Re: [secdir] secdir review of draft-ietf-mpls-rfc6374-udp-return-path

Stewart Bryant <stewart.bryant@gmail.com> Fri, 18 December 2015 09:57 UTC

Return-Path: <stewart.bryant@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB98D1B3525; Fri, 18 Dec 2015 01:57:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_45=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rZbbszTVzKgQ; Fri, 18 Dec 2015 01:57:57 -0800 (PST)
Received: from mail-wm0-x235.google.com (mail-wm0-x235.google.com [IPv6:2a00:1450:400c:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E40A1B3524; Fri, 18 Dec 2015 01:57:56 -0800 (PST)
Received: by mail-wm0-x235.google.com with SMTP id p187so57087757wmp.0; Fri, 18 Dec 2015 01:57:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-type:content-transfer-encoding; bh=OQAeD0FLI5a9vcakoLQkdtvQquynK8jhO+zYPhX6p5M=; b=Wj5t9hU+xyY+plGVP5eaewg1x5B6ZFOg8Y12GUkz7tAv5DWZOjuTyMUG9ngPm7ypEh laFAtcLwsN4FaYthksguPAEeN0SppNblOVaN7ULHlPRNmk6dzmKonIoB5NUuB9glSBMF 4UnYxElegUM6Rf+HHsGtRLy28rNF/jCmFvzWqa2DNElQnnENdD0Oo/Fn8xULZHLfZA7C RyQ2tmmmGsmSZNmb3lIpKvuUBLDsiI50+cQZ/8zSrTkIhSXQ2es0//shNSLfuUxXqR8f QNMlwlplUtwBdjIzpNDYF5lWQET6oUJm8UBxn5SgsdFo6X0K4Mw37cXRquubhlUrOX8G zKIg==
X-Received: by 10.194.104.5 with SMTP id ga5mr2950031wjb.155.1450432675354; Fri, 18 Dec 2015 01:57:55 -0800 (PST)
Received: from [10.55.98.186] ([173.38.220.53]) by smtp.gmail.com with ESMTPSA id an7sm14127379wjc.44.2015.12.18.01.57.53 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 18 Dec 2015 01:57:53 -0800 (PST)
To: Sandra Murphy <sandy@tislabs.com>, secdir@ietf.org, The IETF <ietf@ietf.org>, draft-ietf-mpls-rfc6374-udp-return-path.all@tools.ietf.org
References: <07A977A4-FD9E-4669-A8D0-7644131E06AD@tislabs.com>
From: Stewart Bryant <stewart.bryant@gmail.com>
Message-ID: <5673D89F.7090409@gmail.com>
Date: Fri, 18 Dec 2015 09:57:51 +0000
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
MIME-Version: 1.0
In-Reply-To: <07A977A4-FD9E-4669-A8D0-7644131E06AD@tislabs.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/XkfG3-RMeduzhRGE4CFwVThP9Ig>
X-Mailman-Approved-At: Fri, 18 Dec 2015 02:51:08 -0800
Subject: Re: [secdir] secdir review of draft-ietf-mpls-rfc6374-udp-return-path
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2015 09:58:00 -0000

Sandy

Something that may help you understand this is that although
RFC6374 defines the return address object, there is nothing
in  RFC6374 that defines how you use it. You also need to
remember that this type of system operates in a world where
a lot of the operational  parameters are configured rather
than signalled.

The operation of the protocol extension that needs to be
written in such a way as to permit the existing modes
of operation to continue.


