IETF Logo Mail Archive

Re: [secdir] SecDir review of draft-ietf-trill-o-pw-03

Donald Eastlake <d3e3e3@gmail.com> Wed, 18 December 2013 05:14 UTC

Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 65FB31ADFBB; Tue, 17 Dec 2013 21:14:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bXVQWI1BEEyn; Tue, 17 Dec 2013 21:14:23 -0800 (PST)
Received: from mail-oa0-x229.google.com (mail-oa0-x229.google.com [IPv6:2607:f8b0:4003:c02::229]) by ietfa.amsl.com (Postfix) with ESMTP id 462841AE00B; Tue, 17 Dec 2013 21:14:23 -0800 (PST)
Received: by mail-oa0-f41.google.com with SMTP id j17so7765265oag.28 for <multiple recipients>; Tue, 17 Dec 2013 21:14:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=zFruQdoVRSztLk0TxsRdBwHqdBjjb134zm1iXZWDRSU=; b=frM5vyPWAZPGR8mDnf4xk67E+gxkdEJ1EYRX82Ewf3gobRqykkTtLqFto9SozN6BUP 8rAHRs3VwJ3Ehj9pm2zIdhSvlrodlALSM0Pr0Sxd8Sn0wxiHp+cPPx5LFns2EVaFjqDk xmkwZyWqkBYLSpUBUT4MDyveOjPLzptgssvbC9sgNQun+0sU3xQZVvFm9hn5YVaNja9r sVqFGM9ZQXDwBjFe9HjIwDDhQKYuX11H2q4vfw7GwGaeBi1K5o6u733ZGADjrELrD3U9 3hRxA8ovdLT0Nie6PqB1QY0hOdJf2DhVW0TIzk/iqEjkVlg+tiiCFXxeBqZfdL/hH+y+ dFTw==
X-Received: by 10.182.117.195 with SMTP id kg3mr18929866obb.17.1387343661842; Tue, 17 Dec 2013 21:14:21 -0800 (PST)
MIME-Version: 1.0
Received: by 10.76.33.102 with HTTP; Tue, 17 Dec 2013 21:14:00 -0800 (PST)
In-Reply-To: <52AA3173.8040100@gmail.com>
References: <52AA3173.8040100@gmail.com>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Wed, 18 Dec 2013 00:14:00 -0500
Message-ID: <CAF4+nEHjk9KEy-_NjsziBetVGy8AuuPxiVGUTEShbEmO8ozt9A@mail.gmail.com>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "draft-ietf-trill-o-pw.all@tools.ietf.org" <draft-ietf-trill-o-pw.all@tools.ietf.org>, The IESG <iesg@ietf.org>, IETF Security Directorate <secdir@ietf.org>
Subject: Re: [secdir] SecDir review of draft-ietf-trill-o-pw-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Dec 2013 05:14:26 -0000

Hi Yaron,

On Thu, Dec 12, 2013 at 4:58 PM, Yaron Sheffer <yaronf.ietf@gmail.com>
wrote:

> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should
> treat these comments just like any other last call comments.
>
> This document specifies how multiple networks running TRILL can be
> connected using pseudowires.

I am puzzled as to why you think this document has to do with
"multiple networks" or what you mean by that.

As background, a transit TRILL switch acts like a router in the sense
that it logically discards the Layer 2 header on an incoming packet,
decrements the TRILL hop count and discards the packet if it has
counted down, and adds a new Layer 2 header appropriate to the
outgoing link type in the process of sending that packet out a port.

When a TRILL switch port is connected to a port on a different TRILL
switch by a link type that TRILL can use, the TRILL switches peer with
each other (unless TRILL control plane security was configured to
block such peering). It makes no difference what the link technology
is; in particular, there is nothing different at the TRILL level for a
pseudowire link as compared with, say, an Ethernet link or some other
link technology. If the two TRILL switches involved happen to be psrts
of two different TRILL campuses, then this must be the first
connection between those campuses and the connection causes the TRILL
campuses to merge into one TRILL campus with a single shared link
state database. If the two TRILL switches are alrady part of the same
TRILL campus, then this is just a change in topology (unless the two
TRILL switches were already connected by a different link, in which
case there isn't even a change in campus topology (except that their
might be a reduction in link cost due to the availability of greater
bandwidth across the parallel links)).

