Re: [secdir] Secdir review of draft-ietf-idr-bgp-flowspec-oid-13
Magnus Nyström <magnusn@gmail.com> Tue, 04 May 2021 00:48 UTC
Return-Path: <magnusn@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 665593A1B9C; Mon, 3 May 2021 17:48:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uMQR_MK8A2sb; Mon, 3 May 2021 17:48:48 -0700 (PDT)
Received: from mail-il1-x12f.google.com (mail-il1-x12f.google.com [IPv6:2607:f8b0:4864:20::12f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 65CE03A1B9A; Mon, 3 May 2021 17:48:48 -0700 (PDT)
Received: by mail-il1-x12f.google.com with SMTP id r5so5062726ilb.2; Mon, 03 May 2021 17:48:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=pT/h6J6vRe8muODiS6WbL47lo/kcdJCuKttVtEAhI78=; b=fsB4vowb57WuauWjWs9zWmzlYWmGgKwriSfvsocHXlR35L4jOctYisr+lTYTwQEcp9 IZHsk2ZFF+idqdDSEqcDSGPuvWJC3STD6roOS9bbdzo4Xf5hObDLXIOUZeFEdQbShwKV TOXyggsWk9hSjNxrOtQl5d45KuuU5hCg7BAuGsk7XMnFCeHwJn8HdfoVyOQllZjFxOT0 NmVe4vNky4kjx1BHiandFRjiwyXWtubWdKE5glYfq4Mm8AZsfMntzEo06yc22dX4Pxqm sqnFhCbotebaFlnSYaMjigsJ586f9RdHhUx2G4Nm+CPdjMoluQXKLs7b+KrE+EywMSgI 0aYg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=pT/h6J6vRe8muODiS6WbL47lo/kcdJCuKttVtEAhI78=; b=h6DkBz3qxIWH9gecqI6/2i1LiVi9/xU1SCart3g7WNc+7jn0PhJ5DSfEIbktWW9xoC q19fMzV9qCzR5nKWqTNU8cy710GDJPnFSTXY9iJ75wFhZZLhxoh3Sx9nkE3U+pzlAfyW MNwJfn/IdYggldWJILse77w05KaD6qo7TpcTa0GFAili2q4CFqjjCII+6Mh6u4RBmrxp rzfwGNSEcpQ2vmXknZg2ZBZc8POcwtHhlD+xltU5gYldIPQwo+9F9FpLgbLONi9ZP/SR o4fuBKJh6+qOYRpuqL1aKsWpEVZsayuvq5HTzh0HKCs6ZyBIhpiPk/Q1TM6BMQ8+nKP3 v6RA==
X-Gm-Message-State: AOAM531NCZuDANNu/IV32lb6A4HIg8HiOWDWBId8g0nCs3x27fK2Hkz+ dRcbQo0QDfd4M2VnhO1nFo+BWh5emoxMUJJKZFv8T2mg
X-Google-Smtp-Source: ABdhPJwOOKr1/ot58bBkUygm/kvlPVY0XAp/7zhPov7Nq+rmvMXVxFFsc/A7VIZSnp80HmJUJXZU3dCVtNO/WK2wuPI=
X-Received: by 2002:a92:c6ca:: with SMTP id v10mr18586516ilm.97.1620089327013; Mon, 03 May 2021 17:48:47 -0700 (PDT)
MIME-Version: 1.0
References: <CADajj4ZQnWkjKdWpBgsB0oyX8_Kzj6HOL-Vkm=TrByBQMEJfPw@mail.gmail.com> <CADajj4bCTF5EeF6DZkCHpP0_GTnUYQtqa0OE3qf3Z5_AmKWfyA@mail.gmail.com> <CADajj4YxgdNXkWX7dLP0nBDWXLSKFa8M_KWWCPCgfCibYtWkAw@mail.gmail.com> <CADajj4Yw13QWbSqF_hd+P_fcNA4_YvdwqF=OgJ4pdS_1vrWphA@mail.gmail.com> <CADajj4Zw+Js8neUujMbekReVdMMFcz46NDwdHsMdWXob6Upc_w@mail.gmail.com> <CADajj4aoBaSYTFFnvAjcL7mTnfoUJOWzvve=NRhgB3qe5X8uWQ@mail.gmail.com> <CADajj4ZTBoCHo2=RJhYFNMi+5L5JJwc_EqBkeyYUUfYsVk-vVw@mail.gmail.com> <CADajj4aN=cr-sxjMrmiSxsptwpOZWcH73dWhrtPrruahEQcNJg@mail.gmail.com> <DM6PR11MB3194503DF53A14C12FC749E4CD5B9@DM6PR11MB3194.namprd11.prod.outlook.com> <CADajj4bSyqcfGU7JoXz73mgGV+N71gkb2O060Kk2672JcE6VGg@mail.gmail.com> <DM6PR11MB3194CDD275DFB08A7CF91DBCCD5A9@DM6PR11MB3194.namprd11.prod.outlook.com>
In-Reply-To: <DM6PR11MB3194CDD275DFB08A7CF91DBCCD5A9@DM6PR11MB3194.namprd11.prod.outlook.com>
From: Magnus Nyström <magnusn@gmail.com>
Date: Mon, 03 May 2021 17:48:35 -0700
Message-ID: <CADajj4Zi5bJ36fniuQaf62-WpA7AjAwR7iYYMfptRyFeafLNUg@mail.gmail.com>
To: "Juan Alcaide (jalcaide)" <jalcaide@cisco.com>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-idr-bgp-flowspec-oid@ietf.org" <draft-ietf-idr-bgp-flowspec-oid@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d753c005c1767015"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/v068zoWXXPyk7GSa8FSAKx_SFMw>
Subject: Re: [secdir] Secdir review of draft-ietf-idr-bgp-flowspec-oid-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 04 May 2021 00:48:54 -0000
