Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06

[<bruno.decraene@orange.com>]

[removing the iesg to limit spamming, adding Alia (responsible AD)]



Hi David,



Sorry to come back on this draft 3 weeks after our latest email, but a late comment is likely to change a sentence in the draft.

As we had discussed that sentence during your secdir review, I feel that it would be honest to come back to you to report that change, even if I don’t feel the change is problematic.



Proposed 2 changes are the following:

§ Operation

OLD:

A tunnel MUST NOT be used if there is no route toward the IP address specified in the Endpoint Sub-TLV (See <xref target="EndpointTLV"/>)

or if the route is not advertised by the router advertising this Tunnel Sub-TLV.



NEW:

A tunnel MUST NOT be used if there is no route toward the IP address specified in the Endpoint Sub-TLV (See <xref target="EndpointTLV"/>)

or if the route is not advertised in the same OSPF domain.





==

The reason is that in multi-area OSPF deployments, the Tunnel Sub-TLV may be flooded domain-wide while the IP prefix may not. Hence both advertisements would not come from the same router.

==





§security

OLD:  It prohibits a destination outside of the OSPF domain and also to other routers within the domain.

NEW: It prohibits a destination outside of the OSPF domain.





===

As a consequence, this slightly increases the capabilities and hence the security implications. However, this still restricts the use of tunnel whose destination is within the OSPF domain (i.e. not Internet wide) which was your original concern. Plus IMO, assuming that an attacker can control the OSPF advertisement is already a significant assumption.

===



Bottom line, I believe the change is quite small from a security standpoint, but wanted to double check with you.



Thanks,

Best regards,

--Bruno



> -----Original Message-----

> From: David Mandelberg [mailto:david@mandelberg.org]

> Sent: Tuesday, September 19, 2017 6:24 PM

> To: Acee Lindem (acee); DECRAENE Bruno IMT/OLN; Robert Raszuk

> Cc: iesg@ietf.org; draft-ietf-ospf-encapsulation-cap.all@ietf.org; secdir@ietf.org

> Subject: Re: secdir review of draft-ietf-ospf-encapsulation-cap-06

>

 > Looks good to me too.

>

 > On 09/19/2017 07:01 AM, Acee Lindem (acee) wrote:

> > Hi Bruno, Robert,

> >

> > Sounds good to me. One nit – replace “e.g. “ with “, e.g., “ in the

> > added text.

> > Thanks,

> > Acee

> >

> > From: Bruno Decraene <bruno.decraene@orange.com

> > <mailto:bruno.decraene@orange.com>>

> > Date: Tuesday, September 19, 2017 at 4:15 AM

> > To: Robert Raszuk <robert@raszuk.net <mailto:robert@raszuk.net<mailto:robert@raszuk.net%20%3cmailto:robert@raszuk.net>>>

> > Cc: The IESG <iesg@ietf.org <mailto:iesg@ietf.org<mailto:iesg@ietf.org%20%3cmailto:iesg@ietf.org>>>, David Mandelberg

> > <david@mandelberg.org <mailto:david@mandelberg.org<mailto:david@mandelberg.org%20%3cmailto:david@mandelberg.org>>>,

> > "draft-ietf-ospf-encapsulation-cap.all@ietf.org

> > <mailto:draft-ietf-ospf-encapsulation-cap.all@ietf.org>"

> > <draft-ietf-ospf-encapsulation-cap.all@ietf.org

> > <mailto:draft-ietf-ospf-encapsulation-cap.all@ietf.org>>,

> > "secdir@ietf.org <mailto:secdir@ietf.org><mailto:secdir@ietf.org%20%3cmailto:secdir@ietf.org%3e>" <secdir@ietf.org

> > <mailto:secdir@ietf.org>>

> > Subject: RE: secdir review of draft-ietf-ospf-encapsulation-cap-06

> > Resent-From: <alias-bounces@ietf.org <mailto:alias-bounces@ietf.org<mailto:alias-bounces@ietf.org%20%3cmailto:alias-bounces@ietf.org>>>

