IETF Logo Mail Archive

Re: [tcpm] [mpls] LDP Security

Joe Touch <touch@strayalpha.com> Sat, 11 November 2017 00:48 UTC

Return-Path: <touch@strayalpha.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34806126C83; Fri, 10 Nov 2017 16:48:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.988
X-Spam-Level:
X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=strayalpha.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xbXk1VYdGbqL; Fri, 10 Nov 2017 16:48:22 -0800 (PST)
Received: from server217-3.web-hosting.com (server217-3.web-hosting.com [198.54.115.226]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A35CE124B09; Fri, 10 Nov 2017 16:48:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=strayalpha.com; s=default; h=Content-Type:In-Reply-To:MIME-Version:Date: Message-ID:From:References:Cc:To:Subject:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=8nebyL0TxwZadcJqwHBxGZu3gqk0LJfowsjNXILeJAQ=; b=rE/VEwg3wztEZfvpvXIZqK1uo ZzPp3jHxZCttPFcJhQW8NyC5iXjGw3vlm3r8zt+AMR0Mh5lnEZBIXR7q54VXXf1UzgOs6W0ug5NeR osC3poGV3LzMZQBwRdcednwwGQP4+BgVFyR81bc9UwgYjSNL8GBhw/+YCyN4WTuYGMrFKt3vuSJWe EAKGW0e59yfMVDRV+l0aWZxsL5jUVPz6CNBt8PfRwTQVsflhlaW3jOUYdCi1QT/jzNZEt5+Bf+eMn o4bkLAHZV4Sp/ta/bcKHIgGIqnxFxyU4avgxxokVysyqc1+ZYkblwLb+ENbZGUKD6KTPGaujGZJvD OEJe6/UbQ==;
Received: from cpe-172-250-240-132.socal.res.rr.com ([172.250.240.132]:63103 helo=[192.168.1.189]) by server217.web-hosting.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.89) (envelope-from <touch@strayalpha.com>) id 1eDJy6-003UBx-18; Fri, 10 Nov 2017 19:48:21 -0500
To: "Scharf, Michael (Nokia - DE/Stuttgart)" <michael.scharf@nokia.com>, Eric Rescorla <ekr@rtfm.com>, Stewart Bryant <stewart.bryant@gmail.com>, "tcpm@ietf.org" <tcpm@ietf.org>
Cc: "mpls@ietf.org" <mpls@ietf.org>, "pals-chairs@tools.ietf.org" <pals-chairs@tools.ietf.org>, "<rtg-ads@ietf.org>" <rtg-ads@ietf.org>, "mpls-chairs@ietf.org" <mpls-chairs@ietf.org>, "pals@ietf.org" <pals@ietf.org>, "<sec-ads@ietf.org>" <sec-ads@ietf.org>
References: <2da71163-cf29-cba6-df61-d75a2cfc9c43@gmail.com> <5994f353-5306-0fa8-2d2d-024ebdbb10df@gmail.com> <CAA=duU2YLjSg8Q5PDT+u9cxn9u2xsiPu-imBJrnyL3bfkQFW7A@mail.gmail.com> <7ee4fd77-7d8d-0db2-527e-9cf91d87e634@gmail.com> <CAA=duU3nJsS86udidgkH9jhB9ZD+xaRa2A4MniAVL1BpGE78ZQ@mail.gmail.com> <cf0cb5a4-cc21-97e1-1c26-38974bf9c0be@pi.nu> <51b9e5b4-0a44-1449-a4df-91e4f9df5d6b@pi.nu> <CAA=duU2R9kBMWnRdwPPO49LF1Jc1tyrxvwkyTgaE6SC6jsVruw@mail.gmail.com> <02a50f02-779e-bc39-505c-5a51d066b3f0@pi.nu> <CAA=duU1qV-LiU5pR7VtLLVGtb-8nZHrnUqVyOKpST3-6Dr-Xgw@mail.gmail.com> <ce2c75b6-156d-da80-91d7-b7e6ba2059a0@gmail.com> <CAA=duU1xvV0genbR0CBx2rmpOWUkFmRJX3qrMEp21gTd1HOVww@mail.gmail.com> <f0d553da-0ac4-e794-5cd5-d9cc95063dc6@pi.nu> <15335748-e900-280d-554f-24c55c0f3ba5@gmail.com> <CABcZeBOr5x=98nXeBCT8O-wjk90ga1F3EVk2ktMYoAj9Q8tRkg@mail.gmail.com> <AM5PR0701MB25472EFBB94C1C98EA2606B393540@AM5PR0701MB2547.eurprd07.prod.outlook.com>
From: Joe Touch <touch@strayalpha.com>
Message-ID: <4f634e7c-f3b9-f0ab-abc7-80ec1062b52a@strayalpha.com>
Date: Fri, 10 Nov 2017 16:48:12 -0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <AM5PR0701MB25472EFBB94C1C98EA2606B393540@AM5PR0701MB2547.eurprd07.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------1F1BD7BBF23EC48FC92A7AEF"
Content-Language: en-US
X-OutGoing-Spam-Status: No, score=-1.0
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - server217.web-hosting.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - strayalpha.com
X-Get-Message-Sender-Via: server217.web-hosting.com: authenticated_id: touch@strayalpha.com
X-Authenticated-Sender: server217.web-hosting.com: touch@strayalpha.com
X-Source:
X-Source-Args:
X-Source-Dir:
X-From-Rewrite: unmodified, already matched
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/8kL5C3a-zaLvLdaE6-RrVYcpHRQ>
X-Mailman-Approved-At: Sat, 11 Nov 2017 08:04:13 -0800
Subject: Re: [tcpm] [mpls] LDP Security
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 11 Nov 2017 00:48:25 -0000

