[secdir] Secdir review of draft-ietf-ippm-ioam-ipv6-options
Radia Perlman <radiaperlman@gmail.com> Sat, 16 July 2022 00:47 UTC
Return-Path: <radiaperlman@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32018C15790B; Fri, 15 Jul 2022 17:47:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z1Dt_0qEXFLb; Fri, 15 Jul 2022 17:47:20 -0700 (PDT)
Received: from mail-yw1-x1132.google.com (mail-yw1-x1132.google.com [IPv6:2607:f8b0:4864:20::1132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A163AC14792E; Fri, 15 Jul 2022 17:47:20 -0700 (PDT)
Received: by mail-yw1-x1132.google.com with SMTP id 00721157ae682-31d7db3e6e5so61228087b3.11; Fri, 15 Jul 2022 17:47:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:from:date:message-id:subject:to; bh=7umL9wuyEWr/TRs8AdZmwlla5PduOJKYK/ps+mWhYgM=; b=XUP5wU7FHDYWSWOALy9whfT65uZczljXYXdbLSfynNbJq+3o+ySx4BFfc5TuLbqswH ApwoBEhUtRBqfX1I2QtmlJ8NwB0At0OFixr27ukRoRJPudmh4mxaB36BTmcTJ0DSpfhE 1cC92UWdEpn10PygskjAFCTZgqffOhk+hmhBkn29hYgvEOcTPpcipk8sNr++RqdqCYke fxJQ/IRpip1Y9rQ8+Qfi8krt1EDuoeDqm49IA/pomOYGsuvhu8Lt9rFli0cf6U4Tx9MB vjQlEy5ZDtW90ggME6syloxlcu4mHozGbHIpc1OQZXvCcS1vQaio5o4c/cq2Tax2MWJv 8gmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=7umL9wuyEWr/TRs8AdZmwlla5PduOJKYK/ps+mWhYgM=; b=ATlOPT/AKp/sKa8A0Q1VMIhTJcS7OAtDPZ/4vaEfxO2LYRDVbcqh6O9PTeSKIw8R41 jC/SRuT2QTL1vPtsk7z/aIzeSOm2J2WSe/CCIhCdBhlyKQAMek3+6hT6ttjTT1Hk5Kfy AClFUHj7P9Kb6rro303Fb0PeFA5Xh+YJRSQ9jCjWuTkI4tfSnUAU9oKtkc3MxMYdrNU0 sRqwdsbH9Vpcb0AJsRYEw2H7jeklyICmaoQhhGRFNGXrNoUP7ecy9GbxKYsnNMP714bo 81yea1I4XAm+i1ljXMdY0VZxgdu/UY4PQtwraj8e2UWrmIWIjzStrhR+gwV/JlNSX20+ 0qbQ==
X-Gm-Message-State: AJIora9v4ptLKAQM1fZLl8DMSVKOj5PtztirPazMKSU2F5e7HFXGN9XE MtmPxSXJhe70qfoGAtHG6u71YNI8HjFM/FCnKR43aMXmreI=
X-Google-Smtp-Source: AGRyM1uKPIx14DijTeCsZnzdAln8J0MNMjtLA5hh2jsEUNA7vg1e4jd0OyRqLpm3EoANjBdVcsVoiZQCHTirJGXlJF4=
X-Received: by 2002:a0d:ea47:0:b0:31c:9814:dd81 with SMTP id t68-20020a0dea47000000b0031c9814dd81mr18829783ywe.346.1657932439279; Fri, 15 Jul 2022 17:47:19 -0700 (PDT)
MIME-Version: 1.0
From: Radia Perlman <radiaperlman@gmail.com>
Date: Fri, 15 Jul 2022 17:47:08 -0700
Message-ID: <CAFOuuo4q7fTSs-T1E2C5_W=ad3-tAcP5ZJ0cTNvivde7Kh4=Qg@mail.gmail.com>
To: secdir@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-ippm-ioam-ipv6.all@ietf.org
Content-Type: multipart/alternative; boundary="0000000000001add0505e3e17afd"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/g6R86wLqJHBC7D4T5khm9nfzQTE>
Subject: [secdir] Secdir review of draft-ietf-ippm-ioam-ipv6-options
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 16 Jul 2022 00:47:21 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document concerns embedding In-situ Operations, Administration, and Maintenance (IOAM) data in IPv6 extension headers. IOAM data is telemetry data added by routers to packets as they transit a network, and sometimes removed by routers if the packets leave an "IOAM domain". IOAM extensions can be either Hop-by-Hop options or Destination options. The IOAM data itself is defined in another document (RFC9197). This document has a lot of jargon that makes it difficult to parse for the uninitiated (and I count myself among them). My one concern with respect to security comes from the statement in section 5.1: "OAM data leaks can affect the forwarding behavior and state of network elements outside an IOAM domain. IOAM domains SHOULD provide a mechanism to prevent data leaks or be able to ensure that if a leak occurs, network elements outside the domain are not affected (i.e., they continue to process other valid packets)." The concern is that IOAM domains should be clearly delimited and IOAM extensions should be stripped before a packet leaves the domain and/or as it enters a domain. My concern is that this could be difficult to enforce when IPv6 packets are encapsulated - in particular by IPsec. AH needs to understand which extensions are mutable and which are immutable. I don't know whether the defaults cover these extensions adequately or whether additional specification in necessary. ESP needs to know whether the other end of the security association is in the same IOAM domain so that it knows whether to encapsulate IOAM extensions or drop them. All of this may require additional configuration and may not behave correctly with implementations that are not aware of IOAM data. There may also be a matter of merging IOAM data from an outer envelope with IOAM data from an inner envelope when doing decapsulation. I'm not an expert on either IOAM or IPsec's handling of IPv6 extensions, but someone who is should look at this specification and make sure it is not going to create problems. Radia
- [secdir] Secdir review of draft-ietf-ippm-ioam-ip… Radia Perlman
- [secdir] Fwd: Secdir review of draft-ietf-ippm-io… Martin Duke