> > Resent-To: Xiaohu Xu <xuxiaohu@huawei.com <mailto:xuxiaohu@huawei.com<mailto:xuxiaohu@huawei.com%20%3cmailto:xuxiaohu@huawei.com>>>,

> > Bruno Decraene <bruno.decraene@orange.com

> > <mailto:bruno.decraene@orange.com>>, Robert Raszuk <robert@raszuk.net

> > <mailto:robert@raszuk.net>>, Luis Contreras

> > <luismiguel.contrerasmurillo@telefonica.com

> > <mailto:luismiguel.contrerasmurillo@telefonica.com>>, Luay Jalil

> > <luay.jalil@verizon.com <mailto:luay.jalil@verizon.com<mailto:luay.jalil@verizon.com%20%3cmailto:luay.jalil@verizon.com>>>, Acee Lindem

> > <acee@cisco.com <mailto:acee@cisco.com<mailto:acee@cisco.com%20%3cmailto:acee@cisco.com>>>, <akr@cisco.com

> > <mailto:akr@cisco.com>>, <aretana@cisco.com <mailto:aretana@cisco.com<mailto:aretana@cisco.com%20%3cmailto:aretana@cisco.com>>>,

> > Deborah Brungard <db3546@att.com <mailto:db3546@att.com<mailto:db3546@att.com%20%3cmailto:db3546@att.com>>>, Alia Atlas

> > <akatlas@gmail.com <mailto:akatlas@gmail.com<mailto:akatlas@gmail.com%20%3cmailto:akatlas@gmail.com>>>, Acee Lindem

> > <acee@cisco.com <mailto:acee@cisco.com<mailto:acee@cisco.com%20%3cmailto:acee@cisco.com>>>

> > Resent-Date: Tuesday, September 19, 2017 at 4:15 AM

> >

> >     *From:*rraszuk@gmail.com <mailto:rraszuk@gmail.com>

> >     [mailto:rraszuk@gmail.com] *On Behalf Of *Robert Raszuk

> >

> >     Please replace AS with Administrative Domain.

> >

> >     [Bruno] I replaced AS with “OSPF domain” as indeed, AS is a BGP term

> >     rather than an OSPF one. And as you note, in some cases, the AS and

> >     the IGP domain may be different. Thanks.

> >

> >     If I have three ASes there should be no artificial limits

> >     prohibiting encap to my central collector.

> >

> >     [Bruno]

> >

> >     If your central collector is part of the OSPF domain of the

> >     encapsulator, there is no problem.

> >

> >     Otherwise, if the route to your central collector is advertised in

> >     OSPF by the decapsulator, there is no problem.

> >

> >     Otherwise, if the route to your central collector is advertised in

> >     BGP, then draft-ietf-idr-tunnel-encaps is probably the right tool.

> >

> >     --Bruno

> >

> >     Thx

> >

> >     R

> >

> >     On Sep 19, 2017 08:18, <bruno.decraene@orange.com

> >     <mailto:bruno.decraene@orange.com>> wrote:

> >

> >     > From: David Mandelberg [mailto:david@mandelberg.org <mailto:david@mandelberg.org><mailto:david@mandelberg.org%20%3cmailto:david@mandelberg.org%3e>]

> >       > Sent: Monday, September 18, 2017 9:30 PM

> >     >

> >       > On 09/18/2017 05:08 AM, bruno.decraene@orange.com<mailto:bruno.decraene@orange.com>

> >     <mailto:bruno.decraene@orange.com> wrote:

> >       > >   > (c) is the one that I think is worth looking into. E.g.,

> >     does this new

> >       > >   > extension make it easier for an attacker to route a packet

> >     across AS

> >       > >   > boundaries, by setting a tunnel endpoint outside of the

> >     OSPF-routed network?

> >       > >

> >       > > No. The following text already prohibits even more than this:

> >       > >

> >       > > "  A tunnel MUST NOT be

> >       > >        used if there is no route toward the IP address

> >     specified in the

> >       > >        Endpoint Sub-TLV (See <xref target="EndpointTLV"/>) or

> >     if the route is

> >       > >        not advertised by the router advertising this Tunnel

> >     Sub-TLV."

