Re: [secdir] secdir review of draft-ietf-tictoc-multi-path-synchronization-05

Tal Mizrahi <talmi@marvell.com> Mon, 19 September 2016 00:34 UTC

Return-Path: <talmi@marvell.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7760D12B16D; Sun, 18 Sep 2016 17:34:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nXhGXn1FrOLN; Sun, 18 Sep 2016 17:34:41 -0700 (PDT)
Received: from mx0b-0016f401.pphosted.com (mx0a-0016f401.pphosted.com [67.231.148.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63D0112B169; Sun, 18 Sep 2016 17:34:41 -0700 (PDT)
Received: from pps.filterd (m0045849.ppops.net [127.0.0.1]) by mx0a-0016f401.pphosted.com (8.16.0.17/8.16.0.17) with SMTP id u8J0UAr5024934; Sun, 18 Sep 2016 17:34:37 -0700
Received: from il-exch02.marvell.com ([199.203.130.102]) by mx0a-0016f401.pphosted.com with ESMTP id 25h36k4u3h-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Sun, 18 Sep 2016 17:34:37 -0700
Received: from IL-EXCH01.marvell.com (10.4.102.220) by IL-EXCH02.marvell.com (10.4.102.221) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Mon, 19 Sep 2016 03:34:34 +0300
Received: from IL-EXCH01.marvell.com ([fe80::5d63:81cd:31e2:fc36]) by IL-EXCH01.marvell.com ([fe80::5d63:81cd:31e2:fc36%20]) with mapi id 15.00.1104.000; Mon, 19 Sep 2016 03:34:34 +0300
From: Tal Mizrahi <talmi@marvell.com>
To: Watson Ladd <watsonbladd@gmail.com>
Thread-Topic: secdir review of draft-ietf-tictoc-multi-path-synchronization-05
Thread-Index: AQHSEeSgVxkDrkl/jE+0/2Rx8wj6kqB/4pcA///YqYCAADiWMA==
Date: Mon, 19 Sep 2016 00:34:33 +0000
Message-ID: <3993e58a01f4472992ae6fcdfaa8e0f7@IL-EXCH01.marvell.com>
References: <CACsn0cmCGrpaHtiLNEpnN52_+FqM4XiCtUHhZm9XQD1qfbFH3w@mail.gmail.com> <2c34b139112a45ac9a68ff000aa7d934@IL-EXCH01.marvell.com> <CACsn0ckk0egkREuvfhwU6FJV5LBV4BPs5HsNoRk63yWjVdBB_g@mail.gmail.com>
In-Reply-To: <CACsn0ckk0egkREuvfhwU6FJV5LBV4BPs5HsNoRk63yWjVdBB_g@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.36.250.51]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-09-18_15:, , signatures=0
X-Proofpoint-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1609020000 definitions=main-1609190006
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Yyyt1VoRZ7AJiG_lLrsY301xiOU>
Cc: "draft-ietf-tictoc-multi-path-synchronization.all@tools.ietf.org" <draft-ietf-tictoc-multi-path-synchronization.all@tools.ietf.org>, "Karen ODonoghue (odonoghue@isoc.org)" <odonoghue@isoc.org>, "<iesg@ietf.org>" <iesg@ietf.org>, Suresh Krishnan <suresh.krishnan@ericsson.com>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] secdir review of draft-ietf-tictoc-multi-path-synchronization-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Sep 2016 00:34:42 -0000

Dear Watson,

Thanks for the prompt response.

>Multipath shouldn't be discussed as a security measure at all. My reading of
>the document was that it was simply to get more reliable packet delays and
>synchronization. You cannot throw this claim into the security considerations
>alone without explaining the rest of the picture. Why not remove it entirely?
>

The multi-path scheme addresses both an accuracy issue and a security issue. The security aspect is mentioned well before the security considerations section, including in the abstract and in the introduction.

>Real attackers get the job done: they grab the community strings and use
>them to own every single router you have, or own the sysadmins PC and go
>for all the routers at once.  And it's not uncommon for machines to be
>connected to only one router: most desktops and laptops have a single
>Ethernet port. The proposed text makes extremely common things sound
>rare.

