Re: [secdir] secdir last call review of draft-ietf-mpls-sfc-04
"Adrian Farrel" <adrian@olddog.co.uk> Thu, 31 January 2019 10:52 UTC
Return-Path: <adrian@olddog.co.uk>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 993A0130EBA; Thu, 31 Jan 2019 02:52:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XhvB8kE2SL7b; Thu, 31 Jan 2019 02:52:05 -0800 (PST)
Received: from mta7.iomartmail.com (mta7.iomartmail.com [62.128.193.157]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B0C4C128CE4; Thu, 31 Jan 2019 02:52:04 -0800 (PST)
Received: from vs2.iomartmail.com (vs2.iomartmail.com [10.12.10.123]) by mta7.iomartmail.com (8.14.4/8.14.4) with ESMTP id x0VAq2cR002415; Thu, 31 Jan 2019 10:52:02 GMT
Received: from vs2.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 3EFFB22044; Thu, 31 Jan 2019 10:52:02 +0000 (GMT)
Received: from asmtp1.iomartmail.com (unknown [10.12.10.248]) by vs2.iomartmail.com (Postfix) with ESMTPS id 28F7B22042; Thu, 31 Jan 2019 10:52:02 +0000 (GMT)
Received: from LAPTOPK7AS653V ([87.112.189.92]) (authenticated bits=0) by asmtp1.iomartmail.com (8.14.4/8.14.4) with ESMTP id x0VAq0wP032293 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 31 Jan 2019 10:52:01 GMT
Reply-To: adrian@olddog.co.uk
From: Adrian Farrel <adrian@olddog.co.uk>
To: 'Russ Mundy' <mundy@tislabs.com>, secdir@ietf.org
Cc: draft-ietf-mpls-sfc.all@ietf.org, ietf@ietf.org
References: <5920C065-DDDB-4C1A-83FB-E0436C467D3B@tislabs.com>
In-Reply-To: <5920C065-DDDB-4C1A-83FB-E0436C467D3B@tislabs.com>
Date: Thu, 31 Jan 2019 10:52:02 -0000
Organization: Old Dog Consulting
Message-ID: <055301d4b953$0044f3d0$00cedb70$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQKncW31kBUGQFOHrs80y4/8+kj9a6QjqWkA
Content-Language: en-gb
X-Originating-IP: 87.112.189.92
X-Thinkmail-Auth: adrian@olddog.co.uk
X-TM-AS-GCONF: 00
X-TM-AS-Product-Ver: IMSVA-9.0.0.1623-8.2.0.1013-24400.006
X-TM-AS-Result: No--18.325-10.0-31-10
X-imss-scan-details: No--18.325-10.0-31-10
X-TMASE-Version: IMSVA-9.0.0.1623-8.2.1013-24400.006
X-TMASE-Result: 10--18.324600-10.000000
X-TMASE-MatchedRID: 8HTFlOrbAtHxIbpQ8BhdbOYAh37ZsBDCVBDQSDMig9GqvcIF1TcLYGaz bvK3eijuQAvTIQMxZJ9ERAG5H09G8aNmd7pYp+mtTVa+L3Zgqc7Thmt8qRASYJJWUogu623F7kO MrBz6LkmT5dDfN8Tpsa8XLD5qB/Bi8FFFRqZ+F4xu+yxbbkYIFhlgDfyCPcHEFRlN8zTSzj7FQN PEve+5IITQBkTtwk+z3ENKbj/2xt/kQ45DXVbLaBVXx+49zfW3YfCcFySxIqU/17THutn2g0AC5 xm4Bei1M6TEcC5a4IANYIDF+TyWAVqgUVEApa8m84dsinZ5e1gfXzVgO0hVqj9QzIS5KoGBD8FP ruvrBUvDWuH4B0t8VYmrwhubYlODWehFCA8qX0OTeuX4xo2DEM0ENs5LdCH5V6KWY8jugmW8ISQ WFLhHcBnGRpIgNrtwzgEXO60X3oyTsChfABLrkhXbvUeivEs0D8tT5eIcvW2vloAnGr4qhpivGt cLct3uskr7LbqmDOAKeN7VuhdCKynbeaPf0/tqNVRz+HwqL4KCEWSnl/5g9hER5MrEGoh5flSnl 2q/EVO7K1/gwGs4IoAKncS/Ew4TJ97zn9JejhaC7jU7gemo7sMdI0UcXEHzS7VteKmx1/NHSGrl tJ8EhqY82ZOhSgpjhxj+c9KPeTC1DfGM6db7X0NTnAhL0/m3+IfriO3cV8QUnhXZChKvF+k4Q+v wx+h09uF4SmMWdeG7+TULEz66tyaHj+XQ22lLSDkh6bW+bcd5c60gxbJmRTHskkJQ4S5FTe9gr7 g3DKuN3w7wTjCclazIXzN3JNhp516w/ps6lCmeAiCmPx4NwFkMvWAuahr8m5N2YHMD0b8MyrfP9 j+C1SAHAopEd76vq9FgTE9NW8Xe0R7nq7xHrr/LsrUwl3GtF5MdSUA5zQbVhPuECPYLAQ==
X-TMASE-SNAP-Result: 1.821001.0001-0-1-12:0,22:0,33:0,34:0-0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/TvOL3nZQYkeOiRn5d5-s5_mQfNg>
Subject: Re: [secdir] secdir last call review of draft-ietf-mpls-sfc-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Jan 2019 10:52:07 -0000
Hi Russ, Thanks for reviewing. A few responses ... > Summary: > > This document defines defines a methods to achieve Service Function Chaining (SFC) > using Network Service Header (NSH) in Multiprotocol Label Switching (MPLS) networks. No, it absolutely does not. To quote from the Abstract... This document describes how Service Function Chaining can be achieved in an MPLS network by means of a logical representation of the NSH in an MPLS label stack. The point of this document is exactly that it does not use the NSH. Instead it encodes the fields of the NSH in MPLS headers. This is crucially important because if one wanted to use the NSH in an MPLS network one would apply RFC 8300 and draft-ietf-mpls-sfc-encapsulation. > Issues: > > First, the document and in particular the Security Considerations section points to published RFCs > for discussions of the security properties. In particular, RFC7665 and RFC8300 are referenced > however each of these documents left some significant security descriptions & definitions to be > addressed by implementation documents such as this one. Additionally, the SECDIR reviews of > the IDs prior to publication of these RFCs point out several security related issues that, as far as > I could tell, were primarily addressed by saying that future implementation specifications will > address them. Since this ID is such an implementation specification, referring to the earlier RFCs > for the security properties results in essentially no security properties provided in either the > earlier RFCs or this implementation document - security properties need to be identified avoided > via circular references. I think you have a good point