Re: [secdir] secdir review of draft-ietf-sidr-origin-ops-22
Tom Yu <tlyu@MIT.EDU> Tue, 19 November 2013 23:08 UTC
Return-Path: <tlyu@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3ECD1AE137; Tue, 19 Nov 2013 15:08:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.126
X-Spam-Level:
X-Spam-Status: No, score=-3.126 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.525, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 83dICi3iqX1K; Tue, 19 Nov 2013 15:07:58 -0800 (PST)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) by ietfa.amsl.com (Postfix) with ESMTP id 212E81AE138; Tue, 19 Nov 2013 15:07:58 -0800 (PST)
X-AuditID: 1209190e-b7efb6d000000bb9-72-528bef4707c6
Received: from mailhub-auth-3.mit.edu ( [18.9.21.43]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 2E.47.03001.74FEB825; Tue, 19 Nov 2013 18:07:51 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-3.mit.edu (8.13.8/8.9.2) with ESMTP id rAJN7oZm007919; Tue, 19 Nov 2013 18:07:50 -0500
Received: from cathode-dark-space.mit.edu (cathode-dark-space.mit.edu [18.18.1.96]) (authenticated bits=56) (User authenticated as tlyu@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id rAJN7lgB008050 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 19 Nov 2013 18:07:49 -0500
Received: (from tlyu@localhost) by cathode-dark-space.mit.edu (8.12.9.20060308) id rAJN7lVK010395; Tue, 19 Nov 2013 18:07:47 -0500 (EST)
To: Randy Bush <randy@psg.com>
References: <ldv7gc53v7l.fsf@cathode-dark-space.mit.edu> <m21u2dyqav.wl%randy@psg.com>
From: Tom Yu <tlyu@MIT.EDU>
Date: Tue, 19 Nov 2013 18:07:47 -0500
In-Reply-To: <m21u2dyqav.wl%randy@psg.com> (Randy Bush's message of "Tue, 19 Nov 2013 13:21:44 +0900")
Message-ID: <ldv7gc42doc.fsf@cathode-dark-space.mit.edu>
Lines: 69
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrJIsWRmVeSWpSXmKPExsUixCmqrev+vjvIoK9Px+LSXHaLGX8mMls8 a33JZPFh4UMWBxaPJUt+MnlMnTmb0ePL5c9sAcxRXDYpqTmZZalF+nYJXBmXt19lKVglWXHu xTz2BsYFIl2MnBwSAiYSE0/OYoawxSQu3FvP1sXIxSEkMJtJYs3Wv1DORkaJnr7T7CBVQgLn mCTevROHSHQxSjxqm8AKkhARkJO4eOIdI4jNLBAl8fniabCxwgLWEid+P2ODaI6QePBgMVMX IwcHm4C0xNHFZSAmi4CqxK5XciAVnAJpEscm7ASbwitgIXF53R8WEJtHgFNi3tvXLBBxQYmT M5+wQGzSkrjx7yXTBEbBWUhSs5CkFjAyrWKUTcmt0s1NzMwpTk3WLU5OzMtLLdI11svNLNFL TSndxAgOYUm+HYxfDyodYhTgYFTi4ZVY0B0kxJpYVlyZe4hRkoNJSZR3wSugEF9SfkplRmJx RnxRaU5q8SFGCQ5mJRHeNS+AcrwpiZVVqUX5MClpDhYlcd6bHPZBQgLpiSWp2ampBalFMFkZ Dg4lCV79d0CNgkWp6akVaZk5JQhpJg5OkOE8QMMnvQUZXlyQmFucmQ6RP8WoKCXOaw3SLACS yCjNg+uFpZhXjOJArwjzmoJU8QDTE1z3K6DBTECD2SXBBpckIqSkGhhX60jr9ulMyGGeY7fs rnvyprCdOsaq2+35r/OG/tT4vO7pn96Yw8reXS/M5UX+PP8ucHi6/xJ398KtVsot60VbN7dL G/7/+/xTOG+J874D668psd1rdr+zMCFj3dTjF2wjHzg+KxLxKzF443r7gXb6PruDGtZqG/Vk L3Ituhr24u8i5Y8nPrIpsRRnJBpqMRcVJwIAX/OwigwDAAA=
Cc: draft-ietf-sidr-origin-ops.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-sidr-origin-ops-22
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Nov 2013 23:08:00 -0000
Randy Bush <randy@psg.com> writes: > thanks for the review > >> There should probably be an example of the sort of privilege >> escalation attacks that can result from incautious Local-Preference >> attributes. > > how about > > Local-Preference may be used to carry both the validity state of a > prefix along with its traffic engineering (TE) characteristic(s). It > is likely that an operator already using Local-Preference will have > to change policy so they can encode these two separate > characteristics in the same BGP attribute without negative impact or > opening privilege escalation attacks. E.g. do not encode validation > state in higher bits than used for TE. > > or do we need to spell it out with a hammer? I'm not sure I fully understand the scenarios, but I'm not very familiar with network operations. On further reflection, the paragraph you have written above greatly clarifies paragraph 6 of Section 5 and should probably replace it. The scenario you describe above seems to be one of multiple cases described in Section 5. Am I correct in understanding that there at least the following two sorts of inadvertent Local-Preference signaling that can occur when encoding policy information into Local-Preference? (1) As you describe above, RPKI validity state can override TE characteristics, contrary to operator intentions and possibly creating a security exposure. This can happen if RPKI validation state is encoded in higher bits than TE characteristics. (2) As described in paragraph 7 of Section 5, other policy metrics that depend on peer community signaling could override information about RPKI validity state, contrary to operator intentions and possibly creating a security exposure. (I assume "peer community" here means external BGP peers?) How about using something like the following text to replace the final paragraph of Security Considerations? When simultaneously encoding RPKI validity state and other policy information into Local-Preference, operators should take care to avoid creating privilege escalation exposures through such an encoding scheme, as described in Section 5. For example, RPKI validity state could inadvertently override other policy information such as traffic engineering preferences, or policy information computed based on signaling from external peers could inadvertently override RPKI validity state. >> Section 5 mentions a block 10.0.666.0/24, which is somewhat >> distracting because that is not a valid IPv4 address block. > > it's meant to be clearly invalid. the standard docco block could not be > used as it was not big enough for the example (ops will laugh at 666 but > freak out and rathole on a prefix longer than a /24). I defer to your greater familiarity with what readers in the operations community will find distracting. (Now that I think about it, a reasonable (if overly permissive) parsing of 10.0.666.0 would be equivalent to 10.2.154.0.) In the interest of consistency, I noticed that Section 3 uses a different example block: 10.0.66.0/24; did you intend to also use 10.0.666.0/24 there?