IETF Logo Mail Archive

Re: [secdir] Secdir early review of draft-ietf-bier-ping-08

Greg Mirsky <gregimirsky@gmail.com> Thu, 11 May 2023 04:19 UTC

Return-Path: <gregimirsky@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CAF2C17D664; Wed, 10 May 2023 21:19:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GOT1e5ypJ-RE; Wed, 10 May 2023 21:18:56 -0700 (PDT)
Received: from mail-yb1-xb30.google.com (mail-yb1-xb30.google.com [IPv6:2607:f8b0:4864:20::b30]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B3A74C1782C3; Wed, 10 May 2023 21:18:56 -0700 (PDT)
Received: by mail-yb1-xb30.google.com with SMTP id 3f1490d57ef6-b9a6f17f2b6so39328563276.1; Wed, 10 May 2023 21:18:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1683778735; x=1686370735; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=HkVqc5UE3HnQodDazSsTsVbSWg8v8btwISc9B7rIJfM=; b=pk0iKQ9iV4e1FOdALfrq3QsjM1ygOPZnH/9NehMZGNaW2lXEDhUWJbfa6AGZVGr2Pf iPmgwOB7dC6q4bEoSZQMHAjd9yQMbwGpB453HDHoEQFGrWMNoEPUDcgz3sHWQqoR8gQK d+vpeNQUH4KAwrz25Qs1SS74eaRsX9rvXLN58Q+L1LNA6DQDiWbuRVdz2j/a96AzhYl1 5jNCA9tWPwm3iJr8Puhep3ML+/9WfiZIyqHJS9vCNVc/bSM1tGsA4VwhuDEAhnllV29t zIxHKuIGTKRrxYw3FoT0yy/sV9nQZRH+U2insj1+Uvf+hLsPB6evN/isHnmCwsuZfYDt 4bsw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1683778735; x=1686370735; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=HkVqc5UE3HnQodDazSsTsVbSWg8v8btwISc9B7rIJfM=; b=hDC2EkvmaD9xQZSlYqR0nmTspicMEihpLoRAiXQrre7kwOh5Bv51hmzQmx1JhZUB/w mQ6yagz2GQiOo6gI1ho1aFPi88Kti7bc+/UPbcbSpSQCqxx8CYzpHk8JYwveLQgxdTFq eoW1ga8q/YLyDgd0G/l7idyy0Fz68KUZZZrBJ9M653DhwAQifT9CZDRu0enfONhSgoZu +j/gncZatRBotG001cno8bkFz3PDBT4GM0+ukKblDaBRu+y/rQTdkK+waMYRQwVkMRP9 952QKbPACLsC1CIj5vLknyLfoFWLhgyX7A80G5XSg1sbeY17mNUmUm7pHiBWtLkZ3JrD 8x4w==
X-Gm-Message-State: AC+VfDwJiRiGoYCC0HDY6GHvxkjYDvuQ43V8zUlvtIMH5V+zl/6BkamI vA8lsnkTKCNy3B2Zcj7/AnVVfEf7b7BDKnHCMlBimlTm
X-Google-Smtp-Source: ACHHUZ68jkKFeGiqjnGAbwgqu7Q/CSvR5rIs+MY1xqK0uan3YNO5rPFuI/F3msKwF+AhrniOkOpbhCek5WHyRDGJgK4=
X-Received: by 2002:a0d:dfcf:0:b0:55a:416d:5202 with SMTP id i198-20020a0ddfcf000000b0055a416d5202mr17448674ywe.26.1683778735290; Wed, 10 May 2023 21:18:55 -0700 (PDT)
MIME-Version: 1.0
References: <168211282687.57523.15929122717485483178@ietfa.amsl.com> <CA+RyBmVb5O2GRt+baZj5uaz4GA0jEO8ddURk8S3Yc02y6rDueA@mail.gmail.com> <cb7865a7-f0c2-10d2-4745-926e40958371@mandelberg.org> <CA+RyBmUnjtfo=guv9_2RRH=zH5OVG9HuX1JKoEnRJVhN=Uf-kA@mail.gmail.com> <70d489f8-36cb-0a30-1af9-4d6c1dae920d@mandelberg.org>
In-Reply-To: <70d489f8-36cb-0a30-1af9-4d6c1dae920d@mandelberg.org>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Wed, 10 May 2023 21:18:44 -0700
Message-ID: <CA+RyBmU5760+j87=YKC0JdVQXf-eOVaJqO4sJ4_vUBDY4JT9WA@mail.gmail.com>
To: David Mandelberg <david@mandelberg.org>
Cc: secdir@ietf.org, bier@ietf.org, draft-ietf-bier-ping.all@ietf.org
Content-Type: multipart/alternative; boundary="00000000000065be2405fb634993"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/iCWlvkR1GYhwuJGuNmJSqopPs5o>
Subject: Re: [secdir] Secdir early review of draft-ietf-bier-ping-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 May 2023 04:19:00 -0000

Hi David,
thank you for the discussion. Please find my notes below under the GIM>>
tag.

