IETF Logo Mail Archive

Re: [spring] John Scudder's Discuss on draft-ietf-spring-segment-routing-policy-17: (with DISCUSS and COMMENT)

John Scudder <jgs@juniper.net> Mon, 21 March 2022 21:24 UTC

Return-Path: <jgs@juniper.net>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71B783A0EBD; Mon, 21 Mar 2022 14:24:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level:
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net header.b=QYerNkKO; dkim=pass (1024-bit key) header.d=juniper.net header.b=CugzwfwE
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id stPYvbFH3Z_S; Mon, 21 Mar 2022 14:24:45 -0700 (PDT)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 072B43A0D2A; Mon, 21 Mar 2022 14:24:41 -0700 (PDT)
Received: from pps.filterd (m0108159.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.1.2/8.16.1.2) with ESMTP id 22LGIBYp013025; Mon, 21 Mar 2022 14:24:36 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=Ns8NIHkfPqVnyrQODz9Mu8Ag5ZeW9ECf58TdkdvmqPM=; b=QYerNkKOpvzXyg8DSBA1dMhdxu8bdjtvVfIkTehsmti6hAZkNuSYMnHQ1lE1uDz53nuR xLBOLKraVIpeTeAX4CDhirD0E6atfdAZ5cTdK7bpE713O8qZGO5tt0cb2VbEDEGMhnFD MeSe+alwCV+F0U7sXWLvF8tYMRQqadycOHeiXwfrsdOfSS9fZY1nwMzQaTdDfKeaksUT r9uE82m5/iDnqSXoBCNvQaVF68ZSzM6P5PS6vmve/N1p9UwybQCx24pCqcab7nCX5xDv qAPLd6dTQtN6youJuWm4y8+oXaLUt1eR9guy4EGGmNMmhod5/U+U22vqHv+WcgYjREcI tA==
Received: from nam11-dm6-obe.outbound.protection.outlook.com (mail-dm6nam11lp2170.outbound.protection.outlook.com [104.47.57.170]) by mx0a-00273201.pphosted.com (PPS) with ESMTPS id 3ewd4vv85b-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 21 Mar 2022 14:24:35 -0700
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MXivzT2TXTyDCJOn75toTGfXLZ5j8t+2z8+e5QKpKRqUAuye4Yp5SZwSIJwHxmBJTw5xtAtiYUB0Nr5feJbnOg57BPD3EFOc/ezA0d7l6TxmoMQ0FtSsNANTvZwFiFTbpIgfsv5F0r5KRwu6VmuqvjqN+JJckfsTwkX1OEi1WmSHp8YuqFTxqw6eA+mIIXv5xxrBoebNsPL9OsKf1k+jLjYsjH70tD7+ShnW09CQCVvQnxRIjEoIWajsIR97boOJNh2Z80AQtX0tjzgWappFyWGFvzDnbLHIjq7jZ1SCyfyC6vEDqmguTKo/HvOXJaJowaLBy4uuTKJ4+cUg4ASQBQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Ns8NIHkfPqVnyrQODz9Mu8Ag5ZeW9ECf58TdkdvmqPM=; b=Pn9y4hZRcpFiYeBb75EPUlUmpBveC2UE6xGNb2nL3SRWxC2uBlO3Qg90fietHyOUPYzKzs+mW2ymBxOCjvc5K11IQ25yIc2d/GM4SdnjW6N0kVGnIY6XtMKoaMTJwiGrfv+IBoNGjeN89fbj+wR3DD4lYA5GQlY4YW+CStsG3TMmqRg2k/ddsmB6uZft1aZ64ym8LtfEcLeddM2q98enpezyaXBcr7ngYxgzTQu0bhftTnvb2aJsRcAocQdPlzlR4edtWIipFzSByQCmmmrOYvc2MxfhmvPzeViXzW9eh4qSi9OANwHv0Kb93KEeduCfC6B/dM592DBXrZV9x93Ydg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=juniper.net; dmarc=pass action=none header.from=juniper.net; dkim=pass header.d=juniper.net; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Ns8NIHkfPqVnyrQODz9Mu8Ag5ZeW9ECf58TdkdvmqPM=; b=CugzwfwEIMSUj6MauqKcQjqtB1G7x2gdaIXb4B6uAx44uDt6/bxp9p/nEym7Nzo3XMWATNSvPYUNAu2uKZciEXID/nW8CX2uqAKKR++xbPkFH5/6gAFfKC2swgx0U+RCgOmSmmU4JZmTjWsoKCAEL9G3fg9snkWVFbpdBq5W0/E=