Thanks Juan, yes, to me this is at least clearer about the risk. At this point I leave it to the Security Area directors if they'd like to see any other modifications. Thanks! Magnus On Mon, May 3, 2021 at 5:17 PM Juan Alcaide (jalcaide) <jalcaide@cisco.com> wrote: > Magnus, > > > > Yes, they’ll be opening to risk. It’s the risk described in the draft. But > this risk is necessary for route-servers to work with flowspec. And as > mentioned, perhaps route servers can be configured to avoid that risk. > > > > > > I wanted to use the term ‘remain’ instead of ‘become’.. We went from > RFC4271 (rule optional) -> RFC8955 (rule mandatory) -> this draft (rule > again optional) > > Would the below make sense (I changed the first sentence): > > > > This document makes the original AS_PATH validation rule ([RFC4271] > section 6.3) again optional > > (section 4.2) for Flow Specification Address Family (the rule is no > longer mandatory as it was specified by [RFC8955]). > > If that original rule is not enforced for Flow Specification it may > introduce some new security risks. > > A peer (or a client of a route server peer) in AS X could advertise a > rogue Flow > > Specification route whose first AS in AS_PATH was Y (assume Y is the > > first AS in the AS_PATH of the best-match unicast route). This risk > > is impossible to prevent if the Flow Specification route is received > > from a route server peer. If that peer is known for a fact not to be > > a route server, that optional rule SHOULD be enforced for Flow > > Specification routes. Note that identifying those peers that are route > servers may suppose an > > operational challenge. If the condition of the peer is unknown, the > rule SHOULD not be > > enforced. > > > > A route server itself may be in a good position to enforce the AS_PATH > validation rule described > > in the previous paragraph. If a route server knowns it’s not peering > with any other route server, > > it can enforce the AS_PATH validation rule across all its peers. If, in > addition to that, > > the route server is trusted, the security threat described above > disappears. > > > > > > > > > > *From:* Magnus Nyström <magnusn@gmail.com> > *Sent:* Monday, May 3, 2021 9:39 PM > *To:* Juan Alcaide (jalcaide) <jalcaide@cisco.com> > *Cc:* secdir@ietf.org; draft-ietf-idr-bgp-flowspec-oid@ietf.org > *Subject:* Re: Secdir review of draft-ietf-idr-bgp-flowspec-oid-13 > > > > Thanks Juan. > > For the editorial ones, agree on the first one and I think the second you > could change to "with this memo, becomes optional." or similar. > > For the new text, perhaps I am misunderstanding something, but this > sentence: > > Note that identifying those peers that are route servers may suppose an > operational challenge. If the condition of the peer is unknown, the rule > SHOULD not be enforced. > > Is it correctly understood, that you're saying that if a validator is > unable to determine if the peer is a route server, they should not enforce > the rule? If so, doesn't that mean "failing open, i.e., opening themselves > to risk? Sorry if I misunderstand. > > > > > > On Mon, May 3, 2021 at 3:36 AM Juan Alcaide (jalcaide) <jalcaide@cisco.com> > wrote: > > Thanks for your comments, Magnus > > > > Inline.. > > > > *From:* Magnus Nyström <magnusn@gmail.com> > *Sent:* Monday, May 3, 2021 6:44 AM > *To:* secdir@ietf.org; draft-ietf-idr-bgp-flowspec-oid@ietf.org > *Subject:* Secdir review of draft-ietf-idr-bgp-flowspec-oid-13 > > > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the IESG. > These comments were written primarily for the benefit of the security area > directors. Document editors and