Re: [secdir] secdir review of draft-ietf-lisp-gpe
Christopher Wood <christopherwood07@gmail.com> Fri, 14 September 2018 13:30 UTC
Return-Path: <christopherwood07@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2A204130E5B; Fri, 14 Sep 2018 06:30:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mC-0nLYdx3vn; Fri, 14 Sep 2018 06:30:14 -0700 (PDT)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D074130EC4; Fri, 14 Sep 2018 06:30:14 -0700 (PDT)
Received: by mail-io1-xd2f.google.com with SMTP id w11-v6so6043013iob.2; Fri, 14 Sep 2018 06:30:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=1fAL8SoWNK+ETWlHUyCD6E8oPCMnIvauSUpHL43HjxA=; b=uP/Vh3Psy5l7ITIz8y03AerkdUs7uTzDEx89dzgCH5goBIaYiUXeJk+4NYuf2R2OUw YjGktRAN++6IM4JU/4LLkJhMsFusrcLPpjUdm4fmDnPEnoXf+TB+vBOSie+mINtOLGk1 VDUQthxduDl3w5onTDUczURTM1kHK16nVTbDNA78dPZj8Ra3DRfOpEhviL1ZGeuLV8G8 E2Y8f12qTHUoGkCYvrbr7T7bu3yTTKIM4kYjEvn+7xwkhn489223nvuiyxKwGgdr8bZW 9vfaT7/mf/jDtzIz1iJLNh6s/Df6AdNcWBESNzK0rkOgLlv173C0t1OQfpRo5uMDwuSL +iGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=1fAL8SoWNK+ETWlHUyCD6E8oPCMnIvauSUpHL43HjxA=; b=lrzo+cyyGt7CL4lRi4FDlqAh4+oMls3iA3Tqfg8CN9tmdDxvTCkeb5yIhzz/uh0AxO IxJsqYx5H1bfwDJt9oJcJwaa9/Gx4mM49lan5Y5Aekivul3mMM/hlB7mgvTCaaaxHHbx 5T5/mi8+oyHo0zs+LqmajD1DaTi8XJHVbem46zIeXW9wW1W0qghw7VIB76vMz4jAae+J iRelUq9rSazF6qG0Y0rfaupqO43mFYT8H7sBBLBGMvWXPwD9xJxtE2TD5ZZQyvvnOorN /5vBNlh5aATkCUeC00c7yvHroZ0R50mAIT5xe2SjkQCgx7WX8VuREuxmB1gnq0qTf1fH w48Q==
X-Gm-Message-State: APzg51C1Loap5DhGCeQt6GLBTQxo2ciSi5u+lcVxTuY85rtHBnjmGaLc uRnpd72fL7MeRmeHFgbtuY2PRbqc9tBM2ma1G0zFym6m
X-Google-Smtp-Source: ANB0VdZm/JKmvRBHXuRAuEeNPJ0/E74ZBXMXFgmji+8qdNZ+Tr4nFn3Hr/mR49BfHFrAkSwD2nzDKFE866kqCp7nAyU=
X-Received: by 2002:a6b:7846:: with SMTP id h6-v6mr7911588iop.204.1536931813134; Fri, 14 Sep 2018 06:30:13 -0700 (PDT)
MIME-Version: 1.0
References: <CAO8oSXkv2RAL5w8oG4yY7EZNujsc+nZYmaf+OdCjOzmkY2dnTg@mail.gmail.com> <7aedf62f-780b-6ebd-16eb-d7c2031be91d@cisco.com>
In-Reply-To: <7aedf62f-780b-6ebd-16eb-d7c2031be91d@cisco.com>
From: Christopher Wood <christopherwood07@gmail.com>
Date: Fri, 14 Sep 2018 06:29:59 -0700
Message-ID: <CAO8oSX=9NU_wg2pfRKoS5xgiAWa=Efwf_zRqkupU373-z7=VPg@mail.gmail.com>
To: fmaino@cisco.com
Cc: The IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-lisp-gpe.all@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/NF1qQf2fg9GYnsAtndLyuewqIXs>
Subject: Re: [secdir] secdir review of draft-ietf-lisp-gpe
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Sep 2018 13:30:26 -0000
Hi Fabio, Thanks for the quick response! Your proposed additions address my concerns. I assume you all will work out what is best for the diagrams. Best, Chris On Wed, Sep 12, 2018 at 5:12 PM Fabio Maino <fmaino@cisco.com> wrote: > > On 9/9/18 11:26 AM, Christopher Wood wrote: > > Hello, > > > > I have reviewed this document as part of the security directorate's > > ongoing effort to review all IETF documents being processed by the > > IESG. These comments were written primarily for the benefit of the > > security area directors. Document editors and WG chairs should treat > > these comments just like any other last call comments. > > > > The summary of my review is: Ready with issues. > > > > The proposed extension mechanism is simple to understand. However, my > > main concern is regarding the nonce size reduction and implications on > > LISP. While the threat models (on-path and off-path) do not change > > with this extension, the probability of some off-path attacks might > > change. Specifically, the