IETF Logo Mail Archive

Re: [secdir] [tsvwg] Secdir last call review of draft-ietf-tsvwg-ecn-l4s-id-26

Bob Briscoe <in@bobbriscoe.net> Wed, 20 July 2022 17:08 UTC

Return-Path: <in@bobbriscoe.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7ADA0C14F72E; Wed, 20 Jul 2022 10:08:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=bobbriscoe.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 00vqFjPMF3vE; Wed, 20 Jul 2022 10:08:33 -0700 (PDT)
Received: from mail-ssdrsserver2.hostinginterface.eu (mail-ssdrsserver2.hostinginterface.eu [185.185.85.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E766C14CF13; Wed, 20 Jul 2022 10:08:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=bobbriscoe.net; s=default; h=In-Reply-To:From:References:Cc:To:Subject: MIME-Version:Date:Message-ID:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=3gW6xieTxj6JyB4FUNquFj8exgl6Mydi5rPmHACW1Iw=; b=q7jXMea/8P7SsRgkbMaWJy+M28 RNYKWp8R1iJDacw+rD40rEHU9HqRQA4Hv+EtPJ8W+fU/5QYLta9nKTVtHX3cuOkTzw76jSuNYyJnf Ce/1wm9t5rz28WRzcpcBHxJT31pq0hUMCCzmHG7umHs6T4DFY42Vja/toMAT/z41qsMqsv1+oeYQR allGHK7wUvkN3AlfYdSDLSsZv6NBDkPlimRLTyEWaFcczB/+Ci4Cs1F+2nFHuh8Nb/g4IyeFJuc6Z lns46Arg6eAR+b7QVsi1QHUNINcHAQOdeR3ZE8I/ELgDYYZ6K15WfUh8c7EfNc9Ch19Wi3h1soyxG 8V5IWekA==;
Received: from 67.153.238.178.in-addr.arpa ([178.238.153.67]:52520 helo=[192.168.1.11]) by ssdrsserver2.hostinginterface.eu with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.95) (envelope-from <in@bobbriscoe.net>) id 1oEDBZ-0002hR-UE; Wed, 20 Jul 2022 18:08:28 +0100
Content-Type: multipart/alternative; boundary="------------0G0Su03Wo9ewGJERo5loPPZL"
Message-ID: <6efc828b-eb78-ce05-2a1e-b018476f8da5@bobbriscoe.net>
Date: Wed, 20 Jul 2022 18:08:26 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1
Content-Language: en-GB
To: Valery Smyslov <valery@smyslov.net>, secdir@ietf.org
Cc: draft-ietf-tsvwg-ecn-l4s-id.all@ietf.org, last-call@ietf.org, tsvwg@ietf.org
References: <165821380763.42590.15229345400729787988@ietfa.amsl.com>
From: Bob Briscoe <in@bobbriscoe.net>
In-Reply-To: <165821380763.42590.15229345400729787988@ietfa.amsl.com>
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - ssdrsserver2.hostinginterface.eu
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - bobbriscoe.net
X-Get-Message-Sender-Via: ssdrsserver2.hostinginterface.eu: authenticated_id: in@bobbriscoe.net
X-Authenticated-Sender: ssdrsserver2.hostinginterface.eu: in@bobbriscoe.net
X-Source:
X-Source-Args:
X-Source-Dir:
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/WRcfDVFQMbR45LFUNFbx9ovaGxM>
Subject: Re: [secdir] [tsvwg] Secdir last call review of draft-ietf-tsvwg-ecn-l4s-id-26
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Jul 2022 17:08:37 -0000

Valery,

Thank you for putting in all the work to review this. See [BB] inline.

On 19/07/2022 07:56, Valery Smyslov via Datatracker wrote:
> Reviewer: Valery Smyslov
> Review result: Has Issues
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the security area directors.
>   Document editors and WG chairs should treat these comments just like any other
> last call comments.
>
> The draft proposes an experimental Explicit Congestion Notification protocol
> for low latency, low loss and scalable throughput (L4S) networks. The draft
> also proposes a way for L4S and classic traffic to co-exist in the same network
> by marking the L4S traffic with a value ECT(1) in IP header.
>
> The draft contains a Security Considerations section that refers to the
> security considerations in the architecture document for L4S networks
> (draft-ietf-tsvwg-l4s-arch). It also references to Appendix C.1 for discussions
> of the methods used to ensure integrity of congestion notification signals and
> also discusses issues arising when traffic containing different DSCP values is
> encapsulated in a single VPN tunnel - the replay protection mechanism can make
> low priority traffic unable to pass through.
>
> I think that the Security Considerations section lacks discussion of what can
> happen with this protocol if an attacker actively manipulates the signals on
> the path. Discussion in Appendix C.1 looks insufficient to me (and it mostly
> concerned with misbehaved peers and not with active attacker on the path).

[BB] Once an attacker has broken a network operator's system or physical 
access control to be able to mount on-path attacks, it is surely common 
knowledge that the operator's service is toast. Most of the fields in 
the IP header have little if any protection against on-path attacks 
{Note 1}.