here that, although the aspects of security related to SFC are inherited from whatever documents the SFC WG produces (complete with whatever flaws exist in that set of documents that need to be patched by that WG), *this* document needs to talk about the security of the mechanisms that it defines. That means some discussion of the security of the MPLS forwarding plane (with references) and some discussion about what would happen if someone was able to tamper with a packet (noting that if someone can successfully tamper with an MPLS packet in flight then they can do a lot of other bad things as well). > Next, the Security Considerations section identifies that the certain elements of the design must > be a ‘trusted resource’ and that some functions must also be trusted. The term “trusted” in > relationship to computing and software has a wide range of different meanings (as shown by > many years of research in the CS field). In the context of this document, my guess is that it > means that some unidentified (but not defined) entity believes (“trusts”) that the software > will do the “right thing” - to me (from a security perspective) it also means trusting that the > software will not do the wrong thing. All of this is very abstract (both the Security > Considerations text & this critique) which in my view is why the 'trust' section is very > inadequate for an implementation document. If there is an IETF security definition of "trust" that we could look at, that would help. "Do the right thing" is probably not quite what we mean. I think we mean "Not act maliciously so as to wilfully break the network or send traffic to/via the wrong places." But this is all a little like how we "trust" a router. A malign router could drop or redirect packets contrary to the routing information it has received. We typically test for that in the lab, and maybe watch for it in the field, but other procedures (such as checking software images) are generally out of scope for protocol documents. > Additionally, the last paragraph of the Security Considerations section asserts: > > Thus the security vulnerabilities are addressed (or should be > addressed) in all the underlying technologies used by this design, > which itself does not introduce any new security vulnerabilities. > > As far as I could see, the assertion is not supported anywhere in the document > itself or other referenced documents, i.e., what vulnerabilities should the > implementation be concerned with (e.g. passive monitoring, active attacks > on metadata, etc??) that result from this implementation. Since the > document does not provide a clear identification of it's security requirement, > any security services it does (or might) provide nor require from underlying > technologies, the assertion should be clarified, supported by additional > information or removed from the section. I *do* understand where you are coming from on this, but I'm not sure where we go with it. Let's consider for a moment the case of email being carried over an MPLS network. There is a security vulnerability that passive monitoring of MPLS packets would allow inspection of the contents of the email. There are a number of ways to protect against this including encryption at the application layer (i.e. of the email) and encryption at the transport layer, and encryption at the IP layer. There is also the possibility to encrypt the underlying transport (such as MACsec). Now, you are asking about whether this document should discuss the security of any metadata carried in the MPLS encoding of an SFC system (I realise this is just one example of the concerns you are raising). And I would say that it should not. It should observe that metadata is an SFC concept (SFC is the application using MPLS) and encryption of that data is a function of the "SFC layer". So maybe a bolder statement could be added to the document... "The MPLS forwarding plane does not include any security mechanisms. That means that procedures described in this document rely on three basic principles: - The MPLS network is often considered to be a closed network such that insertion, Modification, or inspection of packets by an outside party is not possible. - The underlying transport mechanisms (such as Ethernet) between adjacent MPLS Nodes may offer security mechanisms that can be used to defend packets "on the Wire" - The SFC-capable devices participating in the network are responsible for verifying And protecting packets and their contents. Deployments of any SFC system will need to consider these issues, especially the last point. It is expected that a deployment of the techniques defined in this document would benefit from the more general security mechanisms defined for SFC." Thanks, Adrian
- [secdir] secdir last call review of draft-ietf-mp… Russ Mundy
- Re: [secdir] secdir last call review of draft-iet… Adrian Farrel
- Re: [secdir] secdir last call review of draft-iet… Russ Mundy
- [secdir] secdir last call review of draft-ietf-mp… Russ Mundy