Received: from MN2PR05MB6109.namprd05.prod.outlook.com (2603:10b6:208:c4::20) by BYAPR05MB6408.namprd05.prod.outlook.com (2603:10b6:a03:c7::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5102.8; Mon, 21 Mar 2022 21:24:32 +0000
Received: from MN2PR05MB6109.namprd05.prod.outlook.com ([fe80::8cd3:9859:9c55:6eb8]) by MN2PR05MB6109.namprd05.prod.outlook.com ([fe80::8cd3:9859:9c55:6eb8%5]) with mapi id 15.20.5102.015; Mon, 21 Mar 2022 21:24:32 +0000
From: John Scudder <jgs@juniper.net>
To: Ketan Talaulikar <ketant.ietf@gmail.com>
CC: "james.n.guichard@futurewei.com" <james.n.guichard@futurewei.com>, "draft-ietf-spring-segment-routing-policy@ietf.org" <draft-ietf-spring-segment-routing-policy@ietf.org>, SPRING WG <spring@ietf.org>, "spring-chairs@ietf.org" <spring-chairs@ietf.org>, The IESG <iesg@ietf.org>
Thread-Topic: [spring] John Scudder's Discuss on draft-ietf-spring-segment-routing-policy-17: (with DISCUSS and COMMENT)
Thread-Index: AQHYI1ajQRbh7M614068Bbz53eGtPayWiSeAgAAKsYCAM/mVgA==
Date: Mon, 21 Mar 2022 21:24:32 +0000
Message-ID: <AF504BCF-E8E3-4971-A297-7B3DA1822857@juniper.net>
References: <164503079307.9996.17286143339105134181@ietfa.amsl.com> <CAH6gdPzo+OAoHHQkJD82OdyO=rth8qPPAcco-8STjucnaXNsew@mail.gmail.com> <A7535E25-8DE8-4CBF-9C25-2F12A4692917@juniper.net>
In-Reply-To: <A7535E25-8DE8-4CBF-9C25-2F12A4692917@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3696.80.82.1.1)
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 54ff7b86-457e-4004-a3f6-08da0b813100
x-ms-traffictypediagnostic: BYAPR05MB6408:EE_
x-ms-exchange-atpmessageproperties: SA|SL
x-microsoft-antispam-prvs: <BYAPR05MB640850B774A02D273E9ADF5BAA169@BYAPR05MB6408.namprd05.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: BOhuPvzeqQVVMbL8cLHkTVvY0/NE83EU2rrMJnfO0riBagE/MHXXbLdR5LTVWUj0qrE30h08Z5q51Qq3XVQmwnJkyh9bMwkNWZlLtHePZv5wmtFTZf3ClihoEiCLS6bnV/PdmNDKpf0vDX4vw4QMMEI5D+3GvdSIig7BllbFCvmX5+UGsMxuPatGzI7l2dRwFIYV4whka0umq3KlxdOg6zYYNTYbr6aoAAvGxMrOpaFJ70IhWuChPJe6JD8n2btKI/ZbhgdipUxP3lMn0IU8gOWzLhOhrAUbEdGoo6qRztkjSGbeghLZ4QiJm4plgnnByf47QyS8MJ17kvfGS8tlGF0ztyQjHsklUKD5gjBexTymSP1hYhjrVo23FMppXRoGx+EVyBm+8uPjOFpKDmSP2HZu5jmP3CvlI0PxEcTsmU6YHn6/R7cBc8u8Gf2I9USNK78fhDHcbV1IaDJIApuX0I5qy0ee6KJvdYNNQEpRBLjjFjh7IaDEUIl6yNJYbbViriYHI6BZUcVAwAVDmUJZKyxeosYB2IaJZ4IopwNynWxIqoyAyD9umeLhBA/e9iOfuCjaSR1cMlPAFCMWpoPgX6+cCQZGoG0Q9Hs2jTmlhioN21njqEold33kgeE4ynQbxiEc9uA/BJaDTpltGLDnueqE6gWGkQzJVuVWgZwCSWgVOGIlAhwVh57U8cIPL5J5jlaNegOwHEZPqIGrTSmYpOs0ERKAnIeL8xz4nbUc6+yz7oEJk2bNezLOMxqxb1tuaiUV3KyKv6Bnom6jCxdvmAHOSThqKxWF0VU/j4hmaIM=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MN2PR05MB6109.namprd05.