Re: [secdir] Secdir last call review of draft-ietf-mpls-lsp-ping-lag-multipath-05
Mach Chen <mach.chen@huawei.com> Mon, 18 February 2019 10:11 UTC
Return-Path: <mach.chen@huawei.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A8B23130EEF; Mon, 18 Feb 2019 02:11:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wrqx0-ZKzI1m; Mon, 18 Feb 2019 02:11:38 -0800 (PST)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2734A130EEC; Mon, 18 Feb 2019 02:11:38 -0800 (PST)
Received: from lhreml703-cah.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id 5B44719CC5C6C19F10FE; Mon, 18 Feb 2019 10:11:36 +0000 (GMT)
Received: from DGGEML423-HUB.china.huawei.com (10.1.199.40) by lhreml703-cah.china.huawei.com (10.201.108.44) with Microsoft SMTP Server (TLS) id 14.3.408.0; Mon, 18 Feb 2019 10:11:35 +0000
Received: from DGGEML510-MBX.china.huawei.com ([169.254.2.6]) by dggeml423-hub.china.huawei.com ([10.1.199.40]) with mapi id 14.03.0415.000; Mon, 18 Feb 2019 18:11:24 +0800
From: Mach Chen <mach.chen@huawei.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: Linda Dunbar <linda.dunbar@huawei.com>, "secdir@ietf.org" <secdir@ietf.org>, "mpls@ietf.org" <mpls@ietf.org>, "draft-ietf-mpls-lsp-ping-lag-multipath.all@ietf.org" <draft-ietf-mpls-lsp-ping-lag-multipath.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Thread-Topic: [secdir] Secdir last call review of draft-ietf-mpls-lsp-ping-lag-multipath-05
Thread-Index: AQHUkY+Xr7eIQ7lWe0az4uRG6fBCdqV9d+SwgERX9oCAHShNQIADyugAgALw4PA=
Date: Mon, 18 Feb 2019 10:11:24 +0000
Message-ID: <F73A3CB31E8BE34FA1BBE3C8F0CB2AE29288DC3E@dggeml510-mbx.china.huawei.com>
References: <154455986336.13151.8483284555885294015@ietfa.amsl.com> <F73A3CB31E8BE34FA1BBE3C8F0CB2AE2927B2883@dggeml510-mbx.china.huawei.com> <20190126211729.GJ49072@kduck.mit.edu> <F73A3CB31E8BE34FA1BBE3C8F0CB2AE292889888@dggeml510-mbx.china.huawei.com> <20190216202815.GD82217@kduck.mit.edu>
In-Reply-To: <20190216202815.GD82217@kduck.mit.edu>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.194.201]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/pRx1l-DkjZHeA0S5--SwWtxw23Y>
Subject: Re: [secdir] Secdir last call review of draft-ietf-mpls-lsp-ping-lag-multipath-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Feb 2019 10:11:41 -0000
Hi Benjamin, > -----Original Message----- > From: Benjamin Kaduk [mailto:kaduk@mit.edu] > Sent: Sunday, February 17, 2019 4:28 AM > To: Mach Chen <mach.chen@huawei.com> > Cc: Linda Dunbar <linda.dunbar@huawei.com>; secdir@ietf.org; > mpls@ietf.org; draft-ietf-mpls-lsp-ping-lag-multipath.all@ietf.org; > ietf@ietf.org > Subject: Re: [secdir] Secdir last call review of draft-ietf-mpls-lsp-ping-lag- > multipath-05 > > Hi Mach, > > My apologies as well for the delay. > > On Thu, Feb 14, 2019 at 03:02:07AM +0000, Mach Chen wrote: > > Hi Benjamin, > > > > Sorry for the delayed response! > > > > Please see my response inline... > > > > > -----Original Message----- > > > From: Benjamin Kaduk [mailto:kaduk@mit.edu] > > > Sent: Sunday, January 27, 2019 5:17 AM > > > To: Mach Chen <mach.chen@huawei.com> > > > Cc: Linda Dunbar <linda.dunbar@huawei.com>; secdir@ietf.org; > > > mpls@ietf.org; draft-ietf-mpls-lsp-ping-lag-multipath.all@ietf.org; > > > ietf@ietf.org > > > Subject: Re: [secdir] Secdir last call review of > > > draft-ietf-mpls-lsp-ping-lag- > > > multipath-05 > > > > > > On Fri, Dec 14, 2018 at 02:11:21AM +0000, Mach Chen wrote: > > > > Hi Linda, > > > > > > > > Thanks for the review! > > > > > > > > Some responses inline... > > > > > > > > > -----Original Message----- > > > > > From: ietf [mailto:ietf-bounces@ietf.org] On Behalf Of Linda > > > > > Dunbar > > > > > Sent: Wednesday, December 12, 2018 4:24 AM > > > > > To: secdir@ietf.org > > > > > Cc: mpls@ietf.org; > > > > > draft-ietf-mpls-lsp-ping-lag-multipath.all@ietf.org; > > > > > ietf@ietf.org > > > > > Subject: Secdir last call review of > > > > > draft-ietf-mpls-lsp-ping-lag-multipath-05 > > > > > > > > > > Reviewer: Linda Dunbar > > > > > Review result: Ready > > > > > > > > > > I have reviewed this document as part of the security > > > > > directorate's ongoing effort to review all IETF documents being > > > > > processed by the IESG. These comments were written primarily > > > > > for the benefit of the security area directors. Document > > > > > editors and WG chairs should treat these comments just like any > other last call comments. > > > > > > > > > > The summary of the review is Ready with comment > > > > > > > > > > The described mechanism for LSP Multipath Ping is very clear. > > > > > The Security Consideration re-uses the description of RFC8029, > > > > > which is very comprehensive. > > > > > It would be better if the draft describes how