IETF Logo Mail Archive

Re: [spring] John Scudder's Discuss on draft-ietf-spring-segment-routing-policy-17: (with DISCUSS and COMMENT)

Ketan Talaulikar <ketant.ietf@gmail.com> Tue, 22 March 2022 18:31 UTC

Return-Path: <ketant.ietf@gmail.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 226CE3A0F40; Tue, 22 Mar 2022 11:31:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.006
X-Spam-Level:
X-Spam-Status: No, score=-2.006 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PAk3T-QICKJV; Tue, 22 Mar 2022 11:30:53 -0700 (PDT)
Received: from mail-vs1-xe36.google.com (mail-vs1-xe36.google.com [IPv6:2607:f8b0:4864:20::e36]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8E9E3A0FD7; Tue, 22 Mar 2022 11:30:50 -0700 (PDT)
Received: by mail-vs1-xe36.google.com with SMTP id a127so11781183vsa.3; Tue, 22 Mar 2022 11:30:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=So5Jr8zg6Qr0NQvgCAj5GsHX9aDRAEzRPvfC8GuOSZE=; b=DHldJkzcH/1tl2ES0oF6LZ8qDcrDDuTrY08x8vbYjE7mArhAyLRnVCyFz0m+9f/HAy 5FCG6scFYP9sb3KYT6e1q2a0+u6s1w9G0AsC4WzNvbog8VFUyd45OMESDCrQb0IslXQ+ YvUVxYvr0oQk/Nszopo/wsD28/5XCAI1Kcxoex9a8ceOI6rac9O828wXefvDS1ZOoQv5 nuZksE/OriFoj7HG5JiMyke3/hYHYVZt1Rch4r6VH3UbWFDj7+1olgtQRY/e4TxHkhBs EGcqdxWtR17j0JWrlm8Uy7/8gc3Y2Kt2wvLzUdlsCB/N1RXTVrs7GpTeDGrQY5zV0vt4 IZpw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=So5Jr8zg6Qr0NQvgCAj5GsHX9aDRAEzRPvfC8GuOSZE=; b=OeVSArdCDNyglVjKWMT+VuABB6CZ49j3YbAA7fbISjmB75HkOKU2P6vOFj2dEhgTMP qFkhpoV97VBnAnUMGjvW8JDqQIIfvLoPS0Cq8k855UzfkDKgqEoDbwYf88Smq2KF9eTp KsRwXS5aoYRtxbZts2yfy6l6/JLoXy/IVySj3Q9aJfZWBn4Y1e4dnwW/XgMss//pDyzB FfNgqv5QiMXyJB7tKOTSvqyFOvN8x335nbBurj2QGpSl8p63uhoZQDVeIKAXtAsJTIX2 VBxt4KDk0l2K9d1LTLvAYaqy1LbtLrBMalHux+lEHIZCV66JvOjVD674fxsEcIShg/O5 mJIg==
X-Gm-Message-State: AOAM5320qbfBQlej7eUvODdJZjTCMv6JsDecXmU9cjrYAcjK84c6byEk 4gwgWzGo8EBYkX12a+13nWAwD+7PjPobQ3pI2pnAWzFX
X-Google-Smtp-Source: ABdhPJwRMSkYweWYnxBVTggdglmpJsESN73RVLLhqnzbvYtWclm6ukaEd+wsV9PbDKCrHJagTplr5tRsP6GUT42gCJ0=
X-Received: by 2002:a05:6102:510c:b0:322:b84a:4212 with SMTP id bm12-20020a056102510c00b00322b84a4212mr10776441vsb.64.1647973849513; Tue, 22 Mar 2022 11:30:49 -0700 (PDT)
MIME-Version: 1.0
References: <164503079307.9996.17286143339105134181@ietfa.amsl.com> <CAH6gdPzo+OAoHHQkJD82OdyO=rth8qPPAcco-8STjucnaXNsew@mail.gmail.com> <A7535E25-8DE8-4CBF-9C25-2F12A4692917@juniper.net> <AF504BCF-E8E3-4971-A297-7B3DA1822857@juniper.net> <CAH6gdPwqsnAndMFgx0f-AJ=w62SvT9kHDQtbci3WxVz8n40TpA@mail.gmail.com> <6E8C015A-C0AE-4775-9B49-09F7DA40B9B2@juniper.net> <CAH6gdPzmfH34cq7XFO9WO=5FYFytoY6DR2Fk+wxjfUJ6hKLa5w@mail.gmail.com> <C2E55EE9-BC36-4F41-834B-3604B8C98A70@juniper.net>
In-Reply-To: <C2E55EE9-BC36-4F41-834B-3604B8C98A70@juniper.net>
From: Ketan Talaulikar <ketant.ietf@gmail.com>
Date: Wed, 23 Mar 2022 00:00:37 +0530
Message-ID: <CAH6gdPyWO8ekPPsWWaH4nhh-B7p9WxZqj3mNdEP3mvio9HRuJw@mail.gmail.com>
To: John Scudder <jgs@juniper.net>
Cc: james.n.guichard@futurewei.com, draft-ietf-spring-segment-routing-policy@ietf.org, SPRING WG <spring@ietf.org>, spring-chairs@ietf.org, The IESG <iesg@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e6408605dad2cf42"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/YAqWYfKELG3sLQr7n6u8_lyGLOc>
Subject: Re: [spring] John Scudder's Discuss on draft-ietf-spring-segment-routing-policy-17: (with DISCUSS and COMMENT)
X-BeenThere: spring@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Source Packet Routing in NetworkinG \(SPRING\)" <spring.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spring>, <mailto:spring-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring/>
List-Post: <mailto:spring@ietf.org>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spring>, <mailto:spring-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Mar 2022 18:31:01 -0000

