Re: [tcpm] [mpls] LDP Security
Joe Touch <touch@strayalpha.com> Sat, 11 November 2017 00:48 UTC
Return-Path: <touch@strayalpha.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34806126C83; Fri, 10 Nov 2017 16:48:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.988
X-Spam-Level:
X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xbXk1VYdGbqL; Fri, 10 Nov 2017 16:48:22 -0800 (PST)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A35CE124B09; Fri, 10 Nov 2017 16:48:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=Content-Type:In-Reply-To:MIME-Version:Date: Message-ID:From:References:Cc:To:Subject:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=8nebyL0TxwZadcJqwHBxGZu3gqk0LJfowsjNXILeJAQ=; b=rE/VEwg3wztEZfvpvXIZqK1uo ZzPp3jHxZCttPFcJhQW8NyC5iXjGw3vlm3r8zt+AMR0Mh5lnEZBIXR7q54VXXf1UzgOs6W0ug5NeR osC3poGV3LzMZQBwRdcednwwGQP4+BgVFyR81bc9UwgYjSNL8GBhw/+YCyN4WTuYGMrFKt3vuSJWe EAKGW0e59yfMVDRV+l0aWZxsL5jUVPz6CNBt8PfRwTQVsflhlaW3jOUYdCi1QT/jzNZEt5+Bf+eMn o4bkLAHZV4Sp/ta/bcKHIgGIqnxFxyU4avgxxokVysyqc1+ZYkblwLb+ENbZGUKD6KTPGaujGZJvD OEJe6/UbQ==;
Received: from cpe-172-250-240-132.socal.res.rr.com ([172.250.240.132]:63103 helo=[192.168.1.189]) by server217.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89) (envelope-from <touch@strayalpha.com>) id 1eDJy6-003UBx-18; Fri, 10 Nov 2017 19:48:21 -0500
To: "Scharf, Michael (Nokia - DE/Stuttgart)" <michael.scharf@nokia.com>, Eric Rescorla <ekr@rtfm.com>, Stewart Bryant <stewart.bryant@gmail.com>, "tcpm@ietf.org" <tcpm@ietf.org>
Cc: "mpls@ietf.org" <mpls@ietf.org>, "pals-chairs@tools.ietf.org" <pals-chairs@tools.ietf.org>, "<rtg-ads@ietf.org>" <rtg-ads@ietf.org>, "mpls-chairs@ietf.org" <mpls-chairs@ietf.org>, "pals@ietf.org" <pals@ietf.org>, "<sec-ads@ietf.org>" <sec-ads@ietf.org>
References: <2da71163-cf29-cba6-df61-d75a2cfc9c43@gmail.com> <5994f353-5306-0fa8-2d2d-024ebdbb10df@gmail.com> <CAA=duU2YLjSg8Q5PDT+u9cxn9u2xsiPu-imBJrnyL3bfkQFW7A@mail.gmail.com> <7ee4fd77-7d8d-0db2-527e-9cf91d87e634@gmail.com> <CAA=duU3nJsS86udidgkH9jhB9ZD+xaRa2A4MniAVL1BpGE78ZQ@mail.gmail.com> <cf0cb5a4-cc21-97e1-1c26-38974bf9c0be@pi.nu> <51b9e5b4-0a44-1449-a4df-91e4f9df5d6b@pi.nu> <CAA=duU2R9kBMWnRdwPPO49LF1Jc1tyrxvwkyTgaE6SC6jsVruw@mail.gmail.com> <02a50f02-779e-bc39-505c-5a51d066b3f0@pi.nu> <CAA=duU1qV-LiU5pR7VtLLVGtb-8nZHrnUqVyOKpST3-6Dr-Xgw@mail.gmail.com> <ce2c75b6-156d-da80-91d7-b7e6ba2059a0@gmail.com> <CAA=duU1xvV0genbR0CBx2rmpOWUkFmRJX3qrMEp21gTd1HOVww@mail.gmail.com> <f0d553da-0ac4-e794-5cd5-d9cc95063dc6@pi.nu> <15335748-e900-280d-554f-24c55c0f3ba5@gmail.com> <CABcZeBOr5x=98nXeBCT8O-wjk90ga1F3EVk2ktMYoAj9Q8tRkg@mail.gmail.com> <AM5PR0701MB25472EFBB94C1C98EA2606B393540@AM5PR0701MB2547.eurprd07.prod.outlook.com>
From: Joe Touch <touch@strayalpha.com>
Message-ID: <4f634e7c-f3b9-f0ab-abc7-80ec1062b52a@strayalpha.com>
Date: Fri, 10 Nov 2017 16:48:12 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <AM5PR0701MB25472EFBB94C1C98EA2606B393540@AM5PR0701MB2547.eurprd07.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------1F1BD7BBF23EC48FC92A7AEF"
Content-Language: en-US
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/8kL5C3a-zaLvLdaE6-RrVYcpHRQ>
X-Mailman-Approved-At: Sat, 11 Nov 2017 08:04:13 -0800
Subject: Re: [tcpm] [mpls] LDP Security
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Nov 2017 00:48:25 -0000
