Re: [secdir] SECDIR review of draft-ietf-pals-mpls-tp-pw-over-bidir-lsp-08
"Christian Huitema" <huitema@huitema.net> Thu, 30 June 2016 04:48 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63C8512D5A2 for <secdir@ietfa.amsl.com>; Wed, 29 Jun 2016 21:48:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4zg5mdl2TyKz for <secdir@ietfa.amsl.com>; Wed, 29 Jun 2016 21:48:35 -0700 (PDT)
Received: from xsmtp01.mail2web.com (xsmtp01.mail2web.com [168.144.250.230]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B53412D8F9 for <secdir@ietf.org>; Wed, 29 Jun 2016 21:48:33 -0700 (PDT)
Received: from [10.5.2.14] (helo=xmail04.myhosting.com) by xsmtp01.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1bITtr-0006j7-E8 for secdir@ietf.org; Thu, 30 Jun 2016 00:48:32 -0400
Received: (qmail 667 invoked from network); 30 Jun 2016 04:48:26 -0000
Received: from unknown (HELO huitema1) (Authenticated-user:_huitema@huitema.net@[24.16.156.113]) (envelope-sender <huitema@huitema.net>) by xmail04.myhosting.com (qmail-ldap-1.03) with ESMTPA for <draft-ietf-pals-mpls-tp-pw-over-bidir-lsp.all@ietf.org>; 30 Jun 2016 04:48:26 -0000
From: Christian Huitema <huitema@huitema.net>
To: 'Mach Chen' <mach.chen@huawei.com>, iesg@ietf.org, secdir@ietf.org, draft-ietf-pals-mpls-tp-pw-over-bidir-lsp.all@ietf.org
References: <029601d1d259$9d2a1c40$d77e54c0$@huitema.net> <F73A3CB31E8BE34FA1BBE3C8F0CB2AE28CC88BD9@SZXEMA510-MBX.china.huawei.com>
In-Reply-To: <F73A3CB31E8BE34FA1BBE3C8F0CB2AE28CC88BD9@SZXEMA510-MBX.china.huawei.com>
Date: Wed, 29 Jun 2016 21:48:24 -0700
Message-ID: <05cc01d1d28a$a472ecd0$ed58c670$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJppj18XNd2LgZk1IOL006eX+38mQFj5NxLnsaorKA=
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/fpa4vO_43CM3mUjCq0bWF_K1zDE>
Subject: Re: [secdir] SECDIR review of draft-ietf-pals-mpls-tp-pw-over-bidir-lsp-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jun 2016 04:48:36 -0000
On Wednesday, June 29, 2016 7:39 PM, Mach Chen wrote: > > Hi Christian, > > Thanks for your review and comments! You are welcome. > Please see my replies inline... > > > -----Original Message----- > > From: Christian Huitema [mailto:huitema@huitema.net] > > Sent: Thursday, June 30, 2016 6:57 AM > > To: iesg@ietf.org; secdir@ietf.org; > > draft-ietf-pals-mpls-tp-pw-over-bidir-lsp.all@ietf.org > > Subject: SECDIR review of draft-ietf-pals-mpls-tp-pw-over-bidir-lsp-08 > > > > I have reviewed this document as part of the security directorate's ongoing > > effort to review all IETF documents being processed by the IESG. These > > comments were written primarily for the benefit of the security area > directors. > > Document editors and WG chairs should treat these comments just like any > > other last call comments. > > > > The document is ready with 2 nits. > > > > The document specifies an extension to the Label Distribution Protocol (LDP, > > RFC 5036) to provide bindings between Pseudo Wires (PW) and Label Switch > > Paths (LSP) established over MPLS-TP (RFC6773). The goal is to ensure that > > both directions of the PW are mapped to the same LSP, and thus avoid > > asymmetric routing. The document specifies additional LDP extensions to > carry > > the required information. > > > > The security section acknowledges one concern: that attackers could misuse > > the option to force a pseudo wire through an unnatural path, either as a > denial > > of service attack, or to facilitate traffic interception. The proposed > mitigation to > > that attack is essentially "careful Implementation", i.e. only accept binding > > requests where the LSP endpoints match the PW endpoints. Should a > mismatch > > occur, I assume that the endpoint will reject the proposed binding, as > specified > > in section 5, PSN Binding Operation for MS-PW. > > > > And here is one nit: I would like to see the verification behavior specified as > part > > of the binding operations, rather than merely mentioned in the security > section. > > OK, how about adding the following text? > > For SS-PW: > "In addition, if the received PSN tunnel/LSP end points do not match the PW > end points, PE2 MUST reply with a Label Release message with status code set > to "Reject - unable to use the suggested tunnel/LSPs" (TBD4) and the received > PSN Tunnel Binding TLV MUST also be carried." Yes. > For MS-PW: > "In addition, if the received PSN tunnel/LSP end points do not match the PW > Segment end points, the receiving PE MUST reply with a Label Release > message with status code set to "Reject - unable to use the suggested > tunnel/LSPs" (TBD4) and the received PSN Tunnel Binding TLV MUST also be > carried." Yes, that works. > > Also, is there a specific error case for the security failure, or just the generic > > error message? > > Since this is a potential attack, seems it is safer not to deliver more specific > reason to the attacker. I think the generic error message is sufficient. How do > you think? OK. > > The next nit is tied to the general security profile of LDP, which is specified to > > use TCP(MD5). There is no expectation of privacy for LDP data. > > I am not sure that the new extensions increase the "privacy surface" of LDP. > > They do carry global identifiers of source and destination, and inform about > the > > path of packets between these destinations, and it seems that adversaries > > could use that for monitoring and targeting purposes. But it is possible that > the > > information is already present in LDP. A note to that effect in the security > > section would have been nice. > > Actually, the information is already present in both sides of the LDP session, > otherwise the receiving PE cannot bind/match/compare those IDs. IMHO, this > new extension does not increase the "privacy surface" of LDP. > > The aforementioned information is not special/different from other > information (e.g., the FECs, Labels, PE addresses, etc.) that are already > transmitted over the LDP session. I'm incline to not add extra text here if you > are OK with it. If you do not actually increase the privacy surface, then yes, that's OK. -- Christian Huitema
- Re: [secdir] SECDIR review of draft-ietf-pals-mpl… Mach Chen
- Re: [secdir] SECDIR review of draft-ietf-pals-mpl… Mach Chen
- Re: [secdir] SECDIR review of draft-ietf-pals-mpl… Christian Huitema
- [secdir] SECDIR review of draft-ietf-pals-mpls-tp… Christian Huitema
- Re: [secdir] SECDIR review of draft-ietf-pals-mpl… Mach Chen
- Re: [secdir] SECDIR review of draft-ietf-pals-mpl… Andrew G. Malis