Re: [secdir] secdir review of draft-ietf-ospf-node-admin-tag-05

"Acee Lindem (acee)" <acee@cisco.com> Sat, 10 October 2015 19:34 UTC

Return-Path: <acee@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5226E1B452F; Sat, 10 Oct 2015 12:34:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.811
X-Spam-Level:
X-Spam-Status: No, score=-11.811 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uoK-RvOdCEYx; Sat, 10 Oct 2015 12:34:32 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F9B81B453C; Sat, 10 Oct 2015 12:34:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=16976; q=dns/txt; s=iport; t=1444505672; x=1445715272; h=from:to:subject:date:message-id:references:in-reply-to: content-id:content-transfer-encoding:mime-version; bh=k7k1YaMnAOxU/k1QqJGq3Po7qsEK2Nnwx1LUx1C+pls=; b=DaPxk766g5ya2lhHdeqcxlsHwxPE/0TVd0kMrtbMn7wSNN+tVN+imTWD KQfhgBXMhEiJh50lzjM7Yg3yRd/rrnqBmF6DD2Z97ndEf+T0qNQXjlLQ6 s+ZImh4+cTT2uQZOrjC+RKcRWYUxpbVdAb/ksu1Pbs1nCIpfi3DblM8zj Y=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0COAgAGZxlW/40NJK1eDoMYVG4GvWQBDYFaIYJyggp/AhyBBDgUAQEBAQEBAYEKhCcBAQMBIxFKCwIBCBoCJgICAjAVEAIEARKIJggNr2OTZAEBAQEBAQEBAQEBAQEBAQEBAQEVBIEiik+EIRNggmmBRQWNDIVIgz8BiAiFEYFYhDqDJIoFhFmDbgEfAQFCggwGHIEWPnEBAYYfQ4EGAQEB
X-IronPort-AV: E=Sophos;i="5.17,664,1437436800"; d="scan'208";a="34512195"
Received: from alln-core-8.cisco.com ([173.36.13.141]) by rcdn-iport-7.cisco.com with ESMTP; 10 Oct 2015 19:34:30 +0000
Received: from XCH-ALN-011.cisco.com (xch-aln-011.cisco.com [173.36.7.21]) by alln-core-8.cisco.com (8.14.5/8.14.5) with ESMTP id t9AJYUap000667 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Sat, 10 Oct 2015 19:34:30 GMT
Received: from xch-rcd-015.cisco.com (173.37.102.25) by XCH-ALN-011.cisco.com (173.36.7.21) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Sat, 10 Oct 2015 14:34:22 -0500
Received: from xch-rcd-015.cisco.com ([173.37.102.25]) by XCH-RCD-015.cisco.com ([173.37.102.25]) with mapi id 15.00.1104.000; Sat, 10 Oct 2015 14:34:21 -0500
From: "Acee Lindem (acee)" <acee@cisco.com>
To: Benjamin Kaduk <kaduk@MIT.EDU>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-ospf-node-admin-tag.all@ietf.org" <draft-ietf-ospf-node-admin-tag.all@ietf.org>
Thread-Topic: secdir review of draft-ietf-ospf-node-admin-tag-05
Thread-Index: AQHRAtRkZED+3D3sTk6f1e8MGzkzuJ5lMHaA
Date: Sat, 10 Oct 2015 19:34:21 +0000
Message-ID: <D23ED021.34690%acee@cisco.com>
References: <alpine.GSO.1.10.1510091159450.26829@multics.mit.edu>
In-Reply-To: <alpine.GSO.1.10.1510091159450.26829@multics.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.116.152.199]
Content-Type: text/plain; charset="utf-8"
Content-ID: <2CFDDAC3A4D9D04C94481A983862140B@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Xs23GFWFAypYJpOx-W5MNxhWpDQ>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-node-admin-tag-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Oct 2015 19:34:35 -0000

Hi Ben, 

As the document shepherd and a long-time OSPF contributor, I’m going to
try and sort out some of your comments. Note that route tagging has been
in use for decades and this document is merely extending the
administrative policies advertisement to the node level.

