[spring] Chair Review of draft-bdmgct-spring-srv6-security-02 (Adoption)
Alvaro Retana <aretana.ietf@gmail.com> Wed, 14 August 2024 22:25 UTC
Return-Path: <aretana.ietf@gmail.com>
X-Original-To: spring@ietfa.amsl.com
Delivered-To: spring@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 139E2C18DBBC; Wed, 14 Aug 2024 15:25:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nOa0xDL8cK7w; Wed, 14 Aug 2024 15:25:27 -0700 (PDT)
Received: from mail-pf1-x435.google.com (mail-pf1-x435.google.com [IPv6:2607:f8b0:4864:20::435]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A65EC1D5304; Wed, 14 Aug 2024 15:25:27 -0700 (PDT)
Received: by mail-pf1-x435.google.com with SMTP id d2e1a72fcca58-7105043330aso303076b3a.0; Wed, 14 Aug 2024 15:25:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723674326; x=1724279126; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date :mime-version:from:from:to:cc:subject:date:message-id:reply-to; bh=98Rek02h5eHQkksNMSpDu4ndzBoheFc+oW0A4VE50ak=; b=hyMmknIQQGyVqKZrZ0P0C+xg7lP06YLn3G3V9MQ0KLGKDpTFQ97I4EZpfhYZswquhq 1DpeEvGkQrv8lKLqQ+u4B46ryWFFuk8ErEnNkI6qBVsXPiI/B9t6e/mGOYlw88lto7L2 /Qo/wwVrOU10P6Do7HWaXyDlaEWQLZudf0VfbVT535RrrEL2HOzC8GeIwwzkRBtkfehA Oe482aZxQ81OB0O4QaEmhxLNBeBYfljoT9Duf68kuJFrXZIMvrRJtkROnmNViwjiTZE9 C7psmUWyb9Car1ikwOretyzSsYQafP4d0dfkM/eb9fxE5Wk191tJ3DuUH7awqzTLoi95 N+MA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723674326; x=1724279126; h=content-transfer-encoding:cc:to:subject:message-id:date :mime-version:from:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=98Rek02h5eHQkksNMSpDu4ndzBoheFc+oW0A4VE50ak=; b=w9rPZ/z/I252dg9+kyap7nq3L6F0op+qamQFWbsFY5rnemRsrJivEa1+GHNkk8D9Nu 3izOl8dvI9HXZRWHB8cuh1IS+W/LOD+dnYqdj5uLcHBqX2WkvLu1UuxLYBfpuF+WvneE 5TJN5+8jpmoUI+amzaUHKo2poCHqitxJhY1UGUatMQerxXlbyXxuby9Zwri53s5pQ/XM kOOjSy8O8SoaLF4pCPSGaq0pFSt6MfC6Um0F3TSg5TDg8j7706+1aJaJDfF9GyPmhdmD te2UxMZJjUDA5jc+Mb9zi3e5c3OD/dU2+o/RqQTUZGEgktTkaPHfShpMLgMtkBB0MAhr bpYQ==
X-Gm-Message-State: AOJu0YxBy6ItuCBvo+g3MXbp7aicA4ozwdlP2LxSRqK0FhwEoDoCEOPE kCPuDjNEK/Yx9TkOTIHNLwUoKXZcuc4aiJZ5e0VGhEgge+SYOSlnQh8fSYV408QQrgZdAIc7LMg 8b4dI5KsNPLaziGS6rALmCoZZs3cdLXP2vU0=
X-Google-Smtp-Source: AGHT+IG3UlUJrt2YGDaxMQAQfOCHzNiLzrXnU7Jg3YxZlCv2WxaV/HbbBROfuxWcP5TFN750n7tb9S29+lnFDDVe7r0=
X-Received: by 2002:a05:6a21:9184:b0:1c2:8949:5bb3 with SMTP id adf61e73a8af0-1c8eaf63b4bmr5341496637.42.1723674325672; Wed, 14 Aug 2024 15:25:25 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Wed, 14 Aug 2024 17:25:24 -0500
From: Alvaro Retana <aretana.ietf@gmail.com>
MIME-Version: 1.0
Date: Wed, 14 Aug 2024 17:25:24 -0500
Message-ID: <CAMMESsw=x5KkibQmejs0ybDChozJ8F9SN4Ud79t=hrabFV3ayw@mail.gmail.com>
To: draft-bdmgct-spring-srv6-security@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: N5F7JRQNREB7PDK6VAWHNQ46TKE3LPV5
X-Message-ID-Hash: N5F7JRQNREB7PDK6VAWHNQ46TKE3LPV5
X-MailFrom: aretana.ietf@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-spring.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: SPRING WG <spring@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [spring] Chair Review of draft-bdmgct-spring-srv6-security-02 (Adoption)
List-Id: "Source Packet Routing in NetworkinG (SPRING)" <spring.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spring/mqcUU_VgyuY8_W-edi4STD5p6nU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spring>
List-Help: <mailto:spring-request@ietf.org?subject=help>
List-Owner: <mailto:spring-owner@ietf.org>
List-Post: <mailto:spring@ietf.org>
List-Subscribe: <mailto:spring-join@ietf.org>
List-Unsubscribe: <mailto:spring-leave@ietf.org>
Dear authors: Thank you for taking on this work! I am providing this review with my Chair Hat on in parallel with the adoption call. Please consider it in addition to the other comments you receive. In general, the current draft is a very good start! I know it is a work in progress, and I expect changes along the way. Having said that, I want to highlight some high-level points to consider as you continue the work. (1) Scope §2 and the document generally focus on the data plane, but the control plane plays a significant part in an SRv6 network. The control plane should also be considered. Many possible control plane threats (overclaiming, filtering, etc.) are not specific to SRv6 but may expose themselves differently in an SRv6 network. §6.4 is a start, but I believe more is needed. (2) Threat Model Even though the threat model mentions external attackers, §6 focuses on internal attacks, indicating that "it is assumed that SRv6 is deployed within a limited domain [RFC8799] with filtering at the domain boundaries, forming a trusted domain with respect to