Thanks John for your inputs and suggestions.

Thanks,
Ketan


On Tue, 22 Mar, 2022, 11:51 pm John Scudder, <jgs@juniper.net> wrote:

> Looks good, thanks. I’ve cleared my discuss, thanks for your work on this.
>
> —John
>
> On Mar 22, 2022, at 2:11 PM, Ketan Talaulikar <ketant.ietf@gmail.com>
> wrote:
>
>
>
> Hi John,
>
> Thanks for your guidance with the text. Very much appreciated - especially
> in the middle of the busy IETF week.
>
> I've just posted an update to the draft with slight modifications to your
> text (so as to cover both sec 2.1 and 2.6 and suggest the use of the
> well-defined identifiers as a mitigation approach instead of relying solely
> on the symbolic names.
>
>
> https://datatracker.ietf.org/doc/html/draft-ietf-spring-segment-routing-policy-22
> <https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draft-ietf-spring-segment-routing-policy-22__;!!NEt6yMaO-gk!TPdw7ZdqeCRS2htB1JCtU9oqzfUS0akoP3b2FGoZfrye6NBL-A_CpxzRhVlz1g$>
>
> Please let us know if this addresses your concerns.
>
> Thanks,
> Ketan
>
>
> On Tue, Mar 22, 2022 at 11:20 PM John Scudder <jgs@juniper.net> wrote:
>
>> Hi Ketan,
>>
>> Thanks as always for your quick reply.
>>
>> > On Mar 22, 2022, at 4:54 AM, Ketan Talaulikar <ketant.ietf@gmail.com>
>> wrote:
>> >
>> >
>> > Hi John,
>> >
>> > I dug into my emails and you are right that while we had a discussion
>> on point 4 (i.e. security considerations associated with the use of
>> symbolic names), it was not concluded. My apologies for the same.
>> >
>> > It might be helpful to place a context on why the draft uses symbolic
>> names in the first place. The closest analogies that come to my mind are
>> tunnels (different types - TE, IPinIP, IPsec) and MPLS LSPs (or paths).
>> These constructs have had symbolic names associated with them for a long
>> time now - both for local use on routers (some implementation-specific -
>> others specified by IETF)
>>
>> Sure. Anything local to the router isn’t related to my concern, which is
>> specific to the opportunity for a remote attacker to mislead someone on the
>> local router. I hope it’s clear by now that I have no issue with
>> associating a symbolic name with a SR Policy (or any other thing), as such.
>>
>> > and also signaled via routing protocols.
>>
>> Now that you point it out, I do see a few such, e.g. the
>> SYMBOLIC-PATH-NAME in RFC 8231. That particular example has arguably
>> different threat properties since the relationship between a PCE and its
>> clients isn’t mediated through other routers; the trust relationship is
>> clearer and the “remote attacker” is not so very remote. But I imagine
>> there are other examples to be found, and I don’t want to split hairs on
>> this detail.
>>
>> > Operators are therefore quite familiar with their usage and hence their
>> introduction in the SR Policy construct. I don't believe the WG would want
>> to take the option of their removal (it was a suggested option).
>>
>> I didn’t really expect you to; I was just laying out some points in the
>> solution space.
>>
>> > Then we get to option of adding specific text to the draft (in the
>> security considerations?) that would discuss your concerns. Such text may
>> be addressed to implementators and/or operators. As mentioned above, the
>> use of symbolic names for constructs similar to SR Policy name and SR
>> Policy Candidate Path name is not "new" for both sets of readers.
>> Therefore, I am not sure if we need to cover or add anything new in this
>> document and I could not find text that I could borrow from other RFCs or
>> point to other RFCs. e.g.,
>> https://www.rfc-editor.org/rfc/rfc8231.html#section-7.3.2
