[secdir] secdir review of draft-ietf-trill-aa-multi-attach
Sandra Murphy <sandy@tislabs.com> Thu, 27 August 2015 10:47 UTC
Return-Path: <sandy@tislabs.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 870AC1A8879; Thu, 27 Aug 2015 03:47:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.311
X-Spam-Level:
X-Spam-Status: No, score=-1.311 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_55=0.6, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eoC7Y0SgcmzC; Thu, 27 Aug 2015 03:47:53 -0700 (PDT)
Received: from walnut.tislabs.com (walnut.tislabs.com [192.94.214.200]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF0791AD305; Thu, 27 Aug 2015 03:47:52 -0700 (PDT)
Received: from nova.tislabs.com (unknown [10.66.1.77]) by walnut.tislabs.com (Postfix) with ESMTP id 34E6F28B003D; Thu, 27 Aug 2015 06:47:52 -0400 (EDT)
Received: from [IPv6:::1] (localhost.localdomain [127.0.0.1]) by nova.tislabs.com (Postfix) with ESMTP id C9D491F8035; Thu, 27 Aug 2015 06:47:50 -0400 (EDT)
From: Sandra Murphy <sandy@tislabs.com>
X-Pgp-Agent: GPGMail 2.5
Content-Type: multipart/signed; boundary="Apple-Mail=_20A71A94-0240-45A7-B247-7FB96649FA76"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Date: Thu, 27 Aug 2015 06:46:52 -0400
Message-Id: <CBC357D3-31AB-49AB-9B5B-1D5173A92979@tislabs.com>
To: secdir@ietf.org, draft-ietf-trill-aa-multi-attach@tools.ietf.org, trill-chairs@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/pULzv1IkbISIIiAbAln629p8Oh0>
Subject: [secdir] secdir review of draft-ietf-trill-aa-multi-attach
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2015 10:47:55 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This is a late review, thankfully with no large issues specific to the draft. This draft provides a new TRILL sub-sub-TLV to convey MAC attachment information through the TRILL cloud in a way that permits active-active node attachment point movement in the cloud. As a person not particularly familiar with TRILL, I found that I struggled. Not the authors fault, I was not familiar with the suite of RFCs the draft says it presumes the reader is familiar with. There is a lot of background reading here, so I'd not be surprised to find that I have missed something somewhere. I’ve quoted the RFC’s I’ve read to indicate where I derived my possibly faulty information. General comments first, then security (mostly a discourse on routing security and TRILL authentication) General document comments: I found that Figure 1 in RFC 7379 conveyed the many-many aspect of attachments to the RBridges better than the figure in the draft. I recommend it. I found that RFC7379's explanation of Address Flip-Flop gave a more understandable explanation of what this draft calls "Mac Flip-flopping", which I believe to be the same thing. In particular, it explained the hardware inability to keep multiple MAC-nickname mappings, which is key to the problem. A reference to that RFC would be good, particularly as the purpose of that RFC is to describe that issue (among others). The text is not consistent in the names of the fields - spelling, hyphenation, etc. ---- the "AA LAALP Group RBridges" TRILL APPsub-TLV defined in Section (page 7) vs "LAALP Group RBridges" APPsub-TLV included in the TRILL GENINFO TLV (page 11) in FS-LSPs [RFC7180bis]. +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = AA-LAALP-GROUP-RBRIDGES| (2 bytes) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ and tbd3(254) AA-LAALP-GROUP-RBRIDGES [This document] (page 14) ---- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = AA-LAALP-GROUP-MAC | (2 bytes) (page 7) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ vs o Type: AA LAALP Grouped MAC (TRILL APPsub-TLV type tbd1) (page 7) and tbd1(252) AA-LAALP-GROUP-MAC [This document] (page 14) ----- 5.3.2. The MAC Reachability TLVs [RFC6165] are composed in a way that (page 7) vs o Length: The MAC-Reachability TLV [RFC6165] is contained in the (page 7) and (many other places) On page 7: +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...+-+-+ | MAC-Reachability TLV (7 + 6*n bytes) | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+...