[secdir] SECDIR review of draft-ietf-sfc-nsh-18

Christian Huitema <huitema@huitema.net> Fri, 11 August 2017 22:21 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A7BE1326AC for <secdir@ietfa.amsl.com>; Fri, 11 Aug 2017 15:21:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U79_JwbdOZCW for <secdir@ietfa.amsl.com>; Fri, 11 Aug 2017 15:21:12 -0700 (PDT)
Received: from mx36-42.antispamcloud.com (mx36-42.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E99CA1326AE for <secdir@ietf.org>; Fri, 11 Aug 2017 15:21:10 -0700 (PDT)
Received: from xsmtp06.mail2web.com ([168.144.250.232]) by mx3.antispamcloud.com with esmtps (TLSv1:AES256-SHA:256) (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1dgIIh-0003Gf-3m for secdir@ietf.org; Sat, 12 Aug 2017 00:21:09 +0200
Received: from [10.5.2.15] (helo=xmail05.myhosting.com) by xsmtp06.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1dgIIc-0008Is-U8 for secdir@ietf.org; Fri, 11 Aug 2017 18:21:00 -0400
Received: (qmail 14990 invoked from network); 11 Aug 2017 22:20:57 -0000
Received: from unknown (HELO [192.168.1.103]) (Authenticated-user:_huitema@huitema.net@[172.56.42.186]) (envelope-sender <huitema@huitema.net>) by xmail05.myhosting.com (qmail-ldap-1.03) with ESMTPA for <ietf@ietf.org>; 11 Aug 2017 22:20:57 -0000
From: Christian Huitema <huitema@huitema.net>
To: The IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-sfc-nsh.all@ietf.org
Cc: IETF Discussion Mailing List <ietf@ietf.org>
Message-ID: <2ad0274f-3385-136d-794b-082192393ebf@huitema.net>
Date: Fri, 11 Aug 2017 15:20:53 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Originating-IP: 168.144.250.232
X-SpamExperts-Domain: xsmtpout.mail2web.com
X-SpamExperts-Username: 168.144.250.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=168.144.250.0/24@xsmtpout.mail2web.com
X-SpamExperts-Outgoing-Class: unsure
X-SpamExperts-Outgoing-Evidence: Combined (0.19)
X-Recommended-Action: accept
X-Filter-ID: PqwsvolAWURa0gwxuN3S5YEa3T7JuZT23fGO2rGt3ZgTCGhDnudOJ80D1c8rffxrus7BTv7Ss8cH d2IQQuvdbtM+m4WpRRDP6YzwkAPgQJackVDEeh/s63C3hq8BP19aND46yZLY9QyX+cRXmooQ3hum JwiT+2brWmQlzkLIcXivpIH4ag6BM/+u9ym+BA23Et8EmwAEDHt/bpQlSQ4WzenAK+xr92ZGK1ua sQ+8Dmh3cwQzo/7QWl8r4aborZJuYOEkjsX7F8KmpUaZQHV+ST61TfxIvi8LwOTvVrRIhaC2G5Pj 7iQJEmtNUzH3idZ6uMF2OhyCCCV83x+RZrKIj0QqMGQOSwmEPwP4wBzM77N8GvkYGGDFjg9NrmGY yNnXsSjdYwfRhjHqxQXDsBKLpIuW2VxLnS94njDgTNmyTXH6lO4FGen962xgCFRckncKfg1XSK9P 1z/R6plfrFWGyb5pE1hv2y98CU17gG3OzcHeNHk15VolAGHS5rCXQKDym+Gab6cuAPzLi/SdAxlO dgkraHgbbAuZgv0Q6mJ3vUcipz1IT62ZEk6+MmovaufbiR3bHfnMCIEU+nrglojKwMr3vOY18GvB wSXAfWcj237jnExji3pN9ZwHGBHd3j58WezJa7xDQcOg5ET5/LmCvakjSWDcjZyDseb0cBFM1p7J 0ZI2Cud2W8ULqpclZpX6+ln3SmdyWNNJvR4I+Hp8ZTqmtKYOlQxywq7X9AiLTGikfdoogjfTpZPs zrPFazX6bpsmzT5sWVD4sfkDnyejRRklgDtVC2Xqa4QCRhTuoCmXPUJkXUk8tGhJsBnmMDbaKcNO SCytRyeT1c4b6jF7f/DKzfOCXnJQjcl9DhaIFtwGXh1z3jjhvha4XAPJdhEh0i13zjCiwPgdt77s k1WBMw==
X-Report-Abuse-To: spam@quarantine5.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/UWlAaJ2nbqrSaecrXKCm7h_Br3w>
Subject: [secdir] SECDIR review of draft-ietf-sfc-nsh-18
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Aug 2017 22:21:13 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

