[secdir] Re: Secdir early review of draft-ietf-bfd-large-packets-11

Jeffrey Haas <jhaas@pfrc.org> Fri, 07 June 2024 23:12 UTC

Return-Path: <jhaas@pfrc.org>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F555C1654E9; Fri, 7 Jun 2024 16:12:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ch9olmxJrmsg; Fri, 7 Jun 2024 16:12:24 -0700 (PDT)
Received: from slice.pfrc.org (slice.pfrc.org [67.207.130.108]) by ietfa.amsl.com (Postfix) with ESMTP id AA1E5C16941F; Fri, 7 Jun 2024 16:12:23 -0700 (PDT)
Received: from smtpclient.apple (172-125-100-52.lightspeed.livnmi.sbcglobal.net [172.125.100.52]) by slice.pfrc.org (Postfix) with ESMTPSA id A5E741E039; Fri, 7 Jun 2024 19:12:22 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.8\))
From: Jeffrey Haas <jhaas@pfrc.org>
In-Reply-To: <171777138747.9697.6380889634564201784@ietfa.amsl.com>
Date: Fri, 07 Jun 2024 19:12:22 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <9D591974-369D-45FA-9489-35D376AA23A5@pfrc.org>
References: <171777138747.9697.6380889634564201784@ietfa.amsl.com>
To: Joseph Salowey <joe@salowey.net>
X-Mailer: Apple Mail (2.3696.120.41.1.8)
Message-ID-Hash: JMZ3UKMTNP2EGTMKCUKN276TELPFLQ7U
X-Message-ID-Hash: JMZ3UKMTNP2EGTMKCUKN276TELPFLQ7U
X-MailFrom: jhaas@pfrc.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdir.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: secdir@ietf.org, draft-ietf-bfd-large-packets.all@ietf.org, rtg-bfd@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [secdir] Re: Secdir early review of draft-ietf-bfd-large-packets-11
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/k06U_UVAdJt0cFguKJgmxL6JXO4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Owner: <mailto:secdir-owner@ietf.org>
List-Post: <mailto:secdir@ietf.org>
List-Subscribe: <mailto:secdir-join@ietf.org>
List-Unsubscribe: <mailto:secdir-leave@ietf.org>

Joseph,

Thanks for the review.  Unfortunately, I think your comments run contrary to the entire nature of the draft. :-)


> On Jun 7, 2024, at 10:43 AM, Joseph Salowey via Datatracker <noreply@ietf.org> wrote:
> The document is well written and fairly simple.  Referencing the previous
> security considerations does provide some good advice, but it seems that this
> document perhaps adds some considerations about the size of BPDU packets.  It
> seems that it would be possible for excessively large packets could cause
> problems for the sender or receiver.  Perhaps add something to the security
> considerations about: Implementations should consider this and set appropriate
> upper bounds on amount of padding added to these messages and on the length of
> received messages.

The entire point of the feature is the user chooses the size of the PDU in order to test the path MTU.  Thus, the PDU may be at most the max local interface MTU size on purpose.

Similarly, implementations must be, in circumstances where the MTU is the size of the PDU, be willing to receive such PDUs which may be the local interface MTU BFD is received over.

Certainly on the receive side of things, if the operator cares to limit the maximum size of the received PDU smaller than the interface MTU (which seems perverse, but perhaps the path MTU and the interface MTU are intentionally different), such a thing might be doable.  

However, such a limitation would need to be implemented at the appropriate higher encapsulation layer carrying the BFD PDU.  For BFD over IP, this is carried in UDP.  Thus, the limiting mechanism would be a firewall on IP+UDP packets to the relevant BFD port for a given packet size.  This would be outside the scope of BFD as BFD has never made implementation recommendations relying on firewalls.

Please note that fragmentation isn't an expected attack since the specification requires the don't fragment bit when using IPv4.

It's finally worth noting that receive size limitations enforced at layers outside of BFD may negatively impact unidirectional PMTU detection.  Dropped packets will cause the relevant BFD session to go down even if the PDU sent to probe the unidirectional PMTU from the sender had successfully made it through to the receiver.  It becomes, "I will only let you detect MTU up to size X".

-- Jeff