+-+-+ I presume the "n" here is the same as "n" in RFC6165 where the MAC-Reachability TLV is defined. It would be good to mention it. page 12: All enabled VLANs MUST be consistent on all ports connected to an LAALP. So the enabled VLANs need not be included in the AA-LAALP- GROUP-RBRIDGES TRILL APPsub-TLV. They can be locally obtained from the port attached to that LAALP. Does this mean consistency across all RBridges in the LAALP's AAE? Is that consistency provided by the LAALP? If not, it sounds like a difficult configuration task. Since it appears that this consistency is important to the design of the active-active multi-attachment, I would think that some mention of how to produce or maintain the consistency would be a good idea, even if only a mention that it is provided by XYZ. RFC7357 speaks of the possibility of hundreds or thousands of ESADI routers in an RBridge cloud (section 4), and of all ESADI routers being "directly connected by a multi-access virtual link" (section 2.1) - does this consistency need to be maintained at that scale? RFC6325 section 4.4.3 says that an RBridge maintains a list of enabled VLANs per port, but not how that information is obtained. RFC6345 section 5.3 lists C-VLAN IDs as one of an RBridge's per-port configuration parameters. RFC6345 section 4.9.4 discusses the option for an RBridge to implement a VLAN registration protocol (VRP) to request that a VLAN be enabled on a port. Could the VRP maintain the consistency needed across all RBridges in an LAALP's AAE? I have found some statements that GVRP does not synchronize between switches, but MVRP propagates information to other bridges. However, the text in 4.9.4 indicates that an RBridge requests that a VLAN be enabled on its ports, and that it sends VRP frames to request Designated VLAN traffic but "to not request traffic in any other VLAN". IANA Considerations section: The IANA considerations section of RFC7357 says of registration of new APPsub-TLV Types: The RFC causing such an assignment will also include a discussion of security issues and of the rate of change of the information being advertised. I do not see a discussion of the rate of change of the new TLVs introduced by this draft. The security considerations section of this draft refers to RFC7357 for any discussion of the "extensions transported by TRILL ESADI". +++++++++++++ Security comments and a discourse: I have no security concerns specific to this draft. The security considerations section refers to RFC6325 (which defines TRILL), RFC5310 (which defines authentication for IS-IS, which TRILL uses), and RFC7357 (which defines the ESADI protocol, which is a sub protocol of/in/for TRILL, and which this draft extends). IS-IS authentication, and hence TRILL, hence ESADI, hence this draft, authenticates the speaker (to some granularity), but does not provide authorization information. Any legitimate speaker of the protocol is able to produce bogus information in its packets, speak for other participants, etc. This is recognized, though seldom stated explicitly, in routing protocols in general. The difficulty is not with this draft but the underlying protocols it extends. It is very difficult to protect a routing protocol from bad behavior by legitimate participants. I would not expect that protocol designers would be required to provide such protection. I do wonder if any one is giving any thought to the damage that could be created by a legitimate participant introducing bogus data. (Any such analysis could be mentioned as a caution to the operator.) For example. In TRILL, has anyone considered what would happen if a RBridge sent TRILL Control or TRILL Data packets with another RBridge's nickname? I see several drafts that are concerned with prevention of duplicate nicknames, which would hint that duplicates would be bad for the protocol, but I have not worked out just what damage would be produced. (see the following drafts which mention solutions for nickname collisions draft-hu-trill-pseudonode-nickname-01 draft-perlman-trill-rbridge-multilevel draft-zhang-trill-multilevel-single-nickname-01) RFC5310 notes that the authentication is not to the level of an individual IS-IS speaker: It should be noted that authentication method described in this document is not being used to authenticate the specific originator of a PDU, but is rather being used to confirm that the PDU has indeed been issued by an intermediate system that had access to either the area or domain password, depending upon the kind of PDU it is. RFC6325's Security Considerations section discussion of bad protocol data is focused on rogue end stations, nor rogue RBridges. The best defense against forged TRILL-Hello frames or other IS-IS messages is the use of IS-IS security [RFC5304] [RFC5310]. Rogue end stations would not normally have access to the required IS-IS keying material needed to forge authenticatible messages. RFC7178 (which RFC7175 builds on, where RFC7175 is used by RFC7177, which updates RFC6325) specifically notes the lack of protection of the nickname: See [RFC6325] for general TRILL security considerations. As stated therein, no protection is