Hi, all, I don't see a problem if there's a need for updating TCP-AO to include/require other algorithms. It was intended to be extensible. I agree with the issue of key management. There was some work on extensions to IKE to enable its use to manage TCP-AO parameters and keys, but it stalled twice: M. Jethanandani, B. Weis, K. Patel, D. Zhang, S. Hartman, U. Chunduri, A. Tian, J. Touch, “Negotiation for Keying Pairwise Routing Protocols in IKEv2 <http://www.isi.edu/touch/pubs/draft-mahesh-karp-rkmp-05.txt>,” (RFC in progress), Nov. 2013. U. Chunduri, A. Tian, J. Touch, “Using IKEv2 with TCP-AO <http://www.isi.edu/touch/pubs/draft-chunduri-karp-using-ikev2-with-tcp-ao-06.txt>,” (RFC in progress), Feb. 2014. AFAICT, that would go a long way towards addressing the issues with its use outside routing environments where keys are already considered sufficiently managed. However, the larger problem with TCP-AO is that there are no implementations available in end system OSes (AFAICT). Designing a new solution simply to avoid implementing an existing one would be a significant waste of time. Joe On 11/10/2017 8:21 AM, Scharf, Michael (Nokia - DE/Stuttgart) wrote: > > +TCPM > > > > Please free to discuss changes to TCP-AO on the TCPM list, or speak up > at the upcoming TCPM meeting. > > > > The addition of SHA-256 has been discussed in TCPM already (see > draft-nayak-tcp-sha2-02), but so far there was not much energy and no > interest from potential TCP-AO implementers or users. > > > > Michael > > (TCPM co-chair) > > > > > > *From:* mpls [mailto:mpls-bounces@ietf.org] *On Behalf Of *Eric Rescorla > *Sent:* Wednesday, November 08, 2017 7:00 PM > *To:* Stewart Bryant <stewart.bryant@gmail.com> > *Cc:* mpls@ietf.org; pals-chairs@tools.ietf.org; <rtg-ads@ietf.org> > <rtg-ads@ietf.org>; mpls-chairs@ietf.org; pals@ietf.org; > <sec-ads@ietf.org> <sec-ads@ietf.org> > *Subject:* Re: [mpls] LDP Security > > > > Hi Stewart > > > > Thanks for your note. > > > > My overall sense of the state of play is, I think much like yours. > > > > TCP-MD5 is inadequate in two major respects: > > - It uses weak algorithms > > - It has a bad negotiation/setuop story (manual key management) > > > > TCP-AO is intended to be a drop-in replacement for TCP-MD5 and so > remedies the algorithm > > issue but not the key management issue [0]. We haven't made much > progress on the key > > management story, and that seems to be a major impediment to deploying > either of these > > technologies (which I am given to understand don't see a lot of use). > We should probably > > talk in Singapore about that, but that's not going to get better any > time soon. > > > > In the interim, I think the text you have is OK, and "TBD" should read > "SHA-256", with > > the fallback being SHA-256 -> SHA-1 -> MD5. > > > > -Ekr > > > > > > [0] Technically It has better support for rollover, but this is not a > huge improvement. > > [1] tcpcrypt is kind of orthogonal here as it's unauthenticated but > opportunistic. That said, > > it would provide defense against attackers who gain access to the link > after connection > > setup and doesn't require configuration. > > > > On Wed, Nov 8, 2017 at 9:27 AM, Stewart Bryant > <stewart.bryant@gmail.com <mailto:stewart.bryant@gmail.com>> wrote: > > To the SEC and RTG ADs, > > I am sending the following message on behalf of the MPLS and the > PALS WG Chairs. > > There is a concern shared among the security community and the > working groups that develop the LDP protocol that LDP is no longer > adequately secured. LDP currently relies on MD5 for cryptographic > security of its messages, but MD5 is a hash function that is no > longer considered to meet current security requirements. > > In RFC5036 (published 2007) Section 5.1 (Spoofing) , List element > 2. Session communication carried by TCP the following statements > is made: > > "LDP