On 10/9/15, 4:52 PM, "Benjamin Kaduk" <kaduk@MIT.EDU> wrote:

>I have reviewed this document as part of the security directorate's
>ongoing effort to review all IETF documents being processed by the
>IESG.  These comments were written primarily for the benefit of the
>security area directors.  Document editors and WG chairs should treat
>these comments just like any other last call comments.
>
>I will preface these comments with a note that my routing background is
>quite weak, and I needed to read RFC 2328 and RFC 4970 to have enough
>context to be able to say much useful about what's going on here; I may
>still be suffering from some misconceptions.
>
>On the whole, this document leaves me feeling unsatisfied; it spends maybe
>three pages talking about the actual new protocol extension and then gives
>four pages of example usage, all the while claiming that the actual tag
>values are only meaningful within a single administrative domain/network,
>are for generic use, and do not require an IANA registry.  That is, it is
>trying to walk a middle line between "this document allocates a value in
>the OSPF TLVs registry for site-local use, use it as you will" and "this
>document specifies a complete protocol extension for tagging OSPF nodes
>for traffic engineering, LFA, and other purposes".  That is a hard middle
>line to follow, and I am not sure that this document does so successfully.
>I will not try to reopen the question of whether it would be better to
>take one of the non-middle paths, and continue on the assumption that this
>document will take the middle path.  I think there are a few things that
>are missing before this document should be published, and that it might be
>worth considering a more drastic restructuring as well.
>
>It would probably be good to include some text with the reasoning behind
>the choice of the "middle line" -- the current text attempting to enforce
>it, "new OSPF extensions MUST NOT require use of per-node administrative
>tags or define well-known tag values", seems unenforcable, as a future RFC
>updating this one could just remove that restriction.

The intent here is that this TLV is to be solely for locally defined
policies. If there were to be a TLV for well-known tags and policies, this
could be accomplished with a separate OSPF RI TLV. I agree that the
normative text should be softened from “MUST NOT” to “are not expected
to”. 

>
>It looks like there's now an -06, but the changes from the -05 are not
>significant.  The security considerations in the -05 correctly note what
>are essentially privacy considerations regarding the contents of the admin
>tags.  However, it seems like there are also potential security
>considerations on the actual operation of the network that are not
>discussed here, nor in RFC 2328 (OSPFv2) or RFC 5340 (OSPFv3).  RFC 5340's
>security considerations explicitly disclaims protections against
>compromised, malfunctioning, or misconfigured routers, deferring to RFC
>4593, "Generic Threats to Routing Protocols".  I believe that the security
>considerations of this document should address, either directly or
>indirectly, protections against compromised, malfunctioning, or
>misconfigured routers, and additionally protection against malicious
>actors with access to the layer-3 network (and maybe lower layers as
>well).
>
>That probably means mentioning RFC 4593 directly, or maybe just pointing
>out that RFC 5340 does so.  There are still additional considerations
>introduced by this document, though; unfortunately, because the bulk of
>the interpretation of the admin tags is left to the site administrator, it
>is hard to give a comprehensive security analysis, but the examples and
>the protocol description itself do give some areas for consideration.

The document could reference RFC 4593/RFC 6863 and state that
authentication as specified in RFC 7474 or RFC 7166 SHOULD be used in
deployments where attackers have access to the physical networks included
in the OSPF domain are vulnerable.


>
>The RI LSAs carrying administrative tags can be at link-, area-, or
>AS-level scope; an administrator assigning tag values and associated
>policies should consider what would happen if a given tag was advertised
>at a different scope than intended.  Compliant implementations MUST NOT
>generate the same tag at different scopes, but a receiver would need to
>take some action if it happened, whether due to network glitch or
>malicious action -- what should they do?

I’m not an author, but this is what I’d recommend:

   The conflicting tag SHOULD not be used and this situation SHOULD be
logged as an error including the tag with conflicting scopes and the
originator(s). 

There is a case that must be allowed - the same tag could be received by
an ABR at both the AS scope and the area scope in a stub or NSSA area.


>
>Another potential issue lies in the "stickiness" of the admin tags -- the
>text "the node administrative tags associated with a node for the purpose
>of any computation or processing SHOULD be a superset of node
>administrative tags from all the TLVs in all instances of the RI LSA
>originated by that node" seems to mean that once a tag is set, it cannot
>(easily) be unset.  Would force-expiring an LSA be enough to reset the
>tag, or something else?

Yes - this is standard for any OSPF LSA. However, since the OSPF RI LSA
may include other TLVs or even other tags, a tag could also be withdrawn
by reoriginating the RI LSA without the TLV or with a TLV that doesn’t
include the withdrawn tag.

> How disruptive would that be?  It would be
>helpful to see some discussion of how a tag would be removed.

I may of worked on OSPF for too long but this should be obvious to anyone
implementing the draft from the specification.


>
>That is particularly easy for an attacker when the null OSPF
>authentication mechanism is in use (how common is that?  I saw some
>websites indicating it was the default behavior, at least sometimes).  I
>do not see a need to turn this document into "security considerations for
>OSPF authentication", but maybe it is worth mentioning some things: the
>md5 scheme seems pretty week at this point (though probably not trivially
>broken), the hmac-sha scheme of RFC 5709 is only from 2009, and RFC 7474
>(only six months old) points out cases where both are susceptible to
>replay attacks.  Just looking at the security considerations of this
>document and the core OSPF v2/v3 specs does not convey this to the reader,
>so I would like to see at least a pointer to such considerations.  (The
>stance of RFC 2328 that "all OSPF protocol exchanges are authenticated"
>seems particularly disingenous given the presence of the null
>authentication scheme.)

