Re: [Spud] Can malicious users use the PLUS layer to force their traffic through firewalls in the network?

Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch> Tue, 06 September 2016 14:41 UTC

From: Mirja Kühlewind <mirja.kuehlewind@tik.ee.ethz.ch>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F657F164DA@dfweml501-mbb>
Date: Tue, 6 Sep 2016 16:40:57 +0200
Message-Id: <AD08B222-DEF6-4E88-BE90-D41AB0085306@tik.ee.ethz.ch>
References: <4A95BA014132FF49AE685FAB4B9F17F657F164DA@dfweml501-mbb>
To: Linda Dunbar <linda.dunbar@huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/spud/c9Ys-FAKu75Q2jcTd10DgQpEnN8>
Cc: Brian Trammell <ietf@trammell.ch>, "ted.ietf@gmail.com" <ted.ietf@gmail.com>, "spud@ietf.org" <spud@ietf.org>
Subject: Re: [Spud] Can malicious users use the PLUS layer to force their traffic through firewalls in the network?

Hi Linda,

thanks for your question. Please see below.

> On 20.08.2016 at 00:32, Linda Dunbar <linda.dunbar@huawei.com> wrote:
> 
> Brian, etc, 
>  
> I have a couple of questions for PLUS: 
>  
> - PLUS allows endpoints to expose more information to middleboxes. But how do endpoints know what kind of middleboxes their traffic will traverse?

In the usual case, not at all, because we are mostly talking about declarative signaling, where endpoints provide information to the path that could be used by a network element if one is present on this path. However, there is no guarantee that a certain treatment will be performed.

Depending on what PLUS might look like in the future, there could also be a mechanism that enables it to identify a specific middlebox on the path and talk to it directly. However, I would rather see that you’d have a separate out-of-band mechanism for that.

>  
> - Malicious users can use this PLUS layer to force their traffic through firewalls in the network. How can middleboxes trust the bits encoded in the PLUS layer?

Here we mostly rely on the same mechanisms as used today, e.g. with firewalls that rely on TCP semantics. However, the goal is to enable the same kind of firewall treatment for non-TCP traffic in a transport-independent way, such that the firewall would not need to be updated for each new protocol separately (which delays deployment of new protocols). The details here are something we are currently working on; however, the solution will still rely on untrusted bits that support state management in middleboxes, e.g. by demonstrating cooperation between both endpoints.

Mirja and Brian


>  
> Thanks, Linda Dunbar
>  
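The point in the reply above, that a middlebox never trusts the signaling bits themselves but only derives state from evidence that both endpoints take part in a flow, as an added Python model. This is example code written for this thread, not code from any PLUS draft or implementation. The packet fields it uses (`start`, `nonce`, `echo`, `stop`) and the `CooperationFirewall` class are assumptions of the example standing in for whatever the real design would carry; they are not the PLUS wire format. The packet trace is constructed.

```python
"""Model of a middlebox that treats signaling bits as untrusted.

Constructed example for the discussion above; it is not PLUS code, and
the field names ('start', 'nonce', 'echo', 'stop') are assumptions of this
example, not the PLUS wire format.
"""
from dataclasses import dataclass


@dataclass
class FlowState:
    phase: str   # 'pending' until the outside endpoint proves cooperation
    nonce: int   # value the inside endpoint sent; the outside must echo it


class CooperationFirewall:
    """Opens inbound state only after both endpoints have taken part.

    Same idea as a TCP-semantics firewall (outbound SYN creates state,
    inbound SYN/ACK confirms it), expressed over transport-independent
    bits: the bits are never trusted on their own, only the fact that the
    outside endpoint echoed a value it could only have learned from a
    packet the inside endpoint sent.
    """

    def __init__(self):
        self.flows = {}  # (inside_addr, outside_addr) -> FlowState

    def filter(self, pkt):
        """Return 'forward' or 'drop' for one packet and update flow state."""
        bits = pkt['plus']
        if pkt['dir'] == 'out':
            # Inside-to-outside packets are forwarded; they may create or
            # tear down state for the flow they belong to.
            key = (pkt['src'], pkt['dst'])
            if bits.get('start'):
                self.flows[key] = FlowState('pending', bits['nonce'])
            elif bits.get('stop'):
                self.flows.pop(key, None)
            return 'forward'

        # Outside-to-inside: only state created from the inside counts.
        key = (pkt['dst'], pkt['src'])
        state = self.flows.get(key)
        if state is None:
            return 'drop'  # nobody inside started this flow
        if state.phase == 'pending':
            if bits.get('echo') == state.nonce:
                state.phase = 'established'  # cooperation demonstrated
                return 'forward'
            return 'drop'  # claims a flow but cannot show the inside side asked for it
        return 'forward'  # established flow

    def established(self):
        """Keys of flows that have reached the established phase."""
        return sorted(k for k, s in self.flows.items() if s.phase == 'established')


def run_scenario():
    """Run a constructed packet trace and return the firewall's decisions."""
    fw = CooperationFirewall()
    trace = [
        # 1. inside host starts a flow to an outside server
        {'src': '10.0.0.5', 'dst': '203.0.113.7', 'dir': 'out',
         'plus': {'start': True, 'nonce': 0x5EED}},
        # 2. server echoes the nonce: evidence that both sides take part
        {'src': '203.0.113.7', 'dst': '10.0.0.5', 'dir': 'in',
         'plus': {'echo': 0x5EED}},
        # 3. later data from the server on the established flow
        {'src': '203.0.113.7', 'dst': '10.0.0.5', 'dir': 'in', 'plus': {}},
        # 4. unsolicited inbound packet that merely asserts a flow exists
        {'src': '198.51.100.9', 'dst': '10.0.0.5', 'dir': 'in',
         'plus': {'echo': 0x1234}},
        # 5. inside host starts a second flow; the reply carries the wrong value
        {'src': '10.0.0.5', 'dst': '198.51.100.9', 'dir': 'out',
         'plus': {'start': True, 'nonce': 0xABCD}},
        {'src': '198.51.100.9', 'dst': '10.0.0.5', 'dir': 'in',
         'plus': {'echo': 0}},
        # 6. inside host tears the first flow down; further inbound data is dropped
        {'src': '10.0.0.5', 'dst': '203.0.113.7', 'dir': 'out',
         'plus': {'stop': True}},
        {'src': '203.0.113.7', 'dst': '10.0.0.5', 'dir': 'in', 'plus': {}},
    ]
    return [fw.filter(p) for p in trace]


if __name__ == '__main__':
    print(run_scenario())
```

Packets 4 and 6 are the cases the question is about: a packet can set whatever bits it likes, but without a matching flow started from the inside it is dropped. The guarantee is deliberately the same one a TCP-semantics firewall gives today, no stronger: state is bound to traffic the inside endpoint actually originated, and the echoed value only proves the reply came from someone who saw that traffic.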