IETF Logo Mail Archive

Re: [secdir] Secdir review of draft-ietf-ospf-rfc6506bis-03

Tero Kivinen <kivinen@iki.fi> Thu, 05 December 2013 10:36 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 908291AD8F5; Thu, 5 Dec 2013 02:36:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9jj-CgGdmDCi; Thu, 5 Dec 2013 02:36:29 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) by ietfa.amsl.com (Postfix) with ESMTP id 4D8D01ADE72; Thu, 5 Dec 2013 02:36:28 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.7/8.14.5) with ESMTP id rB5AaD3j023481 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 5 Dec 2013 12:36:13 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.7/8.12.11) id rB5AaC1o022282; Thu, 5 Dec 2013 12:36:12 +0200 (EET)
X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21152.22300.316826.240504@fireball.kivinen.iki.fi>
Date: Thu, 05 Dec 2013 12:36:12 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
In-Reply-To: <20211F91F544D247976D84C5D778A4C32E526B66@SG70YWXCHMBA05.zap.alcatel-lucent.com>
References: <94A203EA12AECE4BA92D42DBFFE0AE470310EECD@eusaamb101.ericsson.se> <15E31E00-23FA-47A4-BE3D-705D4519D2F1@cisco.com> <20211F91F544D247976D84C5D778A4C32E526B66@SG70YWXCHMBA05.zap.alcatel-lucent.com>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 12 min
X-Total-Time: 23 min
Cc: "draft-ietf-ospf-rfc6506bis.all@tools.ietf.org" <draft-ietf-ospf-rfc6506bis.all@tools.ietf.org>, Acee Lindem <acee.lindem@ericsson.com>, The IESG <iesg@ietf.org>, "<secdir@ietf.org>" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-ospf-rfc6506bis-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Dec 2013 10:36:32 -0000

Bhatia, Manav (Manav) writes:
> > Agreed, but the current text essentially says "you can't do that', but
> > in fact "you can do that but it's too much work to do on the router line
> > card". I was suggesting you say that instead.
> 
> While, we can add such a text, I am convinced nobody will *ever* use
> heuristics to figure out the kind of packet they're receiving at
> their line cards. The most important reason being that using
> heuristics does not give you a deterministic result. While it may be
> acceptable to get a few false positives or negatives when forwarding
> traffic through the firewall, this will be unacceptable when
> consuming packets by the router. Then the additional overhead of
> applying heuristics is an issue that I am not even delving into.
> Most of the forwarding from line card to the main CPU card is done
> in HW. You cannot apply heuristics in HW. This means, we assume that
> all CPU bound packets are being punted from the line card to the
> main CPM card via software. This is not how it happens today.

First of all, heuristics is supposed to be done on hardware, but not
all of it is done on the hardware. Hardware parts only consists the
first few steps checking whether packet is ESP and whether we already
know its parameters. If not (i.e. it is new ESP flow), then we drop to
slowpath and do the full analysis. So slowpath processing is only done
on the new ESP Flows.

I.e. if you see SPI you have already analyzed you can check from your
state table whether it is ESP null or not, and process it accordingly.
If you see unknown ESP then you forward packets to the heuristics,
until it returns parameters (or make a call to your IPsec module and
ask definite answer from there :-)

> Applying heuristics requires lot of flow information to be
> maintained, which adds an additional complexity of flow maintenance
> (you need to decide when a flow needs to be deleted if its not being
> hit often enough) in the line cards.

It needs to keep mapping from the IP addresses and SPI to whether it
is ESP null (and parameters) or encrypted ESP flow. I.e few bytes per
ESP flow (+ selector: src IP, dst IP, SPI).

> There are many more points that go against the heuristics,
> especially in the context that we're discussing here. If we are ever
> looking at disambiguating ESP-NULL packets for router consumption,
> then I am pretty sure it's going to be Wrapped ESP.

Which most likely should also be mentioned in the draft.

> My point is that adding text about heuristics may just confuse the
> reader who will most likely not understand the details of what it
> entails to do heuristics on a line card. While you (being the
> Security guru) and I (co-authored Wrapped ESP) understand that this
> is only theoretically possible and practically will never make sense
> -- the same cannot be assumed from somebody from the routing world,
> who is not so security savvy, going through this standard. 
-- 
kivinen@iki.fi

v2.37.1 | Report a Bug | By Email | System Status