Re: [secdir] SecDir review of draft-ietf-ospf-prefix-hiding-04

"Retana, Alvaro" <alvaro.retana@hp.com> Tue, 10 July 2012 17:38 UTC

Return-Path: <alvaro.retana@hp.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3679121F86DF; Tue, 10 Jul 2012 10:38:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -109.499
X-Spam-Level:
X-Spam-Status: No, score=-109.499 tagged_above=-999 required=5 tests=[AWL=1.100, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vXDUJPQDhBm4; Tue, 10 Jul 2012 10:38:28 -0700 (PDT)
Received: from g1t0029.austin.hp.com (g1t0029.austin.hp.com [15.216.28.36]) by ietfa.amsl.com (Postfix) with ESMTP id 1DFCB21F8690; Tue, 10 Jul 2012 10:38:27 -0700 (PDT)
Received: from G1W3635G.americas.hpqcorp.net (g1w3635g.austin.hp.com [16.193.48.86]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by g1t0029.austin.hp.com (Postfix) with ESMTPS id BAEE4381BD; Tue, 10 Jul 2012 17:38:55 +0000 (UTC)
Received: from G2W1954G.americas.hpqcorp.net (16.238.8.186) by G1W3635G.americas.hpqcorp.net (16.193.48.86) with Microsoft SMTP Server (TLS) id 14.2.283.4; Tue, 10 Jul 2012 17:37:46 +0000
Received: from G2W2446.americas.hpqcorp.net ([169.254.7.17]) by G2W1954G.americas.hpqcorp.net ([16.238.8.186]) with mapi id 14.02.0283.003; Tue, 10 Jul 2012 17:37:45 +0000
From: "Retana, Alvaro" <alvaro.retana@hp.com>
To: Julien Laganier <julien.ietf@gmail.com>
Thread-Topic: SecDir review of draft-ietf-ospf-prefix-hiding-04
Thread-Index: AQHNW7H2jmw/JizKEk62icH9vhErYpccuHkAgABRH4CABcNtQA==
Date: Tue, 10 Jul 2012 17:37:45 +0000
Message-ID: <C03AAF38AD209F4BB02BC0A34B774CE70BF510@G2W2446.americas.hpqcorp.net>
References: <CAE_dhjvtKqfgJF+vjp1un_672sEZ_gw-6q6N_RsCsYgmrjr36g@mail.gmail.com> <CAE_dhjsgQZoC4_4jJ14JVKrp_ajjOfbbo9iTgp0XsK91mVozDw@mail.gmail.com> <C03AAF38AD209F4BB02BC0A34B774CE70B75F3@G2W2446.americas.hpqcorp.net> <16AA6D76-A64E-4191-B874-B4C84EDB286F@ericsson.com>
In-Reply-To: <16AA6D76-A64E-4191-B874-B4C84EDB286F@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [15.217.50.28]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Tue, 10 Jul 2012 12:37:06 -0700
Cc: "secdir@ietf.org" <secdir@ietf.org>, Yi Yang <yiya@cisco.com>, Acee Lindem <acee.lindem@ericsson.com>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-ospf-prefix-hiding.all@tools.ietf.org" <draft-ietf-ospf-prefix-hiding.all@tools.ietf.org>, Abhay Roy <akr@cisco.com>
Subject: Re: [secdir] SecDir review of draft-ietf-ospf-prefix-hiding-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jul 2012 17:38:29 -0000

Julien:

To make sure that your concerns are clarified, I wrote in some new information in the Security Considerations section.   Please see below and let me know if you still have concerns.  We'll publish an update before the deadline on Monday (Jul/9).

Thanks!!

Alvaro.

[Note: the 2 middle paragraphs are new.]

8. Security Considerations

One motivation for this document is to reduce remote attack vulnerability by hiding transit-only networks.  The result should then be that fewer OSPF core networks will be exposed to un-authorized access.

The mechanisms described above result in reachability information from transit-only networks not being installed in the routers' forwarding tables.  The effect is that even if the address of a transit-only network is known, the forwarding information is not present in the routers to reach the destination.  Also, in some cases the address information is completely omitted from the LSA.  

Some information in the LSA (such as the OSPF Router ID) cannot be omitted.  Even though the Router ID is usually taken from an IP address on the router, the configuration can be easily changed.  Note again that having an address doesn't guarantee reachability if the information is hidden from the forwarding tables.

While the steps described in this document are meant to be applied to transit-only networks ONLY, they could be used to hide other networks as well.  It is expected that the same care that users put on the configuration of other routing protocol parameters is used in the configuration of this extension.


