Re: [secdir] Secdir early review of draft-ietf-bier-ping-08
Greg Mirsky <gregimirsky@gmail.com> Fri, 19 May 2023 19:40 UTC
Return-Path: <gregimirsky@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FFCAC14CEFA; Fri, 19 May 2023 12:40:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.407
X-Spam-Level:
X-Spam-Status: No, score=0.407 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_COMMENT_SAVED_URL=1.391, HTML_MESSAGE=0.001, HTML_TAG_BALANCE_BODY=0.1, MANY_SPAN_IN_TEXT=1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_HTML_ATTACH=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dHm57mJ_WFah; Fri, 19 May 2023 12:40:29 -0700 (PDT)
Received: from mail-yw1-x1130.google.com (mail-yw1-x1130.google.com [IPv6:2607:f8b0:4864:20::1130]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C62D3C14F738; Fri, 19 May 2023 12:40:28 -0700 (PDT)
Received: by mail-yw1-x1130.google.com with SMTP id 00721157ae682-561d249f045so31507657b3.2; Fri, 19 May 2023 12:40:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1684525228; x=1687117228; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=/9VbNN2nqZWMnNbv0/s4C08vmhwfeOQ7edQZyjMETzE=; b=NhhhrxvUC25xNMDGbFVuQDHF8A3M7eB4MPFEreLQhiLGk69QPCPAx8jOY/ls6+VfvK Gl4kaax1ppOuGufAjT+itbtPOXTOsUg62qJDZg0c0YfLIS0LZs4gj8bPPWI1L5vrNCEv YdjvwTZ4OIaowgB/Q3tsPJB7HR9h7L4Z2t1EqRANev4JeiF1apwm/fVPF5QtSIHa/8QQ zYT8wAj5jK02zFqeYX/5Mh/mJOWMRAxKMx/+Xzdv9jSBa5iFf1lvwvtl1n2bzr4a+wRM bEwKvM0QCz4CKJzcp7c8yTsyGkLF8wCZXyXODHeAV6Gbkzz28pSA5cucttbCkm3zWWlc FI3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1684525228; x=1687117228; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=/9VbNN2nqZWMnNbv0/s4C08vmhwfeOQ7edQZyjMETzE=; b=KI7NWkTvlZXz5QkKI4vnPpE5f9H50V0wCgXlPhmd/zGm1iwJEc3Cz6WGO/JWiXzRdv NxAeBbBRmvKsZ4Q20oj2+B1l5f/o+VCoZBQdP8nSIc8fjPXymEJrPmoy0KqPwieJh/sO O/v8b5JWRJseM0t8Osvzez9CbxG35HNZ4jDEKb2+X2i0SjtP3h9YNLUaBtokJhHMEZrY 08YaMJwZjbofaj83yZO3TPiDTzxAlumoOI4Akt2GQmGZRE7YfF0qzO2rVUcTK6yQWIjU hJWAwG0XXmhkdJ9cFZnSq/HBYgrPelgQ0S1Il9wDG+F9j0khmcVMVDAIyNxjsWZCBz5h biGw==
X-Gm-Message-State: AC+VfDyvaQNIWSnGqn7l9SG0JQjlsmxiiDCQXBT8PR+wmgJUBmZgkOBX U/m+sNCxdcbALVM09uEGf3nAfA1i311QFcVIlqUvT3P7
X-Google-Smtp-Source: ACHHUZ47x74dNxU255TUcOGl4TrgGnWhxgSzn+tsf82vS5Y5LMmOmv/d/IlNU8xxmECsjM+WvSiZ3JVqeL9xIujoXZ4=
X-Received: by 2002:a0d:ea53:0:b0:561:dd6a:b84 with SMTP id t80-20020a0dea53000000b00561dd6a0b84mr3040583ywe.26.1684525227632; Fri, 19 May 2023 12:40:27 -0700 (PDT)
MIME-Version: 1.0
References: <168211282687.57523.15929122717485483178@ietfa.amsl.com> <CA+RyBmVb5O2GRt+baZj5uaz4GA0jEO8ddURk8S3Yc02y6rDueA@mail.gmail.com> <cb7865a7-f0c2-10d2-4745-926e40958371@mandelberg.org> <CA+RyBmUnjtfo=guv9_2RRH=zH5OVG9HuX1JKoEnRJVhN=Uf-kA@mail.gmail.com> <70d489f8-36cb-0a30-1af9-4d6c1dae920d@mandelberg.org> <CA+RyBmU5760+j87=YKC0JdVQXf-eOVaJqO4sJ4_vUBDY4JT9WA@mail.gmail.com>
In-Reply-To: <CA+RyBmU5760+j87=YKC0JdVQXf-eOVaJqO4sJ4_vUBDY4JT9WA@mail.gmail.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Fri, 19 May 2023 12:40:15 -0700
Message-ID: <CA+RyBmXYfJhp-Q4QYA9y4VVroK4_B5oQ1X0fBhZGCHc5Y4b2JQ@mail.gmail.com>
To: David Mandelberg <david@mandelberg.org>
Cc: secdir@ietf.org, bier@ietf.org, draft-ietf-bier-ping.all@ietf.org
Content-Type: multipart/mixed; boundary="000000000000cf38c205fc11175e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/t5AfZuCE0Xf31TH9d2o-Mp5aMi4>
Subject: Re: [secdir] Secdir early review of draft-ietf-bier-ping-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 May 2023 19:40:31 -0000
Hi David, a new version of the draft includes updates we've discussed. Also, it includes updates resulting from discussions of reviews by IntDir and RtgDir experts. I would appreciate it if you could review the updates (diff between the -08 version and the current version 10 is attached for your convenience). Please let me know if you have any further questions. Best regards, Greg On Wed, May 10, 2023 at 9:18 PM Greg Mirsky <gregimirsky@gmail.com> wrote: > Hi David, > thank you for the discussion. Please find my notes below under the GIM>> > tag. > > Regards, > Greg > > On Tue, May 9, 2023 at 5:04 PM David Mandelberg <david@mandelberg.org> > wrote: > >> I'm not familiar with LSP ping, but I just skimmed the security >> considerations section of that RFC. Unless I missed something (which is >> possible), it looks like it only talks about DoS attacks against the >> recipient of the ping, not amplification to attack a third party using >> the reply. With LSP ping, are the requests and responses roughly the >> same size? If they are, then that seems to be a key difference between >> BIER ping and