to prevent > > > > > intermediate LSRs in between the Initiating LSR and Responding > > > > > LSR from mis-using the detailed link information (e.g. > > > > > forwarding to > > > somewhere else). > > > > > > > > The Echo Request and Reply messages are directly exchanged between > > > > the > > > Initiating LSR and the Responding LSR, those intermediate LSRs just > > > forward the messages as normal packets, they will not see the > > > detailed link information unless if they inspect and do DPI on every > > > packet forwarded by them. > > > > > > > > The detailed link information is supplied to the Initiating LSR > > > > for using, the > > > intermediate LSRs will not try to use it even if they received the > > > information, because there is no corresponding Echo Request to the > received Echo Reply. > > > > > > The intermediate LSRs still will have access to the plaintext > > > information, even if in normal operation they do not need to act upon > that information. > > > Generally in this sort of situation we will either explicitly state > > > that the intermediate nodes must be trusted to not abuse the > > > information in question, or provide some mechanism for end-to-end > > > confidentiality protection. > > > > "Intermediate nodes must be trusted to not abuse the information" is > normally assumed. For the intermediate nodes, there is no different > between the Echo Reply messages and any other data traffic, control > messages. They just forward the Echo Reply messages as normal packets. I > am not sure it needs to explicitly state this. Do you suggest to add such a > statement in the security consideration section? > > The concern is not about the normal operation, but rather about abnormal > operation, e.g., if an intermediate node gets compromised by an attacker. > We need to document the new abilities an attacker gets, when comparing > the original case of "an attacker compromises an intermediate node that is > using MPLS without this mechanism" to the new case of "an attacker > compromises an intermediate node that is using MPLS with this mechanism". > So, while I do suggest adding a statement to the security considerations > section, the statement I want does not relate to the normal operation case > (when intermediate nodes ignore the contents of the message). OK, will add such a statement in the security considerations section. > > > > > > > Also (noting that I only skimmed the document so this may not make > > > sense), the security considerations seem to suggest using an IP ACL > > > for determining which messages are trusted; IP ACLs are generally > > > not recommended in favor of cryptographic mechanisms at this point. > > > > IP ACLs was introduced in RFC 8029 and is reused in this document, > > it's > > I did not find a clear and explicit declaration in RFC 8029 of the concept of an > IP ACL; I assume you are referring to: > > To protect against unauthorized sources using MPLS echo request > messages to obtain network information, it is RECOMMENDED that > implementations provide a means of checking the source addresses of > MPLS echo request messages against an access list before accepting > the message. Yes, this is that I am referring to. > > I do not think anyone is going to say "do not filter based on IP source > address", but there would be general skepticism about relying upon it as a > sole security mechanism. > > > just one of the security mechanisms. This document is an extension to > > (Could you remind me of the other mechanisms? I don't think I have a good > handle on them.) You are right, for protecting against unauthorized sources, IP ACL is the only way proposed in RFC 8029 and this document. > > > RFC 8029, as stated in this document, all security considerations > > defined in RFC 8029 apply to this document. Do you have any specific > > suggestion to the current security consideration? > > I am mostly just lamenting the state of affairs; this is a sufficiently > incremental change that it is inappropriate to require dramatic changes in the > security mechanisms. I agree with you. Does it mean that you are OK with the current security considerations, given that a statement regarding the intermediate node's process will be added. Best regards, Mach > > -Ben
- [secdir] Secdir last call review of draft-ietf-mp… Linda Dunbar
- Re: [secdir] Secdir last call review of draft-iet… Mach Chen
- Re: [secdir] Secdir last call review of draft-iet… Benjamin Kaduk
- Re: [secdir] Secdir last call review of draft-iet… Mach Chen
- Re: [secdir] Secdir last call review of draft-iet… Benjamin Kaduk
- Re: [secdir] Secdir last call review of draft-iet… Mach Chen
- Re: [secdir] Secdir last call review of draft-iet… Benjamin Kaduk