IETF Logo Mail Archive

Re: [secdir] [Idr] Secdir early review of draft-ietf-idr-te-pm-bgp-13

Robert Raszuk <robert@raszuk.net> Fri, 19 October 2018 15:57 UTC

Return-Path: <robert@raszuk.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39597130FBB for <secdir@ietfa.amsl.com>; Fri, 19 Oct 2018 08:57:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=raszuk.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LO5--i6u9rnw for <secdir@ietfa.amsl.com>; Fri, 19 Oct 2018 08:57:49 -0700 (PDT)
Received: from mail-qt1-x830.google.com (mail-qt1-x830.google.com [IPv6:2607:f8b0:4864:20::830]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 47508131000 for <secdir@ietf.org>; Fri, 19 Oct 2018 08:57:39 -0700 (PDT)
Received: by mail-qt1-x830.google.com with SMTP id q41-v6so38806953qtq.10 for <secdir@ietf.org>; Fri, 19 Oct 2018 08:57:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=raszuk.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wD2K8eqAMnxf6FzRhiM2a3yH+ae0KbOY7Jvk2KV1RsU=; b=FFP00onP+UQW7iiBiUnnzItqytFlC8EQQSIsP1Cqvyj+5prEnP8ZQOArkQYhm18Nnq gnnsr90dUE1cfVy3/UCNjxm9ACsMEq8SK98VMT0bV6QrHENzHLwemwCeTE7GJTG+xaZT vYbgYocVriemyUiaoK8PzCwWjksYknerVEGtOUZXXyATtoIzCoUqAc7et/Xs8zXTwjpU Z1CzfOyt6i1MSAvQ4OUMF0v7k1y+DOXayn1/ZyE8EP71Qx0RL5lbyjtBb1cqvlhIJy1u Ib5e6UrLilp5/UtH2NtFq6KmtA1HLw5ZPxPRwy/KyHQ3yGRhVgui2ySW6tj0z/m5y9pO CRYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wD2K8eqAMnxf6FzRhiM2a3yH+ae0KbOY7Jvk2KV1RsU=; b=RLwwjQnZ8bSRWT1/zPujOeIMkvkKqDLc2V2KZVfgOkb/yV1lE3d61lENlhktS+J6E3 LyNCnBEjG0kKC4VoLv6pMs5DPi2FxpkNne2CxSFQj5JXkXkkzsKkT5lZONzBJ8wG4zkZ 4bwkrjvV6Vj9+F0Lp3Rx4pCAkDg84JCffqJoZ6OOYw8baXkwMvtuKx7X4OMUGn0d+Ztc emIEDIqDpOtHMMtKRp/cSylWsAV5Y13QVkxFinJZniH7BBFpX7Hz8iQ+DqTBCRGKtNOX z5pOXqJBawZXP4S+mZyCGtmNQaqh76tp5hP6uNFKejzPehG4rXgR8KfighpAAvucIYFG tzOA==
X-Gm-Message-State: ABuFfog1RAJcHGwzBXCpqCxewnOkDO+meigA8wQlq4nPVek/MlNAOqsY RnlJ3JPTgjQO7tZqQRLjbRX4fgNhNnMzX4614RXDkg==
X-Google-Smtp-Source: ACcGV61cCTU1oqz3ZZpG8YkUqzmifu8LKiKuhCfXfzP/yzSC8Gn0TbFM6aNyaA6yCHef9X4xN8VVdon5mRHCu2Vc18Y=
X-Received: by 2002:ac8:7153:: with SMTP id h19-v6mr34513556qtp.361.1539964658276; Fri, 19 Oct 2018 08:57:38 -0700 (PDT)
MIME-Version: 1.0
References: <153972468642.9298.14442375581871750001@ietfa.amsl.com> <ec43e712e8024930831a206f8e843cbb@XCH-ALN-001.cisco.com> <7655493D-9EF0-42FF-B2D3-B9CE4E78178D@gmail.com> <feec42a72bd64f31afbcb3b340dad52b@XCH-ALN-001.cisco.com> <1FFA9449-D03C-4EB6-9D08-BA4A1AA93FE3@gmail.com> <92af26fef2da470d853f292c84f026a0@XCH-ALN-001.cisco.com> <20181019002642.GX19309@kduck.kaduk.org> <CAOj+MMH1=SBV=ikiNE6UHEe1mzf5xKLPOZXnnqPEvyFHTC=83A@mail.gmail.com> <c22b55313bc54157853d5668a146038c@XCH-ALN-001.cisco.com> <01e201d467c0$fbc6f990$f354ecb0$@ndzh.com>
In-Reply-To: <01e201d467c0$fbc6f990$f354ecb0$@ndzh.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Fri, 19 Oct 2018 17:57:22 +0200
Message-ID: <CAOj+MMGdmoCNQkWfx0XN=9iknk1iVWpe6Ree_a_EKkFEZoeFmg@mail.gmail.com>
To: shares@ndzh.com
Cc: "Les Ginsberg (ginsberg)" <ginsberg@cisco.com>, kaduk@mit.edu, idr@ietf.org, secdir@ietf.org, ietf@ietf.org, Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000006c7c70057896f691"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/vH0jg9sAIpM0jP917PnuHUqTIZY>
Subject: Re: [secdir] [Idr] Secdir early review of draft-ietf-idr-te-pm-bgp-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Oct 2018 15:58:02 -0000

