Re: [secdir] review of draft-ietf-cdni-logging.15

"Francois Le Faucheur (flefauch)" <flefauch@cisco.com> Wed, 04 March 2015 10:24 UTC

Return-Path: <flefauch@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 453171A1A9D; Wed, 4 Mar 2015 02:24:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -13.911
X-Spam-Level:
X-Spam-Status: No, score=-13.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_42=0.6, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i35-3Nk4P-Ck; Wed, 4 Mar 2015 02:24:48 -0800 (PST)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C669D1A1A9B; Wed, 4 Mar 2015 02:24:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=12206; q=dns/txt; s=iport; t=1425464688; x=1426674288; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=DTslvTs3oReJoUZ/EODtVg2lAmuD87TuuxWIU6wZTXI=; b=InTdfle+DAgXkidpDlL6dbrQe8Gmw+ikBB8yoM2DiBhz+sglUoPDIJsP iSvf3y/uZNrYV5YYjmke7+8AutW5lMtebAaLxCuOKatwZOKOb9gLuwNdF G5i36cVkK6CtXwg4tKjNmlHejpaQcMlEHnPC7ejvTmqoK41aq9gN80nf1 g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AKCQA03PZU/5NdJa1RCYMCUk4MBIMHu12IIgIcgQdNAQEBAQEBfIQPAQEBAwEjBA0+BwULAgEGAhgCAiYCAgIwFRACBA4FiCcIn3ucbJoqAQEBAQEBAQEBAQEBAQEBAQEBAQEBF4EhiXGEEygzB4JoL4EUAQSOAIF/hXuDUYEagyWCU4kWg0AjggEBHIFQb4FEfwEBAQ
X-IronPort-AV: E=Sophos;i="5.09,686,1418083200"; d="scan'208";a="128714029"
Received: from rcdn-core-11.cisco.com ([173.37.93.147]) by alln-iport-1.cisco.com with ESMTP; 04 Mar 2015 10:24:47 +0000
Received: from xhc-rcd-x09.cisco.com (xhc-rcd-x09.cisco.com [173.37.183.83]) by rcdn-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id t24AOkfN020389 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Wed, 4 Mar 2015 10:24:46 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.156]) by xhc-rcd-x09.cisco.com ([173.37.183.83]) with mapi id 14.03.0195.001; Wed, 4 Mar 2015 04:24:46 -0600
From: "Francois Le Faucheur (flefauch)" <flefauch@cisco.com>
To: "Klaas Wierenga (kwiereng)" <kwiereng@cisco.com>
Thread-Topic: review of draft-ietf-cdni-logging.15
Thread-Index: AQHQVmVv5C9SG+zPj0yqYbUG8Io8tg==
Date: Wed, 4 Mar 2015 10:24:45 +0000
Message-ID: <57CC830A-5092-4BA3-9628-90B148951A16@cisco.com>
References: <493249E6-FD3B-46F3-AA3E-79ED26B594E1@cisco.com>
In-Reply-To: <493249E6-FD3B-46F3-AA3E-79ED26B594E1@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.55.161.202]
Content-Type: text/plain; charset="utf-8"
Content-ID: <023B233F5B82B241BE6B7C5EB45E55BC@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Y6TfOfGhwRUVlEe48dxQn0YwHHM>
Cc: "draft-ietf-cdni-logging.all@tools.ietf.org" <draft-ietf-cdni-logging.all@tools.ietf.org>, "Francois Le Faucheur \(flefauch\)" <flefauch@cisco.com>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] review of draft-ietf-cdni-logging.15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Mar 2015 10:24:50 -0000

Hello Klaas,

Thanks for your review. Proposed resolution of comments below:

> On 13 Feb 2015, at 17:05, Klaas Wierenga (kwiereng) <kwiereng@cisco.com> wrote:
> 
> Hi,
> 
> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the  security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.
> 
> This document specifies the logging format and the exchange protocol for logging information between upstream and downstream CDNs that are interconnected using the CDN interconnection framework.
> 
> The document is well written and easy to read. I have few issues with the main text, but do have some concerns about the security and privacy considerations. I therefore consider the document “ready with issues”
> 
> Detailed comments:
> 
> * Introduction and Figure 1: What is not clear to me from the text is whether there is any functional difference between an uCDN and an dCDN,or that they just happen to be in a hierarchical relation to each other.  I could also find no reference to that in RFC7336. The fact that in Figure 1 dCDN-2 is not also labeled as uCDN-2 led me to believe that there is a functional difference. However from the text it appears that any two DCNs can be in an u-d relation to each other. Please clarify.

Yes, any two CDNs can be in a u-d relationship , and is independent for each direction.
ie CDN1 and CDN2 can be in a  u—>d ,  d—>u , or   u/d<—>u/d  relationship.

