[secdir] secdir review of draft-ietf-mpls-residence-time-12
Benjamin Kaduk <kaduk@mit.edu> Wed, 18 January 2017 06:00 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 982C8129508; Tue, 17 Jan 2017 22:00:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.4
X-Spam-Level:
X-Spam-Status: No, score=-7.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LGclZclb4FN1; Tue, 17 Jan 2017 22:00:42 -0800 (PST)
Received: from dmz-mailsec-scanner-1.mit.edu (dmz-mailsec-scanner-1.mit.edu [18.9.25.12]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B72E3129682; Tue, 17 Jan 2017 22:00:41 -0800 (PST)
X-AuditID: 1209190c-a0bff70000004c61-82-587f0486b062
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id D3.83.19553.6840F785; Wed, 18 Jan 2017 01:00:40 -0500 (EST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id v0I60bHS007138; Wed, 18 Jan 2017 01:00:37 -0500
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v0I60QRd024305 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 18 Jan 2017 01:00:36 -0500
Date: Wed, 18 Jan 2017 00:00:26 -0600
From: Benjamin Kaduk <kaduk@mit.edu>
To: iesg@ietf.org, secdir@ietf.org, draft-ietf-mpls-residence-time.all@ietf.org
Message-ID: <20170118060025.GN8460@kduck.kaduk.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.6.1 (2016-04-27)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrMIsWRmVeSWpSXmKPExsUixCmqrNvBUh9hMO8hr8X3f/vYLWb8mchs 8WHhQxYHZo8lS34yBTBGcdmkpOZklqUW6dslcGX07D/JWPDDoeJLV10D4yzTLkZODgkBE4kl H2+xdTFycQgJtDFJPOl7yQzhbGSUONFwih3Cucok0TBrL5DDwcEioCpx4Z4fSDebgIpEQ/dl ZpCwiECExI4NZSCmsIC1xOv1YiAVvALGEhcer2aDsAUlTs58wgJiMwtoSdz495IJpJxZQFpi +T8OkLCogLJEw4wHzBMYeWch6ZiFpGMWQscCRuZVjLIpuVW6uYmZOcWpybrFyYl5ealFuoZ6 uZkleqkppZsYwWElybOD8cwbr0OMAhyMSjy8K8TrIoRYE8uKK3MPMUpyMCmJ8nY8ro0Q4kvK T6nMSCzOiC8qzUktPsQowcGsJMJ79TdQOW9KYmVValE+TEqag0VJnLdqRWWEkEB6Yklqdmpq QWoRTFaGg0NJgncyc32EkGBRanpqRVpmTglCmomDE2Q4D9Dw1UxANbzFBYm5xZnpEPlTjIpS 4rx2IM0CIImM0jy4XlDcS2Tvr3nFKA70ijDvbpB2HmDKgOt+BTSYCWjwdZ1qkMEliQgpqQbG xPguL4bYAGU5+w39+5doBiwRXaFx99H5rZEXTZ5z7mFseeJj9cEvacqhCfPsAzMZdv0svTGf L2yT/t/AKvWpcX+2fJ57I3vuiSW7lnS8LFv7a+e0knUBr/lDLIK9Pu3tT07k2JA+7XJP6hOX 5sqeWAf+jJks8wz8VC6zd4dcSo6TtJy094mGEktxRqKhFnNRcSIA1IZTfdYCAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/KaiVCjdJVovCj049ksWXoot6B98>
Subject: [secdir] secdir review of draft-ietf-mpls-residence-time-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jan 2017 06:00:43 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document is Almost Ready. This document describes a mechanism for recording the residence time of timing packets along a network path, so that time protocols (NTP, PTP) can obtain more accurate estimates of transit time. (Well, the document just claims to record the residence time and I am inferring the bit about more accurate estimates; maybe there should be an explicit mention.) It is limited (at present) to MPLS networks established using RSVP-TE, to the exclusion of LSPs established via LDP and non-MPLS networks. The residence time measurement is performed in a Generic Associated Channel, and several new data structures (and sub-data structures) and corresponding type values (and sub-type values) are established to carry the needed information. I almost marked this document as Ready with Issues (discussion below), but ended up changing to Almost Ready, since I think the document structure needs some more work in order to clearly describe what an interoperable implementation would need and how the pieces fit together, as is required for Standards-Track documents. The security considerations section incorporates that section from RFC 5586 by reference, but 5586's security considerations are basically just pointers to those considerations in RFCs 4385 and 5085. This document also mentions RFC 7384, whose entirety is security requirements of time procotols, which probably contains more detail than this document would need if discussion was inline. However, the security considerations of draft-ietf-mpls-residence-time-12 also contains discussion about how PTP-aware nodes on the path are required to modify the messages, and the needed trust model involves these nodes being trusted to perform those modifications. That seems true and is probably fine for a protocol that is running on "trusted infrastructure", but the claim is also made that the messages modified by intermediate nodes "cannot be authenticated". This is only somewhat true, as one can create complex crypto schemes that involve giving key material to intermediate nodes that can let them make authenticated (but detectable) modifications. Such schemes seem far too complex for the topic at hand, though, as they are likely to increase the processing delay for the time packets, and it seems fine to defer investigating them in the same way that it is fine to defer investigating authenticating/encrypting the RTM data that does not need to be modified by intermediate nodes, which is explicitly noted in the security considerations. I do think there are some relevant security considerations that are not mentioned, though -- for the two-step flow, an RTM-capable node is required to wait for the follow-up RTM message and make the corresponding residence time update. This requirement is unbounded and