Hi Sue,

RFC7752 title is: North-Bound Distribution of Link-State and Traffic
Engineering (TE) Information Using BGP

+ section 1:

1 <https://tools.ietf.org/html/rfc7752#section-1>.  Introduction

   The contents of a Link-State Database (LSDB) or of an IGP's Traffic
   Engineering Database (TED) describe only the links and nodes within
   an IGP area.



So assuming that RFC7752 was read with some level of understading on
what LSDB or TED mean there should be no surprise and also no content
today that as LSDB or TED are continue to be extended in their
respected WGs you will see new extensions of information to be added
to RFC7752 vehicle in the forms of new TLV.


Of course we would not have any of this discussions or need for new
drafts if RFC7752 would simply zip and carry those two databases in
binary chunks. Well for some reason authors decided to involve BGP in
that process of carried data validation - but this alone should also
be well understood by approvers of RFC7752.


Kind regards,
R.






On Fri, Oct 19, 2018 at 5:32 PM Susan Hares <shares@ndzh.com> wrote:

> Les:
>
>
>
> Thank you for responding to Robert’s post.
>
>
>
> Your argument that this information would have added to RFC7752 is on
> “thin ice” as the IESG in their approval of RFC7752 was concerned about the
> scope of the information.   The extension of the scope beyond its stated
> scope might have trigger the current discussions at that time.  The authors
> indicated to the IDR chairs the RFC7752 scope would not grow.
>
>
>
> As shepherd I requested this draft to be reviewed by the security
> directorate because we are going beyond the original scope of RFC7752 with
> this draft.  As Shepherd, I do not agree with you that security issues Yoav
> raises are specified in RFC7752.   I
>
>
>
> You are correct that there are many drafts (just BGP-LS extensions and
> segment routing extensions that use BGP-LS).   This draft is just the first
> of a wave of drafts.      It is appropriate to have a solution for the
> security issues that covers all the drafts rather than go through drafts
> one at a time. I suggest that a revision to RFC7752 that addresses these
> issues is appropriate.
>
>
>
> If you are interested in discuss this topic with Yoav, Benjamin, and the
> IDR WG – shall we start a thread on this topic?
>
>
>
> Susan Hares
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> *From:* Idr [mailto:idr-bounces@ietf.org] *On Behalf Of *Les Ginsberg
> (ginsberg)
> *Sent:* Friday, October 19, 2018 10:52 AM
> *To:* Robert Raszuk; kaduk@mit.edu
> *Cc:* idr@ietf.org; secdir@ietf.org; ietf@ietf.org;
> draft-ietf-idr-te-pm-bgp.all@ietf.org; ynir.ietf@gmail.com
> *Subject:* Re: [Idr] [secdir] Secdir early review of
> draft-ietf-idr-te-pm-bgp-13
>
>
>
> Robert’s post addresses points I also want to make.
>
>
>
> What is being done here is to add additional BGP-LS codepoints to
> advertise IGP information that was not defined at the time RFC 7752 was
> written. We haven’t changed the  BGP-LS transport mechanism – nor is the
> information being advertised here (some additional TE related link
> attribute information) qualitatively different than a number of existing
> TLVs defined in RFC 7752 (see
> https://tools.ietf.org/html/rfc7752#section-3.3.2 ). If this information
> had already been defined in the IGPs at the time RFC 7752 was written it
> would simply have been included as a section of RFC 7752 and no additional
> changes to RFC 7752 would have been required.
>
>
>
> In theory, we could have simply updated RFC 7752 rather writing a separate
> draft, but practically this would be a poor strategy as it would
> incorrectly suggest that some change was being made to the existing text in
> RFC 7752.
>
>
>
> I appreciate that from the POV of the Security Area you folks are not as
> intimately familiar with the routing drafts and the relationship between
> them. It is therefore understandable that you start looking at the new
> draft as a standalone document – and in that context your comments are
> absolutely correct. But the document you are reviewing is most accurately
> seen as an “addendum” to RFC 7752. The issues you raise have already been
> addressed in RFC 7752 and it is therefore very appropriate that we address
> your concerns by including a reference to the RFC 7752 security discussion.
>
>
>
> I think it is important that you note this relationship, because the
> nature of BGP-LS is that whenever IGP extensions are defined to advertise