On 16/12/2015 18:27, Sandra Murphy wrote:
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> This document draft-ietf-mpls-rfc6374-udp-return-path-04 describes the
> procedure and TLV format for a URO (UDP Return Object).  The URO is
> used in the Packet Loss and Delay Measurement for MPLS Networks
> protocol to indicate the out-of-band response destination when sent
> over a IP/UDP return path.
>
> I am not well versed in the MPLS document set, but I did review
> RFC6374.  However, my comments could be based on a lack of thorough
> knowledge or understanding.
>
> I do have some comments.  Three major comments and some nits.
>
> ------------
>
> page 4 section 4 vs page 5 section 4.2 vs page 6 section 5.
>
> There's some confusion to me about the necessity to include a URO, to
> include either a URO or an Address object (and what Address object),
> or to configure an out-of-band response without signalling.
>
> Section 4:
>
>   If the URO is expected but is not present in a query message and an
>   MPLS-PLDM Response is requested out-of-band, the query message MUST
>   NOT be processed further, and if possible an "Error - Invalid
>   Message" ([RFC6374] Section 3.1) SHOULD be send to the querier and
>   the operator notified via the management system (see Section 4.2 for
>   further details.
>
> Not sure what "expected" means here.  oob response request is
> specifically mentioned, so does "expected" mean something more than
> presence of a oob control code?  And section 4.2 indicates that an
> error is sent if both the URO and an Address object are missing, not
> just a missing URO.  Does this paragraph indicate just a missing URO
> might induce an error message, in those cases when a URO was
> "expected"?
>
> Section 5 indicates that some systems rely on configuration, not
> signalling, to determine the return path, and that the URO may be
> omitted.  What does this paragraph mean in that case?  Does "expected"
> have to do with configuration rather than packet contents?
Expected covers all cases where the responder was expecting a URO.

>
> Section 4.2
>
>
>   If an Out-of-band response is requested and the Address object or the
>   URO is missing, the query SHOULD be dropped in the case of a
>   unidirectional LSP.  If both these TLVs are missing on a
>   bidirectional LSP, the control code of Response message should set to
>   0x1C indicating "Error - Invalid Message" ([RFC6374] Section 3.1) and
>   the response SHOULD be sent over the reverse LSP.  The receipt of
>   such a mal-formed request SHOULD be notified to the operator through
>   the management system, taking the normal precautions with respect to
>   the prevention of overload of the error reporting system.
>
> The first sentence says that both the Address object and the URO must
> be present or the query is dropped - right?  I'm reading this as
>
>       (if not(Address) OR not(URO)) then drop.
>
> What Address object - there are three - Return, Source and
> Destination.  I'm betting on Return, but the text should be clear.

That is return address - I will update the text.
>
> "should be set" - is that a SHOULD?  As always with "should" - when
> would it not be?  When it is not, is it set to something different?
> or not sent? or not set at all?

I think that should be SHOULD.

There is only one error code that we can respond with in the protocol
so SHOULD allows for the case where some other more important
error code needs to be sent.

Whilst the protocol would be harder to manage if the error was
not reported this way, omission would not lead to interoperability
issues and thus "send unless you have a good reason not to send"
makes more sense than "send under all circumstances". Hence
should or SHOULD.

>
> Section 4 says just the absense of an "expected" URO might induce the
> error report.  Is that a mis-wording or a separate case that should be
> noted here?
You could be configured with the address, but not the UDP port.

>
> Section 5 says that some systems rely on configuration, not
> signalling, to determine the return path, and that the URO may be
> omitted.  Does this paragraph mean that such a system should be
> configured with a (Return) Address object, to avoid the error code in
> the response as noted here?
In these circumstances the URO would not be expected and thus
there would be no error.

>
> Section 5
>
>
>   Nothing in this document precludes the use of a configured UDP/IP
>   return path in a deployment in which configuration is preferred to
>   signalling.  In these circumstances the URO MAY be omitted from the
>   MPLS-PLDM messages.
>
> In light of section 4.2, what about the (Return) Address object?  If
> configuration is preferred, is signalling the Return Address
> acceptable (to avoid the error code noted in section 4.2.)?  Or would
> such a system avoid requesting an oob response?
This is a world where we need to permit flexibility.

One example where you would find a configured address and
a return address would be where configured address was the
default, but for some measurements you wanted to use a
different collector.

>
> ---------
>
> page 5 section 4.3 and page 6 section 4.4
>
> I was confused about handling a response at a recipient collector
> other than the querier. That is mentioned in the introduction, but
> later text seems to presume that the recipient of a response is the
> querier.
>
> page 5 section 4.3
>
>   As shown in Figure 1 the Associate Channel Header (ACH)
>   [RFC5586] is not included.  The information provided by the ACH is
>   not needed since the correct binding between the query and response
>   messages is achieved though the UDP Port and the session indentifier
>   contained in the RFC6374 message.
>
> page 6 section 4.4
>
>   If the Response was received over UDP/IP and an out-of-band response
>   was not requested,
>
> The idea here is to allow "bistatic" (a new word for me, woohoo!)
You need to read more books on radar :)
> collection, the receiver of a response might be a collector other than
> the querier.  Right?  So is there a way for a collector know that a
> query was made, much less whether the query requested an oob response?
That is out of scope.