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(86362001)(2616005)(6506007)(83380400001)(36756003)(26005)(8936002)(53546011)(6512007)(2906002)(186003)(8676002)(66476007)(4326008)(66446008)(64756008)(508600001)(66556008)(66946007)(5660300002)(71200400001)(38100700002)(38070700005)(33656002)(54906003)(6916009)(316002)(91956017)(76116006)(122000001)(6486002)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: XeNgx7ygNYQQqEKvYy32DHNnRcsY3MNIacXITTI81dlRwrHm86VG5TEzNU5zzwIhVbhXqWB3CdIMuSyxzm0X5HGFJMsaGWVSNHAsN4g1Rysoqmk7scB6f2nArEPJ214/J0iYfY68gTDE25Rm48AHqOV8HpJVXLAQXq9mKTXrt7qG8iVsXTd5iB2zNJQu508WftCZl5WAV9sgjy8ekZmmHxciYIgfpBGlEQSwggKubJO2CyVN032DQ8xrLpiAu/adxxTJrsMiRYDAz2Jx6ZTY1QJge5ivgGGA+9jROE2KvMVucEZ0jgKC5g3oqPQEE9mHLMi0K2Des1xnvDuFgmXV6T0To1e+3Ae+phPBvECe1+6YpcPbEae7/Q50goHyNeDzfgj18C8ggaujTpYOXXrwjPibLjjbyMhbD/zbaOJJ9y4Upc7NBI64cMPhdADo4xm7l2AKAe4ZBqgYBBglOBm72pXCcZhdGpqDGf6iqgEHxPhCOwOUbi1iyWb85ntAcIq4I7JlgHCs5/buXwYoXHl5By20kngr4db6Nf7XUw3qukLgJ8CRoo90wnE3vSvfyR+tnv+M55oVckEuTqkzrtzrUgLVP5cJn7CV40awaD0dVyqA8hob1er690k/yYmlED11G96onolxLOxyMAkCTzEk2UGqNeXK318wmkiNcndAPLcJ2wcrdo9JovBj28t2tMtEnBDf8EXrcXlnk6QaraDqkeK1hEok6cufw5LfW/zw0fjZd2dzvU+t2v/cGszf6Q254mamRAzqZOj43GQWMRE/5BpxIW4idnDxzwkCUZ6DfMsAvdBcgLLVIE6Bhwu/NRaLLzsx/cnQEAQne7IwsXOa1qhhn1hPV+4tQqvNaHOzbUmATO/RQPgOZdsF+MfLEOg1jNfN3b+vPRePhxboVl4RDQN6XVAmcWswECGbAVZNF9UoWoKqrjcDIGP5wx6fNpMp39dw8e9P1HTrwlEUhP5E+rIhW7c5PR25Qx4pOXzpSnpR1cQq7Cae3KePa20Nl2I/soAgHUPDLZpLrblR7YrcwTus+i0ew68H7oAdiwCuI6nipIp8tDtj6zlefaN5iaFwYPnPiwGMguG74PDGpecPmueMWqENJKA/DOeKveUOiuDeXtjINZF8PTEek6yxTOWMfQvvoasbtDGbpC0s5yyDCcNUMeph1lyYVPXvSDKHlSMH3hOkQvFGtAFR6q15c9jrXYsEA8m/aWd+GWshOTFCF6Ww08kTjFPWQai6mGMug0FMng06RGqZ6oPDFZr+ukxg6zWdURUvWVrc25n8OyxNbfiIJ0UN1CQrz32n1wYJ6duZ15jFYpDSN7olv8nKSGh23ESeS6syR3XuCTWgytK1CPjoK8dR6t+a6vSEVQCXIATcYcKf/LHz4CsVo8r/PrS9SiEM2p0ABwHpoDptShG3m+tb2VpYNuQAY9PI0ZpFtTNVXgUJwWgLlWszU39JEBoBXh6NXi6ulwF9uxaSZ8FQnA==
Content-Type: text/plain; charset="utf-8"
Content-ID: <E7F1DBC96DBC9C49BF90F113D63B604D@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MN2PR05MB6109.namprd05.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 54ff7b86-457e-4004-a3f6-08da0b813100
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Mar 2022 21:24:32.6065 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 3I7yAIa/jfazbVvoXZUSI+9i7EXzyMmNlrsIdtzZtV9M7v+ypF64/dfFMVMpmD2s
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR05MB6408
X-Proofpoint-GUID: dvTpfYGzP17wzmMTb6T-vVOZtdUiVNei
X-Proofpoint-ORIG-GUID: dvTpfYGzP17wzmMTb6T-vVOZtdUiVNei
X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.205,Aquarius:18.0.850,Hydra:6.0.425,FMLib:17.11.64.514 definitions=2022-03-21_09,2022-03-21_01,2022-02-23_01
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 bulkscore=0 spamscore=0 adultscore=0 lowpriorityscore=0 suspectscore=0 malwarescore=0 mlxscore=0 impostorscore=0 priorityscore=1501 clxscore=1015 mlxlogscore=999 phishscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2202240000 definitions=main-2203210136
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/E-LypD5aNlb61jnQr7ICzAy8S9w>
Subject: Re: [spring] John Scudder's Discuss on draft-ietf-spring-segment-routing-policy-17: (with DISCUSS and COMMENT)
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 21 Mar 2022 21:24:51 -0000