could lead to a resource leak if that follow-up packet fails to arrive, for an implementation that blindly follows the spec without resorting to practical engineering knowledge. I do not expect there to be any such implementations, but this document should probably indicate that timing out is okay within "reasonable" bounds, or whatever similar workaround is best practice in this domain. In terms of other security/privacy considerations that are new in this document, there is some information exposure about nodes along the path that could potentially be used for fingerprinting, but since the timing packets carry destination addresses already, and the LSP setup appears to involve declaring the path anyway, this doesn't seem to merit any concern. The other main issue I have with this document is arguably not an issue at all, but it relates to the plethora of TLVs and sub-TLVs and TLVs in other registries, with an IANA considerations section that sometimes does not clearly indicate what registry is to be updated. As per the checklist at https://www.ietf.org/iesg/template/doc-writeup-essay-style.html, the IANA considerations shoudl refer to registries by their exact names, which probably means the name of the sub-registry and the overarching parent registry should be clearly written out. It might also be nice to have more descriptive names, so I do not have to keep track that there are RTM G-ACh packets whose values are sometimes sub-TLVs in the PTP case; RTM Capability (or is it Capabilities?) sub-TLVs that can be contained in any of OSPFv2, IS-IS, and maybe OSPFv3 data structures; an RTM_SET TLV whose presence is indicated as an Attribute Flag from some registry that does not seem to be named; sub-TLVs within those RTM_SET messages; and also the RTM sub-TLVs that get a registry created for them in section 8.3 and I apparently missed when paging through the document to create this list. The names used to refer to these structures have me flipping back and forth to figure out which is which, whereas a name like "RTM_SET address identifier" (viz. section 8.6) would help the reader a lot. In a similar vein, it would be nice to have some test vectors that show the encoding of these structures and their encapsulation in the parent data structures, to make sure that the implementor gets all the right layers of T+L wrapping in place. Alternately (or additionally!), more clear text that the T+L in the figures here are included in the encoded data that is the contents of a specific, named, parent data structure would be useful. Some other more nit-level things: In the example in section 4.6, when F is updating the correction field of the PTP message, I assume that F should also use its measurement of the residence time on F in addition to the value received in the scratch pad field, but the example seems to not indicate that. A couple paragraphs later, "[a]n ingress node that is configured to perform RTM [...] verifies that the selected egress [node supports RTM]"; should that be a MUST-level requirement that the verification is done? On page 12, last paragraph, we have some text "If no RTM_SET TLV has been found, then the LSP setup MUST fail [...]". Is this only in the case when the RTM_SET flag is set? If so, that should probably be made more clear in the text, as on my first reading I was surprised, since the RTM_SET generally goes in the LSP_ATTRIBUTES and not the LSP_REQUIRED_ATTRIBUTES, and as such would not be globally mandatory. Section 5 makes an offhand note that a 4.6 nanosecond error would probably be ignorable, which leads to the question: what is the actual measurment precision that is needed for this scheme to be useful? The scratch pad uses an IEEE double to count nanoseconds, so potentially sub-nanosecond values are in-scope, but as someone not well-versed in PTP I really have no idea how good things can/need to be. The "A" and "B" subcases mentioned in section 7 get multiple paragraphs each; it might be more clear to make them subsections instead. I'm also left puzzled by the last paragraph of section 7; it seems to say that the *last* RTM(-capable) node of the LSP will generate the follow-up message, but I thought it was generally an earlier node that would be setting the S bit and generating the follow-up message. This document uses several abbreviations/acronyms without introduction that do not appear on the RFC Editor's abbreviations list (https://www.rfc-editor.org/materials/abbrev.expansion.txt) as not needing expansion: G-ACh (also appears in the abstract; the RFC Editor will likely want to not use the acronym at all in the abstract), RSVP-TE, and PW are ones I noted. (LDP is also used without expansion, but does appear on the list as "well-known".) There are also a lot of grammar nits (including very many missing instances of the definite article), but it does not seem worth enumerating them here. I will try to send a diff to the authors later this week, but time is a bit short at the moment. -Ben
- [secdir] secdir review of draft-ietf-mpls-residen… Benjamin Kaduk
- Re: [secdir] secdir review of draft-ietf-mpls-res… Greg Mirsky
- Re: [secdir] secdir review of draft-ietf-mpls-res… Benjamin Kaduk
- Re: [secdir] secdir review of draft-ietf-mpls-res… Greg Mirsky