[secdir] secdir review of draft-ietf-rift-rift-04

"Scott G. Kelly" <scott@hyperthought.com> Sat, 06 April 2019 13:40 UTC

Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 2D9E0120005 for <secdir@ietfa.amsl.com>; Sat, 6 Apr 2019 06:40:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id gzGXaaC2Di8I for <secdir@ietfa.amsl.com>; Sat, 6 Apr 2019 06:40:01 -0700 (PDT)
Received: from smtp114.iad3a.emailsrvr.com (smtp114.iad3a.emailsrvr.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 389F112009A for <secdir@ietf.org>; Sat, 6 Apr 2019 06:40:01 -0700 (PDT)
Received: from smtp23.relay.iad3a.emailsrvr.com (localhost []) by smtp23.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 29C9623A1B; Sat, 6 Apr 2019 09:40:00 -0400 (EDT)
Received: from app45.wa-webapps.iad3a (relay-webapps.rsapps.net []) by smtp23.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 0F4DD23A11; Sat, 6 Apr 2019 09:40:00 -0400 (EDT)
X-Sender-Id: scott@hyperthought.com
Received: from app45.wa-webapps.iad3a (relay-webapps.rsapps.net []) by (trex/5.7.12); Sat, 06 Apr 2019 09:40:00 -0400
Received: from hyperthought.com (localhost.localdomain []) by app45.wa-webapps.iad3a (Postfix) with ESMTP id F07C46004B; Sat, 6 Apr 2019 09:39:59 -0400 (EDT)
Received: by apps.rackspace.com (Authenticated sender: scott@hyperthought.com, from: scott@hyperthought.com) with HTTP; Sat, 6 Apr 2019 06:39:59 -0700 (PDT)
X-Auth-ID: scott@hyperthought.com
Date: Sat, 06 Apr 2019 06:39:59 -0700
From: "Scott G. Kelly" <scott@hyperthought.com>
To: draft-ietf-rift-rift.all@tools.ietf.org, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Importance: Normal
X-Priority: 3 (Normal)
X-Type: plain
Message-ID: <1554557999.98244880@apps.rackspace.com>
X-Mailer: webmail/16.3.0-RC
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/PCZQXHrV2zGrUqgu2RSaJFkxJZw>
Subject: [secdir] secdir review of draft-ietf-rift-rift-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Apr 2019 13:40:04 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is ready with issues

From the abstract, this document outlines a specialized, dynamic routing protocol for Clos and fat-tree network topologies.

(should that read CLOS?)

Following is a brief summary of comments and questions by section.

5.4.1 includes this sentence:

   The most security conscious operators will want to have full control
   over which port on which router/switch is connected to the respective
   port on the "other side", which we will call the "port-association
   model" (PAM) achievable e.g. by pairwise-key PKI.

What is "pairwise-key PKI"?

Secion 5.4.2 says "Low processing overhead and efficiency messaging are also a goal."

I suggest replacing efficiency with efficient

It also says "Message privacy achieved through full encryption is a non-goal"

I suggest saying "Message confidentiality is a non-goal" instead.

Section 5.4.3
"Length of Fingerprint:  8 bits.  Length in 32-bit multiples of the
      following fingerprint not including lifetime or nonces.  It allows
      to navigate the structure when an unknown key type is present.  To
      clarify a common cornercase a fingerprint with length of 0 bits is
      presenting this field with value of 0."

Does length 0 mean no fingerprint is present (i.e. fingerprints are not provided)? I don't understand that last sentence.

The definition for "Security Fingerprint" includes this	sentence:

"If the fingerprint is shorter than the significant bits are left aligned and remaining bits are set to 0."

I don't	understand this	sentence. I think you mean that	if the fingerprint bit length is not an even multiple of 32, then it is left-aligned, and the rightmost unused bits are set to 0. But that's just a guess.

"Any implementation including RIFT security MUST generate and wrap around local nonces properly"

I see the term "nonce" used elsewhere, but because it can wrap (and therefore repeat with regularity), I think this is a poor choice for naming this field. It seems to be more of a counter. I think most security folks would agree that a nonce used for security purposes should, by definition, repeat only with negligible probability.

On a related note, does this really provide anti-replay protection? Elsewhere in the document (e.g. section 5.4.4) it says that implementations could go up to 5 minutes without incrementing nonces. Can they send multiple packets with the same nonce during this interval? If so, what prevents replay of a captured packet within that interval?

Also, because wrapping (of this 16 bit value) is supported, it's also possible that an earlier packet could be replayed (assuming the peer nonce also aligned), right? The odds of this seem low, but could the protocol/endpoint states be manipulated to improve the odds? Not sure. But if you are assuming this can't happen, this security-relevant assumption should be called out.

5.4.7 says

   "If an implementation supports disabling the security envelope
   requirements while sending a security envelope an implementation
   could shut down the security envelope procedures while maintaining an
   adjacency and make changes to the algorithms on both sides then re
   enable the security envelope procedures but that introduces security
   holes during the disabled period."

Aside from the fact that this needs word-smithing, should this be called out in the security considerations section? This eeems to be saying that it's not a good idea to temporarily maintain adjacency while disabling security, so is this a SHOULD NOT?

section 8.4
flodding -> flooding

section 8.4 also says

   It is expected that an
   implementation detecting too many fake losses or misorderings due to
   the attack on the number would simply suppress its further processing.

what are "fake losses"?

I am not a routing expert, so there may be additional concerns that someone better versed in routing would raise.