Remember that RFC6374 is a stateless system so the messages can
be configured to contain all of the necessary information.
> Does section 4.4 apply only when the receiver of the response was the
> querier?  Is that noted by the session identifier mentioned in section
> 4.3?  If the recipient is a collector other than the querier, is there
> a way to detect duplicate session identifiers across queriers?

The session identifier is scoped on the source. If the source is not
implicitly known, it would need to be explicitly indicated through
the source address TLV.


> ---------
>
> Security Considerations section
>
> The security considerations section refers to the section in RFC6374
> and the assumption that MPLS and MPLS-PLDM are deployed in well
> managed private and service provider networks.  One presumes there's
> an underlying assumption there that all nodes are trustworthy and
> error free.
>
> Be that as it may, this draft presents a feature that sure looks to me
> like a reflection attack vector.  I am not sure if the size of the
> response makes the reflection into an amplification attack, except
> that multiple response destination addresses could be requested -
> could they all be the same address?  The design note in section
> 3.1. indicates that "the combined size of the two objects [ed: an
> Address object and a UDP object] was large".
Remember that to create such an attack you first have to get
an MPLS packet into the systems. MPLS networks are designed,
indeed fundamentally require, that to be a hard problem.

I would expect that most systems would be configured to only
respond to the first address, except in the case of Ipv4/6 migration.

>
> The RFC6374 out-of-band response feature and the "Return Address"
> object seem to indicate the potential exists in RFC6374 as well.
> RFC6374's security consideration section does not mention the
> reflection attack possibility, only the integrity of the return
> out-of-band path and the possibility of affecting the validity of the
> measurements.  But even if the assumptions of well-managed, private,
> service provider networks are met, I believe that the potential and
> increased need for careful configuration should be mentioned.  "Note:
> the feature can be misused, so take care".  Perhaps a manageability
> section caution about checking the Return Address or URO to ensure
> addresses are within the private or service provider network.
> something?  Or presume all will be well, because this is to be used in
> well managed private and service provider networks?
I will look at adding some text, although the assumption is that
MPLS networks are well managed, and there are many other ways
they would break if they were not.

>
> ---------
>
>
> nits
>
> MPLS-PM occurs in section headings (and in the file name of a related
> draft draft-ietf-mpls-pm-udp-return-00) but the text always says
> MPLS-PLDM.  Are they different?  If not a typo, there should be an
> expansion somewhere.
This is an oversight that results from the development of the protocol.
You have to remember there are three types of query, loss, delay and 
loss+delay.
I will fix it.

>
> page 2 section 1
>
>   Currently the MPLS-PLDM protocol does not have any mechanism to
>   deliver the PLDM Response message to particular node within a multi-
>   CPU LSR.
>
> "to a particular node"
yes.
>
> page 2 section 3
>
>   This document specifies that, unless configured otherwise, if a UDP
>   Return Object (URO) is present in a MPLS-PLDM Query, the responder
>   MUST use the IP address and UDP port in the URO to reply back to the
>   querier.
>
> Not sure how the responder would be configured otherwise.  Is the
> otherwise configuration: "ignore any URO and always send to this
> address" or "ignore URO (always send response to the querier)"?  could
> be either?
Yes, you could have config override the object.
>
> page 2-3 section 3
>
>                                       In this document, the term
>   bidirectional LSP includes the co-routed bidirectional LSP defined in
>   [RFC3945] and the associated bidirectional LSP that is constructed
>   from a pair of unidirectional LSPs (one for each direction) that are
>   associated with one another at the LSP's ingress/egress points
>   [RFC5654].
>
> On first read, I thought "the associated bidirectional LSP" meant the
> previously mentioned "co-routed bi-directional LSP", but further down
> in the sentence it looks like it means the bidirectional LSP
> associated with a pair of LSPs.  No biggie, and a wordsmithing quibble,
> but "includes both the ... and also the...." would help.

The MPLS-TP references explain these cases.
>
> page 5 section 4.2
>
>                                      If both these TLVs are missing on a
>   bidirectional LSP, the control code of Response message should set to
>
> of the Response message
>
> should be set to
yes
>
>
> page 5 section 4.3
>
>                             The source IP address and the source UDP Port
>   of Response packet
>
> of the Response packet
>
yes.

- Stewart