I think both RFC 7474 and RFC 7176 should be referenced. The OSPF
vulnerability to replay attacks to OSPFv2/OSPFv3 routers implementing
these specifications is extremely small and has been reduced as much as
practical. If you are still concerned, I suggest you discuss with Sam
Hartman (also once affiliated with MIT).

>
>There is also the possibility that an attacker could block delivery of an
>LSA, causing a tag that should be set to not be seen.  This seems unlikely
>for wired point-to-point links, but is more plausible in other
>environments, such as radio links.  I think I can imagine scenarios where
>this would cause drastic damage to the routing topology.

The description and mitigation of such a generic threat doesn’t belong in
a minor (though important) OSPF specification. The effect of blocking
control traffic is never positive ;^). At least OSPF uses reliable
flooding so it will be retransmitted.


>
>The parenthetical in section 3.2 wherein routers might advertise a
>per-node aministrative tag "without knowing (or even explicitly
>supporting) functionality implied by the tag" seems potentially dangerous,
>since it sounds like the routers in question are lying about their
>capabilities.  Would the document suffer harm if the parenthetical was
>removed?

In my opinion, no harm to remove - misconfiguration is almost always an
issue. 

>
>One reason I am unsatisfied by making the interpretation of the tag values
>specific to an administrative domain is that a misconfigured border router
>might erroneously use tag values from one domain on the other side of the
>border. 
> Perhaps the other damage from a router misconfigured in such a
>fashion would dwarf the additional damage from the misinterpreted tags and
>so my concern is invalid; I really can't say.

Again, I don’t think misconfiguration needs to be covered - "emptor
cavete”. 

Thanks for the editorial review as well. Speak as WG chair, I appreciate
this. 

Thanks,
Acee 


>
>
>
>
>I also have some editorial comments unrelated to the secdir review:
>
>Section 3.2 reads rather like a jumbled list and could benefit from some
>additional structure.
>
>Similarly, I would find it helpful if there was some text motivating the
>"middle patch" mentioned above, towards the beginning of the technical
>(non-example) portion of the document.
>
>For a construction as weakly structured as these administrative tags,
>preventing any internal structure or dependencies between tags (as this
>document attempts to do) seems correct.  However, this sentiment seems to
>be expressed differently in several different places in the document, and
>it would be good to consolidate and coordinate them.  In particular,
>paragraph 3 of section 3.2 explicitly says that tag order has no meaning,
>but paragraph 4 has the weaker "SHOULD be considered an unordered list".
>(The word "set" might be appropriate here.)
>
>Paragraph 7 of section 3.2 seems to be trying to say that the
>administrative tags must indicate inherent or administratively configured
>properties of a node and must not be used to convey attributes of the
>routing topology.  (The word "tie" seems insufficiently clear.)
>
>Many (but not all) of the acronyms/abbreviations should be expanded at
>first use -- the ones marked with a '*' at
>https://www.rfc-editor.org/materials/abbrev.expansion.txt are assumed to
>be common knowledge and do not need expansion.  Other things, like traffic
>engineering, router information, link statement advertisement, autonomous
>system, etc., should be written out in full at their first use, with the
>abbreviated version in parentheses afterwards.
>
>The first paragraph of section 1 contains a list of potential
>applications; please use some XML markup to preserve the list structure in
>the rendered document.
>
>Plase give an informative reference for Loop Free Alternate backup
>selection at its first appearance.
>
>The divider between the type and length fields in Figure 1 is placed one
>bit to the left of the correct division for two 16-bit fields.  (In many
>cases the position indicators above the diagram are offset by one space so
>they land over the '-'s instead of the '+'s, but there is some argument
>for putting them in their current location, as well.)
>
>In the seventh paragraph of section 3.2, I think it would be fine to just
>remove the "but not limited to" clause, which is not quite correct grammar
>and is not really needed.
>
>The last paragraph of section 3.2 could probably be written more clearly.
>In particular, "in any instance of the RI-LSA" is not entirely clear to me
>(but then again, I don't really understand how LSAs normally work).  Is it
>enough to just say that implementations MUST detect when the
>administrative tags associated with a given node change, and update their
>state accordingly?
>
>In section 4.5, I do not see that the constraint "Traffic from A nodes to
>I nodes must not go through R and T nodes" can be satisfied for the
>leftmost pair of A nodes.
>
>I am also attaching a diff to the xml sources with some grammar fixes not
>worth enumerating explicitly.
>
>-Ben Kaduk