SRv6." However, the first set of mitigation methods (§7) concerns the domain boundary. The formulation of the threat model and the assumptions need to be aligned to the mitigations offered. (3) Relationship to Existing Work It is not clear from the current text what the relationship between existing work (specifically the existing Security Considerations) and this document is. I hope that this document will not have to include "everything" (among other reasons because it would require a great deal of duplication) but that it can refer to, complement, or augment (as needed) any existing guidance. IOW, I expect to see more text of the form: "as rfcxxx recommends, use ABC", "rfczzzz already covers this topic", or "in addition to what is recommended in rfcggg....". Even some text like "the recommendation in this document replaces what was recommended in rfchhh". I also included comments in-line (see below). Thanks! Alvaro. [Line numbers from idnits.] ... 123 1. Introduction ... 137 * SRv6 makes use of the SRH which is a new type of Routing Extension 138 Header. Some of the security considerations of the SRH are 139 discussed in [RFC5095] and [RFC8754]. [] The SRH is specified in RFC8754. To be strict, RFC5095 doesn't talk about the SRH. RFC8754 already refers to RFC5095 in its Security Considerations. 141 * SRv6 consists of using the SRH on the IPv6 dataplane, and 142 therefore known security considerations of IPv6 [RFC9099] are 143 applicable to SRv6 as well. [] Please also point to the Security Considerations in rfc8200. 145 * While SRv6 uses what appear to be typical IPv6 addresses, the 146 address space is processed differently by segment endpoints. A 147 typical IPv6 unicast address is comprised of a network prefix, 148 host identifier, and a subnet mask. A typical SRv6 segment 149 identifier (SID) is broken into a locator, a function identifier, 150 and optionally, function arguments. The locator must be routable, 151 which enables both SRv6 capable and incapable devices to 152 participate in forwarding, either as normal IPv6 unicast or SRv6. 153 The capability to operate in environments that may have gaps in 154 SRv6 support allows the bridging of islands of SRv6 devices with 155 standard IPv6 unicast routing. [] Adding references to rfc8986 and draft-ietf-6man-sids (which should soon be an RFC) would be useful. ... 160 2. Scope of this Document ... 181 We note that SRv6 is under active development and, as such, the above 182 documents might not cover all protocols employed in an SRv6 183 deployment. [] For future versions: draft-ietf-6man-sids is in the RFC Editor's queue and draft-ietf-spring-srv6-srh-compression is with the IESG. Both should be RFCs by the time we're done processing this document. ... 205 4. Threat Model ... 223 On-path vs. Off-path: On-path attackers are located in a position 224 that allows interception, modification or dropping of in-flight 225 packets, as well as insertion (generation) of packets. Off-path 226 attackers can only attack by insertion of packets. [] Could an off-path attacker be able to interact with the control plane? The definition seems to be incomplete. Or maybe I'm interpreting "packets" as data plane... 228 The following figure depicts the attacker types according to the 229 taxonomy above. As illustrated in the figure, on-path attackers are 230 located along the path of the traffic that is under attack, and 231 therefore can listen, insert, delete, modify or replay packets in 232 transit. Off-path attackers can insert packets, and in some cases 233 can passively listen to some of the traffic, such as multicast 234 transmissions. [] This taxonomy is focused on the data plane -- I believe the control plane should also be considered. [] "Off-path attackers...can passively listen to some of the traffic, such as multicast transmissions." Even if listening to only "some of the traffic", wouldn't the node be on-path? ... 265 In the context of the current document it is assumed that SRv6 is 266 deployed within a limited domain [RFC8799] with filtering at the 267 domain boundaries, forming a trusted domain with respect to SRv6. 268 Thus, external attackers are outside of the trusted domain. 269 Specifically, an attack on one domain that is invoked from within a 270 different domain is considered an external attack in the context of 271 the current document. [] rfc8799 is not an IETF consensus document. IMO, this document would be better served if a description of what is considered a "limited domain" is included -- instead of doing it by reference. 