>> <https://urldefense.com/v3/__https://www.rfc-editor.org/rfc/rfc8231.html*section-7.3.2__;Iw!!NEt6yMaO-gk!TPdw7ZdqeCRS2htB1JCtU9oqzfUS0akoP3b2FGoZfrye6NBL-A_Cpxzu_nJ4ug$>
>> >
>> > I did look at RFC9003 but its context is very different. From your
>> DISCUSS comment, I see that your concern is that a string does not have any
>> sanity checking - the operator is free to use any text.
>>
>> Correct. As long as you assume good will on the part of “the operator”
>> it’s all good. If you start thinking in terms of an attacker in some
>> distant part of the network injecting a policy, it becomes potentially
>> concerning.
>>
>> > I agree. Do we want implementations to restrict something? Do we want
>> to give some naming guidelines or precautions to the operators?
>>
>> I don’t think the concern is addressable on the origination side, since
>> it assumes a bad actor to begin with, and they’re not going to be bothered
>> by what we write in an RFC. That was why in my suggestion I was thinking in
>> terms of display conventions. I’m not super excited by my own idea, though,
>> because it reminds me uncomfortably much of the disclaimer my IT department
>> slaps on every incoming email, “[External Email. Be cautious of content]”.
>> It’s not particularly actionable, and it’s annoying. :-(
>>
>> > In a previous response, your suggestions for the text for operators
>> were (somewhat?) of the nature - "beware the name of the SR Policy may not
>> actually be correct or may be misleading because someone might have hacked
>> into the network". I am not sure if something of that nature helps. If the
>> names stop being meaningful then they are no more relevant? Isn't the
>> security aspect to be taken care of here is to prevent hacking? Something
>> beyond the scope of this draft?
>>
>> “Security is everyone’s responsiblity.”
>>
>> > I'll admit that I am running out of ideas on what would be a meaningful
>> text to add to address your concerns. Would appreciate some text suggestion
>> that is relevant to this specific context.
>>
>> In the end, maybe it’s true that there’s not much to be done, which
>> sucks, but that’s life. But even if we throw our hands in the air and say
>> “nothing to be done”, which is I think where we’re getting to, I don’t
>> think there would be any harm in putting a sentence or two in the Security
>> Considerations such as you mention just above. Something along the lines of,
>>
>> “In Section 2.1 we mention that a symbolic name MAY be signaled along
>> with a candidate path. While the value of symbolic names for display
>> clarity is indisputable, as with any unrestricted freeform text received
>> from external parties, there can be no absolute assurance that the
>> information the text purports to show is accurate or even truthful. For
>> this reason, users of implementations that display such information would
>> be well-advised not to rely on it without question. Furthermore,
>> implementations that display such information might wish to display it in
>> such a fashion as to differentiate it from known-good information. (Such
>> display conventions are inherently implementation-specific; one example
>> might be use of a distinguished text color or style for information that
>> should be treated with caution.)”
>>
>> Let’s be honest, the “oooh be careful” text provides about as much
>> protection as wet tissue paper, and displaying the string in magenta not a
>> whole lot more than that — but it’s still better to disclose the cocnern
>> than not to.
>>
>> Regards,
>>
>> —John
>>
>> > Thanks,
>> > Ketan
>> >
>> > On Tue, Mar 22, 2022 at 2:54 AM John Scudder <jgs@juniper.net> wrote:
>> >> Hi Ketan,
>> >>
>> >> You asked "whether the responses and draft updates address [my]
