Re: [secdir] Secdir early review of draft-ietf-bier-ping-08
David Mandelberg <david@mandelberg.org> Fri, 19 May 2023 21:34 UTC
Date: Fri, 19 May 2023 17:34:20 -0400
From: David Mandelberg <david@mandelberg.org>
To: Greg Mirsky <gregimirsky@gmail.com>
Cc: secdir@ietf.org, bier@ietf.org, draft-ietf-bier-ping.all@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/T4uN30NiQrBNgiwRqAbjFKU8Kcw>
Looks good, thanks!

Greg Mirsky wrote on 2023-05-19 15:40:
> Hi David,
> a new version of the draft includes updates we've discussed. Also, it includes updates resulting from discussions of reviews by IntDir and RtgDir experts. I would appreciate it if you could review the updates (diff between the -08 version and the current version 10 is attached for your convenience). Please let me know if you have any further questions.
>
> Best regards,
> Greg
>
> On Wed, May 10, 2023 at 9:18 PM Greg Mirsky <gregimirsky@gmail.com> wrote:
>
>> Hi David,
>> thank you for the discussion. Please find my notes below under the GIM>> tag.
>>
>> Regards,
>> Greg
>>
>> On Tue, May 9, 2023 at 5:04 PM David Mandelberg <david@mandelberg.org> wrote:
>>
>>> I'm not familiar with LSP ping, but I just skimmed the security considerations section of that RFC. Unless I missed something (which is possible), it looks like it only talks about DoS attacks against the recipient of the ping, not amplification to attack a third party using the reply. With LSP ping, are the requests and responses roughly the same size? If they are, then that seems to be a key difference between BIER ping and LSP/ICMP ping, so it should be covered in BIER ping's security considerations.
>>
>> GIM>> I think that LSP Ping and BIER Ping are closer to each other functionally than to ICMP. As we noted in the draft, some informational elements used in the LSP Ping are equally applicable in BIER Ping (DDMAP).
>>
>>> As for suggesting additional text/reference, how difficult would it be in practice for an attacker to spoof the source address in BIER ping? (That's the part I really don't have a sense of.) If it's pretty difficult, then it's probably enough to just point that out as the reason DDoS amplification isn't a big concern. If it's not that hard, then there might be a bigger problem.
>>
>> GIM>> I think that such a scenario in BIER is as difficult as in an MPLS network. Thank you for the suggestion. I will add that in the next version.
>>
>>> On 2023-05-09 at 17:43 Greg Mirsky wrote:
>>>> Hi David,
>>>> that's a valid point. I may compare the scenario you describe with the commonly used in LSP Ping identical reply mode, i.e., over IPv4/IPv6 network. In that case, the MPLS label stack may not identify the Echo Request sender, and the receiving node relies on the source IP address in the IP/UDP header that immediately follows the label stack. It seems like methods to mitigate the risk of exploiting LSP Ping as a DDoS attack described the Security Consideration in RFC 8029 accepted as sufficient. In our draft, we point them as equally relevant for BIER Ping. Would you suggest an additional text or reference for draft-ietf-bier-ping?
>>>>
>>>> Regards,
>>>> Greg
>>>>
>>>> On Tue, May 9, 2023 at 12:37 PM David Mandelberg <david@mandelberg.org> wrote:
>>>>
>>>> The Reply-To TLV stood out to me as the easiest way to redirect return traffic to a victim, but not necessarily the only way. Can the BFIR ID be spoofed to get return traffic sent to an unsuspecting third party?
>>>>
>>>> On 2023-05-08 at 12:16 Greg Mirsky wrote:
>>>>> Hi David,
>>>>> thank you for your thoughtful comments. After reviewing the use scenario, we decided to remove the Reply-To TLV. The BIER Header includes the BFIR ID that can be used to derive the IP address of the Sender. I hope that addresses your concern. The new version of the draft <https://datatracker.ietf.org/doc/draft-ietf-bier-ping/> also includes updates addressing early reviews from Rtg and Int areas.
>>>>> Please let me know if you have any further questions.
>>>>>
>>>>> Best regards,
>>>>> Greg
>>>>>
>>>>> On Fri, Apr 21, 2023 at 2:33 PM David Mandelberg via Datatracker <noreply@ietf.org> wrote:
>>>>>
>>>>> Reviewer: David Mandelberg
>>>>> Review result: Has Nits
>>>>>
>>>>> This mostly looks good, I think.
>>>>>
>>>>> My only concern is about if/how this could be exploited to DDoS third parties. It looks like there are a few ways that the responses can be larger than the requests, either by responders adding additional TLVs, or by multiple responders responding to the same request. I'm not sure how much of a risk source address spoofing is in the request's outer header, but it looks like the Reply-To TLV can be used to send responses to another address anyway, regardless of the source address. So if this were on the open internet, I'd expect attackers to abuse it to send lots of data to their targets. But from the mentions of MPLS, I'm guessing that this is not meant to be used on the open internet? So it might not be an issue in the environments this is intended to be deployed in, or there might be some other mitigation.
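The amplification question the thread above turns on (replies larger than the request through added TLVs, several BFERs answering one request, and the reply address bound to the BFIR ID once the Reply-To TLV is gone), as an added model with a per-responder rate limit of the kind RFC 8029 relies on. This is constructed example code, not the draft's and not from anyone in this thread; the BitString encoding, the byte sizes and the limiter design are assumptions.

```python
# Constructed model of the amplification question in the review above. Assumed,
# not from the draft: a request names target BFERs with a BitString, replies go
# to the address derived from the BFIR ID, and replies may add TLVs (e.g. DDMAP).
from dataclasses import dataclass

@dataclass(frozen=True)
class EchoRequest:
    bfir_id: int    # replies are sent to the address derived from this
    bitstring: int  # bit k-1 set => the BFER with id k must reply
    size: int       # request bytes on the wire (constructed sample value)

@dataclass(frozen=True)
class Bfer:
    bfer_id: int
    base_reply: int  # bytes of a minimal Echo Reply (constructed)
    extra_tlvs: int  # bytes of optional TLVs this BFER appends (constructed)

def responders(req: EchoRequest, bfers: list) -> list:
    """BFERs whose bit is set in the request's BitString."""
    return [b for b in bfers if (req.bitstring >> (b.bfer_id - 1)) & 1]

def amplification(req: EchoRequest, bfers: list) -> float:
    """Reply bytes sent toward the BFIR-derived address per request byte."""
    total = sum(b.base_reply + b.extra_tlvs for b in responders(req, bfers))
    return total / req.size

class ReplyRateLimiter:
    """Per-BFER mitigation: cap reply bytes sent to one BFIR within a window."""
    def __init__(self, cap_bytes: int):
        self.cap = cap_bytes
        self.spent = {}  # bfir_id -> bytes replied this window

    def allow(self, bfir_id: int, reply_size: int) -> bool:
        used = self.spent.get(bfir_id, 0)
        if used + reply_size > self.cap:
            return False  # drop the reply rather than exceed the budget
        self.spent[bfir_id] = used + reply_size
        return True

def window_reply_bytes(requests, bfers, cap_bytes=None):
    # Reply bytes per BFIR over one window. With cap_bytes set, every BFER runs
    # its own limiter, so no BFIR can receive more than len(bfers) * cap_bytes.
    limiters = {b.bfer_id: ReplyRateLimiter(cap_bytes or 0) for b in bfers}
    totals = {}
    for req in requests:
        for b in responders(req, bfers):
            size = b.base_reply + b.extra_tlvs
            if not cap_bytes or limiters[b.bfer_id].allow(req.bfir_id, size):
                totals[req.bfir_id] = totals.get(req.bfir_id, 0) + size
    return totals
```

The uncapped total grows with every request that carries the same BFIR ID, while the capped total is bounded by the number of BFERs addressed times the per-BFER budget, whatever TLVs the replies carry.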