Re: [secdir] [sfc] Secdir last call review of draft-ietf-sfc-oam-framework

"Nagendra Kumar Nainar (naikumar)" <naikumar@cisco.com> Mon, 27 April 2020 14:35 UTC

From: "Nagendra Kumar Nainar (naikumar)" <naikumar@cisco.com>
To: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>, "Carlos Pignataro (cpignata)" <cpignata@cisco.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-sfc-oam-framework@ietf.org" <draft-ietf-sfc-oam-framework@ietf.org>
Date: Mon, 27 Apr 2020 14:35:42 +0000
Message-ID: <760DA3B5-3B10-4786-8EC9-B107BFEBAC28@cisco.com>
In-Reply-To: <CY4PR1601MB1254E6CD2D9C4558EAFF21F5EAAE0@CY4PR1601MB1254.namprd16.prod.outlook.com>
X-Files: Diff_ draft-ietf-sfc-oam-framework-13.txt - draft-ietf-sfc-oam-framework-14.txt.html, draft-ietf-sfc-oam-framework-14.txt : 40725, 47705
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/u0RUK1kiqwCtmFgR4N8SrEJ7qfM>

Hi Tirumaleswar,

Hope you are doing good.

Thank you for the review and the comments/suggestions. Please find the diff attached that incorporates the comments.

We will submit the new version with the changes. Let us know if you have any further comments.

Thanks,
Nagendra 

On 4/26/20, 3:24 AM, "sfc on behalf of Konda, Tirumaleswar Reddy" <sfc-bounces@ietf.org on behalf of TirumaleswarReddy_Konda@McAfee.com> wrote:

    Hi Carlos,
    
    Please see inline 
    
    > -----Original Message-----
    > From: Carlos Pignataro (cpignata) <cpignata@cisco.com>
    > Sent: Saturday, April 25, 2020 9:29 AM
    > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
    > Cc: secdir@ietf.org; sfc@ietf.org; draft-ietf-sfc-ioam-nsh.all@ietf.org
    > Subject: Re: [sfc] Secdir last call review of draft-ietf-sfc-oam-framework
    > 
    > Hi, Tiru,
    > 
    > Many thanks for the review, and great to hear from you!
    > 
    > I hope all is well — Please see inline.
    
    Thanks, I’m fine, and I hope all is well with you too.
    
    > 
    > > On 2020/04/20 at 3:28 AM, Konda, Tirumaleswar Reddy
    > <TirumaleswarReddy_Konda@McAfee.com> wrote:
    > >
    > > Reviewer: Tirumaleswar Reddy
    > > Review result: Ready with issues
    > >
    > >
    > > I reviewed this document as part of the security directorate's ongoing
    > > effort to review all IETF documents entering the IESG.  These comments
    > are directed at the security area director(s).  Document editors and WG
    > chairs should treat these comments like any other last call comments.
    > >
    > > This document provides a reference framework for OAM for SFC.
    > >
    > > Comments:
    > >
    > > 1. The document in Section 8 discusses various attacks (including both
    > > security and privacy) but does not discuss any protection mechanisms
    > other than proposing rate-limiting.  It is suggesting drafts proposing the OAM
    > solution should address the attacks but I don’t see any security mechanisms
    > discussed in draft-ietf-sfc-ioam-nsh to address the attacks.
    > >
    > 
    > Since the document already clarifies that it does not define solutions, it
    > cannot define security consideration for those solutions, beyond saying that
    > those solutions ought to address security considerations in those areas. Any
    > security measures must be included and explained in the respective solution
    > document. I believe this comment requires potentially action on draft-ietf-
    > sfc-ioam-nsh but not on this draft.
    
    Yup. I see three solutions from SFC WG a) sfc-ioam-nsh b) ietf-sfc-proof-of-transit (Experimental) c) penno-sfc-trace (Expired). sfc-ioam-nsh is the only current standards track specification and it should address these attacks.
     
    > 
    > That said you are right regarding the specifics of the rate-limiting
    > recommendation. See the next answer for text.
    > 
    > Also, in re-reading Section 8, seems like this:
    > 
    >    To address the above concerns, SFC and SF OAM may provide mechanism
    >    for:
    > 
    > 
    > Should say
    > 
    >    To address the above concerns, SFC and SF OAM should provide
    > mechanisms
    >    for preventing:
    
    Yes.
    
    > 
    > 
    > 
    > > 2. More discussion is required on the internal attacks.
    > > (a) How are attack packets bypassing SFC detected and blocked ?
    > > (b) How is sensitive information protected from eavesdroppers ?
    > > (c) How is DoS/DDoS attack of misusing the OAM channel is mitigated ?
    > > (d) Rate-limiting blocks both good and bad OAM probes and is a weak
    > mitigation strategy. Anomaly detection (e.g., deep learning techniques) and
    > identifying the attacker look like a better strategy.
    > >
    > 
    > 
    > This is a good point. How about.
    > 
    > OLD:
    > 
    >    The documents proposing the OAM solution for SF component should
    >    consider rate-limiting the OAM probes at a frequency guided by the
    >    implementation choice.  Rate-limiting may be applied at the SFF or
    >    the SF . The OAM initiator may not receive a response for the probes
    >    that are rate-limited resulting in false negatives and the
    >    implementation should be aware of this.
    > 
    > 
    > NEW:
    > 
    > 
    >    The documents proposing the OAM solution for SF component should
    >    consider rate-limiting the OAM probes at a frequency guided by the
    >    implementation choice.  Rate-limiting may be applied at the SFF or
    >    the SF.  The OAM initiator may not receive a response for the probes
    >    that are rate-limited resulting in false negatives and the
    >    implementation should be aware of this. To mitigate any attacks that
    >    leverage OAM packets, future documents proposing OAM solutions
    >    should describe the use of any techniques to detect
    >    and mitigate anomalies and various security attacks.
    
    Works for me.
    
    Cheers,
    -Tiru
    
    > 
    > 
    > Would that work?
    > 
    > Please feel free to suggest textual improvements or changes.
    > 
    > Thanks,
    > 
    > Carlos.
    > 
    > > Cheers,
    > > -Tiru
    > > _______________________________________________
    > > sfc mailing list
    > > sfc@ietf.org
    > > https://www.ietf.org/mailman/listinfo/sfc
    
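The rate-limiting trade-off raised in the thread (a limit applied at the SFF or SF drops good and bad OAM probes alike, so the OAM initiator sees false negatives, whereas tracking probes per initiator lets the anomalous source be identified instead) can be made concrete with a small simulation. The code below is an added illustration written for this page; it is not from the thread, from draft-ietf-sfc-oam-framework, or from any SFC implementation. The fixed-window limiter, the initiator names and the traffic pattern are assumptions constructed for the example.

```python
"""Constructed model of OAM-probe rate limiting at an SFF (not from any
SFC implementation or from draft-ietf-sfc-oam-framework).

Two policies are compared on the same synthetic traffic:
  * global_rate_limit   - one counter shared by every initiator (the
                          rate-limiting the draft text suggests);
  * per_source_rate_limit - one counter per initiator plus an anomaly
                          flag, so an abusive source is isolated while
                          legitimate probes keep being answered.
A dropped probe never gets a response, which the initiator observes as a
false negative (the path looks broken although it is not).
"""
from collections import defaultdict
from dataclasses import dataclass


class WindowLimiter:
    """Fixed-window counter: at most `limit` probes per `window_ms`."""

    def __init__(self, limit: int, window_ms: int = 1000):
        self.limit = limit
        self.window_ms = window_ms
        self.window = None
        self.count = 0

    def allow(self, t_ms: int) -> bool:
        w = t_ms // self.window_ms
        if w != self.window:            # new window: reset the counter
            self.window, self.count = w, 0
        if self.count < self.limit:
            self.count += 1
            return True
        return False


@dataclass(frozen=True)
class OamProbe:
    t_ms: int    # arrival time at the SFF, milliseconds (constructed)
    src: str     # OAM initiator identity (constructed label)


def global_rate_limit(probes, limit):
    """Shared limiter for all initiators.
    Returns {src: (answered, dropped)}."""
    limiter = WindowLimiter(limit)
    stats = defaultdict(lambda: [0, 0])
    for p in sorted(probes, key=lambda p: p.t_ms):
        stats[p.src][0 if limiter.allow(p.t_ms) else 1] += 1
    return {s: tuple(v) for s, v in stats.items()}


def per_source_rate_limit(probes, limit, anomaly_drops):
    """One limiter per initiator. An initiator whose dropped count exceeds
    `anomaly_drops` is flagged for investigation.
    Returns ({src: (answered, dropped)}, flagged_sources)."""
    limiters = {}
    stats = defaultdict(lambda: [0, 0])
    flagged = set()
    for p in sorted(probes, key=lambda p: p.t_ms):
        lim = limiters.setdefault(p.src, WindowLimiter(limit))
        if lim.allow(p.t_ms):
            stats[p.src][0] += 1
        else:
            stats[p.src][1] += 1
            if stats[p.src][1] > anomaly_drops:
                flagged.add(p.src)
    return {s: tuple(v) for s, v in stats.items()}, flagged


def constructed_traffic():
    """Synthetic sample: a legitimate initiator probing once per second
    (mid-second) for 10 s, and an abusive initiator sending 100 probes
    per second over the same 10 s."""
    good = [OamProbe(k * 1000 + 500, "initiator-A") for k in range(10)]
    bad = [OamProbe(i * 10, "initiator-B") for i in range(1000)]
    return good + bad


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("global limit (5/s):", global_rate_limit(traffic, 5))
    stats, flagged = per_source_rate_limit(traffic, 5, anomaly_drops=20)
    print("per-source limit (5/s):", stats, "flagged:", sorted(flagged))
```

With a shared limit of five probes per second the abusive initiator fills every window before the legitimate probe arrives, so initiator-A gets no answers at all (ten false negatives) even though the service function is healthy. With a per-initiator limit, initiator-A is answered every time, initiator-B is still capped, and its drop count crosses the anomaly threshold so an operator can act on that one source rather than on all OAM traffic.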