>> concerns”. I’d say that while I’m not completely happy about certain things
>> (e.g., I remain unconvinced that the companion IDR doc shouldn’t be a
>> normative reference) I don’t need to continue holding a DISCUSS on them:
>> we’ve had a discussion, we don’t completely agree, these things happen. On
>> point 4 however, I don’t think our discussion has concluded. At least, if
>> you replied to this, I missed it:
>> >>
>> >> > On Feb 16, 2022, at 2:42 PM, John Scudder <jgs=
>> 40juniper.net@dmarc.ietf.org> wrote:
>> >> >
>> >> >> 4. In §2.1 you talk about the signaling of symbolic names for
>> candidate paths.
>> >> >> Although you are careful to say that such symbolic names are only
>> used for
>> >> >> presentation purposes, it seems to me they still could be
>> considered a new
>> >> >> potential source of vulnerability, since a string that has no
>> sanity-checking
>> >> >> whatsoever applied by the protocol can display literally anything
>> to an
>> >> >> operator viewing it. Shouldn’t this be addressed in your Security
>> >> >> Considerations? (For an example of a related Security
>> Considerations, see RFC
>> >> >> 9003. It’s probably not the best example, but it’s the one I had at
>> my
>> >> >> fingertips…)
>> >> >>
>> >> >> KT> RFC9003 uses UTF-8 while this document uses printable ASCII. As
>> such, I am not aware of security issues around printable ASCII - please do
>> point me to any references.
>> >> >
>> >> > You’re thinking too much like a protocol designer. The kind of
>> concern I’m thinking about has to do with using the string as a vector to
>> put some words in front of an operator, as part of a larger social
>> engineering attempt. I don’t have a detailed attack scenario to paint for
>> you, but a quick sketch is along the lines of
>> >> >
>> >> > - Attacker manages to inject a candidate path with the name
>> “Big_Bank_Low_Latency”
>> >> > - ProTip: the candidate path does not actually terminate at Big_Bank
>> >> > - Attacker then phones NOC, feigns urgency, asks NOC to redirect
>> Big_Bank traffic onto that path
>> >> >
>> >> > You get the idea, I hope.
>> >>
>> >> More snipped, but this is the meat of it. In case you haven’t looked
>> at RFC 9003’s security section, here’s a snip from it:
>> >>
>> >>    As BGP Shutdown Communications are likely to appear in syslog
>> output,
>> >>    there is a risk that carefully constructed Shutdown Communication
>> >>    might be formatted by receiving systems in a way to make them appear
>> >>    as additional syslog messages.
>> >>
>> >> (FWIW, I didn’t contribute that text.)
>> >>
>> >> Please don’t obsess about “syslog” in the example above, it’s not
>> central to the point, just like UTF-8 vs ASCII isn’t central. The point,
>> again, is that by introducing a way for an attacker to cause a target
>> system to display arbitrary strings, it would seem reasonable to wonder if
>> that creates an opportunity for mischief that doesn’t ordinarily exist in
>> our protocols, involving misleading people looking at the displayed string
>> in a user interface.
>> >>
>> >> There are various ways this concern could be mitigated (if we were to
>> come to agreement that it’s even a concern). One would be to remove the
>> “signal arbitrary strings” idea; this is clearly the solidest way to do it.
>> Another would be to mandate (or strongly suggest) that symbolic names
>> gleaned from something other than configuration be displayed in such a way
>> as to make the operator aware of their status. At a minimum, one might add
>> a paragraph or two identifying the concern. I’m sure there are other things
>> that could be contemplated.
>> >>
>> >> Regards,
>> >>
>> >> —John
>> >
>>
>
>

v2.29.0 | Report a Bug | By Email | System Status