provided by TRILL against forging of the Ingress Nickname in a TRILL Data formatted channel message or the Outer.MacSA in a native RBridge Channel frame on an Ethernet link. (I did not find this "stated therein" in RFC6325, unless you could call absence of statement as a statement.) For many routing protocols, the excuse/reason for not considering rogue participants is that the protocol is used by a single operator, so damage would be limited. RFC7455 (TRILL Fault Management) says this clearly: Generally, a single operator manages each TRILL campus; hence, there is no risk of security exposure. However, in the event of multi- operator deployments, operators should be aware of possible exposure of device-specific information, and appropriate measures must be taken. Recently, however, there has been work to extend TRILL to BGP environments. (See draft-hao-idr-trill-ls and draft-ietf-l2vpn-trill-evpn-02.) The use case is frequently data centers, which you might argue is still a single operator. But a feature built into BGP, intended for use in such restricted circumstances, could be used in other inter-domain environments. In either scenario, TRILL carried inter-domain would present security problems, if only in configuration of the authentication strings/keys. Authentication keying material: The chain of RFCs describing authentication keying makes it look like the configuration of keying material for inter-domain transport of TRILL PDUs might be complicated. Or maybe operators are used to this configuration by now. Or maybe they just configure all the authentication keys to be the same (likely, but I'm not recommending that and it would not work well in inter-domain). RFC5310 says that the Level 1 Sequence Number and Link State PDUs (TRILL uses only Level 1) are authenticated using the "Area Authentication string" and HELLO PDUs are authenticated using the "Link Level Authentication string". [Level 2 PDUs have a "domain authentication string" - which means that multi-level TRILL, currently under consideration in the TRILL wg, may have to stipulate what key TRILL will use.] RFC6325 says only that IS-IS authentication should be used, but not which string to use. Perhaps it was too obvious to mention that the TRILL HELLO protocol will use the "Link Level Authentication string" just as for IS-IS HELLO, and the TLVs defined in RFC7156 that are carried in IS-IS LSPs will use the "Area Authentication string". RFC6325 says to use IS-IS authentication for the IS-IS PDUs but says nothing about the Data PDUs. (So perhaps the absence of any stated protection for TRILL Data packets is what RFC7178 meant by the "stated therein" mentioned above.) Countermeasures are available such as to configure the TRILL IS-IS and ESADI protocols to use IS-IS security [RFC5304] [RFC5310] and ignore unauthenticated TRILL control and ESADI frames received. RBridges using IS-IS security will need configuration. (I like the "need configuration" part - sorts of sums it up, doesn't it?) RFC7357 (ESADI) says that ESADI packets are carried as TRILL Data packets: TRILL ESADI packet payloads are structured like IS-IS Extended Level 1 Circuit Scope (E-L1CS) LSP, CSNP, and PSNP PDUs [RFC7356], except as indicated below, but are always TRILL encapsulated on the wire as if they were TRILL Data packets. which if I interpret RFC6325 about authentication correctly (see above about Data PDUs) means that TRILL does not provide IS-IS authentication for ESADI. However, a ESADI PDU may include its own Authentication TLV. The ESADI authentication key can be derived from the TRILL key: The ESADI authentication keying material used is derived from the IS-IS LSP shared secret keying material as detailed below. ... HMAC-SHA256 ( "TRILL ESADI", IS-IS-LSP-shared-key ) and "LSP" part seems consistent with the obvious suggestion above that TRILL would be using the IS-IS "Area Authentication string", as that is what is used with LSPs. RFC7175 (TRILL BFD Support) says that the BFD key is derived from the TRILL key: The BFD authentication keys between neighbor RBridges by default are derived from the IS-IS shared secret authentication keys for Hellos between those RBridges as detailed below. However, such BFD authentication keys MAY be configured to some other value. HMAC-SHA256 ( ( "TRILL BFD Control" | originPortID | originSysID ), IS-IS-shared-key ) which if I'm right about the TRILL HELLO protocol would mean that the IS-IS-shared-key would be the IS-IS "Link Level Authentication string". --Sandy
- [secdir] secdir review of draft-ietf-trill-aa-mul… Sandra Murphy
- Re: [secdir] secdir review of draft-ietf-trill-aa… Donald Eastlake