probability of correctly guessing a 16 bit > > nonce is not negligible. This might make attacks in which an adversary > > tries to convince an ITR of reachability to an otherwise unreachable > > ETR more likely. From [1], an ITR that sees the nonce echoed correctly > > “knows that the path to and from the ETR is up.” Thus, I think some > > discussion of this is necessary in the security considerations. > > Good point. I'll add the following text to the Security Section, after > the very first paragraph: > > "The Echo Nonce Algorithm described in [I-D.ietf-lisp-rfc6830bis] relies > on the nonce to detect reachability from ITR to ETR. In LISP-GPE the use > of a 16-bit nonce, compared with the 24-bit nonce used in LISP, > increases the probability of an off-path attacker to correctly guess the > nonce and force the ITR to believe that a non-reachable RLOC is > reachable. However, the use of common anti-spoofing mechanisms such as > uRPF prevents this form of attack." > > > > Beyond that, I have the following minor comments and nits: > > > > - UDP checksums seem to be the only mechanism in place that give ITRs > > and ETRs a means of checking datagram integrity. Of course, this means > > an on-path adversary can muck with the g-Bit from Section 4.1 so as to > > prevent use of the GPE mechanism. This is not new with this extension, > > though a comment on the issue might be useful, e.g., in the security > > considerations. > > I will add this paragraph to the security section: > > "LISP-GPE, as many encapsulations that use optional extensions, is > subject to on-path adversaries that by manipulating the g-Bit and the > packet itself can remove part of the payload. Typical integrity > protection mechanisms (such as IPsec) SHOULD be used in combination with > LISP-GPE by those protocol extensions that want to protect from on-path > attackers." > > > > - It would be helpful to include packet diagrams similar to Figure 2 > > wherein (1) P and V are set and (2) only P is set. While I don’t find > > the text misleading or confusing, a figure might help other readers. > > > > 0 1 2 3 > > 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > |N|L|E|1|I|1|K|K| Source MV | Dest MV | Next Protocol | > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > | Instance ID/Locator-Status-Bits | > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > > > 0 1 2 3 > > 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > |0|L|0|0|I|1|K|K| ... 0 ... | Next Protocol | > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > | Instance ID/Locator-Status-Bits | > > +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ > > I'd prefer to use diagrams that are congruent with those used in > RFC6830bis. I'll defer this comment to the authors of RFC6830bis, and > follow whatever convention they will decide to follow. > > > > > - In Section 4, where it states, "A LISP-GPE router MUST NOT > > encapsulate non-IP packets to a non LISP-GPE capable router," I might > > replace "to a non LIST-GPE capable router" with "when the P-bit is set > > to 0." > > I will use the following text: > > "A LISP-GPE router MUST NOT encapsulate non-IP packets (that have the > P-bit set to 1) to a non-LISP-GPE capable router." > > > Thanks, > Fabio > > > > > > [1] https://tools.ietf.org/html/draft-ietf-lisp-rfc6830bis-16#section-10.1 > >
- [secdir] secdir review of draft-ietf-lisp-gpe Christopher Wood
- Re: [secdir] secdir review of draft-ietf-lisp-gpe Fabio Maino
- Re: [secdir] secdir review of draft-ietf-lisp-gpe Christopher Wood