273 Following the spirit of [RFC8402], the current document mandates a 274 filtering mechanism that eliminates the threats from external 275 attackers. This approach limits the scope of the attacks described 276 in this document to within the domain (i.e., internal attackers). [] "mandates a filtering mechanism" I couldn't find the MUST/REQUIRED text. The statement feels out of place when describing the threat model -- if you keep it here, point to the section where the requirement is specified. ... 292 5. Impact 294 One of the important aspects of a threat analysis is the potential 295 impact of each threat. SRv6 allows for the sending of IPv6 packets 296 via arbitrary paths. An attack on SRv6 may cause packets to traverse 297 arbitrary paths within an SR domain. This may allow an attacker to 298 perform a number of attacks on the victim networks and hosts that 299 would be mostly unfeasible for a non-SRv6 environment. [] s/sending of IPv6 packets/forwarding of IPv6 packets [] "SRv6 allows for the sending of IPv6 packets via arbitrary paths. An attack on SRv6 may cause packets to traverse arbitrary paths within an SR domain." I guess this text means that the attack uses a *different* set of "arbitrary paths" (when compared to the intended forwarding path). Please clarify. 301 The threat model in [ANSI-Sec] classifies threats according to their 302 potential impact, defining six categories. For each of these 303 categories we briefly discuss its applicability to SRv6 attacks. 305 * Unauthorized Access: an attack that results in unauthorized access 306 might be achieved by having an attacker leverage SRv6 to 307 circumvent security controls as a result of security devices being 308 unable to enforce security policies in the presence of IPv6 309 Extension Headers (see [RFC9098]), or by directing packets through 310 paths where packet-filtering policies are not enforced. [] [ANSI-Sec] doesn't explicitly define what "Unauthorized Access" is. As you're doing here, it explains it by example. However, I believe that doing it this way is non-exhaustive and can easily leave out important examples/considerations. For example, the examples above are about circumventing access control. But that is not comprehensive (or even a representative example). "Unauthorized system access to carry out attacks" is an example given in [ANSI-Sec] that is also applicable to SRv6: an internal attacker could gain unauthorized access to a node inside the SR domain. rfc3552 calls this impact "Unauthorized Usage" or "Inappropriate Usage". An example of "inappropriate usage" may be directing packets through a path that is not intended for the traffic (because it is reserved for other traffic, has low resources, or whatever else). All this is to say: please use well-understood/defined concepts (like the ones in §2/rfc3552). [] Also, I searched the document for other mentions of "Unauthorized Access", but didn't find any. What is the purpose of defining the impact if it won't be mentioned later (when discussing specific attacks or possible mitigations)? [Disclaimer: I didn't look in detail at the other impact terms in this section.] ... 357 6.1. Attack Abstractions 359 Packet manipulation and processing attacks can be implemented by 360 performing a set of one or more basic operations. These basic 361 operations (abstractions) are as follows: [] These abstractions focus on the data plane. What about control plane-related abstractions? On one hand, similar basic operations can be listed for the control plane. On the other hand, the operations are not specific to SRv6. For example, it's possible to listen passively to routing protocols, independently of whether SRv6 is used or not. Consider referencing rfc4593. ... 419 6.2.3. Impact ... 434 Preferring a specific path: The packet can be manipulated to avert 435 packets to a specific path. This attack can result in allowing 436 various unauthorized services such as traffic acceleration. 437 Alternatively, an attacker can avert traffic to be forwarded 438 through a specific node that the attacker has access to, thus 439 facilitating more complex on-path attacks such as passive 440 listening, recon and various man-in-the-middle attacks. It is 441 noted that the SR modification attack is performed by an on-path 442 attacker who has access to packets in transit, and thus can 443 implement these attacks directly. However, SR modification is 444 relatively easy to implement and requires low processing resources 445 by an attacker, while it facilitates more complex on-path attacks 446 by averting the traffic to another node that the attacker has 447 access to and has more processing resources. [] "man-in-the-middle" is not inclusive. The usual replacement term is "on-path". ... 