Re: [secdir] Security review of draft-ietf-isis-extended-sequence-no-tlv-04

Uma Chunduri <> Wed, 01 April 2015 22:07 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 833FA1A8799; Wed, 1 Apr 2015 15:07:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JQvx7k0wAO1p; Wed, 1 Apr 2015 15:07:49 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CD7501A8773; Wed, 1 Apr 2015 15:07:48 -0700 (PDT)
X-AuditID: c6180641-f790b6d000004359-24-551c09dc1be0
Received: from (Unknown_Domain []) by (Symantec Mail Security) with SMTP id DF.42.17241.CD90C155; Wed, 1 Apr 2015 17:08:12 +0200 (CEST)
Received: from ([]) by ([]) with mapi id 14.03.0210.002; Wed, 1 Apr 2015 18:07:41 -0400
From: Uma Chunduri <>
To: "Adam W. Montville" <>, The IESG <>, "" <>, "" <>
Thread-Topic: Security review of draft-ietf-isis-extended-sequence-no-tlv-04
Thread-Index: AQHQbH/Zhsqwc8PAg0OvMaxLgCljg504XO/g
Date: Wed, 01 Apr 2015 22:07:40 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_1B502206DFA0C544B7A60469152008633F61E19Feusaamb105erics_"
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrNLMWRmVeSWpSXmKPExsUyuXRPrO4dTplQg2cnZCy2PGxjsdh38x27 xYw/E5ktPix8yOLA4rFz1l12jyVLfjJ5fLn8mS2AOYrLJiU1J7MstUjfLoEr49LB/YwF6xoZ K67MiG9gXJHbxcjJISFgIjH53A1mCFtM4sK99WxdjFwcQgJHGSXeP3/MBOEsY5T4Mn8uE0gV m4CexMepP9lBEiIC3xglfj6ezAKSEBbwlvjU3cYGYosI+EhsnvSYHcI2kth07iRYM4uAisS6 SxA1vAK+Ep8+ngVbLSRgI3Fs406wek4BW4l5OyBmMgKd9P3UGrBeZgFxiVtP5jNBnCogsWTP eaizRSVePv7HCmErSuzrnw40hwOoPl/i7XF2iFWCEidnPmGZwCgyC8mkWQhVs5BUQZToSCzY /YkNwtaWWLbwNTOMfebAYyZk8QWM7KsYOUqLU8ty040MNzECY+uYBJvjDsYFnywPMQpwMCrx 8D6QkA4VYk0sK67MPcQozcGiJM5bduVgiJBAemJJanZqakFqUXxRaU5q8SFGJg5OqQbGjotC 4V3WG6cXNU8PfqIeLpyu8n17ytJ37GsyO+642U89lNqwsPx1m8yz49XPWT0XBMQ8Oxc+/8Dq z1JWUoJ3Ck+vMeVTPPBvedWpu1Ofn321t3kWR+i6tYY729dOOXnF2Pz7DJupiRKq/+XDolct OlghGqdyL+Ozov6iQrbTmq43z4V/vZzQqMRSnJFoqMVcVJwIALXdQE2OAgAA
Archived-At: <>
X-Mailman-Approved-At: Wed, 01 Apr 2015 15:11:11 -0700
Subject: Re: [secdir] Security review of draft-ietf-isis-extended-sequence-no-tlv-04
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 01 Apr 2015 22:07:53 -0000

Hi Adam,

Thanks for your review and suggestions.
Please see my replies in-line [Uma]:

-----Original Message-----
From: Adam W. Montville []
Sent: Wednesday, April 01, 2015 6:29 AM
To: The IESG;;
Subject: Security review of draft-ietf-isis-extended-sequence-no-tlv-04

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.

This draft is ready with issues.

There are two circumstances within IS-IS that are subject to replay attacks.  One can happen when adjacencies are brought up and an IS sends an IIH (hello).  The other circumstance pertains to replaying CSNP, which may cause replay of PSNP and thus cause LSP flooding.