Hi Ketan,

You asked "whether the responses and draft updates address [my] concerns”. I’d say that while I’m not completely happy about certain things (e.g., I remain unconvinced that the companion IDR doc shouldn’t be a normative reference) I don’t need to continue holding a DISCUSS on them: we’ve had a discussion, we don’t completely agree, these things happen. On point 4 however, I don’t think our discussion has concluded. At least, if you replied to this, I missed it:

> On Feb 16, 2022, at 2:42 PM, John Scudder <jgs=40juniper.net@dmarc.ietf.org> wrote:
> 
>> 4. In §2.1 you talk about the signaling of symbolic names for candidate paths.
>> Although you are careful to say that such symbolic names are only used for
>> presentation purposes, it seems to me they still could be considered a new
>> potential source of vulnerability, since a string that has no sanity-checking
>> whatsoever applied by the protocol can display literally anything to an
>> operator viewing it. Shouldn’t this be addressed in your Security
>> Considerations? (For an example of a related Security Considerations, see RFC
>> 9003. It’s probably not the best example, but it’s the one I had at my
>> fingertips…)
>> 
>> KT> RFC9003 uses UTF-8 while this document uses printable ASCII. As such, I am not aware of security issues around printable ASCII - please do point me to any references.
> 
> You’re thinking too much like a protocol designer. The kind of concern I’m thinking about has to do with using the string as a vector to put some words in front of an operator, as part of a larger social engineering attempt. I don’t have a detailed attack scenario to paint for you, but a quick sketch is along the lines of
> 
> - Attacker manages to inject a candidate path with the name “Big_Bank_Low_Latency”
> - ProTip: the candidate path does not actually terminate at Big_Bank
> - Attacker then phones NOC, feigns urgency, asks NOC to redirect Big_Bank traffic onto that path
> 
> You get the idea, I hope.

More snipped, but this is the meat of it. In case you haven’t looked at RFC 9003’s security section, here’s a snip from it:

   As BGP Shutdown Communications are likely to appear in syslog output,
   there is a risk that carefully constructed Shutdown Communication
   might be formatted by receiving systems in a way to make them appear
   as additional syslog messages. 

(FWIW, I didn’t contribute that text.)

Please don’t obsess about “syslog” in the example above, it’s not central to the point, just like UTF-8 vs ASCII isn’t central. The point, again, is that by introducing a way for an attacker to cause a target system to display arbitrary strings, it would seem reasonable to wonder if that creates an opportunity for mischief that doesn’t ordinarily exist in our protocols, involving misleading people looking at the displayed string in a user interface.

There are various ways this concern could be mitigated (if we were to come to agreement that it’s even a concern). One would be to remove the “signal arbitrary strings” idea; this is clearly the solidest way to do it. Another would be to mandate (or strongly suggest) that symbolic names gleaned from something other than configuration be displayed in such a way as to make the operator aware of their status. At a minimum, one might add a paragraph or two identifying the concern. I’m sure there are other things that could be contemplated.

Regards,

—John

v2.43.4 | Report a Bug | By Email | System Status