Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06

<> Tue, 19 September 2017 07:18 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 13D4A126DFE; Tue, 19 Sep 2017 00:18:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.398
X-Spam-Status: No, score=-5.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id AuCLBgFGeoBA; Tue, 19 Sep 2017 00:18:45 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 15605132620; Tue, 19 Sep 2017 00:18:45 -0700 (PDT)
Received: from (unknown [xx.xx.xx.67]) by (ESMTP service) with ESMTP id 3E173404E9; Tue, 19 Sep 2017 09:18:43 +0200 (CEST)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.66]) by (ESMTP service) with ESMTP id 215021A0065; Tue, 19 Sep 2017 09:18:43 +0200 (CEST)
Received: from OPEXCLILM21.corporate.adroot.infra.ftgroup ([fe80::e92a:c932:907e:8f06]) by OPEXCLILMA1.corporate.adroot.infra.ftgroup ([fe80::95e2:eb4b:3053:fabf%19]) with mapi id 14.03.0361.001; Tue, 19 Sep 2017 09:18:42 +0200
From: <>
To: David Mandelberg <>
CC: "" <>, "" <>, "" <>
Thread-Topic: secdir review of draft-ietf-ospf-encapsulation-cap-06
Thread-Index: AQHTHpv/cOgvm+rnt0qxeBuvpFWeWaK0xaZggAAJ/YCAANdoUIAFhL03gADEpyA=
Date: Tue, 19 Sep 2017 07:18:42 +0000
Message-ID: <11040_1505805523_59C0C4D3_11040_226_4_53C29892C857584299CBF5D05346208A4787AC94@OPEXCLILM21.corporate.adroot.infra.ftgroup>
References: <> <3691_1505412243_59BAC493_3691_229_1_53C29892C857584299CBF5D05346208A47872C5B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <> <2597_1505460712_59BB81E8_2597_399_1_53C29892C857584299CBF5D05346208A4787384B@OPEXCLILM21.corporate.adroot.infra.ftgroup> <> <12465_1505725711_59BF8D0F_12465_296_1_53C29892C857584299CBF5D05346208A478787B1@OPEXCLILM21.corporate.adroot.infra.ftgroup> <>
In-Reply-To: <>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 19 Sep 2017 07:18:47 -0000

> From: David Mandelberg []
 > Sent: Monday, September 18, 2017 9:30 PM
 > On 09/18/2017 05:08 AM, wrote:
 > >   > (c) is the one that I think is worth looking into. E.g., does this new
 > >   > extension make it easier for an attacker to route a packet across AS
 > >   > boundaries, by setting a tunnel endpoint outside of the OSPF-routed network?
 > >
 > > No. The following text already prohibits even more than this:
 > >
 > > "  A tunnel MUST NOT be
 > >        used if there is no route toward the IP address specified in the
 > >        Endpoint Sub-TLV (See <xref target="EndpointTLV"/>) or if the route is
 > >        not advertised by the router advertising this Tunnel Sub-TLV."
 > >
 > > - By definition, this Tunnel Sub-TLV is advertised in OSPF i.e. from within the AS.
 > > - The text also prohibits setting a tunnel endpoint to another router within the AS.
 > >
 > >
 > > That being said, within the AS, the point "c" still applies.
 > > However, thinking twice, the probability is even more limited. Indeed, one can only advertise a
 > tunnel to itself. Assuming that the third party can't control the whole routing topology (i.e. routing
 > advertisement from most core routers), it cannot control the path followed by the tunnel. Hence it
 > would need to have monitoring capabilities on specific links that it cannot choose. (the link on
 > the path to itself).
 > > Plus this risk is not new, as the third party could already advertise the destination IP address of
 > the packets (or of the BGP Next-hop of the BGP route matching the packet destination), without
 > using any tunnel.
 > > In conclusion, although I could be wrong, I'm not seeing such new risk. (again, assuming that
 > a third party can modify the OSPF routing is a big assumption).
 > >
 > > But the discussion was useful, thanks for the comments.
 > That explanation is great, thank you. I hadn't realized the implications
 > of the paragraph you quoted, when I initially read it. I'm convinced
 > that there isn't a security issue here, but it would be nice to see your
 > explanation in the document itself, if it's not already obvious to
 > anybody who knows OSPF better than I do.

I've just added the following text in the security section of my local version:
"We note that the last paragraph of <xref target="Operation"/> forbid the establishment of a tunnel toward arbitrary destinations. It prohibits a destination outside of the Autonomous System and also to other routers within the AS. This avoid that a third-party gaining access to an OSPF router be able to send the traffic to other destinations, for e.g. inspection purposes. "

Feel free to comment/propose other text.

Since I've just published -08 a few hours ago, I'll probably delay the upload of this new update.


 > --
 > Freelance cyber security consultant, software developer, and more


Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.