[secdir] Security review of draft-ietf-teas-sr-rsvp-coexistence-rec-02
"Hilarie Orman" <hilarie@purplestreak.com> Fri, 20 April 2018 21:35 UTC
Return-Path: <hilarie@purplestreak.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85FFC127023; Fri, 20 Apr 2018 14:35:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.62
X-Spam-Level:
X-Spam-Status: No, score=-2.62 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MfyQ2IuxpHbm; Fri, 20 Apr 2018 14:35:14 -0700 (PDT)
Received: from out02.mta.xmission.com (out02.mta.xmission.com [166.70.13.232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C5B61243FE; Fri, 20 Apr 2018 14:35:14 -0700 (PDT)
Received: from in02.mta.xmission.com ([166.70.13.52]) by out02.mta.xmission.com with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.87) (envelope-from <hilarie@purplestreak.com>) id 1f9dgW-0002n8-Ul; Fri, 20 Apr 2018 15:35:12 -0600
Received: from [72.250.219.84] (helo=rumpleteazer.rhmr.com) by in02.mta.xmission.com with esmtpsa (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.87) (envelope-from <hilarie@purplestreak.com>) id 1f9dgW-0001tZ-4R; Fri, 20 Apr 2018 15:35:12 -0600
Received: from rumpleteazer.rhmr.com (localhost [127.0.0.1]) by rumpleteazer.rhmr.com (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id w3KLYmVi016976; Fri, 20 Apr 2018 15:34:48 -0600
Received: (from hilarie@localhost) by rumpleteazer.rhmr.com (8.14.4/8.14.4/Submit) id w3KLYlMY016971; Fri, 20 Apr 2018 15:34:47 -0600
Date: Fri, 20 Apr 2018 15:34:47 -0600
Message-Id: <201804202134.w3KLYlMY016971@rumpleteazer.rhmr.com>
From: Hilarie Orman <hilarie@purplestreak.com>
Reply-To: Hilarie Orman <hilarie@purplestreak.com>
To: iesg@ietf.org, secdir@ietf.org
Cc: draft-ietf-teas-sr-rsvp-coexistence-rec.all@tools.ietf.org
X-XM-SPF: eid=1f9dgW-0001tZ-4R; ; ; mid=<201804202134.w3KLYlMY016971@rumpleteazer.rhmr.com>; ; ; hst=in02.mta.xmission.com; ; ; ip=72.250.219.84; ; ; frm=hilarie@purplestreak.com; ; ; spf=none
X-XM-AID: U2FsdGVkX18HCnAlTyyablYDE/Y8vUMN
X-SA-Exim-Connect-IP: 72.250.219.84
X-SA-Exim-Mail-From: hilarie@purplestreak.com
X-Spam-DCC: XMission; sa06 1397; Body=1 Fuz1=1 Fuz2=1
X-Spam-Combo: ****;iesg@ietf.org, secdir@ietf.org
X-Spam-Relay-Country:
X-Spam-Timing: total 483 ms - load_scoreonly_sql: 0.04 (0.0%), signal_user_changed: 2.9 (0.6%), b_tie_ro: 1.90 (0.4%), parse: 1.08 (0.2%), extract_message_metadata: 4.3 (0.9%), get_uri_detail_list: 1.61 (0.3%), tests_pri_-1000: 3.1 (0.6%), tests_pri_-950: 1.43 (0.3%), tests_pri_-900: 1.16 (0.2%), tests_pri_-400: 20 (4.1%), check_bayes: 19 (3.8%), b_tokenize: 6 (1.2%), b_tok_get_all: 6 (1.2%), b_comp_prob: 2.5 (0.5%), b_tok_touch_all: 2.5 (0.5%), b_finish: 0.64 (0.1%), tests_pri_0: 443 (91.6%), check_dkim_signature: 0.46 (0.1%), check_dkim_adsp: 219 (45.3%), tests_pri_500: 4.4 (0.9%), rewrite_mail: 0.00 (0.0%)
X-SA-Exim-Version: 4.2.1 (built Thu, 05 May 2016 13:38:54 -0600)
X-SA-Exim-Scanned: Yes (on in02.mta.xmission.com)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/dDKJt5s_arSNRC5toifxM3YoBPw>
Subject: [secdir] Security review of draft-ietf-teas-sr-rsvp-coexistence-rec-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Apr 2018 21:35:16 -0000
Security review of Recommendations for RSVP-TE and Segment Routing LSP co-existence draft-ietf-teas-sr-rsvp-coexistence-rec-02 Do not be alarmed. I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. When two independent protocols are used to manage bandwidth on one shared link, the problem of efficient use of the total bandwidth will depend on how much information the traffic engineering database has about the utilization and reservations handled by the two protocols. This situation occurs when RSVP-TE and Segment Routing LSP are used simultaneously. The draft rules out centralized controllers for RSVP-TE as an option. It also notes that the co-existence of two protocols might be a temporary situation arising during a transition from RSVP-TE to SR LSP. This seems to imply that the recommendations are a stopgap measure. Although there is a claim of "no new security considerations", I think that the proposed solution, of giving SR traffic demands the best preemption priority in the network, could be a problem in terms of covert channels and denial of service. If the adjustments in the TED result in any observable change in traffic patterns, then a malicious party might be able to infer usage on an SR channel or even disrupt the RSVP-TE channels by driving up demand on the SR channel. Moreover, it might be possible to send the traffic management algorithms into some kind of resonance crisis by increasing and diminishing demand rapidly. Although the proposed solution has a damping factor, I would be concerned about systems operating in parallel that might exhibit second order effects. Could the draft address the security and stability concerns in some reassuring way? Like, "don't let this happen"? In section 3.5, this sentence threw me for a loop: However, changing the maximum bandwidth for the TE link will prevent any compute engine for SR or RSVP to decipher the real static bandwidth of the TE link After rereading it several times, I think that "decipher" has no cryptographic significance and should be replaced by "determine" or "measure", and rewritten in the form "will prevent any compute engine ... from determining ...". Hilarie
- [secdir] Security review of draft-ietf-teas-sr-rs… Hilarie Orman
- Re: [secdir] Security review of draft-ietf-teas-s… Harish Sitaraman
- Re: [secdir] Security review of draft-ietf-teas-s… Hilarie Orman