> Summary
>
> Coming from the L3 security community, I am very worried by this
> document and its predecessors. It seems to me that we are creating
> the infrastructure for larger and larger L2 networks, often spanning
> large geographical distances, but the security mechanisms are not
> keeping up with this wider scope.

There is no mention in this draft of "larger L2 networks" or of
"spanning large geographic distances" nor do I see why there should
be. You can construct TRILL campuses spanning a small or large
geographic distance with a small or large number of nodes regardless
of what link technology or set of link technologies you use between
your TRILL switches.

> I am not familiar with either the TRILL or PWE3 standards. Nor am I
> familiar with their real-life implementations. If secure deployments
> are common, I will be happy to be proven wrong (though I would
> expect such best practices to be documented and standardized).
>
> Details
>
> - This document copies the following text from the analogous PPP
> transport RFC: "not all implementations need to include specific
> security mechanisms at the pseudowire layer, for example if they are
> designed to be deployed only in cases where the networking
> environment is trusted or where other layers provide adequate
> security.  A complete enumeration of possible deployment scenarios
> and associated threats and options is not possible and is outside
> the scope of this document.'

Maybe the paragarph you quote part of above should be dropped. I'm
not sure it is necessary since it seems to me that what it says is
normally true.  For example, I would say that it is not always
necessary to use IP security because some combination of the security
of the environment, the security of the link layers over which IP is
running, and/or the security of the application layers running over IP
are adequate. I think the same is true of TRILL.

> I beg to differ. I think Security Considerations should recommend
> such solutions, and discuss the specific issues that come up when
> deploying them in this context: how should endpoints be
> authenticated?

So, for example, would you say that a hypothetical "IP over the Foobaz
link protocol" draft would have to have an extensive discussion of how
IP routers are authenticated to each other and how IP can be secured?
Wouldn't references to IP security and a reference to Foobaz link
security be sufficient in most cases? This document is TRILL over
pseudowires. For various reasons given in the document, this happens
to be specified as, in effect TRILL over PPP over pseudowire.  There
are references to TRILL security, PPP security, and pseudowire
security.

By the way, if by "endpoints" you mean the TRILL switches at the two
ends of the pseudowire, they are authenticated to each other with
TRILL IS-IS Hellos as specified in the TRILL base protocol
specification, RFC 6325, and further detailed in RFC 6327 (being
replaced by draft-ietf-trill-rfc6327bis which is in IETF Last Call
simultaneously with this TRILL over pseudowire draft). But I don't see
why this draft needs to talk about that as it is independent of link
technology.

> What protocol information should be protected?  How do TRILL
> identities map to identities authenticated by the selected security
> protocol etc. In general, although not ALL implementations need
> security mechanisms, I assume an overwhelming majority of them does.

In my opinion, a simple "X over Y" draft, where there are approved
protocol X standards covering the security of X and approved protocol
Y standards covering the security of Y, both referenced by the "X over
Y" draft, does not normally require the re-hashing of security for
either protocol X or protocol Y. You seem to want a complete
re-hashing of TRILL security just because of this effort to specify a
strightforward encoding of TRILL over a link type.

> - Moreover, text such as the following (RFC 6325) strongly hints
> that this traffic will be passing under the radar of many security
> devices: "TRILL ignorant devices with firewall features that cannot
> be detected by RBridges as end stations will generally not be able
> to inspect the content of such frames for security checking
> purposes."

I don't see how this is different from any new protocol. Generally
speaking, looking at a packet, there will be some sort of header for
the new protocol and a device that don't understand that new protocol
will be unable to parse that header or any following information.
Firewall-like devices certainly have the option to discard such
packets, which perhaps should be been explicitly mentioned in RFC
6325. Is it your opinion that the IETF standardization of a protocol
should not be permitted until it has been demonstrated that
understanding of that protocol has been actually deployed to all
firewall-like devices in the universe?