Regards,
Greg

On Tue, May 9, 2023 at 5:04 PM David Mandelberg <david@mandelberg.org>
wrote:

> I'm not familiar with LSP ping, but I just skimmed the security
> considerations section of that RFC. Unless I missed something (which is
> possible), it looks like it only talks about DoS attacks against the
> recipient of the ping, not amplification to attack a third party using
> the reply. With LSP ping, are the requests and responses roughly the
> same size? If they are, then that seems to be a key difference between
> BIER ping and LSP/ICMP ping, so it should be covered in BIER ping's
> security considerations.
>
GIM>> I think that LSP Ping and BIER Ping are closer to each other
functionally than to ICMP. As we noted in the draft, some informational
elements used in the LSP Ping are equally applicable in BIER Ping (DDMAP).

>
> As for suggesting additional text/reference, how difficult would it be
> in practice for an attacker to spoof the source address in BIER ping?
> (That's the part I really don't have a sense of.) If it's pretty
> difficult, then it's probably enough to just point that out as the
> reason DDoS amplification isn't a big concern. If it's not that hard,
> then there might be a bigger problem.
>
GIM>> I think that such a scenario in BIER is as difficult as in an MPLS
network. Thank you for the suggestion. I will add that in the next version.

>
>
> Op 2023-05-09 om 17:43 schreef Greg Mirsky:
> > Hi David,
> > that's a valid point. I may compare the scenario you describe with the
> > commonly used in LSP Ping identical reply mode, i.e., over IPv4/IPv6
> > network. In that case, the MPLS label stack may not identify the Echo
> > Request sender, and the receiving node relies on the source IP address
> > in the IP/UDP header that immediately follows the label stack. It seems
> > like methods to mitigate the risk of exploiting LSP Ping as a DDoS
> > attack described the Security Consideration in RFC 8029 accepted as
> > sufficient. In our draft, we point them as equally relevant for BIER
> > Ping. Would you suggest an additional text or reference for
> > draft-ietf-bier-ping?
> >
> > Regards,
> > Greg
> >
> > On Tue, May 9, 2023 at 12:37 PM David Mandelberg <david@mandelberg.org
> > <mailto:david@mandelberg.org>> wrote:
> >
> >     The Reply-To TLV stood out to me as the easiest way to redirect
> return
> >     traffic to a vicim, but not necessarily the only way. Can the BFIR
> >     ID be
> >     spoofed to get return traffic sent to an unsuspecting third party?
> >
> >     Op 2023-05-08 om 12:16 schreef Greg Mirsky:
> >      > Hi David,
> >      > thank you for your thoughtful comments. After reviewing the use
> >      > scenario, we decided to remove the Reply-To TLV. The BIER Header
> >      > includes the BFIR ID that can be used to derive the IP address of
> >     the
> >      > Sender. I hope that addresses your concern.The new version of the
> >     draft
> >      > <https://datatracker.ietf.org/doc/draft-ietf-bier-ping/
> >     <https://datatracker.ietf.org/doc/draft-ietf-bier-ping/>> also
> includes
> >      > updates addressing early reviews from Rtg and Int areas.
> >      > Please let me know if you have any further questions.
> >      >
> >      > Best regards,
> >      > Greg
> >      >
> >      > On Fri, Apr 21, 2023 at 2:33 PM David Mandelberg via Datatracker
> >      > <noreply@ietf.org <mailto:noreply@ietf.org>
> >     <mailto:noreply@ietf.org <mailto:noreply@ietf.org>>> wrote:
> >      >
> >      >     Reviewer: David Mandelberg
> >      >     Review result: Has Nits
> >      >
> >      >     This mostly looks good, I think.
> >      >
> >      >     My only concern is about if/how this could be exploited to
> DDoS
> >      >     third parties.
> >      >     It looks like there are a few ways that the responses can be
> >     larger
> >      >     than the
> >      >     requests, either by responders adding additional TLVs, or by
> >     multiple
> >      >     responders responding to the same request. I'm not sure how
> >     much of
> >      >     a risk
> >      >     source address spoofing is in the request's outer header, but
> it
> >      >     looks like the
> >      >     Reply-To TLV can be used to send responses to another address
> >     anyway,
> >      >     regardless of the source address. So if this were on the open
> >      >     internet, I'd
> >      >     expect attackers to abuse it to send lots of data to their
> >     targets.
> >      >     But from
> >      >     the mentions of MPLS, I'm guessing that this is not meant to
> >     be used
> >      >     on the
> >      >     open internet? So it might not be an issue in the
> >     environments this
> >      >     is intended
> >      >     to be deployed in, or there might be some other mitigation.
> >      >
> >      >
> >
>

v2.23.0 | Report a Bug | By Email