This draft proposes a sequence to mitigate replay attacks in both circumstances.  The structure of the sequence is defined as a new TLV called "ESN TLV".  It constists of the three fields, Type, Length, and Value, where Value is to be interpreted as two separate fields.  These two fields are known as Extended Session Sequence Number (ESSN; a 64-bit value, which is non-zero and unsigned), and Packet Sequence Number (PSN; a 32-bit value).  A given ESN is associated with a particular Protocol Data Unit (PDU).  A PDU, therefore, "has" an ESSN, which is associated with a monotonically increasing PSN.  If the PSN wraps or if the device needs to be restarted, then the next ESSN must be larger than the previous ESSN.

This is where I see a potential issue, but maybe I'm missing a limit of practicality.  What happens when the ESSN is at 2^64-1 and needs to increment?  Granted that's a large number, so it might be the case that under no practical circumstance would the ESSN ever become that large; but, if that's the case, then it might be best to state so in the draft.

[Uma]: As you stated though this is possible theoretically, it is almost impractical if the right method of encoding is used. For every PDU only 32-bit PSN  increases and only when it wraps ESSN value  is incremented. There are two approaches specified in Appendix (only as mere guidelines) of this draft to encode ESSN (64-bit) value.  If timestamps are used (Appendix A.1) to encode this value I don't see the possibility for this to happen before the lifetime of the router perhaps.  However, in Appendix A.2, non-volatile storage (Page 7)  it's clearly stated that -
    "If the non-volatile
   storage is ever repaired or upgraded such that the contents are lost,
   keys MUST be changed to prevent replay attacks."

In the Appendix, the draft also goes into how timestamps may be leveraged (which are potentially more effective at mitigating replay attacks than are sequences), but does not clearly indicate how neighbors would negotiate the use of timestamps or how exactly the timestamps would be used or which format then must be used (a suggestion to look at RFC5905 is made).

[Uma]:  Appendix only proposes to use timestamps as a potential approach to encode the ESSN field of the TLV to get the ever increasing property in all cases. Please  note the approach for replay attack mitigation here is Extended Sequence numbers as specified in the TLV.  There could be and may be more mechanisms to solve the same problem at hand but those are beyond the scope of this document. There is *no negotiation* required with neighbor on how to encode this value. This is purely a local matter as long as the "ever increasing" property is maintained, when 32-bit PSN is ever wrapped/cold-restart cases as explained in section 3.1.

There may be valid operational reasons to favor a sequence over timestamps for replay mitigation, but such considerations appear absent in this draft.  Is there a reason timestamps are being avoided as the replay mitigation solution?

[Uma]: As I said above sequence number mechanism is the chosen option to solve the problem. For example, IS-IS LSP PDU already has 32-bit sequence number, which can effectively  being used also for mitigating intra-session replay attacks.  The current method is to extend this approach to prevent inter and intra session replay attacks for non-LSP PDUs.  IMO, other possible methods to solve this problem (as you mentioned time stamps, frequent key changes through a key management protocol etc..) is beyond the scope of the current work.


There was at least one area of the text that could probably be clarified for the sake of non-security-familiar folks. The paragraph in section 2.1 could be changed as follows, to make clear that the authenticated case of IIH is where mitigation can be made.

At the time of adjacency bring up an IS sends IIH packet with empty neighbor list (TLV 6) and with or without the authentication information as per provisioned authentication mechanism.  If this packet is replayed later on the broadcast network all ISes in the broadcast network can bounce the adjacency to create a huge churn in the network.

When an adjacency is brought up an IS sends an IIH packet with an empty neighbor list (TLV 6), which can be sent with or without authentication information.  Packets can be replayed later on the broadcast network which may cause all ISes to bounce the adjacency, thus churning the network.  Note that mitigating replay is only possible when authentication information is present.

[Uma]: Sure, I shall change the text as you suggested. Thank you.

In general, I recommend reviewing the draft for clarity.

Kind regards,