IETF Logo Mail Archive

Re: [secdir] secdir review of draft-ietf-rtgwg-cl-requirement-10

Curtis Villamizar <curtis@ipv6.occnc.com> Thu, 20 June 2013 17:19 UTC

Return-Path: <curtis@ipv6.occnc.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF8CD21F9D98; Thu, 20 Jun 2013 10:19:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.495
X-Spam-Level:
X-Spam-Status: No, score=-0.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WdT64bDH8RSy; Thu, 20 Jun 2013 10:18:58 -0700 (PDT)
Received: from gateway1.orleans.occnc.com (unknown [173.9.106.132]) by ietfa.amsl.com (Postfix) with ESMTP id 9D85921F9E8B; Thu, 20 Jun 2013 10:18:54 -0700 (PDT)
Received: from harbor1.ipv6.occnc.com (harbor1.ipv6.occnc.com [IPv6:2001:470:1f07:1545::2:819]) (authenticated bits=0) by gateway1.orleans.occnc.com (8.14.5/8.14.5) with ESMTP id r5KHHaaW004832; Thu, 20 Jun 2013 13:17:38 -0400 (EDT) (envelope-from curtis@ipv6.occnc.com)
Message-Id: <201306201717.r5KHHaaW004832@gateway1.orleans.occnc.com>
To: Tom Yu <tlyu@MIT.EDU>
From: Curtis Villamizar <curtis@ipv6.occnc.com>
In-reply-to: Your message of "Wed, 19 Jun 2013 23:58:21 EDT." <ldvbo71v3fm.fsf@cathode-dark-space.mit.edu>
Date: Thu, 20 Jun 2013 13:17:36 -0400
X-Mailman-Approved-At: Thu, 20 Jun 2013 10:20:13 -0700
Cc: draft-ietf-rtgwg-cl-requirement.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-rtgwg-cl-requirement-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: curtis@ipv6.occnc.com
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jun 2013 17:19:04 -0000

In message <ldvbo71v3fm.fsf@cathode-dark-space.mit.edu>
Tom Yu writes:
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>  
> This document states many requirements on properties of proposed
> solutions, but it seems that none of these requirements is a security
> requirement.  If nodes need to send new information that existing
> routing or signaling protocols do not currently send, what level of
> protection does that information require?

Hi Tom,

> In the Security Considerations section, I'm not sure what the intent
> is in using the phrasing "man-in-the-middle confidentiality breach".
> I generally consider "man-in-the-middle" to mean an active attacker
> (one that can receive, suppress, modify, and transmit arbitrary data);
> this type of attacker primarily has consequences for integrity.  (An
> active attacker could also compromise the confidentiality of a channel
> that is secure against passive attackers).  A passive attack is often
> sufficient to compromise confidentiality, especially if a protocol
> sends information in the clear.

The entire one paragraph section is:

   This document specifies a set of requirements.  The requirements
   themselves do not pose a security threat.  If these requirements are
   met using MPLS signaling as commonly practiced today with
   authenticated but unencrypted OSPF-TE, ISIS-TE, and RSVP-TE or LDP,
   then the requirement to provide additional information in this
   communication presents additional information that could conceivably
   be gathered in a man-in-the-middle confidentiality breach.  Such an
   attack would require a capability to monitor this signaling either
   through a provider breach or access to provider physical transmission
   infrastructure.  A provider breach already poses a threat of numerous
   tpes of attacks which are of far more serious consequence.  Encrption
   of the signaling can prevent or render more difficult any
   confidentiality breach that otherwise might occur by means of access
   to provider physical transmission infrastructure.

What is meant by "man-in-the-middle confidentiality breach" is a
man-in-the-middle situation in which the extent of damage is loss of
confidentiality due to routing protocols generally being authenticated
but in the clear, in this case the OSPF-TE and ISIS-TE.  This is no
different, except now additional information is present, such as
delay.  Providers already feel that topology is sensitive information
that they would prefer competitors didn't have and delay would be at
least as sensitive.

The sentence in question is the first third "If these requirements are
met using MPLS signaling as commonly practiced today with
authenticated but unencrypted OSPF-TE, ISIS-TE, and RSVP-TE or LDP,
then the requirement to provide additional information in this
communication presents additional information that could conceivably
be gathered in a man-in-the-middle confidentiality breach."

> What scope of compromise does "provider breach" designate?

What is meant by "provider breach" is any breach in which equipment
used in the provider infrastructure or management of that
infrastructure is fully compromised.  It is well known that really bad
things can happen if a router is compromised and can inject bad
information.  It is also well known that bad things can happen if
there is a compromise of management systems and in some cases
workstations involved in network management.

The access to physical transmission infrastructure means being able to
listen in on microwave or being able to put a bend in fiber and get
som light to leak out or somehow otherwise monitoring the signal,
demodulating it, and looking at anything in the clear.

The entire section is acknowledging an imperfect status quo and trying
to say that it makes it no worse.  Perhaps is does so unclearly.
Maybe we could just replace the section with the standard boilerplate:

   The security considerations for MPLS/GMPLS and for MPLS-TP are
   documented in
   <xref target="RFC5920" /> and
   <xref target="RFC6941" />.
   This document does not impact the security of MPLS, GMPLS, or
   MPLS-TP.

That would certainly be more clear.  This type of boilerplate is in
the framework document but could be moved to the requirements
document.  See draft-ietf-rtgwg-cl-framework.

Would you prefer a wholesale replacement, or fixing up the existing
wording to make it more clear?  If the latter, can you please suggest
text that you feel is clear.  I prefer the two sentence replacement
above since it is clear and simple and accurate.

> Editorial:
>  
> This document uses many acronyms without expanding them -- almost all
> of them, from what I can see.  Some of the more prominent ones include
> DSCP, LDP, LSP, PW, RSVP-TE.  Arguably terms such as MPLS, VLAN, and
> VPN count as well-known acronyms in the IETF community.

Stewart Bryant pointed this out and I have made changes and sent the
diffs to Stewart.

Curtis

v2.23.0 | Report a Bug | By Email