WG chairs should treat these comments just > like any other last call comments. > > > > This document describes "a modification to the validation procedure > defined for the dissemination > > of BGP Flow Specifications." More specifically. the memo describes a > mechanism which relaxes the existing validation rule that requires Flow > Specifications to be originating from the originator of the best-match > unicast route, and now allows such specifications to be originated within > the same AS as the validator. As a result. the Security Considerations > section does call out: "The original AS_PATH validation rule ([RFC4271] > section 6.3 <https://tools.ietf.org/html/rfc4271#section-6.3>) becomes > hereby optional (section 4.2 > <https://tools.ietf.org/html/draft-ietf-idr-bgp-flowspec-oid-13#section-4.2>). > If that original rule is actually not enforced it may introduce some > security risks. A peer (or a client of a route server peer) in AS X could > advertise a rogue Flow Specification route...." and "If t[the originator of > a rule] is known for a fact not to be a route server, that optional rule > SHOULD be enforced for Flow Specification routes." > > > > It is not clear to me how a validator would now "for a fact" that a peer > isn't a route server, and thus that it would have to enforce the > now-optional path validation rule. It seems some clarity on this would be > good such that implementations have less of a risk of accepting flow > specifications from unauthorized parties, even if they are on the same AS. > > > > [JUAN]: This paragraph was not intended to pressure the operator to know > if the peer was a route server, it was just a ‘if’. Note it’s the same case > for RFC4271 : > > > > If the UPDATE message is received from an external peer, the local > > system MAY check whether the leftmost (with respect to the position > > of octets in the protocol message) AS in the AS_PATH attribute is > > equal to the autonomous system number of the peer that sent the > > message. > > > > > > Note that the same challenge of identifying route servers applies for > other address-families. > > Note also that the route-server itself may enforce the rule. > > > > What about for clarity: > > > > The original AS_PATH validation rule ([RFC4271] section 6.3) remains > hereby still optional > > (section 4.2) for Flow Specification Address Family (changes introduced > in [RFC5575] are cancelled). > > If that original rule is not enforced for Flow Specification it may > introduce some new security risks. > > A peer (or a client of a route server peer) in AS X could advertise a > rogue Flow > > Specification route whose first AS in AS_PATH was Y (assume Y is the > > first AS in the AS_PATH of the best-match unicast route). This risk > > is impossible to prevent if the Flow Specification route is received > > from a route server peer. If that peer is known for a fact not to be > > a route server, that optional rule SHOULD be enforced for Flow > > Specification routes. Note that identifying those peers that are route > servers may suppose an > > operational challenge. If the condition of the peer is unknown, the > rule SHOULD not be > > enforced. > > > > A route server itself may be in a good position to enforce the AS_PATH > validation rule described > > in the previous paragraph. If a route server knowns it’s not peering > with any other route server, > > it can enforce the AS_PATH validation rule across all its peers. If, in > addition to that, > > the route server is trusted, the security