[secdir] Secdir review of draft-ietf-6lo-deadline-time-03

Charlie Kaufman <charliekaufman@outlook.com> Mon, 24 December 2018 04:08 UTC

Return-Path: <charliekaufman@outlook.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id B882A130E7A; Sun, 23 Dec 2018 20:08:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=outlook.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id ecCpLIuxUXfH; Sun, 23 Dec 2018 20:08:03 -0800 (PST)
Received: from NAM01-BY2-obe.outbound.protection.outlook.com (mail-oln040092001018.outbound.protection.outlook.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF0D7130E78; Sun, 23 Dec 2018 20:08:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/PfbyMMKXCqhW5ZXXC4AmMkxu+uFrmOHhcdqScnA2NI=; b=qSUH0l1uT2nKBYWZOMQYnyeWfsOHDE+biwDpibiLq7cJ8iLQ8HzcaEk115uVVY31R9/sPIvo7peBYhk2rzveLvkGUXJfyHhjEC4IAUp0HLAiPuoxnOd2Hl+EdeKcbzUORiE2zpPupM5fMhI3WTA8SFRspL8vmBtCzmxY8QyZatqbl5nh7cyTg37TQ5cipvfCJBVtVzu/O2yJuZlTgAA0iOTiEE4quSuu5RHVw0L1AXxdDKhNv7M4r52+zp2J058d6MWiv1XvheUSeefiHi7EUvsew2z+X6e+isJwEFm3aHz4UoBYOV6HTHeD/srx/U4HA82ES5ctMu+6XTyZits8xQ==
Received: from SN1NAM01FT013.eop-nam01.prod.protection.outlook.com ( by SN1NAM01HT121.eop-nam01.prod.protection.outlook.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1471.13; Mon, 24 Dec 2018 04:08:02 +0000
Received: from DM6PR04MB5099.namprd04.prod.outlook.com ( by SN1NAM01FT013.mail.protection.outlook.com ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.20.1471.13 via Frontend Transport; Mon, 24 Dec 2018 04:08:02 +0000
Received: from DM6PR04MB5099.namprd04.prod.outlook.com ([fe80::d542:8c2e:1af9:563f]) by DM6PR04MB5099.namprd04.prod.outlook.com ([fe80::d542:8c2e:1af9:563f%4]) with mapi id 15.20.1446.026; Mon, 24 Dec 2018 04:08:02 +0000
From: Charlie Kaufman <charliekaufman@outlook.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-6lo-deadline-time.all@ietf.org" <draft-ietf-6lo-deadline-time.all@ietf.org>
Thread-Topic: Secdir review of draft-ietf-6lo-deadline-time-03
Thread-Index: AQHUmz3wn28DKZa1QE+QITpNT8nKbQ==
Date: Mon, 24 Dec 2018 04:08:01 +0000
Message-ID: <DM6PR04MB5099527AC26CD484D373FA09DFBB0@DM6PR04MB5099.namprd04.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
x-incomingtopheadermarker: OriginalChecksum:CE572986C295EA9B3C1EFCC128D6B15CBEBFA731D35AB28F58AAC5AB4D0F7D8E; UpperCasedChecksum:D66C5A5398C209A11A4E3E57E65D0AE7037EE74861081D51476571B137AD0058; SizeAsReceived:7112; Count:43
x-tmn: [dcjZenGzw/VahaTZpOn23WUGBJyxL0IeQczsYBnspn5MYUMl8tS4MrRW741RAjz3]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN1NAM01HT121; 6:DSUpremx5Or7wGQZ3VA0WLirfbpA3btWZEAvsWQumYAxctWXuLiVBLy5Mcmxix+9v/ep6clXJvJ8buxYVXbwz/f4dHAMeboXe7ih6dLnpOCjFjaa5HEUg3fW1kSs4dH18pNbibc83tWTR9Y5D19R0hjbseU6lgQplSeL5QZM4TbZRgGn0za3mzDaAvLBPgv5hF5OfJOHlfnthL5wxhsq6J0gxyN5eFyOSbqThwm4I4QFTsVBIUL2pTPRQFsMO6L3m9/PszEoVogUCobzBdaCwNKyV4d+2qUGMBael2+EDGaMyj9T33SfJ8dAnr6OaHrTcDhwKqOIErgqQDaSK+k50eyP/KSuVqZSreUVwqOPxOn7eczQQR464xdoudHezo9tCb2YshsxBHEhkSnBcyK0sBJ/tpF7C847WaJ/RMqU5zLfwWxyRgihSHe6oe/x9lMYT9XwoKSRHtaAjAEVfuoA7g==; 5:wNEE1TpBNQthOC99s73qS8TFtjv75dsDewkPaLqTl9n4pFdBp+RGmfihi6w47AbZNRFPZGOUDzegm7nWcPCUMYuKyE9A2aZn5fzLbx7rfgyUiypJYhbUWkCmQkqVhYJJEnVeQlQRB3pVbxWm38UEQI7ww7csqZLpw9oE/E8nBQY=; 7:iedQ6Upnctd/yn+Yc36G6n3QQiE3febUhnCJdV9tzfK2IXfO1qnIFNPu5LhW/90gowD16zN8gP0/0hMA2cScc6MymIqP08AHyxDOje3tptzUgXxmGqKExwiv3717uSp09vQncJ7X9+5D1ZbNL5os6Q==
x-incomingheadercount: 43
x-eopattributedmessage: 0
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(201702061078)(5061506573)(5061507331)(1603103135)(2017031320274)(2017031323274)(2017031324274)(2017031322404)(1601125500)(1603101475)(1701031045); SRVR:SN1NAM01HT121;
x-ms-traffictypediagnostic: SN1NAM01HT121:
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(4566010)(82015058); SRVR:SN1NAM01HT121; BCL:0; PCL:0; RULEID:; SRVR:SN1NAM01HT121;
x-microsoft-antispam-message-info: fUE9p9e5MK0cUPh1k5JgB0atDjrMqw8DdZjjxshep6VkkoStIoM1ZOvhMMX7/cm8
Content-Type: multipart/alternative; boundary="_000_DM6PR04MB5099527AC26CD484D373FA09DFBB0DM6PR04MB5099namp_"
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 9a4e3081-9524-43cf-bfc3-dcaef82d5da1
X-MS-Exchange-CrossTenant-Network-Message-Id: 8c766fa8-ef47-4039-d8d3-08d6695565cf
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 9a4e3081-9524-43cf-bfc3-dcaef82d5da1
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Dec 2018 04:08:01.9489 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Internet
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1NAM01HT121
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/hKzuWLdlwKb-edZzfzl4Q9L41T0>
Subject: [secdir] Secdir review of draft-ietf-6lo-deadline-time-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Dec 2018 04:08:06 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document specifies a new optional extension in 6LoRHE headers to be used to do fine grained time tracking of packets traversing a network. It supports two functions: tracking the timing of transiting packets for the purpose of performance analysis and diagnostics, and delivery deadline enforcement where the source instructs the network to drop a packet if it cannot be delivered within a specified time bound. This avoids network congestion by quickly discarding packets that are going to be useless by the time they are delivered.

