Re: [secdir] Secdir review of draft-ietf-trill-multilevel-unique-nickname-05

Donald Eastlake <d3e3e3@gmail.com> Sun, 04 March 2018 18:58 UTC

Return-Path: <d3e3e3@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0674124C27; Sun, 4 Mar 2018 10:58:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Level:
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KzciUOw4-aZV; Sun, 4 Mar 2018 10:58:27 -0800 (PST)
Received: from mail-it0-x22a.google.com (mail-it0-x22a.google.com [IPv6:2607:f8b0:4001:c0b::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 549121205D3; Sun, 4 Mar 2018 10:58:27 -0800 (PST)
Received: by mail-it0-x22a.google.com with SMTP id e64so7417471ita.5; Sun, 04 Mar 2018 10:58:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=1tWdmPO2wnriAcdkUBLjOvGXX0NmvMUVNIMRmvxkqa0=; b=YsWIEjzoRJXD67dv+xM6NqOhGDH70Hdz4BGsC4HlHrEXALnLWtfCZNF9HL+X8We3xZ HPs7PvX5TwmlSGRGMS01sm7hPz29L68hDdbFuqp4qpHQonM7Ap/wjoKGb7K6wbcptts2 gftGMmD+ggnMQYGHTg/ZkCVPhTyx/wWK0zjJQxJ1ikZjakxJxMi1ePVNFPPnEyjHUVxp EjqrPJWOkCJygsrjIE3wxZImJg5mSTY0GripY+QKsPZc/iBOzUvHU8NC1aEUpg/IqNaD pcZvWGNcv6bE5BIvOc2CGEhmwBTv1SL44syJOQu797Db2CbPNK/SNu7sel/XuQazdeHy x8pQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=1tWdmPO2wnriAcdkUBLjOvGXX0NmvMUVNIMRmvxkqa0=; b=hjcWVPCn1ixXpTdvqqLAC7YlhnErzyTZ72dxEIymSDekm5OdYp+6HTfHQU8/mcXNd1 T0MDRjYkKWoIl1QoEIwxHZHl5ByG/mRaXGjSKY6PrEQaK4LkuEF8Y6ne30gtXXnODF59 FzUrXgk3HT2kwS9nNyi4Uvtw2ahR6/QtFWXpavNImMrzuREIG2xIK9Kk23thSNOOmt56 aNUp9UtzLR/0xPWh0ZBtC40azWxSkvQOtk68JvXhYPaAe2T3seP8qwoL85ZEOycmhhTu Ga/B/NpcRiBtulL3UuNzFU6equGwBkteirtMopstlYoCFrvfen4gAv/SnTC9BeQyNqqB sh6w==
X-Gm-Message-State: AElRT7GkXwfU0TmhILgpFDtrvn50avFwUMUrbKvRLCd1LMg7usYO37Li diSLRqlRgGu60eoNugNN6p+Eq0Y+dte59iALFe07wiJs
X-Google-Smtp-Source: AG47ELswnGkRdBJEPLlA17c2BxkuJ9ANljSe6UZHriuiV33D9CrcEc74Z54ZhnEUlOxX6i3aTTG4qzWBiu16AUb8Ta0=
X-Received: by 10.36.50.196 with SMTP id j187mr10954749ita.85.1520189906365; Sun, 04 Mar 2018 10:58:26 -0800 (PST)
MIME-Version: 1.0
Received: by 10.107.58.193 with HTTP; Sun, 4 Mar 2018 10:58:10 -0800 (PST)
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC0137F6E1D1@marathon>
References: <359EC4B99E040048A7131E0F4E113AFC0137F6E1D1@marathon>
From: Donald Eastlake <d3e3e3@gmail.com>
Date: Sun, 4 Mar 2018 13:58:10 -0500
Message-ID: <CAF4+nEHUNkiXOJrKpeb-esX75mH6xC6_C1scR4Mf8dOugRHohA@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-trill-multilevel-unique-nickname.all@ietf.org" <draft-ietf-trill-multilevel-unique-nickname.all@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/pin_pmIk9JtE20hcLB6hUtOKRN8>
Subject: Re: [secdir] Secdir review of draft-ietf-trill-multilevel-unique-nickname-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Mar 2018 18:58:30 -0000

Hi Roman,

Thanks for doing a review. See responses below.

On Fri, Mar 2, 2018 at 9:00 PM, Roman Danyliw <rdd@cert.org>; wrote:
> Reviewer: Roman Danyliw
> Review result: Ready with nits
>
> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.
>
> The summary of the review is Ready with nits.
>
> My feedback is as follows:
>
> (1) Section 4.1, Multilevel TRILL Basics, Page 8
>
> Thus Level 1 link state
> information stays within a Level 1 area and Level 2 link state
> information stays in Level 2 unless there are specific provisions for
> leaking (copying) information between levels.
>
> ** What are these provisions where such leakage of information should occur beyond expected routing behavior?

Typically "link state" information stays within a Level 1 area or
within the Level 2 routers. Occasionally there is information that it
is desirable to  flood throughout the domain at both Level 1 and Level
2. IS-IS "link state" information is in the form of TLVs. Typically
this domain wide flooding is accomplished by using two flags in the
value portion of the TLV. One flag indicates the the TLV is to be
flooded domain wide while the other is initially zero and is set when
the TLV is flooded from Level 2 to Level 1 -- this second flag is to
stop a TLV from being flooded from Level 2 to Level 1 and then back to
Level 2 again resulting in TLV looping. See, for example, the IS-IS
Router Capabilities TLV D and S flags as specified in Section 2 of RFC
7981.  This is all standard IS-IS machinery that someone familiar with
IS-IS would know -- there is nothing TRILL specific about it.

