Re: [secdir] Secdir review of draft-ietf-mpls-ldp-igp-sync-bcast-05

Tobias Gondrom <tobias.gondrom@gondrom.org> Tue, 02 November 2010 16:20 UTC

Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8E31B28C12C for <secdir@core3.amsl.com>; Tue, 2 Nov 2010 09:20:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -95.378
X-Spam-Level:
X-Spam-Status: No, score=-95.378 tagged_above=-999 required=5 tests=[AWL=-0.016, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NB251vgsL8s4 for <secdir@core3.amsl.com>; Tue, 2 Nov 2010 09:20:22 -0700 (PDT)
Received: from lvps83-169-7-107.dedicated.hosteurope.de (lvps83-169-7-107.dedicated.hosteurope.de [83.169.7.107]) by core3.amsl.com (Postfix) with ESMTP id 121E528C105 for <secdir@ietf.org>; Tue, 2 Nov 2010 09:20:21 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=default; d=gondrom.org; b=lihE5ykeEbqAkxiW9WHdSsoXfYLV7cf8t7t3uCdkGjbkKNx/sQaTOofFJtthrQZBfzcCpECd2UEuuCSl20TCL4FTnTuRSHHzzwrrVK2pUnpDOM6Za2zTcDytq0XZ9wJq; h=Received:Received:Message-ID:Date:From:User-Agent:MIME-Version:To:CC:Subject:References:In-Reply-To:X-Enigmail-Version:Content-Type:Content-Transfer-Encoding;
Received: (qmail 22251 invoked from network); 2 Nov 2010 17:19:51 +0100
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO seraphim.heaven) (94.194.102.93) by lvps83-169-7-107.dedicated.hosteurope.de with (DHE-RSA-AES256-SHA encrypted) SMTP; 2 Nov 2010 17:19:51 +0100
Message-ID: <4CD03A2C.3060908@gondrom.org>
Date: Tue, 02 Nov 2010 16:19:56 +0000
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.9) Gecko/20100914 SUSE/3.1.4 Lightning/1.0b2 Thunderbird/3.1.4
MIME-Version: 1.0
To: Sriganesh Kini <sriganesh.kini@ericsson.com>
References: <4CA081F7.60304@gondrom.org> <5A5E55DF96F73844AF7DFB0F48721F0F56F5FDE903@EUSAACMS0703.eamcs.ericsson.se> <4CA8DDAC.3050801@gondrom.org> <5A5E55DF96F73844AF7DFB0F48721F0F56F5FDEF1A@EUSAACMS0703.eamcs.ericsson.se>
In-Reply-To: <5A5E55DF96F73844AF7DFB0F48721F0F56F5FDEF1A@EUSAACMS0703.eamcs.ericsson.se>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: "swallow@cisco.com" <swallow@cisco.com>, Wenhu Lu <wenhu.lu@ericsson.com>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-mpls-ldp-igp-sync-bcast.all@tools.ietf.org" <draft-ietf-mpls-ldp-igp-sync-bcast.all@tools.ietf.org>, "martin.vigoureux@alcatel-lucent.com" <martin.vigoureux@alcatel-lucent.com>, "iesg@ietf.org" <iesg@ietf.org>, "adrian.farrel@huawei.com" <adrian.farrel@huawei.com>, "loa@pi.nu" <loa@pi.nu>
Subject: Re: [secdir] Secdir review of draft-ietf-mpls-ldp-igp-sync-bcast-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Nov 2010 16:20:23 -0000

 Hello Sri,

thank you. I saw the updated draft 05 resolved all my editorial comments
(removed them from this email).
Still one thing remains nagging me:
I appreciate your answers in your email about the topic below, but we
seem to disagree whether that justifies an explanation in the security
considerations or not: I believe it should, but noticed that you didn't
add anything about this in the security considerations in version-05.

Note to the AD: please consider this note only as a COMMENT (not a
DISCUSS) as I still believe it would be good to reflect Sri's
explanations below in the Security considerations, but will not want to
insist on that point.
Btw. the argument that certain problems are not unique to this draft
does not mean you needn't point them out in the security considerations.
;-)

Kind regards and thanks, Tobias




On 10/04/2010 07:07 PM, Sriganesh Kini wrote:
>>
>>>> The document states that there would be no security considerations 
>>>> beyond RFC5443.
>>>> I am not certain of that. Although the idea behind bcast is good, it 
>>>> adds a new mechanism beyond 5443.
>>>> To make sure the security considerations are accurate, I'd like to 
>>>> raise two questions for the authors/WG:
>>>> 1. Which security implications does the WG see for removing a coming 
>>>> up link from the LSDB?
>>> [Sri] Since the link is only delayed from being added to the LSDB we don't believe there are any new/additional 
>>> security implications.
>>>
>> [tg] still the delay is in theory not time limited, but based 
>> on the condition of LDP of the link. In combination with #2 
>> (below) that the cut-edge of the network may actually be 
>> calculated falsely, can this be exploited or lead to unreachability?
>> Note: although your remark is right regarding similarities 
>> with 5443, the criteria in 5443 is much weaker as it only 
>> increases its metric, but does not remove it from LSDB/hold 
>> back its entry. Again, I am not an expert on that layer, but 
>> I am still uncertain that no security considerations derive 
>> from that. Did you consider this scenario when you wrote the 
>> draft? Is it unrealistic that it could be exploited with bad 
>> intentions?
>> If not, which would be the underlying implied pre-conditions 
>> to be met to avoid such or under which pre-conditions could 
>> such a problem occur?
>> (potential input for the security considerations section)
> [Sri] The weaker criteria of RFC 5443 does not ensure that the problem does not exist there. In fact the problem exists in a plain IP network with link-state IGP. If the directly connected path has a higher metric than an alternate path with TTL (say > 255) hops then the standard SPF will conclude that the shortest path is the alternate path although through this path the neighboring node is unreachable. Note that in this case the link is advertised with its normal metric yet there is unreachability in the network.
>>>> 2. Can there be a gap between the algorithm to determine "cut-edge" 
>>>> and TTL (e.g. may not qualify for "cut-edge" and thus be removed from 
>>>> LSDB, but have a large number of links and effectively not be 
>>>> reachable)?
>>> [Sri] This problem is not unique to this draft. Even in RFC 
>>> 5443 when the link has high metric, an alternate path with 
>>> num hops > 255 (but a lower path metric than the directly 
>>> connected link's max metric) can result in unreachability.
>>>