Re: [secdir] secdir review of draft-ietf-forces-protoextension-04

Jamal Hadi Salim <> Tue, 05 August 2014 12:56 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id BDA0A1A8BAF for <>; Tue, 5 Aug 2014 05:56:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id u5O2GrPG1la7 for <>; Tue, 5 Aug 2014 05:56:07 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 042FF1A0AFF for <>; Tue, 5 Aug 2014 05:56:06 -0700 (PDT)
Received: by with SMTP id la4so1367238vcb.19 for <>; Tue, 05 Aug 2014 05:56:06 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=qWVa2x7ecU004xoiTlIdv4IdbO4d9hZLjGXKFJaisXc=; b=OIp8sRJPfq1qCM8vK1la30hDy4TQzJHGEkfHPCPaskdci9lePu6cH2dkGBhT/Ve+Lh AqdcH1DjTXH4F3HLQ3aHeJsMrsuGxq24NQ10hos/vemFqVZEN15XV7s/laeILq1+6U5Y 14voadTuBpkzDVeAKtda/c5fc+Qzp5dPbe3v99Lw7TOx+m6wtvhpsV3xXYBrCjuMc9Ia N4mk2sdQu1EagKzuEsIm14dKDobOu4di/CHBFL2+deaDStZ27DSYHOA05Xr0gGgLur0q BA1lBR7JjGBwQgmR9XDWMlmso8H1/8PT3uzZ8XuUnXyEBvBqbmKv/v9Shm0m4EKAk7hf pz9A==
X-Gm-Message-State: ALoCoQlM5LO6qV3PRCGAS8KdvNNOt7DiMjDDW2HsXv84qJ8sXQMzpqhcw/moyqKpujTs3xMIHxKB
X-Received: by with SMTP id l4mr3063128vcr.41.1407243365974; Tue, 05 Aug 2014 05:56:05 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Tue, 5 Aug 2014 05:55:44 -0700 (PDT)
In-Reply-To: <>
References: <> <> <>
From: Jamal Hadi Salim <>
Date: Tue, 05 Aug 2014 08:55:44 -0400
Message-ID: <>
To: Tobias Gondrom <>
Content-Type: text/plain; charset="UTF-8"
X-Mailman-Approved-At: Wed, 06 Aug 2014 08:39:26 -0700
Cc:, The IESG <>, secdir <>
Subject: Re: [secdir] secdir review of draft-ietf-forces-protoextension-04
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 05 Aug 2014 12:56:08 -0000

Hi Tobias,

On Tue, Aug 5, 2014 at 7:13 AM, Tobias Gondrom
<> wrote:
> Hi Jamal,
> thanks for the fast reply.
> And thank you for taking the time to answer my questions.
> Please see my answers only as my personal comments and I am no expert in
> the forces spec. So I might very well be wrong.

No worries, an extra pair of eyes with a different view always provides a
perspective we may have overlooked.

>> Hrm. In a cluster of CEs where you have new + older CEs, yes - that is possible.
>> Caveat: The CEs are spec-ed to talk to each other on CE-CE plane. I would expect
>> what you described to be a "buggy" decision by the master CE.
>> Would text that describes this as a faulty setup be reasonable to add
>> to cover this?
> Yes. That might be a useful point.
> But please see my review questions only as personal comment. I would not
> want to make suggestions that go against the WG views.

Ok, will find a spot to discuss this.

> Small add-on question:
> Not sure whether there are potentially two scenarios here:
> 1. the first as you described might be a "buggy" decision by a master CE
> to switching on the "only" new
> EXTENDEDRESULT-TLVs and by that switching off the old codes for the
> other old CEs.
> 2. wondering whether there might be a second scenario where a malicious
> person would intentionally try to insert one new CE and switch the FEs
> to EXTENDEDRESULT-TLVs to "blind" an existing "old" CE network to some
> of the error codes?

An arbitrary CE should not be able to join a cluster or win an election for
mastership without authentication and authorization.
i.e this is all covered by the trust issue i described earlier.
The FE has explicit trust with the CE. If that trust is compromised, security
breach is not limited to just this one issue.
The reason i described the other scenario as buggy is the CEs should be
able to coordinate amongst themselves if they have discrepancies
(although it is outside scope of ForCES to describe how that is achieved)

> Yes. I understand.
> My concern is the following: AFAIK (and I might very well be wrong) so
> far the protocol mostly required many requests to receive the data from
> the FEs. Which is inefficient, but equally put symmetric compute
> resource requirements on both points (CE and FE). Aka, you would see a
> many requests to put a FE to work. With the new "TABLERANGE-TLV", it
> seems I can send one request which will trigger more computing activity
> on the FE.

Note that a single request to get many (possible) responses back already
exists *today*. Example, I can send one message to dump 10M table rows.
Nothing new there. ForCES says to restrict the transaction pipeline window size
(default of 1) so you cant send 10000 of those - and if you could,
then such requests
which will cause problems of starving other possible transactions because you
are hogging both bandwidth and cpu at the FE . It is likely a buggy
control application to do this. But these are *trusted* apps - they are just
bad code as opposed to malice and the transaction windowing should minimize
In our implementation (and specified in RFC 5811) we would lower the priority
of these dump responses in a work conserving way
if there are other high prio requests (like a SET for example).

A simplistic approach to retrieve a table range would be to get all the 10M
table rows and then do the filtering to select 2000 rows in the controller.
This uses more bandwidth and possibly more CPU on the FE (slave) since it
has to dump *all* rows.
What you describe as "more computing activity" boils down  to running the filter
i described above at the FE device instead of the controller.
In my experience this hasnt been an issue - but i am willing to be cautious.

>So yes, you are right with your analogy between brain and
> legs and the trust relationship to the controller. However, before, your
> "brain" could send one command at a time to the legs, now it could send
> a whole marching program to the legs with one single request. And send
> multiple such requests in succession. Could that pose risks for denial
> of service (accidental or malicious) that might not have been
> anticipated in RFC5810?

Not any more than they do today. i.e Malice is solved by the general security
infrastructure; if a CE can get into the cluster, be authenticated and vetted as
legit, wins an election and starts telling the FE what to do, then we have
a bigger problem.
OTOH, bugs may exist and we gotta protect against those.

Thanks again for taking the time.