> (2) Section 4.2, Nickname Allocation, Page 8-9.
>
> Level 2 RBridges contend for nicknames in the range from 0xF000
> through 0xFBFF the same way as specified in [RFC6325], using Level 2
> LSPs. The highest priority border router for a Level 1 area should
> contend with others in Level 2 for smallish blocks of nicknames for
> the range from 0x0001 to 0xEFFF. Blocks of 64 aligned on multiple of
> 64 boundaries are RECOMMENDED in this document.
>
> ** This text provides guidance to allocate nicknames from the range 0x0001 - 0xFBFF (0x0001 - 0xEFFF and 0xF000 - 0xFBFF); and Section 3.7 of RFC6325 says that 0xFFC0 - 0xFFFF and 0x0 are reserved.  Collectively, these two documents leave the range of 0xFC00 - 0xFFBF unspecified.  If that's intentional, describe how these values should be handled. Or, perhaps there a typo and L2 Rbridges should allocate from 0xF000 - 0xFFBF (i.e., s/0xFBFF/0xFFBF/)?

I believe it's a typo and is should by 0xF000 - 0xFFBF.

> ** (Editorial) The language "smallish blocks of nicknames" seems imprecise.

I think we could just delete the word "smallish".

> (3) Section 6, Security Considerations, Page 12.
>
> With TRILL multilevel, flooding of control traffic for link state
> information of Level 1 and Level 2 is separated. This addresses the
> TRILL scalability issues as specified in Section 2 of [RFC8243] and
> also confines the effective scope of possible malicious events.
>
> ** Per the sentence "With TRILL ... is separated", I recommend clarifying the language on what and in what way there is separation

This is basic to multilevel IS-IS and anyone familiar with that would
understand. We could add a reference to IS-IS.

> ** Per the follow-up sentence, "... also confines the effective scope of possible malicious events", I recommend discussing in more detail how the scope of malicious events is reduced with this approach.

I suggest the following replacement text:

   Since TRILL multilevel uses the existing IS-IS multilevel
facilities [IS-IS], flooding of control traffic for link state
information is automatically confined to a Level 1 area or to Level 2
except (for limited types of information that can be specifically
flagged for wider flooding). This addresses the TRILL scalability
issues as specified in Section 2 of [RFC8243] and also, except of the
wider flooding case, this confines the scope of the effects of
malicious events that could be communicated through the link state.

> (4) Section 6, Security Considerations, Page 12.
>
> However, due to the nature that unique nickname areas share a unique
> nickname space, border RBridges still have to leak nickname
> information between levels. For this purpose, border RBridges need to
> fabricate the nickname announcements as specified in Section 4.3.
>
> ** As it is raised as an issue with a mitigation, I recommend articulating the implication of leaking nicknames across levels.

Since nicknames must be unique across the multi-level domain, and
nicknames in TRILL are auto-allocated, clearly RBridges inside an area
need to know what nicknames are in use, which is the effect and
purpose of leaking nickname claim information across levels. I suggest
the following wording:

    However, due to the nature that unique nickname areas share a
common nickname space, border RBridges still have to leak nickname
information between levels. Such leaking means that nickname related
events in one area can affect other areas. For this purpose, border
RBridges need to fabricate the nickname announcements as specified in
Section 4.3.

> (5) Section 6, Security Considerations, Page 12.
>
> Malicious devices may also fake the NickBlockFlags APPsub-TLV to
> announce a range of nicknames. By doing this, the attacker can
> attract TRILL data packets that are originally to reach a bunch of
> other RBridges.
>
> ** Recommend articulating the implications of a rogue device changing the path -- it might deny service, expose traffic to inspection, etc.

This is not that much different from an RBridge announcing low cost to
some MAC address to attract data packets. It is typical that all
routers in some routing domain have to be, to a reasonable extent,
trusted since there is a large variety of information they could
maliciously announce to cause problems. If a rogue router makes false
announcements to attract traffic, typically the traffic goes to that
router and not to the intended destination. Anyone familiar with
common routing techniques would be aware of this.

> ** (Editorial) Recommend alternate language for the colloquial "... bunch of other RBridges"

bunch -> number

> (6) Section 6, Security Considerations, Page 12.
>
> For this reason, RBridges SHOULD be configured to
> include the IS-IS Authentication TLV (10) in the IS-IS PDUs that
> contains the NickBlockFlags APPsub-TLV, so that IS-IS security
> ([RFC5304] [RFC5310]) can be used to secure the network.
>
> ** Should a preference be expressed for RFC5310 over RFC5304?  To quote RFC5310, "[while at the time of this writing there are no openly published attacks on the HMAC-MD5 mechanism, some reports ([Dobb96a], [Dobb96b]) create concern about the ultimate strength of the MD5 cryptographic hash function."

I would agree that RFC 5310 security is superior to RFC 5304 security.
Perhaps references to 5304 can be removed.

> ** Recommend being more specific with the language "to secure the network".  Perhaps "For this reason, RBridges SHOULD authenticate their peer by using the IS-IS Authentication TLV (10) in the IS-IS PDUs that contains the NickBlockFlags APPsub-TLV."

Suggest replacing "to secure the network" with "to authenticate those
PDUs and discard them if they are forged."

> (7) Section 6, Security Considerations, Page 12.
>
> If border RBridges do not prune multi-destination distribution tree
> traffic in Data Labels that are configured to be area local, then
> traffic that should have been contained within an area might be
> wrongly delivered to end stations in that Data Label in other areas.
> This would generally violate security constraints.
>
> ** Recommend being more specific on the security constraints being violated

OK.

Thanks,
Donald
===============================
 Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
 155 Beaver Street, Milford, MA 01757 USA
 d3e3e3@gmail.com