LSP/ICMP ping, so it should be covered in BIER ping's >> security considerations. >> > GIM>> I think that LSP Ping and BIER Ping are closer to each other > functionally than to ICMP. As we noted in the draft, some informational > elements used in the LSP Ping are equally applicable in BIER Ping (DDMAP). > >> >> As for suggesting additional text/reference, how difficult would it be >> in practice for an attacker to spoof the source address in BIER ping? >> (That's the part I really don't have a sense of.) If it's pretty >> difficult, then it's probably enough to just point that out as the >> reason DDoS amplification isn't a big concern. If it's not that hard, >> then there might be a bigger problem. >> > GIM>> I think that such a scenario in BIER is as difficult as in an MPLS > network. Thank you for the suggestion. I will add that in the next version. > >> >> >> Op 2023-05-09 om 17:43 schreef Greg Mirsky: >> > Hi David, >> > that's a valid point. I may compare the scenario you describe with the >> > commonly used in LSP Ping identical reply mode, i.e., over IPv4/IPv6 >> > network. In that case, the MPLS label stack may not identify the Echo >> > Request sender, and the receiving node relies on the source IP address >> > in the IP/UDP header that immediately follows the label stack. It seems >> > like methods to mitigate the risk of exploiting LSP Ping as a DDoS >> > attack described the Security Consideration in RFC 8029 accepted as >> > sufficient. In our draft, we point them as equally relevant for BIER >> > Ping. Would you suggest an additional text or reference for >> > draft-ietf-bier-ping? >> > >> > Regards, >> > Greg >> > >> > On Tue, May 9, 2023 at 12:37 PM David Mandelberg <david@mandelberg.org >> > <mailto:david@mandelberg.org>> wrote: >> > >> > The Reply-To TLV stood out to me as the easiest way to redirect >> return >> > traffic to a vicim, but not necessarily the only way. Can the BFIR >> > ID be >> > spoofed to get return traffic sent to an unsuspecting third party? >> > >> > Op 2023-05-08 om 12:16 schreef Greg Mirsky: >> > > Hi David, >> > > thank you for your thoughtful comments. After reviewing the use >> > > scenario, we decided to remove the Reply-To TLV. The BIER Header >> > > includes the BFIR ID that can be used to derive the IP address of >> > the >> > > Sender. I hope that addresses your concern.The new version of the >> > draft >> > > <https://datatracker.ietf.org/doc/draft-ietf-bier-ping/ >> > <https://datatracker.ietf.org/doc/draft-ietf-bier-ping/>> also >> includes >> > > updates addressing early reviews from Rtg and Int areas. >> > > Please let me know if you have any further questions. >> > > >> > > Best regards, >> > > Greg >> > > >> > > On Fri, Apr 21, 2023 at 2:33 PM David Mandelberg via Datatracker >> > > <noreply@ietf.org <mailto:noreply@ietf.org> >> > <mailto:noreply@ietf.org <mailto:noreply@ietf.org>>> wrote: >> > > >> > > Reviewer: David Mandelberg >> > > Review result: Has Nits >> > > >> > > This mostly looks good, I think. >> > > >> > > My only concern is about if/how this could be exploited to >> DDoS >> > > third parties. >> > > It looks like there are a few ways that the responses can be >> > larger >> > > than the >> > > requests, either by responders adding additional TLVs, or by >> > multiple >> > > responders responding to the same request. I'm not sure how >> > much of >> > > a risk >> > > source address spoofing is in the request's outer header, >> but it >> > > looks like the >> > > Reply-To TLV can be used to send responses to another address >> > anyway, >> > > regardless of the source address. So if this were on the open >> > > internet, I'd >> > > expect attackers to abuse it to send lots of data to their >> > targets. >> > > But from >> > > the mentions of MPLS, I'm guessing that this is not meant to >> > be used >> > > on the >> > > open internet? So it might not be an issue in the >> > environments this >> > > is intended >> > > to be deployed in, or there might be some other mitigation. >> > > >> > > >> > >> >
- [secdir] Secdir early review of draft-ietf-bier-p… David Mandelberg via Datatracker
- Re: [secdir] Secdir early review of draft-ietf-bi… Greg Mirsky
- Re: [secdir] Secdir early review of draft-ietf-bi… David Mandelberg
- Re: [secdir] Secdir early review of draft-ietf-bi… Greg Mirsky
- Re: [secdir] Secdir early review of draft-ietf-bi… David Mandelberg
- Re: [secdir] Secdir early review of draft-ietf-bi… Greg Mirsky
- Re: [secdir] Secdir early review of draft-ietf-bi… Greg Mirsky
- Re: [secdir] Secdir early review of draft-ietf-bi… David Mandelberg