This draft defines an experimental use of one codepoint in a 
pre-existing field in the IP header. I don't believe that warrants 
mentioning the possibility that the access control of a network 
operator's systems could be breached. For instance, as far as I can see, 
there was not even discussion of on-path attacks in RFC791 or RFC2460 
when IPv4 and IPv6 were defined, nor in any of their updates. And none 
in RFC2474 when the DSCP was defined. And none in RFC3168 when ECN was 
defined.

We could write a sentence into the draft saying that this codepoint is 
in the IP header, and everything in the IP header is vulnerable to 
on-path attack if system or physical access control is compromised. But 
I would rather not, because it wouldn't be specifically relevant to this 
draft (although I would not fight hard against it if the sec area  
director insisted).
________
{Note 1}: For instance, an on-path attacker can delete some or all 
passing packets. It can send them out of the wrong interface and 
increment the hop limit, creating a routing loop with no hop limit. It 
can change their source and/or destination addresses (appropriately 
changing their TCP checksums - or not for that matter). It can change 
their (outer) DSCP. It can reduce the hop limit (or TTL in v4) so that 
someone else downstream looks as if they are dropping packets before 
they reach their destination, and so on.


> The
> conclusion made in C.1, that integrity protection of ECT(1) is not needed, must
> be backed up in my opinion.

[BB] Ah! we didn't mean that. I admit it isn't very clear, so how about 
this rewording (HTML format email reader required):

CURRENT:

    It is highly unlikely that ECT(1) will be needed for integrity
    protection in future. The ECN Nonce RFC [RFC3540] as been
    reclassified as historic, partly because other ways have been
    developed to protect feedback integrity of TCP and other
    transports [RFC8311] that do not consume a codepoint in the IP
    header.  For instance:

PROPOSED:

    It is highly unlikely that ECT(1) will be needed*as a nonce *for integrity
    protection*of congestion notifications *in future.  The ECN Nonce RFC [RFC3540]*h*as been
    reclassified as historic, partly because other ways*(that do not consume a codepoint in the IP header)*  have been
    developed to protect feedback integrity of TCP and other
    transports [RFC8311]that do not consume a codepoint in the IP header.  For instance:

Reason:
We didn't mean that integrity protection /of/ ECT(1) is not needed.
We meant use of ECT(1) /for/ integrity protection of the rest of the ECN 
field is not needed, because other integrity protection methods are 
available (without having to burn a scarce codepoint in the IP header).


> The alternative methods to protect feedback
> integrity looks inefficient to me (I admit, that I may be missing something,
> especially with ConEx which I have only looked over, but it looks to me that
> active attacker can fool these methods). What about TCP-AO - it only protects
> TCP packet, so an attacker is still able to manipulate DSCP field.

[BB] What is the actionable request here?

As said earlier, this draft defines an experimental use of one codepoint 
in a pre-existing field in the IP header. It points to three ways that 
congestion notification and feedback in this pre-existing field can 
already be protected. This draft itself doesn't make any of these three 
any less or any more viable.


Paraphrasing, your comment says "I haven't really read or thought about 
these methods deeply, including the output of years of work of the ConEx 
IETF WG, but they're probably inefficient and vulnerable to active 
attack." I hope you agree that this isn't a particularly constructive or 
respectful comment.

Regarding TCP AO, the bullet already says it only protects the feedback 
in the TCP header.


>
> Part of discussion about VPN tunnels in the Security Considerations section is
> a repetition of what was discussed in Section 6.2. The problem of blocking low
> priority traffic by VPN replay protection mechanism is not new, but in my
> opinion it is partly an operation issue depending on a threat model (users
> behind VPN are usually "trusted" to some extend, but I agree that one's mileage
> may vary).

[BB] Are you asking us to change any text?
I think the text already states under which circumstances the 
vulnerability exists (the threat model).

>
> The Security Considerations section also mentions the ACK-splitting attack
> claiming that this recommendations prevent it, but no details are given (except
> for a reference). It would be great if this para is expanded a bit.

[BB] That sentence was from one of the co-authors of all the L4S drafts, 
and I wrote it into the draft without checking that it was actually 
correct. It's very unusual for me to trust someone else without checking 
for myself (!). But now that I look into it, I'm not at all sure it is 
true.

I've emailed my co-authors, and I'll get back to you on this one.


Bob


>
> Nit: to my eye the phrase "optional anti-replay is mandatory in both IPsec and
> DTLS" looks like oxymoron: either it is optional or it is mandatory. Note also,
> that in some conditions anti-replay protection in IPsec cannot be used (with
> multicast traffic).

[BB] The intended meaning was:

     "it is mandatory to allow the anti-replay facility to be disabled in both IPsec and DTLS"


We'll change it to that.


Bob


-- 
________________________________________________________________
Bob Briscoehttp://bobbriscoe.net/

v2.23.0 | Report a Bug | By Email