Re: [secdir] Secdir last call review of draft-ietf-pce-pcep-extension-for-pce-controller-10
Yaron Sheffer <yaronf.ietf@gmail.com> Mon, 08 February 2021 09:21 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4668C3A1501; Mon, 8 Feb 2021 01:21:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.506
X-Spam-Level:
X-Spam-Status: No, score=-0.506 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, MALFORMED_FREEMAIL=1.591, MIME_QP_LONG_LINE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WMrJHsKL4yIy; Mon, 8 Feb 2021 01:21:27 -0800 (PST)
Received: from mail-wr1-x434.google.com (mail-wr1-x434.google.com [IPv6:2a00:1450:4864:20::434]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 776D83A14FF; Mon, 8 Feb 2021 01:21:27 -0800 (PST)
Received: by mail-wr1-x434.google.com with SMTP id v14so616938wro.7; Mon, 08 Feb 2021 01:21:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :references:in-reply-to:mime-version:content-transfer-encoding; bh=/ds6Muv1939XvrLvPOfIo7W5owsP4Zmt6RTOwdPoySk=; b=dduxTCbkDWQUQxQlSR/yOA2nxKIesZw6cxoCpWWTHXA3Ih3PN0Lj+ysOZaV0pcz8YP 0CvY9r2anRahZ4ocVj6rNwWwVcC3PQC8S9kP+gj9jrQyKifHiRdvuvpeNIHzvGZtWGLZ bFd4gYhFEPji2pHfABTQEr3eeo2ePnCOXtYIN4ooUvQYQYSP3ID50R6ul7xB6fOEf6Xv 5rlMOpicdr1EHw9j49OqgyPMEttkTrU8SkgQ7uEdV2BZaZu6FOvVP4W21J4AoDVc+V47 9Yb+bU9U9+gl7fdLVRoj7lKsZlSVbn0wMNfRsmMH28lATXo89bTENQ1KTYqbkoVzycxv iTkQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:references:in-reply-to:mime-version :content-transfer-encoding; bh=/ds6Muv1939XvrLvPOfIo7W5owsP4Zmt6RTOwdPoySk=; b=XFWAaka8q6+F6MgNOvaOIdhlsUMKx/GvDF2cQDK0bgwlaKA2bQxBif2eBCc6xEoTax dVFWCdvgekUkajXWmB6hpodAphmZtoLyNGfODOkZ0uGrHwrt/kDjPKURBc14mcqdTN3l wljxxi6JbnaFs9CMR3lMMyRVq6ichPtFY4g8Kdk0PgP16udZ8Cc57CTkOv+i1QGdkCHD HS/GgqEV/rXBel96y9ulUHgiaDW+gUjGqiTv7JkAV5/XanoWoJHwv+5FSwBtkA4jFpbf zKZJXKyFSrZTxU99G6dPw4QSM+xU3OVFZuY7kKFSR5NV5wPzyQLW4inLTejVG+AXRTJq bD+g==
X-Gm-Message-State: AOAM533vkCdMAgZrWNiKtk1wrIP5jw8nCAjVgPrAP07IhtXoNQXzJq5A 779pi3b62kLIG3+Eq22lMH8FbpxC8P4=
X-Google-Smtp-Source: ABdhPJz0OHPGHA2wVeSuibFkc1ZIwnAZLeG3YRYRC6soqqS70uBsWDdmLlyzay6OuyTkkIEsESBLiw==
X-Received: by 2002:a05:6000:1374:: with SMTP id q20mr18186596wrz.44.1612776086002; Mon, 08 Feb 2021 01:21:26 -0800 (PST)
Received: from [192.168.68.105] (bzq-79-183-113-247.red.bezeqint.net. [79.183.113.247]) by smtp.gmail.com with ESMTPSA id h14sm20887442wmq.45.2021.02.08.01.21.24 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 08 Feb 2021 01:21:25 -0800 (PST)
User-Agent: Microsoft-MacOutlook/16.45.21011103
Date: Mon, 08 Feb 2021 11:21:23 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: "Pengshuping (Peng Shuping)" <pengshuping@huawei.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-pce-pcep-extension-for-pce-controller.all@ietf.org" <draft-ietf-pce-pcep-extension-for-pce-controller.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "pce@ietf.org" <pce@ietf.org>
Message-ID: <EDBFF511-E63E-4FCE-8767-94FACD7B31E4@gmail.com>
Thread-Topic: Secdir last call review of draft-ietf-pce-pcep-extension-for-pce-controller-10
References: <161264008418.17090.9500210699717988432@ietfa.amsl.com> <4278D47A901B3041A737953BAA078ADE198A9476@DGGEML532-MBX.china.huawei.com>
In-Reply-To: <4278D47A901B3041A737953BAA078ADE198A9476@DGGEML532-MBX.china.huawei.com>
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/LPJBuWmXq_r53FHvsTBbcOkwYEY>
Subject: Re: [secdir] Secdir last call review of draft-ietf-pce-pcep-extension-for-pce-controller-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2021 09:21:30 -0000