Time protocols have a pretty unique property: even if you use the strongest cryptographic mechanisms, the protocol can still easily be attacked by a man-in-the-middle who simply adds a constant delay to some of the packets, and thereby easily manipulates the protocol. The only way to mitigate delay attacks is by redundancy: multiple time sources and/or multiple network paths.
The delay attack is one of the most significant threats in time protocols, and therefore we defined delay attack protection as a MUST in RFC 7384.
Security is an important aspect of multi-path synchronization, and I believe the current draft has to talk about this aspect.

Best regards,
Tal.



>-----Original Message-----
>From: Watson Ladd [mailto:watsonbladd@gmail.com]
>Sent: Monday, September 19, 2016 2:59 AM
>To: Tal Mizrahi
>Cc: <iesg@ietf.org>; secdir@ietf.org; draft-ietf-tictoc-multi-path-
>synchronization.all@tools.ietf.org; Suresh Krishnan; Karen ODonoghue
>(odonoghue@isoc.org)
>Subject: Re: secdir review of draft-ietf-tictoc-multi-path-synchronization-05
>
>On Sun, Sep 18, 2016 at 4:22 PM, Tal Mizrahi <talmi@marvell.com> wrote:
>> Dear Watson,
>>
>> Thanks for reviewing the draft.
>>
>> To address your comments, I would like to suggest the following text for the
>Security Considerations section.
>> Please let us know if this addresses the comments:
>>
>>
>> The security aspects of time synchronization protocols are discussed in
>detail in [TICTOCSEC]. The methods describe in this document propose to run
>a time synchronization protocol through redundant paths, and thus allow to
>detect and mitigate man-in-the-middle attacks, as described in [DELAY-ATT].
>It should be noted that when using multiple paths, these paths may partially
>overlap, and thus an attack that takes place in a common segment of these
>paths is not mitigated by the redundancy. Moreover, an on-path attacker may
>in some cases have access to more than one router, or may be able to
>migrate from one router to another. Therefore, when using multiple paths it is
>important for the paths to be as diverse and as independent as possible,
>making the redundancy scheme more tolerant to on-path attacks.
>
>Multipath shouldn't be discussed as a security measure at all. My reading of
>the document was that it was simply to get more reliable packet delays and
>synchronization. You cannot throw this claim into the security considerations
>alone without explaining the rest of the picture. Why not remove it entirely?
>
>Real attackers get the job done: they grab the community strings and use
>them to own every single router you have, or own the sysadmins PC and go
>for all the routers at once.  And it's not uncommon for machines to be
>connected to only one router: most desktops and laptops have a single
>Ethernet port. The proposed text makes extremely common things sound
>rare.
>
>>
>>
>>
>> Regards,
>> Tal.
>>
>>>-----Original Message-----
>>>From: Watson Ladd [mailto:watsonbladd@gmail.com]
>>>Sent: Sunday, September 18, 2016 10:41 PM
>>>To: <iesg@ietf.org>; secdir@ietf.org; draft-ietf-tictoc-multi-path-
>>>synchronization.all@tools.ietf.org
>>>Subject: secdir review of
>>>draft-ietf-tictoc-multi-path-synchronization-05
>>>
>>>I have reviewed this document as part of the security directorate's
>>>ongoing effort to review all IETF documents being processed by the
>>>IESG.  These comments were written primarily for the benefit of the
>>>security area directors.  Document editors and WG chairs should treat
>>>these comments just like any other last call comments.
>>>
>>>The document presents a mechanism for servers and clients to conduct
>>>synchronization protocols over multiple paths. I didn't see anything
>>>wrong with the mechanism, but I am worried that its security benefits
>>>are
>>>overstated: independent paths may only be partially independent, and
>>>attackers can easily migrate from one router to another in most networks.
>>>
>>>Sincerely,
>>>Watson Ladd
>
>
>
>--
>"Man is born free, but everywhere he is in chains".
>--Rousseau.