specifies use of the TCP MD5 Signature Option to provide for > the authenticity and integrity of session messages. > > "[RFC2385] asserts that MD5 authentication is now considered by > some to be too weak for this application. It also points out that > a similar TCP option with a stronger hashing algorithm (it cites > SHA-1 as an example) could be deployed. To our knowledge, no such > TCP option has been defined and deployed. However, we note that > LDP can use whatever TCP message digest techniques are available, > and when one stronger than MD5 is specified and implemented, > upgrading LDP to use it would be relatively straightforward." > > We note that BGP has already been through this process, and > replaced MD5 with TCP-AO in RFC 7454. I would be logical to follow > the same approach to secure LDP. However, as far as we are able to > ascertain, there is currently no recommended, mandatory to > implement, cryptographic function specified. We are concerned that > without such a mandatory function, implementations will simply > fall back to MD5 and we will be no further forward > > We think that the best way forward is to publish a draft similar > to RFC 7454 that contains the following requirement: > > "Implementations conforming to this RFC MUST implement TCP-AO to > secure the TCP sessions carrying LDP in addition to the currently > required TCP MD5 Signature Option. Furthermore, the TBD > cryptographic mechanism must be implemented and provided to TCP-AO > to secure LDP messages. The TBD mechanism is the preferred option, > and MD5 is only to be used when TBD is unavailable." > > We are not an experts on this part of the stack, but it seems that > TCP security negotiation is still work in progress. If we are > wrong, then we need to include a requirement that such negotiation > is also required. In the absence of a negotiation protocol, > however, we need to leave this as a configuration process until > such time as the negotiation protocol work is complete. On > completion of a suitable negotiation protocol we need to issue a > further update requiring its use. > > Additionally we should note that no cryptographic mechanism has an > indefinite lifetime, and that implementation should note the IETF > anticipates updating the default cryptographic mechanism over time. > > The TBD default security function will need to be chosen such that > it can reasonably be implemented on a typical router route > processor, and which will provide adequate security without > significantly degrading the convergence time of an LSR. Without a > function that does not significantly impact router convergence we > simply close one vulnerability and open another. > > As experts on the LDP protocol, but not on security mechanisms, > we need to ask the security area for a review of our proposed > approach, and help correcting any misunderstanding of the security > issues or our misunderstanding of the existing security > mechanisms. We also need the recommendations of a suitable > security function (TBD in the above text). > > Best regards > > The MPLS WG Chairs > The PALS WG Chairs > > > > > > _______________________________________________ > tcpm mailing list > tcpm@ietf.org > https://www.ietf.org/mailman/listinfo/tcpm
- Re: [tcpm] [mpls] LDP Security Scharf, Michael (Nokia - DE/Stuttgart)
- Re: [tcpm] [mpls] LDP Security Joe Touch
- Re: [tcpm] [mpls] LDP Security Jeff Tantsura
- Re: [tcpm] [mpls] LDP Security Joe Touch
- Re: [tcpm] [mpls] LDP Security Susan Hares
- Re: [tcpm] [mpls] LDP Security Ignas Bagdonas
- Re: [tcpm] [mpls] LDP Security Joe Touch