> - The Security Considerations recommend end-to-end security as a
> replacement for link-level security. Though attractive from a
> security point of view, such solutions (security protocols between
> end hosts) are far from ubiquitous in large networks and so cannot
> replace link-level mechanisms.

The sentence in this draft most relevant to your comment above is as
follows:

   "For applications involving sensitive data, end-to-end security
   should always be considered, in addition to link security, to
   provide security in depth."

That doesn't sound like "replacement" to me.

> - This document is analogous to RFC 6361, which uses PPP to bridge the TRILL
> islands. RFC 6361 does in fact discuss specific security mechanisms (yes,
> one wonders about CHAP being recommended in a 2011 document). The current
> document does not do so.

I think the claim you make that RFC 6361 uses PPP to "bridge the TRILL
islands" is incorrect unless you consider every TRILL switch to be a
one node "island" and every link between two TRILL switch ports to be
a "bridge".  There is no difference, from the TRILL protocol point of
view, between links of different technology between TRILL switches
(except that links configured as point-to-point are treated somewhat
differently from multi-access links).

This draft is "Transport of TRILL Using Pseudowires", effectively
specified as TRILL over PPP over pseudowires. Pseudowires are over
either MPLS or IP, and MPLS and IP are over some link protocol. So
link security between two TRILL switch ports connected by a pseudowire
can potentially be protected by security mechanisms provided by (1)
TRILL, (2) PPP, (3) pseudowires, (4) MPLS or IP, and (5) the link
technology being used by MPLS or IP. (Although, the PPP layer is
somewhat vestigial - mostly used to conveniently distinguish TRILL
Data and TRILL IS-IS packets.) I'd be happy to try to clarify in
the Security Considerations section that link security can come from
any combination of these layers. but I do not think the draft is the
appropriate place for detailed discussion of all of these types of
security and their permutations and combinations.

Thanks,
Donald
=============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com

> Thanks,
>         Yaron



On Thu, Dec 12, 2013 at 4:58 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security
> area directors.  Document editors and WG chairs should treat these
> comments just like any other last call comments.
>
> This document specifies how multiple networks running TRILL can be connected
> using pseudowires.
>
> Summary
>
> Coming from the L3 security community, I am very worried by this document
> and its predecessors. It seems to me that we are creating the infrastructure
> for larger and larger L2 networks, often spanning large geographical
> distances, but the security mechanisms are not keeping up with this wider
> scope.
>
> I am not familiar with either the TRILL or PWE3 standards. Nor am I familiar
> with their real-life implementations. If secure deployments are common, I
> will be happy to be proven wrong (though I would expect such best practices
> to be documented and standardized).
>
> Details
>
> - This document copies the following text from the analogous PPP transport
> RFC: "not all implementations need to include specific security mechanisms
> at the pseudowire layer, for example if they are designed to be deployed
> only in cases where the networking environment is trusted or where other
> layers provide adequate security.  A complete enumeration of possible
> deployment scenarios and associated threats and options is not possible and
> is outside the scope of this document.' I beg to differ. I think Security
> Considerations should recommend such solutions, and discuss the specific
> issues that come up when deploying them in this context: how should
> endpoints be authenticated? What protocol information should be protected?
> How do TRILL identities map to identities authenticated by the selected
> security protocol etc. In general, although not ALL implementations need
> security mechanisms, I assume an overwhelming majority of them does.
>
> - Moreover, text such as the following (RFC 6325) strongly hints that this
> traffic will be passing under the radar of many security devices: "TRILL
> ignorant devices with firewall features that cannot be detected by RBridges
> as end stations will generally not be able to inspect the content of such
> frames for security checking purposes."
>
> - The Security Considerations recommend end-to-end security as a replacement
> for link-level security. Though attractive from a security point of view,
> such solutions (security protocols between end hosts) are far from
> ubiquitous in large networks and so cannot replace link-level mechanisms.
>
> - This document is analogous to RFC 6361, which uses PPP to bridge the TRILL
> islands. RFC 6361 does in fact discuss specific security mechanisms (yes,
> one wonders about CHAP being recommended in a 2011 document). The current
> document does not do so.
>
> Thanks,
>         Yaron
> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

v2.23.0 | Report a Bug | By Email