threat described above > disappears. > > > > > > > > Anybody feel free to reword the two paragraphs above if it helps them for > clarity. > > > > > > > > Editorial: > > - "Let's consider the particular case where the Flow Specification is > originated in any location within the same autonomous system than the > speaker performing the validation (for example by a centralized BGP route > controller), and the best-match unicast route is originated in another > autonomous system." - should the word "than" be replaced with "that" here? > > [JUAN]: Thanks for pointing that out. A few googling tells me the even > better grammatical choice would be ‘same as’ in this case. I’ll be using > ‘same as’ unless you disagree. > > > > - In the security considerations section, "becomes hereby optional" > could probably be simplified to "becomes optional" or similar, and > "actually" could be removed. > > [JUAN]: Hmmm, I thought that it was important to emphasize it becomes > optional because of **this** draft redefinition of rules. Don’t you think > it’s important? (whatever wording you want to use). Regardless, refer to my > new reworded 2 paragraphs above for that section . > > > > > > > > Thanks, > > -- Magnus > > > > > > -- > > -- Magnus > -- -- Magnus
- [secdir] Secdir review of draft-ietf-jmap-mail-14 Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-jmap-mai… Neil Jenkins
- [secdir] Secdir review of draft-ietf-ipsecme-impl… Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-ipsecme-… Benjamin Kaduk
- Re: [secdir] FW: Secdir review of draft-ietf-ipse… Daniel Migault
- [secdir] Secdir review of draft-ietf-dnsop-rfc284… Magnus Nyström
- [secdir] Secdir review of draft-iesg-nomcom-eligi… Magnus Nyström
- [secdir] (Early) Secdir review of draft-ietf-netc… Magnus Nyström
- Re: [secdir] (Early) Secdir review of draft-ietf-… Kent Watsen
- Re: [secdir] (Early) Secdir review of draft-ietf-… Magnus Nyström
- Re: [secdir] (Early) Secdir review of draft-ietf-… Kent Watsen
- Re: [secdir] (Early) Secdir review of draft-ietf-… Magnus Nyström
- Re: [secdir] (Early) Secdir review of draft-ietf-… Sandra Murphy
- Re: [secdir] (Early) Secdir review of draft-ietf-… Sandra Murphy
- Re: [secdir] (Early) Secdir review of draft-ietf-… Sandra Murphy
- Re: [secdir] (Early) Secdir review of draft-ietf-… Kent Watsen
- Re: [secdir] (Early) Secdir review of draft-ietf-… Kent Watsen
- Re: [secdir] (Early) Secdir review of draft-ietf-… Sandra Murphy
- Re: [secdir] (Early) Secdir review of draft-ietf-… Kent Watsen
- [secdir] Secdir review of draft-ietf-quic-qpack Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-quic-qpa… Magnus Nyström
- [secdir] Secdir review of draft-ietf-detnet-tsn-v… Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-detnet-t… Balázs Varga A
- [secdir] Secdir review of draft-ietf-idr-bgp-flow… Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-idr-bgp-… Juan Alcaide (jalcaide)
- Re: [secdir] Secdir review of draft-ietf-idr-bgp-… Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-idr-bgp-… Juan Alcaide (jalcaide)
- Re: [secdir] Secdir review of draft-ietf-idr-bgp-… Magnus Nyström
- [secdir] Secdir review of draft-ietf-drip-rid-07 Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-drip-rid… Robert Moskowitz
- [secdir] Secdir review of draft-ietf-acme-authori… Magnus Nyström
- [secdir] Secdir review of draft-rosen-rfcefdp-upd… Magnus Nyström
- [secdir] Secdir review of draft-ietf-avtcore-rtp-… Magnus Nyström
- Re: [secdir] Secdir review of draft-ietf-avtcore-… Michael.Faller@gd-ms.com