Re: [secdir] Secdir early review of draft-ietf-bier-ping-08

David Mandelberg <david@mandelberg.org> Fri, 19 May 2023 21:34 UTC

Date: Fri, 19 May 2023 17:34:20 -0400
From: David Mandelberg <david@mandelberg.org>
To: Greg Mirsky <gregimirsky@gmail.com>
Cc: secdir@ietf.org, bier@ietf.org, draft-ietf-bier-ping.all@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/T4uN30NiQrBNgiwRqAbjFKU8Kcw>

Looks good, thanks!

Greg Mirsky wrote on 2023-05-19 15:40:
> Hi David,
> a new version of the draft includes updates we've discussed. Also, it
> includes updates resulting from discussions of reviews by IntDir and
> RtgDir experts. I would appreciate it if you could review the updates
> (diff between the -08 version and the current version 10 is attached
> for your convenience). Please let me know if you have any further
> questions.
> 
> Best regards,
> Greg
> 
> On Wed, May 10, 2023 at 9:18 PM Greg Mirsky <gregimirsky@gmail.com>
> wrote:
> 
>> Hi David,
>> thank you for the discussion. Please find my notes below under the
>> GIM>> tag.
>> 
>> Regards,
>> Greg
>> 
>> On Tue, May 9, 2023 at 5:04 PM David Mandelberg
>> <david@mandelberg.org> wrote:
>> 
>>> I'm not familiar with LSP ping, but I just skimmed the security
>>> considerations section of that RFC. Unless I missed something (which is
>>> possible), it looks like it only talks about DoS attacks against the
>>> recipient of the ping, not amplification to attack a third party using
>>> the reply. With LSP ping, are the requests and responses roughly the
>>> same size? If they are, then that seems to be a key difference between
>>> BIER ping and LSP/ICMP ping, so it should be covered in BIER ping's
>>> security considerations.
>> 
>> GIM>> I think that LSP Ping and BIER Ping are closer to each other
>> functionally than to ICMP. As we noted in the draft, some
>> informational elements used in the LSP Ping are equally applicable
>> in BIER Ping (DDMAP).
>> 
>>> As for suggesting additional text/reference, how difficult would it be
>>> in practice for an attacker to spoof the source address in BIER ping?
>>> (That's the part I really don't have a sense of.) If it's pretty
>>> difficult, then it's probably enough to just point that out as the
>>> reason DDoS amplification isn't a big concern. If it's not that hard,
>>> then there might be a bigger problem.
>> 
>> GIM>> I think that such a scenario in BIER is as difficult as in an
>> MPLS network. Thank you for the suggestion. I will add that in the
>> next version.
>> 
>>> On 2023-05-09 at 17:43, Greg Mirsky wrote:
>>>> Hi David,
>>>> that's a valid point. I may compare the scenario you describe with the
>>>> identical reply mode commonly used in LSP Ping, i.e., over an
>>>> IPv4/IPv6 network. In that case, the MPLS label stack may not identify
>>>> the Echo Request sender, and the receiving node relies on the source IP
>>>> address in the IP/UDP header that immediately follows the label stack.
>>>> It seems like the methods to mitigate the risk of exploiting LSP Ping
>>>> as a DDoS attack described in the Security Considerations of RFC 8029
>>>> are accepted as sufficient. In our draft, we point to them as equally
>>>> relevant for BIER Ping. Would you suggest an additional text or
>>>> reference for draft-ietf-bier-ping?
>>>> 
>>>> Regards,
>>>> Greg
>>>> 
>>>> On Tue, May 9, 2023 at 12:37 PM David Mandelberg
>>>> <david@mandelberg.org> wrote:
>>>> 
>>>>> The Reply-To TLV stood out to me as the easiest way to redirect return
>>>>> traffic to a victim, but not necessarily the only way. Can the BFIR
>>>>> ID be spoofed to get return traffic sent to an unsuspecting third
>>>>> party?
>>>>> 
>>>>> On 2023-05-08 at 12:16, Greg Mirsky wrote:
>>>>>> Hi David,
>>>>>> thank you for your thoughtful comments. After reviewing the use
>>>>>> scenario, we decided to remove the Reply-To TLV. The BIER Header
>>>>>> includes the BFIR ID that can be used to derive the IP address of
>>>>>> the Sender. I hope that addresses your concern. The new version of
>>>>>> the draft <https://datatracker.ietf.org/doc/draft-ietf-bier-ping/>
>>>>>> also includes updates addressing early reviews from Rtg and Int
>>>>>> areas. Please let me know if you have any further questions.
>>>>>> 
>>>>>> Best regards,
>>>>>> Greg
>>>>>> 
>>>>>> On Fri, Apr 21, 2023 at 2:33 PM David Mandelberg via Datatracker
>>>>>> <noreply@ietf.org> wrote:
>>>>>> 
>>>>>>> Reviewer: David Mandelberg
>>>>>>> Review result: Has Nits
>>>>>>> 
>>>>>>> This mostly looks good, I think.
>>>>>>> 
>>>>>>> My only concern is about if/how this could be exploited to DDoS
>>>>>>> third parties. It looks like there are a few ways that the
>>>>>>> responses can be larger than the requests, either by responders
>>>>>>> adding additional TLVs, or by multiple responders responding to the
>>>>>>> same request. I'm not sure how much of a risk source address
>>>>>>> spoofing is in the request's outer header, but it looks like the
>>>>>>> Reply-To TLV can be used to send responses to another address
>>>>>>> anyway, regardless of the source address. So if this were on the
>>>>>>> open internet, I'd expect attackers to abuse it to send lots of
>>>>>>> data to their targets. But from the mentions of MPLS, I'm guessing
>>>>>>> that this is not meant to be used on the open internet? So it might
>>>>>>> not be an issue in the environments this is intended to be deployed
>>>>>>> in, or there might be some other mitigation.