,
> S.
> 
>