The summary of this review is a puzzled reviewer. Why was I asked to 
review this? Why is the IETF even working on such specifications? What
does this have to do with the Internet? And why such disregard
for privacy and security? In any case, this document has significant
issues. It does not explaining where exactly the proposed Network
Service Header would be inserted (MPLS or IPv6?). The security
provisions boil down to lip-service mentions of IPSEC, and that's way
insufficient given the nature of the protocol.

Sometimes you read a document and it gives you a glimpse of an alternate
universe in which the Internet has been replaced by a mad pile-up of
middle boxes. Of course, they will not be called that. Instead, we will
speak of "service functions" providing such essential features as NAT
and deep packet inspection. I suppose that censorship and surveillance
are not desirable key words in marketing brochures, and that metadata
collection and the insertion of adverts are better described in yet to
be published extensions.

As far as I can tell, the so called "Service Function Chaining
Architecture" tries to standardize this pile-up of middleboxes, so that
service providers can procure them from multiple vendors. The draft that
I am reviewing, draft-ietf-sfc-nsh-18, defines a clear-text "network
service header" (NSH) that would inserted between the "transport" used
in the domain and the IPv4 or IPv6 packet itself. Boxes could look at
this header, add metadata to it, and forward it to other boxes along a
"service path". I mentioned IPv4 or IPv6, but there are also provisions
for passing pure NSH information, probably for maintaining the "service
path", or passing Ethernet, MPLS or experimental frames, because why not.

The specification itself is appropriately baroque, with the header
composed of three components and multiple options, but the basic idea is
to allow different boxes to see the packet so they can read, update and
process the metadata. As far as I can tell, there are no serious attempt
to provide any kind of security or privacy protection except maybe some
basic ingress filtering, which means that the metadata can be observed
by any entity able to tap the path, or can be spoofed by any system
inserted on the path, such as for example a virus infected box. The only
security reference is a short note that deployments "could use IPSEC",
through a token reference to RFC 6071.

When first reading the document, I was under the impression that the
"transport" used in the domain would be some kind of close layer 2
system, MPLS or maybe Ethernet. That would give some assurance that the
collection of middle boxes would be part of a somewhat controlled
domain. It was only the reference to IPSEC that enlightened me. If IPSEC
is plausible, it probably means that the packet would be composed of an
IP header, the SFH, and the original IP payload. So the proposed usage
implies carrying metadata like subscriber information and identification
of content in clear text  over long distance paths. What could possibly
go wrong? And if that was not enough, imagine what an adversary could
achieve by spoofing the service packets.

Of course, the same threats would still apply if the protocol was
strictly carried over layer 2, as several adversaries are quite capable
of snooping and spoofing layer 2 traffic.

Coming at the end of this review, I hesitate between two options. One
would be to just express my disgust, wash my hands, and hope that the
effort will fail under its own weight, maybe after a couple of
catastrophic security failures. The other option is to provide some
advice on how to solve the most blatant issues. In a spirit of
cooperation, I choose the latter, and here is the two steps advice:

The first step to better security and privacy there would be to present
the practical deployment conditions. I could only make guesses, and
that's silly. There should be some kind of diagram explaining how the
SFH is inserted in packets, and where it sits between Ethernet, MPLS and
IP.

The next step is to develop a protection model. Given that the goal of
the architecture is to decorate the packets with sensitive metadata,
there need to be some thinking about who should be able to see it. How
would path encryption like IPSEC be deployed? Should all elements on
path really be able to access all metadata, or should some of it be
further protected?

Please fix that before the document is published.


-- 
Christian Huitema