Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06

David Mandelberg <david@mandelberg.org> Fri, 15 September 2017 16:17 UTC

To: Robert Raszuk <robert@raszuk.net>
Cc: "bruno.decraene@orange.com" <bruno.decraene@orange.com>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-ospf-encapsulation-cap.all@ietf.org" <draft-ietf-ospf-encapsulation-cap.all@ietf.org>
From: David Mandelberg <david@mandelberg.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/TqFuHcKGlCdP0jGAQjNt_mcKUVw>

On 09/15/2017 12:02 PM, Robert Raszuk wrote:
> David,
> 
> But how would an external attacker inject this information into OSPF ?

By (partially) compromising a router, for example. I know an attacker 
with that capability can already do a lot of bad stuff, but it's not 
clear to me whether or not this extension gives them any additional 
capabilities.


> Also note that this information is opaque to OSPF itself, and it is 
> highly recommended that a set of policy rules (protecting from misuse or 
> even accidental mistakes) be applied to it when it reaches the 
> destination code (here the encapsulation and forwarding subsystem).

That sounds like a simple and secure way to address my concerns. If the 
document already contains text recommending that local policy be used to 
prevent forwarding outside of the authorized network, then apologies for 
missing/forgetting it. If not, would you mind adding something to the 
security considerations about it?


-- 
Freelance cyber security consultant, software developer, and more
https://david.mandelberg.org/
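The local-policy check discussed in this exchange, as an added example that is not part of the draft or of either correspondent's text: advertised tunnel encapsulation information is filtered against site policy before the forwarding subsystem may use it. The record layout, the enabled tunnel types and the authorized prefixes are assumptions for illustration, not the draft's wire format or any vendor's configuration.

```python
# Added example: policy filter for OSPF-advertised tunnel encapsulation info.
# TunnelAdvert is an assumed in-memory representation, not the TLV encoding.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelAdvert:
    router_id: str    # advertising router, dotted quad
    tunnel_type: str  # e.g. "gre", "vxlan" (assumed names)
    endpoint: str     # advertised tunnel endpoint address as text


# Assumed site policy: tunnel types the operator has enabled, and the
# prefixes that make up the "authorized network" for tunnel endpoints.
ENABLED_TUNNEL_TYPES = {"gre", "vxlan"}
AUTHORIZED_PREFIXES = [ipaddress.ip_network(p)
                       for p in ("192.0.2.0/24", "2001:db8::/32")]


def check_advert(adv, enabled=ENABLED_TUNNEL_TYPES, authorized=AUTHORIZED_PREFIXES):
    """Return None if the advertisement passes policy, else a rejection reason."""
    if adv.tunnel_type not in enabled:
        return "tunnel type not enabled"
    try:
        ep = ipaddress.ip_address(adv.endpoint)
    except ValueError:
        return "malformed endpoint address"
    # Reject addresses that can never be a legitimate unicast tunnel endpoint.
    if ep.is_multicast or ep.is_loopback or ep.is_unspecified or ep.is_link_local:
        return "endpoint not a unicast address"
    # The core check from the thread: endpoint must lie inside the authorized network.
    if not any(ep in net for net in authorized if net.version == ep.version):
        return "endpoint outside authorized network"
    return None


def filter_adverts(adverts):
    """Split advertisements into those the forwarding plane may install and
    those rejected by policy, each paired with its reason for logging."""
    accepted, rejected = [], []
    for adv in adverts:
        reason = check_advert(adv)
        (accepted if reason is None else rejected).append(adv if reason is None else (adv, reason))
    return accepted, rejected


# Constructed sample input (documentation prefixes, not real routers).
SAMPLE_ADVERTS = [
    TunnelAdvert("10.0.0.1", "gre", "192.0.2.10"),      # in policy
    TunnelAdvert("10.0.0.2", "gre", "198.51.100.7"),    # outside authorized net
    TunnelAdvert("10.0.0.3", "ipip", "192.0.2.20"),     # type not enabled
    TunnelAdvert("10.0.0.4", "vxlan", "224.0.0.5"),     # multicast endpoint
    TunnelAdvert("10.0.0.5", "vxlan", "2001:db8::1"),   # in policy (IPv6)
    TunnelAdvert("10.0.0.6", "gre", "not-an-address"),  # malformed
]
```

Rejected entries are the ones worth alerting on: a router advertising an endpoint outside the authorized network is exactly the case the thread's security-considerations text is meant to cover.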