[secdir] Secdir last call review of draft-ietf-detnet-mpls-05

Watson Ladd via Datatracker <noreply@ietf.org> Wed, 11 March 2020 03:22 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 83D033A103E; Tue, 10 Mar 2020 20:22:10 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Watson Ladd via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: detnet@ietf.org, draft-ietf-detnet-mpls.all@ietf.org, last-call@ietf.org, watsonbladd@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 6.120.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <158389693039.16158.6977515080330200081@ietfa.amsl.com>
Reply-To: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 10 Mar 2020 20:22:10 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/wlwFOH2x-TfKH8rjNKFUEOHrEAY>
Subject: [secdir] Secdir last call review of draft-ietf-detnet-mpls-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Mar 2020 03:22:11 -0000

Reviewer: Watson Ladd
Review result: Not Ready

This is the secdir review of draft-ietf-detnet-mpls-05. Authors should treat
these as any other Last Call comments.

Apologies for the delays in completing this review.

I am concerned that this document (and the related work) introduces some
substantial differences from existing Internet architecture, and that
inadequate attention is paid to the consequent security implications. Pointing
to a separate, in progress draft I don't think is an adequate security
consideration section. That's particularly true when we're discussing the
network providing functions like duplicate packet dropping that are potentially
quite expensive and which attackers may exploit to consume large amounts of
resources. Saying that one can mitigate DoS on the edge of a DetNet domain
isn't enough: how do you mitigate the DoS, or detect it? What if the edge is
the problem? Are there resources that can be consumed in the center the edge
doesn't know about?

With confidentiality this draft mentions the possibility of link to link
protection, ignoring the possibility of malicious nodes, and doesn't describe
the way one actually uses that integration. It's not clear to me what the
security goals are, and saying a mechanism may be used, without indicating how
doesn't make it remediation for a security problem. I can think of a few ways
to abuse the one-packet only service to rewrite flows with great ease.

The Internet is composed of smart nodes at the edge and dumb forwarders in the
middle. DetNet is a very different design, with significant complexity and
state in the network, and guarantees not maintained by end nodes. This means
that a lot that has been learned about Internet security doesn't apply, which
raises a whole host of questions: what threat model is applied? Is it
realistic? Are the properties such as bounded latency and low jitter maintained
even in the face of adversarial behavior? While this may be appropriately
handled at greater length in a separated draft, a tighter link to the
mechanisms defined in this draft would be useful.

It's very likely these have been discussed in the detnet wg at length as
evidenced by the security considerations, but I'd like to see the MPLS draft
reflect some of that conversation more directly.