Re: [secdir] Secdir last call review of draft-ietf-roll-efficient-npdao-10
Rahul Arvind Jadhav <rahul.jadhav@huawei.com> Sat, 25 May 2019 02:19 UTC
Return-Path: <rahul.jadhav@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC3111200D6; Fri, 24 May 2019 19:19:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id klMmgoaOEuvC; Fri, 24 May 2019 19:19:54 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E2C421200B2; Fri, 24 May 2019 19:19:53 -0700 (PDT)
Received: from lhreml702-cah.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id 3D658702811EBA2B322A; Sat, 25 May 2019 03:19:52 +0100 (IST)
Received: from BLREML701-CAH.china.huawei.com (10.20.4.170) by lhreml702-cah.china.huawei.com (10.201.108.43) with Microsoft SMTP Server (TLS) id 14.3.408.0; Sat, 25 May 2019 03:19:51 +0100
Received: from BLREML503-MBX.china.huawei.com ([169.254.9.12]) by blreml701-cah.china.huawei.com ([::1]) with mapi id 14.03.0439.000; Sat, 25 May 2019 07:49:41 +0530
From: Rahul Arvind Jadhav <rahul.jadhav@huawei.com>
To: Brian Weis <bew.stds@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-roll-efficient-npdao.all@ietf.org" <draft-ietf-roll-efficient-npdao.all@ietf.org>, "roll@ietf.org" <roll@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-roll-efficient-npdao-10
Thread-Index: AQHVEF+kPZOse9hlP0Gpjn3Hi0irHKZ7FCTQ
Date: Sat, 25 May 2019 02:19:40 +0000
Message-ID: <982B626E107E334DBE601D979F31785C5DEC4384@BLREML503-MBX.china.huawei.com>
References: <155850309037.2348.11704172157194914151@ietfa.amsl.com>
In-Reply-To: <155850309037.2348.11704172157194914151@ietfa.amsl.com>
Accept-Language: en-IN, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.18.157.44]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/dZ70hVvnfJhMTPUG-RjJ6MFXUlM>
Subject: Re: [secdir] Secdir last call review of draft-ietf-roll-efficient-npdao-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 May 2019 02:19:56 -0000
Thanks Brian for the review. The comments will be addressed in the next draft update. > -----Original Message----- :::: > > >From a security considerations perspective then, we can’t usually > >expect more > than for a node to validate that a trusted peer has sent this data. RPL can > validate this using a MAC (keyed by either a group or pair-wise key, or a > digital signature. This document describes these options, and this is good. > However, note that there doesn't seem to be a facility for verifying that any > part of the message propagated by a "peer of a peer", etc. is accurate. > > However, I believe that the network flow of this DCO brings in some > additional risks in the context of a distance vector protocol. The security > considerations does mention that a rogue ancestor could imitate a malicious > route invalidation, and that’s a good statement. But I think the risk goes > beyond that. > > This document adds a signal (the “I” bit) to an upstream RPL routing message. > This “I” bit indicates that any ancestor should invalidate any previous routes > that it has. The intent is for the node initiating a legitimate routing change to > request an ancestor having more than one downstream route to that node > to send a DCO down the old route. But if any node along the path can create > this header, then not only the initiating node can add the "I" bit — any > malicious node forwarding the RPL frame upstream can also add it. That > would (I think for the first time) allow a malicious node to explicitly cause > another off-path route to be destroyed — potentially leaving a target with > no routes to it at all. This attack should be described in the security > considerations as a risk. [RJ] Yes this risk will be added in the security considerations. Thank you for noticing this point. > It’s at a very least a problem when all of the nodes share a MAC key, and if > I’m correct that only neighbor MACs or signatures are verified in RPL then it’s > a problem even if the secure version of messages is deployed because a > “peer of a peer” or earlier node could have added the “I” bit. > > Another aspect of this new network flow is that previously a node could have > protected itself from attacks deleting routes by only accepting a change of > route from an adjacency representing the routed path. Spoofed “delete path” > messages could be ignored from other adjacencies. That seems no longer > possible with the DCO, since by definition it comes downstream rather than > upstream direction from the node (possibly) changing its routes. If there’s > any operational mitigation possible by which a node could protect itself > against spoofed “delete path” messages then this should be added to > security considerations. [RJ] Even with DCO traversing downstream, the adjacencies have to be verified i.e., the nodes in the path sending the DCO needs to have the routing entry for the target node along with the right state information (in the form of Path Sequence).
- [secdir] Secdir last call review of draft-ietf-ro… Brian Weis via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Rahul Arvind Jadhav