472 6.2.4. Overview [] It feels like a new section header is needed before this subsection: "Recon Attack" ?? ... 554 6.4.3. Impact 556 A compromised control plane or management plane can impact the 557 network in various possible ways. SR policies can be manipulated by 558 the attacker to avoid specific paths or to prefer specific paths, as 559 described in Section 6.2.3. Alternatively, the attacker can 560 compromise the availability, either by defining SR policies that load 561 the network resources, as described in Section 6.2.3, or by 562 blackholing some or all of the SR policies. A passive attacker can 563 use the control plane or management plane messages as a means for 564 recon, in a similar manner to Section 6.2.3. [] It is true that some of the results from §6.2.3 can be seen, but some of them may require multiple nodes to be compromised. Consider expanding on that. [] "blackholing" is not inclusive. Consider "dropping". ... 586 7.1.1. SRH Filtering 588 SRv6 packets rely on the routing header in order to steer traffic 589 that adheres to a defined SRv6 traffic policy. Thus, SRH filtering 590 can be enforced at the ingress and egress nodes of the SR domain, so 591 that packets with an SRH cannot be forwarded into the SR domain or 592 out of the SR domain. Specifically, such filtering is performed by 593 detecting Next Header 43 (Routing Header) with Routing Type 4 (SRH). [] Several places, including this text from §4, talk about the assumptions...and then the text focuses on the threats and mitigations inside the SRv6 domain: In the context of the current document it is assumed that SRv6 is deployed within a limited domain [RFC8799] with filtering at the domain boundaries, forming a trusted domain with respect to SRv6. IOW, external attacks are not considered anywhere, except the first few mitigation methods. I'm pointing this out not to say that they should be out of scope, but to say that they were not considered before. 595 Because of the methodologies used in SID compression 596 [I-D.ietf-spring-srv6-srh-compression], SRH compression does not 597 necessarily use an SRH. In practice this means that when compressed 598 segment lists are used without an SRH, filtering based on the Next 599 Header is not relevant, and thus filtering can only be applied baed 600 on the address range, as described below. [] rfc8754 says that "the SRH MAY be omitted". IOW, this case applies to all cases, not just when using C-SIDs. ... 625 7.3. Hashed Message Authentication Code (HMAC) ... 638 * The HMAC TLV is OPTIONAL. [] "OPTIONAL" is an rfc2119 keyword...but it is not used Normatively in this case (the Normative statement is in rfc8754). s/OPTIONAL/optional ... 656 8.1. Limitations in Filtering Capabilities 658 [RFC9288] provides recommendations on the filtering of IPv6 packets 659 containing IPv6 extension headers at transit routers. SRv6 relies on 660 the routing header (RH4). Because the technology is reasonably new, 661 many platforms, routing and otherwise, do not posses the capability 662 to filter and in some cases even provide logging for IPv6 next-header 663 43 Routing type 4. [] This is true...but the text may not age well. Considering including something like "at the time of this writing..." 665 8.2. Middlebox Filtering Issues ... 672 The security devices on SRv6 networks need to take care of SRv6 673 packets. However, the SRv6 packets usually use loopback address of 674 the PE device a as source address. As a result, the address 675 information of SR packets may be asymmetric, resulting in improper 676 filter traffic problems, which affects the effectiveness of security 677 devices. For example, along the forwarding path in SRv6 network, the 678 SR-aware firewall will check the association relationships of the 679 bidirectional VPN traffic packets. And it is able to retrieve the 680 final destination of SRv6 packet from the last entry in the . When 681 the <source, destination> tuple of the packet from PE1 to PE2 is 682 <PE1-IP-ADDR, PE2-VPN-SID>, and the other direction is <PE2-IP-ADDR, 683 PE1-VPN-SID>, the source address and destination address of the 684 forward and backward VPN traffic are regarded as different flow. 685 Eventually, the legal traffic may be blocked by the firewall. [] s/in the ./in the SRH. [] TBH, you lost me in the description above. Wouldn't the same issue be present in IPv6 networks that don't use SR? ... 788 14. References [] I didn't check the status of the references. [EoR-02]
- [spring] Chair Review of draft-bdmgct-spring-srv6… Alvaro Retana
- [spring] Re: Chair Review of draft-bdmgct-spring-… Nick Buraglio