IETF Logo Mail Archive

[secdir] secdir review of draft-ietf-lisp-gpe

Christopher Wood <christopherwood07@gmail.com> Sun, 09 September 2018 18:26 UTC

Return-Path: <christopherwood07@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 305FA130DCD; Sun, 9 Sep 2018 11:26:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.75
X-Spam-Level:
X-Spam-Status: No, score=-1.75 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t9jc5wavLaz5; Sun, 9 Sep 2018 11:26:30 -0700 (PDT)
Received: from mail-it0-x22d.google.com (mail-it0-x22d.google.com [IPv6:2607:f8b0:4001:c0b::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ABE0F1200D7; Sun, 9 Sep 2018 11:26:30 -0700 (PDT)
Received: by mail-it0-x22d.google.com with SMTP id p79-v6so26788831itp.3; Sun, 09 Sep 2018 11:26:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to :content-transfer-encoding; bh=u9961goe8+nxsMpyzOrvVAXFMKLZndG7kiWtwzwx2d8=; b=ng6oMK4NheyruwrW0z2LR1CQU07BoSZ+s4PySpsejvKz6NIbdhymJcUi3Y6pUBhQjj 2pBSNcFXQoDsvdR2xqaAKOXrqKJdM8SSQq0q+Ve0Kc/wYMmdiCfTbBjQqWnmQhSRPw6k FR086pl+ynQSSpQJBMUkv2XUmqMacBWKPMg8rRClJWXff6+EBzMuX/k1XtN6uX1wHClV 9i3Ymz+IhQi3bO4u2Ykwr5BS8cvmqTXojmgafRGvCA4JIV2xfsxfjV0MbcmLsxxO0ScL e8UCeEcOuKppjF+GFc2gpO4nRCE3SMTmgtl6suj7beiYtL4xUXSP/Irbzuw5Lil8Fiho DX7g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-transfer-encoding; bh=u9961goe8+nxsMpyzOrvVAXFMKLZndG7kiWtwzwx2d8=; b=EbFKjf4b9UucQdF8cqPpg0lVQ8gU2CminbmyVvu/VofkTX2dMmmNINZkuG+2CA2uj3 pvhyx58eB4z4m8dkD50jqJ/eSHG7ldD7aRNlpZnbv/cSz2h3uOFT4dQ4IHDnHyZjcz9O /Uleaznff3qZZUGBx4n5/8K/T5jLrFe1F1lQcAhylpyoz+GCV9oU61ZTkJxrfcTzgI1F Kr7hYMD7VK6IPUSF+a/T9W9YdUA9/ARmZZZXg112Dvkdg+kglX9MuYYb4LtjVxPMNIUK Njs8T86+cO8WxQHGPyoeA0uQ4cbk27to0XkIFb11/fz2lE0PHf42M0ZADr4sF8f6XAZC N5XA==
X-Gm-Message-State: APzg51AdNXhsMpwPVX/rVEDy2gGVOsj8UaMkxQIhdOaR2nRYkiUzo58i FPiuy9XYTwPItdPPCiMXafJV5rSsPlozOU/VyF8XMjrV
X-Google-Smtp-Source: ANB0VdbmAHU/uhgO2BdknhB7oKXkpvXfTGcIgbmwk5iwGmBjfD9+6XiRXxBH0dqdhE5Yv+KgUO19w1++1TV488YYV1Y=
X-Received: by 2002:a24:98d6:: with SMTP id n205-v6mr15961712itd.44.1536517589529; Sun, 09 Sep 2018 11:26:29 -0700 (PDT)
MIME-Version: 1.0
From: Christopher Wood <christopherwood07@gmail.com>
Date: Sun, 09 Sep 2018 11:26:18 -0700
Message-ID: <CAO8oSXkv2RAL5w8oG4yY7EZNujsc+nZYmaf+OdCjOzmkY2dnTg@mail.gmail.com>
To: The IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-lisp-gpe.all@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/dKrH5JVzVaqAGksfxgPLz1-Mms4>
Subject: [secdir] secdir review of draft-ietf-lisp-gpe
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Sep 2018 18:26:32 -0000

Hello,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

   The summary of my review is: Ready with issues.

The proposed extension mechanism is simple to understand. However, my
main concern is regarding the nonce size reduction and implications on
LISP. While the threat models (on-path and off-path) do not change
with this extension, the probability of some off-path attacks might
change. Specifically, the probability of correctly guessing a 16 bit
nonce is not negligible. This might make attacks in which an adversary
tries to convince an ITR of reachability to an otherwise unreachable
ETR more likely. From [1], an ITR that sees the nonce echoed correctly
“knows that the path to and from the ETR is up.” Thus, I think some
discussion of this is necessary in the security considerations.

Beyond that, I have the following minor comments and nits:

- UDP checksums seem to be the only mechanism in place that give ITRs
and ETRs a means of checking datagram integrity. Of course, this means
an on-path adversary can muck with the g-Bit from Section 4.1 so as to
prevent use of the GPE mechanism. This is not new with this extension,
though a comment on the issue might be useful, e.g., in the security
considerations.
- It would be helpful to include packet diagrams similar to Figure 2
wherein (1) P and V are set and (2) only P is set. While I don’t find
the text misleading or confusing, a figure might help other readers.

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |N|L|E|1|I|1|K|K|   Source MV   |    Dest MV    | Next Protocol |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                 Instance ID/Locator-Status-Bits               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

        0                   1                   2                   3
        0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |0|L|0|0|I|1|K|K|           ... 0 ...           | Next Protocol |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
       |                 Instance ID/Locator-Status-Bits               |
       +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

- In Section 4, where it states, "A LISP-GPE router MUST NOT
encapsulate non-IP packets to a non LISP-GPE capable router," I might
replace "to a non LIST-GPE capable router" with "when the P-bit is set
to 0."

[1] https://tools.ietf.org/html/draft-ietf-lisp-rfc6830bis-16#section-10.1

v2.23.0 | Report a Bug | By Email