Re: [secdir] [sfc] Secdir last call review of draft-ietf-sfc-oam-framework

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Sun, 26 April 2020 07:25 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, "sfc@ietf.org" <sfc@ietf.org>, "draft-ietf-sfc-ioam-nsh.all@ietf.org" <draft-ietf-sfc-ioam-nsh.all@ietf.org>
Date: Sun, 26 Apr 2020 07:23:28 +0000
Message-ID: <CY4PR1601MB1254E6CD2D9C4558EAFF21F5EAAE0@CY4PR1601MB1254.namprd16.prod.outlook.com>
References: <CY4PR1601MB12541726BC79551C2A2EBBF0EAD40@CY4PR1601MB1254.namprd16.prod.outlook.com> <AEE6AFB3-6EE8-495F-992B-6314CBD2B6F6@cisco.com>
In-Reply-To: <AEE6AFB3-6EE8-495F-992B-6314CBD2B6F6@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/vqXq_sqSCyaWDFtRNfUNqJe8zDE>
Subject: Re: [secdir] [sfc] Secdir last call review of draft-ietf-sfc-oam-framework

Hi Carlos,

Please see inline.

> -----Original Message-----
> From: Carlos Pignataro (cpignata) <cpignata@cisco.com>
> Sent: Saturday, April 25, 2020 9:29 AM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
> Cc: secdir@ietf.org; sfc@ietf.org; draft-ietf-sfc-ioam-nsh.all@ietf.org
> Subject: Re: [sfc] Secdir last call review of draft-ietf-sfc-oam-framework
> 
> Hi, Tiru,
> 
> Many thanks for the review, and great to hear from you!
> 
> I hope all is well — Please see inline.

Thanks, I’m fine, and I hope all is well with you too.

> 
> > On 2020/04/20 at 3:28 AM, Konda, Tirumaleswar Reddy
> <TirumaleswarReddy_Konda@McAfee.com> wrote:
> >
> > Reviewer: Tirumaleswar Reddy
> > Review result: Ready with issues
> >
> >
> > I reviewed this document as part of the security directorate's ongoing
> > effort to review all IETF documents entering the IESG.  These comments
> are directed at the security area director(s).  Document editors and WG
> chairs should treat these comments like any other last call comments.
> >
> > This document provides a reference framework for OAM for SFC.
> >
> > Comments:
> >
> > 1. The document in Section 8 discusses various attacks (including both
> > security and privacy) but does not discuss any protection mechanisms
> other than proposing rate-limiting.  It suggests that drafts proposing the OAM
> solution should address the attacks, but I don’t see any security mechanisms
> discussed in draft-ietf-sfc-ioam-nsh to address the attacks.
> >
> 
> Since the document already clarifies that it does not define solutions, it
> cannot define security considerations for those solutions, beyond saying that
> those solutions ought to address security considerations in those areas. Any
> security measures must be included and explained in the respective solution
> document. I believe this comment potentially requires action on draft-ietf-
> sfc-ioam-nsh but not on this draft.

Yup. I see three solutions from the SFC WG: a) sfc-ioam-nsh, b) ietf-sfc-proof-of-transit (Experimental), c) penno-sfc-trace (Expired). sfc-ioam-nsh is the only current standards-track specification and it should address these attacks.

> 
> That said, you are right regarding the specifics of the rate-limiting
> recommendation. See the next answer for text.
> 
> Also, in re-reading Section 8, seems like this:
> 
>    To address the above concerns, SFC and SF OAM may provide mechanism
>    for:
> 
> 
> Should say
> 
>    To address the above concerns, SFC and SF OAM should provide
> mechanisms
>    for preventing:

Yes.

> 
> 
> 
> > 2. More discussion is required on the internal attacks.
> > (a) How are attack packets bypassing SFC detected and blocked?
> > (b) How is sensitive information protected from eavesdroppers?
> > (c) How is a DoS/DDoS attack misusing the OAM channel mitigated?
> > (d) Rate-limiting blocks both good and bad OAM probes and is a weak
> mitigation strategy. Anomaly detection (e.g., deep learning techniques) and
> identifying the attacker look like a better strategy.
> >
> 
> 
> This is a good point. How about:
> 
> OLD:
> 
>    The documents proposing the OAM solution for SF component should
>    consider rate-limiting the OAM probes at a frequency guided by the
>    implementation choice.  Rate-limiting may be applied at the SFF or
>    the SF . The OAM initiator may not receive a response for the probes
>    that are rate-limited resulting in false negatives and the
>    implementation should be aware of this.
> 
> 
> NEW:
> 
> 
>    The documents proposing the OAM solution for SF component should
>    consider rate-limiting the OAM probes at a frequency guided by the
>    implementation choice.  Rate-limiting may be applied at the SFF or
>    the SF.  The OAM initiator may not receive a response for the probes
>    that are rate-limited resulting in false negatives and the
>    implementation should be aware of this.  To mitigate any attacks that
>    leverage OAM packets, future documents proposing OAM solutions
>    should describe the use of any techniques to detect
>    and mitigate anomalies and various security attacks.

Works for me.

Cheers,
-Tiru

> 
> 
> Would that work?
> 
> Please feel free to suggest textual improvements or changes.
> 
> Thanks,
> 
> Carlos.
> 
> > Cheers,
> > -Tiru
> > _______________________________________________
> > sfc mailing list
> > sfc@ietf.org
> > https://www.ietf.org/mailman/listinfo/sfc
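Added example (editor's illustration; not text or code from the draft, from draft-ietf-sfc-ioam-nsh, or from either participant): a small simulation of point (d) above and of the "false negatives" sentence in the proposed NEW text. It models an SFF rate-limiting OAM probes with a token bucket and compares one bucket shared by all probe traffic against one bucket per probe source. The traffic is constructed for the example: one legitimate OAM initiator sending a probe every second, and one attacker flooding 1000 probes per second from a single source. The bucket parameters (50 probes/s, burst 50), the source identifiers and the function names are assumptions of the example, not anything the framework specifies.

```python
"""Constructed simulation: OAM probe rate-limiting at an SFF, shared bucket vs
per-source bucket.  Not part of the SFC OAM framework or the thread above.
"""
from dataclasses import dataclass, field
from fractions import Fraction
from typing import Dict, List, Tuple

# A probe is (arrival_time, source_id).  Times and token counts are Fractions so
# the run is exact and reproducible; float drift could flip a borderline decision.
Probe = Tuple[Fraction, str]


@dataclass
class TokenBucket:
    rate: Fraction            # probes admitted per second in steady state (assumed policy)
    burst: int                # bucket capacity, i.e. the largest admissible burst
    tokens: Fraction = field(init=False)
    last: Fraction = field(default_factory=lambda: Fraction(0))

    def __post_init__(self) -> None:
        self.tokens = Fraction(self.burst)

    def allow(self, now: Fraction) -> bool:
        """Refill for the time elapsed since the last probe, then spend one token."""
        self.tokens = min(Fraction(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def constructed_traffic(seconds: int, attack_pps: int) -> List[Probe]:
    """Constructed input: the initiator probes once per second at t = n + 0.5 (offset
    by half an attack interval so it never ties with an attack packet); the attacker
    sends attack_pps evenly spaced probes per second from one source."""
    probes: List[Probe] = []
    for n in range(seconds):
        probes.append((Fraction(n) + Fraction(1, 2) + Fraction(1, 2 * attack_pps), "initiator"))
        for k in range(attack_pps):
            probes.append((Fraction(n) + Fraction(k, attack_pps), "attacker"))
    probes.sort(key=lambda p: p[0])
    return probes


def run(probes: List[Probe], rate: int, burst: int, per_source: bool) -> Dict[str, Tuple[int, int]]:
    """Apply the limiter and return {source: (probes answered, probes sent)}.
    per_source=False is one bucket for everything; True keys a bucket by source."""
    buckets: Dict[str, TokenBucket] = {}
    answered: Dict[str, int] = {}
    sent: Dict[str, int] = {}
    for now, src in probes:
        key = src if per_source else "*"
        bucket = buckets.setdefault(key, TokenBucket(Fraction(rate), burst))
        sent[src] = sent.get(src, 0) + 1
        if bucket.allow(now):
            answered[src] = answered.get(src, 0) + 1
    return {src: (answered.get(src, 0), sent[src]) for src in sent}


def compare(seconds: int = 10, attack_pps: int = 1000,
            rate: int = 50, burst: int = 50) -> Dict[str, Dict[str, Tuple[int, int]]]:
    """Same traffic under both policies; unanswered initiator probes are the
    false negatives the NEW text warns about (the initiator would declare the SF down)."""
    probes = constructed_traffic(seconds, attack_pps)
    return {
        "shared": run(probes, rate, burst, per_source=False),
        "per_source": run(probes, rate, burst, per_source=True),
    }


if __name__ == "__main__":
    for policy, stats in compare().items():
        for src, (ok, total) in stats.items():
            print(f"{policy:10s} {src:9s} answered {ok}/{total}")
```

With a shared bucket the attacker keeps the bucket drained, so every one of the initiator's probes is dropped: the OAM initiator sees 100% loss toward a healthy SF, which is exactly the false negative the NEW text asks implementations to be aware of. Keying the bucket per source caps the attacker at roughly burst + rate x duration admitted probes while the initiator's probes all get through. The per-source variant only helps if the source identifier can be trusted; an attacker that spoofs or rotates source identities collapses it back to the shared case, which is the reason the proposed text points solution documents toward anomaly detection and attacker identification rather than rate-limiting alone.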