> >       > >

> >       > > - By definition, this Tunnel Sub-TLV is advertised in OSPF

> >     i.e. from within the AS.

> >       > > - The text also prohibits setting a tunnel endpoint to another

> >     router within the AS.

> >       > >

> >       > >

> >       > > That being said, within the AS, the point "c" still applies.

> >       > > However, thinking twice, the probability is even more limited.

> >     Indeed, one can only advertise a

> >       > tunnel to itself. Assuming that the third party can't control

> >     the whole routing topology (i.e. routing

> >       > advertisement from most core routers), it cannot control the

> >     path followed by the tunnel. Hence it

> >       > would need to have monitoring capabilities on specific links

> >     that it cannot choose. (the link on

> >       > the path to itself).

> >       > > Plus this risk is not new, as the third party could already

> >     advertise the destination IP address of

> >       > the packets (or of the BGP Next-hop of the BGP route matching

> >     the packet destination), without

> >       > using any tunnel.

> >       > > In conclusion, although I could be wrong, I'm not seeing such

> >     new risk. (again, assuming that

> >       > a third party can modify the OSPF routing is a big assumption).

> >       > >

> >       > > But the discussion was useful, thanks for the comments.

> >       >

> >       > That explanation is great, thank you. I hadn't realized the

> >     implications

> >       > of the paragraph you quoted, when I initially read it. I'm convinced

> >       > that there isn't a security issue here, but it would be nice to

> >     see your

> >       > explanation in the document itself, if it's not already obvious to

> >       > anybody who knows OSPF better than I do.

> >

> >     I've just added the following text in the security section of my

> >     local version:

> >     "We note that the last paragraph of <xref target="Operation"/>

> >     forbid the establishment of a tunnel toward arbitrary destinations.

> >     It prohibits a destination outside of the Autonomous System and also

> >     to other routers within the AS. This avoid that a third-party

> >     gaining access to an OSPF router be able to send the traffic to

> >     other destinations, for e.g. inspection purposes. "

> >

> >     Feel free to comment/propose other text.

> >

> >     Since I've just published -08 a few hours ago, I'll probably delay

> >     the upload of this new update.

> >

> >     --Bruno

> >

> >

> >       > --

> >       > Freelance cyber security consultant, software developer, and more

> >       > https://david.mandelberg.org/

> >

> >

> _____________________________________________________________________________

> ____________________________________________

> >

> >     Ce message et ses pieces jointes peuvent contenir des informations

> >     confidentielles ou privilegiees et ne doivent donc

> >     pas etre diffuses, exploites ou copies sans autorisation. Si vous

> >     avez recu ce message par erreur, veuillez le signaler

> >     a l'expediteur et le detruire ainsi que les pieces jointes. Les

> >     messages electroniques etant susceptibles d'alteration,

> >     Orange decline toute responsabilite si ce message a ete altere,

> >     deforme ou falsifie. Merci.

> >

> >     This message and its attachments may contain confidential or

> >     privileged information that may be protected by law;

> >     they should not be distributed, used or copied without authorisation.

> >     If you have received this email in error, please notify the sender

> >     and delete this message and its attachments.

> >     As emails may be altered, Orange is not liable for messages that

> >     have been modified, changed or falsified.

> >     Thank you.

> >

> >

> _____________________________________________________________________________

> ____________________________________________

> >

> >     Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou

> privilegiees et ne doivent donc

> >     pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par

> erreur, veuillez le signaler

> >     a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant

> susceptibles d'alteration,

> >     Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

> >

> >     This message and its attachments may contain confidential or privileged information that

> may be protected by law;

> >     they should not be distributed, used or copied without authorisation.

> >     If you have received this email in error, please notify the sender and delete this message and

> its attachments.

> >     As emails may be altered, Orange is not liable for messages that have been modified,

> changed or falsified.

> >     Thank you.

> >

>

 >

 > --

> Freelance cyber security consultant, software developer, and more

> https://david.mandelberg.org/

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.