Re: [secdir] [sfc] Secdir last call review of draft-ietf-sfc-oam-framework
"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Sun, 26 April 2020 07:25 UTC
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, "sfc@ietf.org" <sfc@ietf.org>, "draft-ietf-sfc-ioam-nsh.all@ietf.org" <draft-ietf-sfc-ioam-nsh.all@ietf.org>
Date: Sun, 26 Apr 2020 07:23:28 +0000
Message-ID: <CY4PR1601MB1254E6CD2D9C4558EAFF21F5EAAE0@CY4PR1601MB1254.namprd16.prod.outlook.com>
References: <CY4PR1601MB12541726BC79551C2A2EBBF0EAD40@CY4PR1601MB1254.namprd16.prod.outlook.com> <AEE6AFB3-6EE8-495F-992B-6314CBD2B6F6@cisco.com>
In-Reply-To: <AEE6AFB3-6EE8-495F-992B-6314CBD2B6F6@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/vqXq_sqSCyaWDFtRNfUNqJe8zDE>
Subject: Re: [secdir] [sfc] Secdir last call review of draft-ietf-sfc-oam-framework
List-Id: Security Area Directorate <secdir.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
Hi Carlos,

Please see inline.

> -----Original Message-----
> From: Carlos Pignataro (cpignata) <cpignata@cisco.com>
> Sent: Saturday, April 25, 2020 9:29 AM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
> Cc: secdir@ietf.org; sfc@ietf.org; draft-ietf-sfc-ioam-nsh.all@ietf.org
> Subject: Re: [sfc] Secdir last call review of draft-ietf-sfc-oam-framework
>
> Hi, Tiru,
>
> Many thanks for the review, and great to hear from you!
>
> I hope all is well — Please see inline.

Thanks, I'm fine, and I hope all is well with you too.

>
> > On 2020/04/20 at 3:28 AM, Konda, Tirumaleswar Reddy
> > <TirumaleswarReddy_Konda@McAfee.com> wrote:
> >
> > Reviewer: Tirumaleswar Reddy
> > Review result: Ready with issues
> >
> >
> > I reviewed this document as part of the security directorate's ongoing
> > effort to review all IETF documents entering the IESG. These comments
> > are directed at the security area director(s). Document editors and WG
> > chairs should treat these comments like any other last call comments.
> >
> > This document provides a reference framework for OAM for SFC.
> >
> > Comments:
> >
> > 1. The document in Section 8 discusses various attacks (including both
> > security and privacy) but does not discuss any protection mechanisms
> > other than proposing rate-limiting. It is suggesting drafts proposing the OAM
> > solution should address the attacks but I don't see any security mechanisms
> > discussed in draft-ietf-sfc-ioam-nsh to address the attacks.
> >
>
> Since the document already clarifies that it does not define solutions, it
> cannot define security consideration for those solutions, beyond saying that
> those solutions ought to address security considerations in those areas. Any
> security measures must be included and explained in the respective solution
> document.
>
> I believe this comment requires potentially action on draft-ietf-sfc-ioam-nsh
> but not on this draft.

Yup. I see three solutions from SFC WG:
a) sfc-ioam-nsh
b) ietf-sfc-proof-of-transit (Experimental)
c) penno-sfc-trace (Expired)
sfc-ioam-nsh is the only current standards track specification and it should address these attacks.

>
> That said you are right regarding the specifics of the rate-limiting
> recommendation. See the next answer for text.
>
> Also, in re-reading Section 8, seems like this:
>
> To address the above concerns, SFC and SF OAM may provide mechanism
> for:
>
>
> Should say
>
> To address the above concerns, SFC and SF OAM should provide
> mechanisms for preventing:

Yes.

>
> > 2. More discussion is required on the internal attacks.
> > (a) How are attack packets bypassing SFC detected and blocked?
> > (b) How is sensitive information protected from eavesdroppers?
> > (c) How is DoS/DDoS attack of misusing the OAM channel mitigated?
> > (d) Rate-limiting blocks both good and bad OAM probes and is a weak
> > mitigation strategy. Anomaly detection (e.g., deep learning techniques) and
> > identifying the attacker look like a better strategy.
> >
>
> This is a good point. How about.
>
> OLD:
>
> The documents proposing the OAM solution for SF component should
> consider rate-limiting the OAM probes at a frequency guided by the
> implementation choice. Rate-limiting may be applied at the SFF or
> the SF. The OAM initiator may not receive a response for the probes
> that are rate-limited resulting in false negatives and the
> implementation should be aware of this.
>
>
> NEW:
>
>
> The documents proposing the OAM solution for SF component should
> consider rate-limiting the OAM probes at a frequency guided by the
> implementation choice. Rate-limiting may be applied at the SFF or
> the SF. The OAM initiator may not receive a response for the probes
> that are rate-limited resulting in false negatives and the
> implementation should be aware of this. To mitigate any attacks that
> leverage OAM packets, future documents proposing OAM solutions
> should describe the use of any techniques to detect
> and mitigate anomalies and various security attacks.

Works for me.

Cheers,
-Tiru

>
>
> Would that work?
>
> Please feel free to suggest textual improvements or changes.
>
> Thanks,
>
> Carlos.
>
> > Cheers,
> >
> > -Tiru
> >
> > _______________________________________________
> > sfc mailing list
> > sfc@ietf.org
> > https://www.ietf.org/mailman/listinfo/sfc
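Editor's note: the exchange above turns on two points, the draft's suggestion that an SFF or SF rate-limit OAM probes (with the false negatives that implies for a legitimate OAM initiator) and the reviewer's point (d) that a per-source anomaly check identifies the attacker instead of dropping everyone's probes. The simulation below is an added example written for this page; it is not code from draft-ietf-sfc-oam-framework, draft-ietf-sfc-ioam-nsh, or either participant. The initiator ids, probe rates, probe record format and the 1 s detection window are constructed assumptions for the simulation; no real OAM packet format is parsed.

```python
"""Added example, not text from draft-ietf-sfc-oam-framework or its authors.

Simulates an SFF that receives OAM probes from several OAM initiators, one of
which floods the OAM channel. It contrasts a single token-bucket rate limit
at the SFF (which cannot tell good probes from bad, so legitimate initiators
lose responses: the false negatives the draft text warns about) with a
per-source anomaly check that flags only the flooding initiator. Initiator
ids, rates and the probe record are constructed for the simulation; time is
kept in integer milliseconds so the arithmetic is exact.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class OamProbe:
    src: str   # hypothetical OAM initiator id
    t_ms: int  # arrival time at the SFF, milliseconds


def generate_probes(good_sources, good_rate, attacker, attack_rate, duration_s):
    """Constructed traffic: each good initiator probes at good_rate/s and the
    attacker at attack_rate/s, all for duration_s seconds."""
    probes = []
    for src in good_sources:
        step = 1000 // good_rate
        probes += [OamProbe(src, i * step) for i in range(good_rate * duration_s)]
    step = 1000 // attack_rate
    probes += [OamProbe(attacker, i * step) for i in range(attack_rate * duration_s)]
    probes.sort(key=lambda p: p.t_ms)  # stable sort: good probes precede the attacker's at equal t
    return probes


class TokenBucket:
    """Global limiter at the SFF: `rate` probes/s sustained, `burst` probes max.
    Tokens are stored in thousandths so integer millisecond time stays exact."""
    def __init__(self, rate, burst):
        self.rate = rate
        self.capacity = burst * 1000
        self.tokens = self.capacity
        self.last_ms = 0

    def allow(self, t_ms):
        # `rate` tokens per second == `rate` thousandths per millisecond
        self.tokens = min(self.capacity, self.tokens + (t_ms - self.last_ms) * self.rate)
        self.last_ms = t_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def global_rate_limit(probes, rate, burst):
    """Returns {src: (accepted, dropped)}. Dropped probes from good initiators
    are probes whose initiator will never see a response (false negatives)."""
    bucket = TokenBucket(rate, burst)
    stats = defaultdict(lambda: [0, 0])
    for p in probes:
        stats[p.src][0 if bucket.allow(p.t_ms) else 1] += 1
    return {s: tuple(v) for s, v in stats.items()}


def per_source_anomaly(probes, window_ms, factor):
    """Per window, count probes per initiator and flag any initiator whose
    count exceeds `factor` times the median count of all initiators in that
    window. Only flagged initiators' probes are dropped. Returns (flagged, stats)."""
    counts = defaultdict(lambda: defaultdict(int))  # window -> src -> count
    for p in probes:
        counts[p.t_ms // window_ms][p.src] += 1
    flagged_in = {}
    for w, per_src in counts.items():
        baseline = max(median(per_src.values()), 1)  # guard against an all-zero window
        flagged_in[w] = {s for s, c in per_src.items() if c > factor * baseline}
    stats = defaultdict(lambda: [0, 0])
    for p in probes:
        dropped = p.src in flagged_in[p.t_ms // window_ms]
        stats[p.src][1 if dropped else 0] += 1
    flagged = set().union(*flagged_in.values())
    return flagged, {s: tuple(v) for s, v in stats.items()}


def run_simulation():
    """Three good initiators at 2 probes/s, one attacker at 50 probes/s, 10 s."""
    probes = generate_probes(["init-a", "init-b", "init-c"], 2, "init-x", 50, 10)
    return global_rate_limit(probes, 10, 10), per_source_anomaly(probes, 1000, 5)


if __name__ == "__main__":
    limited, (flagged, detected) = run_simulation()
    print("global token bucket:", limited)
    print("flagged initiators :", flagged)
    print("per-source policy  :", detected)
```

Running it shows the trade-off in numbers: with a 10 probes/s bucket the flood consumes most of the budget and every good initiator loses some probes, so the OAM initiator sees missing responses that look like failed SFs. The per-source check drops all 500 of the attacker's probes and none of the 60 legitimate ones. The median-of-peers baseline is deliberately simple and is itself a stated assumption: in a window where the attacker is the only initiator, or where several colluding initiators flood together, the median tracks the attack and nothing is flagged, so a deployment would compare each initiator against its own historical rate rather than against its peers in the same window.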