Hi Shuping, Frankly I don't know if this addresses my comments, that is, if these are all the additional security considerations that apply to SDN, compared to a basic PCEP deployment. But thank you for the new text which does improve the Security Considerations significantly. Thanks, Yaron On 2/8/21, 08:58, "Pengshuping (Peng Shuping)" <pengshuping@huawei.com> wrote: Dear Yaron, Thank you for your comments! We have made an update based on your comments. Please suggest further text if required. The Security section is further expended and more details are provided, especially the new section on the Malicious PCC is added as below. 9.2. Malicious PCC The PCECC mechanism described in this document requires the PCE to keep labels (CCI) that it downloads and relies on the PCC responding (with either an acknowledgment or an error message) to requests for LSP instantiation. This is an additional attack surface by placing a requirement for the PCE to keep a CCI/label replica for each PCC. It is RECOMMENDED that PCE implementations provide a limit on resources (in this case the CCI) a single PCC can occupy. [RFC8231] provides a notification mechanism when such threshold is reached. Please also find the working copy and the diff. Working copy: https://raw.githubusercontent.com/dhruvdhody/ietf/master/draft-ietf-pce-pcep-extension-for-pce-controller-11.txt Diff: https://tools.ietf.org/tools/rfcdiff/rfcdiff.pyht?url1=draft-ietf-pce-pcep-extension-for-pce-controller-10&url2=https://raw.githubusercontent.com/dhruvdhody/ietf/master/draft-ietf-pce-pcep-extension-for-pce-controller-11.txt Best Regards, Shuping > -----Original Message----- > From: Yaron Sheffer via Datatracker [mailto:noreply@ietf.org] > Sent: Sunday, February 7, 2021 3:35 AM > To: secdir@ietf.org > Cc: draft-ietf-pce-pcep-extension-for-pce-controller.all@ietf.org; > last-call@ietf.org; pce@ietf.org > Subject: Secdir last call review of > draft-ietf-pce-pcep-extension-for-pce-controller-10 > > Reviewer: Yaron Sheffer > Review result: Not Ready > > This document defines PCEP extensions for the RFC 8283 architecture, where > the PCE acts as a central controller in an SDN. The document is focused on > specific use cases, referred to as "basic PCECC mode". > > Let me state up front that I am not familiar with the PCE architecture other > than what I read up in order to review this document. Having said that, I > suspect that there would be significant value in a security analysis of the > architecture defined here. Having each connection "authenticated and > encrypted" > is table stakes nowadays, but is it really enough for very large SDN > deployments that require this level of protocol sophistication? > > Details > > 9.1: "authenticated and encrypted" TLS sessions are typically only > authenticated by the server. Please point out explicitly that mutual > authentication is required. Also, is there no authorization? I would assume a > peer PCE Controller is allowed to do different things than a PCC. Are all PCCs > allowed to issue the same commands/queries, targeted at the same > resources? > > - RFC 8283 which defines the architecture that is implemented by this draft > says: > > [The] security implications of SDN have not been fully discussed or > described. > Therefore, protocol and applicability work-around solutions for this > architecture must take proper account of these concerns. > > It is expected that each new document that is produced for a specific use > case will also include considerations of the security impacts of the use of a > PCE-based central controller on the network type and services being > managed. > > I don't think that the current document addresses this challenge. > > In general, this looks like a very monolithic architecture, where everybody > trusts everybody else once they've been authenticated. Although Sec. 9.1 > discusses the case of a malicious PCE (which would be rather catastrophic), I > would encourage the authors to consider whether a malicious PCC can also > disrupt the PCE's operations and cause "major impact to the network". >
- [secdir] Secdir last call review of draft-ietf-pc… Yaron Sheffer via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Pengshuping (Peng Shuping)
- Re: [secdir] Secdir last call review of draft-iet… Yaron Sheffer
- Re: [secdir] [Last-Call] Secdir last call review … Benjamin Kaduk