Re: [secdir] SECDIR review of draft-ietf-pals-mpls-tp-pw-over-bidir-lsp-08

"Christian Huitema" <huitema@huitema.net> Thu, 30 June 2016 04:48 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63C8512D5A2 for <secdir@ietfa.amsl.com>; Wed, 29 Jun 2016 21:48:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4zg5mdl2TyKz for <secdir@ietfa.amsl.com>; Wed, 29 Jun 2016 21:48:35 -0700 (PDT)
Received: from xsmtp01.mail2web.com (xsmtp01.mail2web.com [168.144.250.230]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B53412D8F9 for <secdir@ietf.org>; Wed, 29 Jun 2016 21:48:33 -0700 (PDT)
Received: from [10.5.2.14] (helo=xmail04.myhosting.com) by xsmtp01.mail2web.com with esmtps (TLS-1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.63) (envelope-from <huitema@huitema.net>) id 1bITtr-0006j7-E8 for secdir@ietf.org; Thu, 30 Jun 2016 00:48:32 -0400
Received: (qmail 667 invoked from network); 30 Jun 2016 04:48:26 -0000
Received: from unknown (HELO huitema1) (Authenticated-user:_huitema@huitema.net@[24.16.156.113]) (envelope-sender <huitema@huitema.net>) by xmail04.myhosting.com (qmail-ldap-1.03) with ESMTPA for <draft-ietf-pals-mpls-tp-pw-over-bidir-lsp.all@ietf.org>; 30 Jun 2016 04:48:26 -0000
From: Christian Huitema <huitema@huitema.net>
To: 'Mach Chen' <mach.chen@huawei.com>, iesg@ietf.org, secdir@ietf.org, draft-ietf-pals-mpls-tp-pw-over-bidir-lsp.all@ietf.org
References: <029601d1d259$9d2a1c40$d77e54c0$@huitema.net> <F73A3CB31E8BE34FA1BBE3C8F0CB2AE28CC88BD9@SZXEMA510-MBX.china.huawei.com>
In-Reply-To: <F73A3CB31E8BE34FA1BBE3C8F0CB2AE28CC88BD9@SZXEMA510-MBX.china.huawei.com>
Date: Wed, 29 Jun 2016 21:48:24 -0700
Message-ID: <05cc01d1d28a$a472ecd0$ed58c670$@huitema.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJppj18XNd2LgZk1IOL006eX+38mQFj5NxLnsaorKA=
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/fpa4vO_43CM3mUjCq0bWF_K1zDE>
Subject: Re: [secdir] SECDIR review of draft-ietf-pals-mpls-tp-pw-over-bidir-lsp-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Jun 2016 04:48:36 -0000

On Wednesday, June 29, 2016 7:39 PM, Mach Chen wrote:
> 
> Hi Christian,
> 
> Thanks for your review and comments!

You are welcome.
 
> Please see my replies inline...
> 
> > -----Original Message-----
> > From: Christian Huitema [mailto:huitema@huitema.net]
> > Sent: Thursday, June 30, 2016 6:57 AM
> > To: iesg@ietf.org; secdir@ietf.org;
> > draft-ietf-pals-mpls-tp-pw-over-bidir-lsp.all@ietf.org
> > Subject: SECDIR review of draft-ietf-pals-mpls-tp-pw-over-bidir-lsp-08
> >
> > I have reviewed this document as part of the security directorate's
ongoing
> > effort to review all IETF documents being processed by the IESG.  These
> > comments were written primarily for the benefit of the security area
> directors.
> > Document editors and WG chairs should treat these comments just like any
> > other last call comments.
> >
> > The document is ready with 2 nits.
> >
> > The document specifies an extension to the Label Distribution Protocol
(LDP,
> > RFC 5036) to provide bindings between Pseudo Wires (PW) and Label Switch
> > Paths (LSP) established over MPLS-TP (RFC6773). The goal is to ensure
that
> > both directions of the PW are mapped to the same LSP, and thus avoid
> > asymmetric routing. The document specifies additional LDP extensions to
> carry
> > the required information.
> >
> > The security section acknowledges one concern: that attackers could
misuse
> > the option to force a pseudo wire through an unnatural path, either as a
> denial
> > of service attack, or to facilitate traffic interception. The proposed
> mitigation to
> > that attack is essentially "careful Implementation", i.e. only accept
binding
> > requests where the LSP endpoints match the PW endpoints. Should a
> mismatch
> > occur, I assume that the endpoint will reject the proposed binding, as
> specified
> > in section 5, PSN Binding Operation for MS-PW.
> >
> > And here is one nit: I would like to see the verification behavior
specified as
> part
> > of the binding operations, rather than merely mentioned in the security
> section.
> 
> OK, how about adding the following text?
> 
> For SS-PW:
> "In addition, if the received PSN tunnel/LSP end points do not match the
PW
> end points, PE2 MUST reply with a Label Release message with status code
set
> to "Reject - unable to use the suggested tunnel/LSPs" (TBD4) and the
received
> PSN Tunnel Binding TLV MUST also be carried."

Yes.

> For MS-PW:
> "In addition, if the received PSN tunnel/LSP end points do not match the
PW
> Segment end points, the receiving PE MUST reply with a Label Release
> message with status code set to "Reject - unable to use the suggested
> tunnel/LSPs" (TBD4) and the received PSN Tunnel Binding TLV MUST also be
> carried."

Yes, that works.

> > Also, is there a specific error case for the security failure, or just
the generic
> > error message?
> 
> Since this is a potential attack, seems it is safer not to deliver more
specific
> reason to the attacker. I think the generic error message is sufficient.
How do
> you think?

OK.

> > The next nit is tied to the general security profile of LDP, which is
specified to
> > use TCP(MD5). There is no expectation of privacy for LDP data.
> > I am not sure that the new extensions increase the "privacy surface" of
LDP.
> > They do carry global identifiers of source and destination, and inform
about
> the
> > path of packets between these destinations, and it seems that
adversaries
> > could use that for monitoring and targeting purposes. But it is possible
that
> the
> > information is already present in LDP. A note to that effect in the
security
> > section would have been nice.
> 
> Actually, the information is already present in both sides of the LDP
session,
> otherwise the receiving PE cannot bind/match/compare those IDs. IMHO, this
> new extension does not increase the "privacy surface" of LDP.
> 
> The aforementioned information is not special/different from other
> information (e.g., the FECs, Labels, PE addresses, etc.) that are already
> transmitted over the LDP session. I'm incline to not add extra text here
if you
> are OK with it.

If you do not actually increase the privacy surface, then yes, that's OK. 

-- Christian Huitema