> -----Original Message-----
> From: Acee Lindem [mailto:acee.lindem@ericsson.com]
> Sent: Friday, July 06, 2012 9:33 PM
> To: Retana, Alvaro
> Cc: Julien Laganier; Yi Yang; Abhay Roy; secdir@ietf.org; draft-ietf-
> ospf-prefix-hiding.all@tools.ietf.org; iesg@ietf.org
> Subject: Re: SecDir review of draft-ietf-ospf-prefix-hiding-04
> 
> Actually, with this draft, the OSPF LSAs do not necessarily contain any
> IP addresses - only topology information. The OSPF Router ID certainly
> doesn't have to be a routable IP address and can be explicitly
> configured to avoid the default of configured address selection
> supported by most implementations.
> Thanks,
> Acee
> 
> On Jul 6, 2012, at 4:50 PM, Retana, Alvaro wrote:
> 
> > Julien:
> >
> > Hi!
> >
> > [Thanks for forwarding.]
> >
> > In short, avoiding installation of the routing information (even if
> still carried in the LSAs) means that the routers don't have forwarding
> information to reach a specific transit interface.  IOW, even if you
> know my IP address you can't send me a packet (if you're more than one
> hop away).
> >
> > We'll expand on the security considerations.
> >
> > Thanks!!
> >
> > Alvaro.
> >
> >> -----Original Message-----
> >> From: Julien Laganier [mailto:julien.ietf@gmail.com]
> >> Sent: Friday, July 06, 2012 4:00 PM
> >> To: Retana, Alvaro
> >> Subject: Fwd: SecDir review of draft-ietf-ospf-prefix-hiding-04
> >>
> >> FYI.
> >>
> >>
> >> ---------- Forwarded message ----------
> >> From: Julien Laganier <julien.ietf@gmail.com>
> >> Date: Fri, Jul 6, 2012 at 12:44 PM
> >> Subject: SecDir review of draft-ietf-ospf-prefix-hiding-04
> >> To: secdir@ietf.org, draft-ietf-ospf-prefix-
> hiding.all@tools.ietf.org,
> >> The IESG <iesg@ietf.org>
> >>
> >>
> >> I have reviewed this document as part of the security directorate's
> >> ongoing effort to review all IETF documents being processed by the
> >> IESG.  These comments were written primarily for the benefit of the
> >> security area directors.  Document editors and WG chairs should
> treat
> >> these comments just like any other last call comments.
> >>
> >> Disclaimer: I am no routing or OSPF expert and might be missing
> >> something obvious...
> >>
> >> According to its abstract the draft describes a mechanism that
> allows
> >> hiding transit-only networks in OSPF:
> >>
> >>  A transit-only network is defined as a network connecting routers
> >>  only.  In OSPF, transit-only networks are usually configured with
> >>  routable IP addresses, which are advertised in Link State
> >>  Advertisements (LSAs) but not needed for data traffic.  In
> addition,
> >>  remote attacks can be launched against routers by sending packets
> to
> >>  these transit-only networks.  This document presents a mechanism to
> >>  hide transit-only networks to speed up network convergence and
> >>  minimize remote attack vulnerability.
> >>
> >> While the desire to speed up the network convergence is probably
> >> obvious and not of concern, I think the document and its security
> >> considerations section in particular could do a better job at
> >> explaining what the mechanism achieves in terms of minimizing remote
> >> attack vulnerability.
> >>
> >> As per my understanding, the proposed mechanism essentially remove
> the
> >> subnet / netmask information from Link State Advertisements, but
> these
> >> still contain the routers' IP addresses.
> >>
> >> It is not clear to me how removing the subnet / netmask information
> >> actually minimizes the risk of remote attacks.
> >>
> >> First of all, the type of remote attacks that minimized should be
> made
> >> more explicit. What is the target of the remote attacks? Is it any
> >> address in the subnet? Or the address of a router? If the latter,
> then
> >> it is not clear how the mechanism actually improves -- the router's
> IP
> >> addresses are still in the LSAs so presumably an attacker can still
> >> launch remote attacks on these addresses, no? If the former, then it
> >> is not clear how effective is omission of the subnet in avoiding
> >> attacks avoid addresses within that subnet -- addresses in the
> >> (unknown) subnet can still be inferred from addresses of the
> routers,
> >> no? Or is it the case that the LSAs containing the IP addresses of
> the
> >> routers will not be propagated outside of an area that the attacker
> >> has no access to?
> >>
> >> Expanding the security considerations might help answering these
> >> questions...
> >>
> >> --julien