Re: [secdir] [Roll] Secdir last call review of draft-ietf-roll-turnon-rfc8138-12

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Mon, 07 September 2020 06:24 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Routing Over Low power and Lossy networks <roll@ietf.org>
CC: "draft-ietf-roll-turnon-rfc8138.all@ietf.org" <draft-ietf-roll-turnon-rfc8138.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Date: Mon, 07 Sep 2020 06:24:17 +0000
Message-ID: <MWHPR16MB15357DAE2C99DCB5242F744BEA280@MWHPR16MB1535.namprd16.prod.outlook.com>
In-Reply-To: <1440.1599410092@localhost>
Subject: Re: [secdir] [Roll] Secdir last call review of draft-ietf-roll-turnon-rfc8138-12
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/we0QJyLwdX_MeupoBx_YP1KeWhU>

> -----Original Message-----
> From: secdir <secdir-bounces@ietf.org> On Behalf Of Michael Richardson
> Sent: Sunday, September 6, 2020 10:05 PM
> To: Routing Over Low power and Lossy networks <roll@ietf.org>
> Cc: draft-ietf-roll-turnon-rfc8138.all@ietf.org; secdir@ietf.org
> Subject: Re: [secdir] [Roll] Secdir last call review of draft-ietf-roll-turnon-rfc8138-12
> 
> 
> Thank you for the review.
> 
> Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
> wrote:
>     > [1] You may want to clarify how the attacker manages to modify a
>     > protected configuration including the "T" flag introduced in this
>     > spec.
> 
> Every router within every routing protocol can do wrong things :-) RPL is an
> IGP, so all routers are within the same security control, and at the same level.
> 
> An attacker would have to introduce malware into the device to modify data.
> RFC7416 lays out all of these threats: they are no different for the T-bit than
> other bits.

Got it. A reference to RFC7416 will be helpful to understand the threat model.

> 
>     > [2] Is it possible to identify the attacker (or compromised router) who
>     > set the "T" flag, in order to take remediation measures?
> 
> Maybe. Probably not.
> There are few things we can do within any routing protocol to identify
> misbehaving routers.

Please add a reference to the techniques that can be used to detect misbehaving routers.

> 
>     > [3] If due to a human error one or more of the on-path routers are not
>     > upgraded, or if a router sees both settings, I presume an alert could
>     > be sent to the network management for troubleshooting. You may want
>     > to add text to discuss the same.
> 
> At present, RPL does not include a standard off-path alerting mechanism.
> This remains a todo item for the WG.
> Some use NETCONF or HTTP to collect statistics in a proprietary way.

I think a proprietary way can also be discussed to showcase the current practices for troubleshooting.

> We can send ICMPs, but since this affects how the packets are encoded, we
> likely can't send an ICMP to a relevant router, just one hop in the direction it
> came from.

>     > [4] What do you mean by "subDAG" (I don't see any definition in this
>     > spec and RFC8138)?
> 
> It's a sub-portion of a DAG. A sub-tree.

Okay, you may want to expand "subDAG".

-Tiru

> 
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>            Sandelman Software Works Inc, Ottawa and Worldwide
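Point [3] of the review above asks what a router could do when it sees both settings of the "T" flag from its neighbours. The following is an added illustration, written for this archive and not code from the draft, from RFC 8138, or from either participant: a small audit routine that parses the DODAG Configuration option of received DIO messages, compares the "T" bit of each neighbour against the operator's intended setting, and produces alert strings that a management agent could forward (the thread notes that RPL has no standard alerting path, so this is the local check, not the transport). The option layout follows RFC 6550 (Type 0x04, length 14, Flags/A/PCS in the first body byte); the position of the "T" flag (flag position 2, mask 0x20) is an assumption taken from the draft under review and is not stated in this thread. The neighbour addresses and option contents are constructed sample data.

```python
"""Constructed example: auditing the "T" flag in RPL DODAG Configuration options.

Not part of the draft or RFC 8138; layout of the option is per RFC 6550, the
T-flag bit position is assumed (flag position 2 of the Flags field).
"""
from dataclasses import dataclass
from typing import Dict, List

DODAG_CONFIG_TYPE = 0x04   # RFC 6550 option type for DODAG Configuration
DODAG_CONFIG_LEN = 14      # RFC 6550 option length for DODAG Configuration
T_FLAG_MASK = 0x20         # assumption: "T" occupies flag position 2 (MSB-first)
A_FLAG_MASK = 0x08         # RFC 6550 "A" (authentication enabled) flag


@dataclass
class DodagConfig:
    t_flag: bool
    a_flag: bool
    pcs: int
    min_hop_rank_increase: int
    ocp: int


def parse_dodag_config(option: bytes) -> DodagConfig:
    """Decode a DODAG Configuration option (type and length bytes included)."""
    if len(option) < 2 or option[0] != DODAG_CONFIG_TYPE:
        raise ValueError("not a DODAG Configuration option")
    if option[1] != DODAG_CONFIG_LEN or len(option) < 2 + DODAG_CONFIG_LEN:
        raise ValueError("bad DODAG Configuration option length")
    body = option[2:2 + DODAG_CONFIG_LEN]
    return DodagConfig(
        t_flag=bool(body[0] & T_FLAG_MASK),
        a_flag=bool(body[0] & A_FLAG_MASK),
        pcs=body[0] & 0x07,
        min_hop_rank_increase=int.from_bytes(body[6:8], "big"),
        ocp=int.from_bytes(body[8:10], "big"),
    )


def build_dodag_config(t_flag: bool, a_flag: bool = False, pcs: int = 1,
                       ocp: int = 1) -> bytes:
    """Construct a well-formed option for the sample data below (not real traffic)."""
    flags = (T_FLAG_MASK if t_flag else 0) | (A_FLAG_MASK if a_flag else 0) | (pcs & 0x07)
    body = bytes([flags, 8, 12, 10])                      # Flags/A/PCS, IntDoubl, IntMin, Redun
    body += (1792).to_bytes(2, "big")                     # MaxRankIncrease
    body += (256).to_bytes(2, "big")                      # MinHopRankIncrease (RFC 6550 default)
    body += ocp.to_bytes(2, "big") + b"\x00"              # OCP, Reserved
    body += b"\xff" + (0xFFFF).to_bytes(2, "big")         # Default Lifetime, Lifetime Unit
    return bytes([DODAG_CONFIG_TYPE, DODAG_CONFIG_LEN]) + body


def audit_t_flag(observations: Dict[str, bytes], expected_t: bool) -> List[str]:
    """Return one alert per neighbour whose T setting contradicts policy, plus a
    summary alert when the neighbours themselves disagree (the "both settings"
    case from the review)."""
    alerts: List[str] = []
    seen: Dict[str, bool] = {}
    for neighbor, option in sorted(observations.items()):
        try:
            cfg = parse_dodag_config(option)
        except ValueError as exc:
            alerts.append(f"{neighbor}: unparsable DODAG Configuration option ({exc})")
            continue
        seen[neighbor] = cfg.t_flag
        if cfg.t_flag != expected_t:
            alerts.append(f"{neighbor}: T={int(cfg.t_flag)} differs from configured "
                          f"policy T={int(expected_t)}")
    if len(set(seen.values())) > 1:
        alerts.append("mixed T settings seen: " +
                      ", ".join(f"{n}=T{int(t)}" for n, t in sorted(seen.items())))
    return alerts


# Constructed sample: two upgraded neighbours and one that was missed.
SAMPLE_DIO_OPTIONS = {
    "fe80::1": build_dodag_config(t_flag=True),
    "fe80::2": build_dodag_config(t_flag=True),
    "fe80::3": build_dodag_config(t_flag=False),   # not upgraded (constructed)
}

if __name__ == "__main__":
    for line in audit_t_flag(SAMPLE_DIO_OPTIONS, expected_t=True):
        print("ALERT:", line)
```

The check is deliberately local: it only tells the router (or a monitoring agent reading its DIO cache) that something is inconsistent, which is all that can be concluded from the flag itself; as the reply above notes, attributing the inconsistency to a specific misbehaving router is a separate problem.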