One of the challenges facing this design is maintaining tight clock synchronization between packet forwarding devices. The design assumes that sets of such devices are held in tight synchronization through unspecified mechanisms. These groupings are called "time zones". It also calls for the origination time and delivery deadline fields be updated when a packet transitions between "time zones" (which assumes that packet forwarding devices on separating two time zones be aware of the time difference between them so that it can update those fields).

The issues raised below may be covered in companion documents, but they are what occurred to me while reviewing this one.

Security issues:

Section 6 specifies that when one of these packets is encapsulated and sent through an IPv6 in IPv6 tunnel, and tunnel exit the time fields must be copied from the outer header to the inner header before the packet is forwarded on. This would be true of any form of encapsulation, in particular including IPsec tunnelling.

Many time synchronization protocols - particularly those that target subsecond synchronization - assume they are running on a secure network (or that attackers would not be motivated to mess up time synchronization). If the time synchronization between the packet forwarding devices were to be broken such that there was substantial drift between the devices, that could be used as a denial of service attack if that could be used to cause most or all data packets to be discarded as expired.

Non-security issues:

The length of the time fields is specified in the OTL and DTL headers to have a length of between 1 and 8 octets. I could not tell from the spec whether it was intended that the sender was supposed to pick a size big enough to represent the entire time field or whether it was OK to pick a smaller size and place the low order bits of the time in the field. Placing the low order bits there would normally work, though it makes size comparisons more complex (particularly in cases where there are just barely enough bits to avoid wrapping before the packet expires).

I was initially confused by the presence of two fields OT and DT when one should be sufficient to enforce packet expiration. Reading between the lines of the spec, I eventually concluded that only the DT field was intended to be used for this purpose and the OT field was intended to be used to track delivery performance and is not used in the calculation of packet lifetime. Assuming I have that right, it would be good if it were more explicit in the document.

The bit bummer in me was offended by the fact that the TU and EXP fields had two different ways of representing 1 second time granularity (TU=00/EXP=110 and TU=01/EXP=000). Given that time granularity greater than 10 seconds is never likely to be needed, the need for the TU=01 code point is questionable, but at the least perhaps the spec should say which is the preferred encoding. I also could not tell whether the encoding was expected to be constant within a Time Zone (in which case the fields would not be necessary in every packet) or whether packet relay nodes were expected to canonicalize the time representation whenever it parses a packet. But this is only a matter of taste.