> new information it is necessary to define corresponding BGP-LS codepoints.
> This is not the first such BGP-LS extension document – and it is safe to
> say it won’t be the last. It would be helpful to all if we reached a common
> understanding or this discussion will take place every time a BGP-LS
> extension document is being reviewed – which will cost us all time
> needlessly.
>
>
>
>    Les
>
>
>
>
>
> *From:* Robert Raszuk <robert@raszuk.net>
> *Sent:* Thursday, October 18, 2018 11:52 PM
> *To:* kaduk@mit.edu
> *Cc:* Les Ginsberg (ginsberg) <ginsberg@cisco.com>; idr@ietf.org;
> draft-ietf-idr-te-pm-bgp.all@ietf.org; ietf@ietf.org; ynir.ietf@gmail.com;
> secdir@ietf.org
> *Subject:* Re: [Idr] [secdir] Secdir early review of
> draft-ietf-idr-te-pm-bgp-13
>
>
>
> Hello Benjamin,
>
>
>
> Not sure if you have spotted similar comment made to IDR regarding this
> topic, but your comment seems to indicate that here we are about to define
> ways to carry nicely scoped IGP information into BGP. Well that has already
> happened with RFC7752 and your comment or for that matter Yoav's remarks
> are indeed spot on but to the security discussion on RFC7752 and IMO not
> any follow up extensions of it.
>
>
>
> Sure - as observed by Sue - one may argue that providing more information
> about the network to the potential attacker makes the network weaker, but
> the cure for that is to prevent the leaks and reduce probability of
> intercepting new information by unauthorized parties.
>
>
>
> BGP-LS is already defined in a new SAFI what by itself does provide nice
> level of isolation. RFC7752 is pretty clear on that too and says:
>
>
>
> "BGP peerings are not automatic and require configuration; thus, it is the
> responsibility of the network operator to ensure that only trusted
> consumers are configured to receive such information."
>
>
>
> If someone would be still concerned about configuration mistakes and
> negotiating SAFI 71 or 72 to those who should not get this data I recommend
> we reissue the RFC7752 as -bis version and restrict the scope of the
> distribution even further by mandating default use of NO-EXPORT community
> with ability to overwrite it for the selective eBGP peers. Or perhaps we
> could progress Jim's One Administrative Domain draft
> (draft-uttaro-idr-oad-01).
>
>
>
> In either case while both of your comments are great they seems a bit late
> in the game here or at least targeting wrong document.
>
>
>
> Kind regards,
>
> Robert.
>
>
>
>
>
> On Fri, Oct 19, 2018 at 2:27 AM Benjamin Kaduk <kaduk@mit.edu> wrote:
>
> On Thu, Oct 18, 2018 at 06:00:13PM +0000, Les Ginsberg (ginsberg) wrote:
> > Yoav –
> >
> > In regards to the risks associated with advertising the specific
> information covered in this draft we have a statement in the IGP drafts:
> >
> > From RFC7810
> >
> > “The sub-TLVs introduced in this document allow an operator to
> >    advertise state information of links (bandwidth, delay) that could be
> >    sensitive and that an operator may not want to disclose.”
> >
> > In regards to the risks associated with sending information via BGP-LS
> we have a number of statements in RFC 7752 – most relevant is:
> >
> > “Additionally, it may be considered that the export of link-state and
> >    TE information as described in this document constitutes a risk to
> >    confidentiality of mission-critical or commercially sensitive
> >    information about the network.”
> >
> > So long as there are references to both the IGP RFCs and RFC 7752 I am
> therefore hard pressed to understand what else could be usefully said.
> > Certainly the risks associated with the BGP-LS transport mechanism are
> not altered by adding some new TLVs – and since the IGP RFCs have already
> covered risks associated with the specific class of information (not simply
> the risks associated with the transport mechanism) you are going to have to
> provide more specifics on what can meaningfully be said that is not already
> covered in the references.
>
> My apologies for jumping in in the middle, but IIUC the IGP RFCs have
> covered the risks associated with a specific class of information, *under
> the assumption that the transport mechanism is within a single AS and
> administrative domain*.  Yoav is pointing out that the risks for that
> information may change when the distribution is over a broader domain than
> the one for which the previous analysis was performed.
>
> -Ben
>
>

v2.23.0 | Report a Bug | By Email