This should be established by RFC6707 and RFC7336 (that refers to the concepts and terminology of RFC6707).
Regarding the specific situation of “uCDN —> dCDN-2 —>dCDN-3” in Figure 1, this situation is discussed in RFC6707. For example, it says:
"
Note that in the case of successive redirections (e.g., CDN1-->CDN2-->CDN3), a given CDN
   (e.g., CDN2) may act as the Downstream CDN for a redirection (e.g.,
   CDN1-->CDN2) and as the Upstream CDN for the subsequent redirection
   of the same request (e.g., CDN2-->CDN3).
“

To make things very clear in cdni-logging I have done the following edits:


OLD:
"
In turn, dCDN2 has a CDNI interconnection with dCDN3.
"
NEW:
"
In turn, dCDN2 has a CDNI interconnection with dCDN-3, where dCDN-2 is acting as an upstream CDN relative to dCDN-3".
"



OLD:
“
A dCDN (e.g., dCDN-2) integrates the relevant Logging information
   obtained from its dCDNs (i.e., dCDN-3) in the Logging information
"


NEW:
“
A downstream CDN relative to uCDN (e.g., dCDN-2) integrates the relevant Logging information obtained from its own downstream CDNs (i.e., dCDN-3) in the Logging information
"



> 
> * Paragraph 3.2  CDNI Logging File Structure
> 
> You state that you chose a format as close as possible to the W3C ELF Format. I’d like to see a short explanation why you can not use that format, and whether it would be an option to extend that format rather than defining a new format that is slightly different but is essentially a form and could over time be significantly different.

The W3C ELF specification, while commonly used, is somewhat underspecified and only a draft document. The document says:
“
This is a W3C Working Draft for review by W3C members and other interested parties. It is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to use W3C Working Drafts as reference material or to cite them as other than "work in progress”.
“
So it does not seem appropriate to simply reuse that spec, or even to use it as a stable base to extend from.


Besides, we’ve really started from ELF and diverged where necessary or useful.
Several of the directives we needed do not have any equivalent in ELF. Quite a few fields we needed do not have an equivalent in ELF, and/or do not have a totally unambigous description.
Also we needed to be able to carry logs for non-HTTP protocols.

> 
> * paragraph 3.3 Directives
> 
> For the Integrity-Hash you write: "hash function of all logging records and directives up to the hash-directive itself”. I have not seen that the directives are in a special order with the Integrity-hast as last one,

The description of each directive includes an “occurence” specification, that defines when, how many times, where that directive can be used.
The “occurrence” text for “Integrity-Hash” directive says:
"When present, the Integrity-Hash field MUST be the last line of the CDNI Logging File.”

So I think we are covered here.

> so it appears that when the integrity-hash directive is the very first one there will be no sensible hash. Unless there is actual order in the directives (write that down) I suggest “has all logging information and directives with the exception of the Integrity-Hash directive itself”
> 
> * Paragraph 7.1 Authentication, Confidentiality, Integrity Protection
> 
> You leave out the 3d A, Authorization, but then you talk about mutual authentication to decide whether an entity is authorised to receive the logs, so I think you should insert it that one too.
> 
> You state that the use of TLS for transport allows for mutual authentication, confidentiality and integrity, that in itself is not true. You need TLS + mutual authentication to get confidentiality and integrity. 


Good points. To address the two comments above, I have incorporated the following edits:

I see.

I did the following edits:

OLD:
“
7.1.  Authentication, Confidentiality, Integrity Protection
"
NEW:
“
7.1.  Authentication, Authorization, Confidentiality, Integrity Protection
"


OLD:
“
The use of TLS for transport of the CDNI Logging feed and CDNI
   Logging File pull allows:

   o  the dCDN and uCDN to authenticate each other (to ensure they are
      transmitting/receiving CDNI Logging File from an authenticated
      CDN)

   o  the CDNI Logging information to be transmitted with
      confidentiality

   o  the integrity of the CDNI Logging information to be protected
      during the exchange
“
NEW:
“
The use of TLS for transport of the CDNI Logging feed and CDNI
   Logging File pull allows:

   o  the dCDN and uCDN to authenticate each other 

and, once they have mutually authenticated each other, it allows:

   o the dCDN and uCDN to authorize each other (to ensure they are
      transmitting/receiving CDNI Logging File to/from an authorized
      CDN)

   o  the CDNI Logging information to be transmitted with
      confidentiality

   o  the integrity of the CDNI Logging information to be protected
      during the exchange
“


> In the text “In an environment where any such protection is required….” TLS is a "SHOULD unless…..”, Why not “MUST unless….”

We have discussed this in teh Working Group, and it was felt that the definition of “SHOULD” as per RFC2119 matches what squarely what we want to say here: 
"This word, or the adjective "RECOMMENDED", mean that there
  may exist valid reasons in particular circumstances to ignore a
  particular item, but the full implications must be understood and
  carefully weighed before choosing a different course.”
So this does say that you are really meant to use TLS, but if you want to do something different, you need to have a good reason and really understand what you’re doing.


> 
> * paragraph 7.2 DoS
> 
> I don’t understand how the use of TLS protects agains DoS, on the contrary I would say, trying to establish a TLS session is costly, so an evil entity could easily mount a DoS by trying to connect and exchange crypto material.


Good point. I corrected the text:

OLD:
“
This document does not define specific mechanism to protect against
   Denial of Service (DoS) attacks on the Logging Interface.  However,
   the CDNI Logging feed and CDNI Logging pull endpoints can be
   protected against DoS attacks through the use of TLS transport and/or
   via mechanisms outside the scope of the CDNI Logging interface such
   as firewalling or use of Virtual Private Networks (VPNs).
"
NEW:
“
This document does not define specific mechanism to protect against Denial of Service (DoS) attacks on the Logging Interface. However, the CDNI Logging feed and CDNI Logging pull endpoints are typically to be accessed only by a very small number of valid remote endpoints and therefore can be easily protected against DoS attacks through the usual conventional DOS protection mechanisms such as firewalling or use of Virtual Private Networks (VPNs).
“

Thanks again.

Francois

> 
> 
> Klaas
> 
> 
> --
> Klaas Wierenga
> Identity Architect
> Cisco Cloud Services
> 
> 
> 
> 
> 
>