Re: [secdir] Secdir review of draft-ietf-opsawg-large-flow-load-balancing-11

Chris Inacio <inacio@cert.org> Fri, 02 May 2014 04:25 UTC

Return-Path: <inacio@cert.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 08AC71A09E9; Thu, 1 May 2014 21:25:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.701
X-Spam-Level:
X-Spam-Status: No, score=-3.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_22=0.6, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T2aPE_9I-oIB; Thu, 1 May 2014 21:25:32 -0700 (PDT)
Received: from shetland.sei.cmu.edu (shetland.sei.cmu.edu [192.58.107.44]) by ietfa.amsl.com (Postfix) with ESMTP id 216C41A09CA; Thu, 1 May 2014 21:25:32 -0700 (PDT)
Received: from timber.sei.cmu.edu (timber.sei.cmu.edu [10.64.21.23]) by shetland.sei.cmu.edu (8.14.4/8.14.4/1408) with ESMTP id s424PSbD020649; Fri, 2 May 2014 00:25:28 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cert.org; s=jthatj15xw2j; t=1399004728; bh=p3I0NK6HAsQlTeRBdmGV1a6sOvlxCGPuuykeZIJR01I=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:Content-ID:Content-Transfer-Encoding:MIME-Version: Sender:Reply-To; b=GyGJhZStVtkWo0v7bfBdKLJ/H0amu3yx3dBMcquk1lRaSGNlwrdo2sRjqqzVcgEQb 3sKQkRDO0AibZJgRPeCctBhs0qA6EjdBpEfZ+rm2s5neVyt+pdUw7sAfUL3vPC+mvR +qGjXtdHMRvH26iISKGoXh37ZkGJbeegEJQwkS78=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by timber.sei.cmu.edu (8.14.4/8.14.4/1456) with ESMTP id s424PQSB017278; Fri, 2 May 2014 00:25:26 -0400
Received: from MARATHON.ad.sei.cmu.edu ([10.64.28.250]) by CASCADE.ad.sei.cmu.edu ([10.64.28.248]) with mapi id 14.02.0347.000; Fri, 2 May 2014 00:25:26 -0400
From: Chris Inacio <inacio@cert.org>
To: Yoav Nir <ynir.ietf@gmail.com>
Thread-Topic: [secdir] Secdir review of draft-ietf-opsawg-large-flow-load-balancing-11
Thread-Index: AQHPYuiKVsIQX6Dr/kenvSMwEYGFopss+k8A
Date: Fri, 2 May 2014 04:25:25 +0000
Message-ID: <E1F7C495-9A31-44B4-932E-A51F3E2E1DFA@cert.org>
References: <0D637AC0-FD4F-4865-8D14-ADB75BAB072E@gmail.com>
In-Reply-To: <0D637AC0-FD4F-4865-8D14-ADB75BAB072E@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.100.102]
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <50A7F9D82C3B4849B44E623EA7E51842@sei.cmu.edu>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/PFtnrGyfMLlLnOceKRKKoUd-pv0
Cc: "draft-ietf-opsawg-large-flow-load-balancing.all@tools.ietf.org" <draft-ietf-opsawg-large-flow-load-balancing.all@tools.ietf.org>, "<iesg@ietf.org> IESG" <iesg@ietf.org>, "<secdir@ietf.org>" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-opsawg-large-flow-load-balancing-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 May 2014 04:25:34 -0000

> 




On Apr 28, 2014, at 9:47 AM, Yoav Nir <ynir.ietf@gmail.com>; wrote:

> Hi
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> tl;dr version: the document is ready.
> 
> I was a little surprised by the way the document is organized, and I’m not sure who the target audience is. On the one hand it is very verbose on explanations (that’s a good thing!) and I could very well understand it even though I lack any background on the matter.  On the other hand, the order in which things are explained seems strange:
> 
> The introduction talks about large flows vs small flows, long-lived flows vs short-lived flows, and Large flows vs Small flows (no, I’m not repeating myself, capitalize Large is different from lower-case large and in fact means both “large” and “long-lived”).  But three things are totally missing: What is a flow? How large does a flow have to be to be considered “large” (lower case), and how long must a flow continue to be considered “long-lived”. Even the terminology section (1.2) defines Large, Small and small again, but not what a flow is.  These concepts are finally explained in sections 4.1, 4.3.1, and 4.3.2.
> 
> The document describes how load balancing can be achieved by moving large flows around between links and by removing loaded links from the hash table, so that Small (or actually un-classified) new flows will not go to overloaded links. This is an improvement over the assumed default that is statically assigning flows to links based on a hash.
> 
> The document has a short security considerations section that says that it does not impact the security of the Internet infrastructure or applications. I tend to agree, because the parts of the network where these protocols tends to be mostly stateless, so moving flows from one component to another should not make a difference. It would be different if there were supposed to be firewalls on the nodes.
> The security considerations also says that load balancing might help in resisting DoS attacks, for example if an attacker can create traffic where the hash would collide with some Large flow. With load balancing either the attacker’s flow or the Large flow is moved, eliminating the contention. Again, I tend to agree, although this will allow a more powerful attacker to overload all the links, not just the ones they can target with the hash function. Still, an attacker powerful enough to overload all the links is likely to be able to create traffic that collides with all links anyway.
> 
> I don’t think there’s anything missing from the security considerations.
> 
> Hope this helps
> 
> Yoav
> 
> 



> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.

After reading Yoav’s review, I was curious about this document.

I would agree, roughly, with Yoav’s comments on flow description.  The table at the beginning of the document (section 2) I feel would be much better served with its Y axis labeled as bandwidth, and not flow scale.

>From a technical point of view, the only issue I have with the document is that I feel that it misses how long lived flows are identified.  I understand the technical challenge that this presents: how should a middle box understand/guess the intention of the end points for the duration of a flow?  There are likely to be some heuristics that could be developed/included that would be likely to have some indication as to the lifetime.  For example, SSH keep alives with an otherwise minimal (smallest of small) flow, or VPN identification.  (Of course with VPN, the flow can quickly switch from small to large and back to small.)  Devices with enhanced flow inspection can obviously label the traffic via inspection.

I have 2 possible security considerations:

Assuming the multi paths might lead to equal but diverse Internet connections (anycast), does moving flows between paths provide an attacker who has already penetrated an enterprise, the possibility to further evade detection of border monitoring devices via flow flopping?  Possibly evading stateful inspection at the border?

And less likely: From a security point of view, sophisticated attackers, persistent attackers, like to map their target environment (hosts and network) before attempting their actual attack (DoS, exfiltration, destruction, etc.).  Does the movement of flows across otherwise redundant links expose more network structure, especially with respect to traceroute for an attacker.  



--
Chris Inacio
inacio@cert.org