Hi, all,

I don't see a problem if there's a need for updating TCP-AO to
include/require other algorithms. It was intended to be extensible.

I agree with the issue of key management. There was some work on
extensions to IKE to enable its use to manage TCP-AO parameters and
keys, but it stalled twice:

M. Jethanandani, B. Weis, K. Patel, D. Zhang, S. Hartman, U. Chunduri,
A. Tian, J. Touch, “Negotiation for Keying Pairwise Routing Protocols in
IKEv2 <http://www.isi.edu/touch/pubs/draft-mahesh-karp-rkmp-05.txt>,”
(RFC in progress), Nov. 2013.

U. Chunduri, A. Tian, J. Touch, “Using IKEv2 with TCP-AO
<http://www.isi.edu/touch/pubs/draft-chunduri-karp-using-ikev2-with-tcp-ao-06.txt>,”
(RFC in progress), Feb. 2014.

AFAICT, that would go a long way towards addressing the issues with its
use outside routing environments where keys are already considered
sufficiently managed.

However, the larger problem with TCP-AO is that there are no
implementations available in end system OSes (AFAICT). Designing a new
solution simply to avoid implementing an existing one would be a
significant waste of time.

Joe


On 11/10/2017 8:21 AM, Scharf, Michael (Nokia - DE/Stuttgart) wrote:
>
> +TCPM
>
>  
>
> Please free to discuss changes to TCP-AO on the TCPM list, or speak up
> at the upcoming TCPM meeting.
>
>  
>
> The addition of SHA-256 has been discussed in TCPM already (see
> draft-nayak-tcp-sha2-02), but so far there was not much energy and no
> interest from potential TCP-AO implementers or users.
>
>  
>
> Michael
>
> (TCPM co-chair)
>
>  
>
>  
>
> *From:* mpls [mailto:mpls-bounces@ietf.org] *On Behalf Of *Eric Rescorla
> *Sent:* Wednesday, November 08, 2017 7:00 PM
> *To:* Stewart Bryant <stewart.bryant@gmail.com>
> *Cc:* mpls@ietf.org; pals-chairs@tools.ietf.org; <rtg-ads@ietf.org>
> <rtg-ads@ietf.org>; mpls-chairs@ietf.org; pals@ietf.org;
> <sec-ads@ietf.org> <sec-ads@ietf.org>
> *Subject:* Re: [mpls] LDP Security
>
>  
>
> Hi Stewart
>
>  
>
> Thanks for your note.
>
>  
>
> My overall sense of the state of play is, I think much like yours.
>
>  
>
> TCP-MD5 is inadequate in two major respects:
>
> - It uses weak algorithms
>
> - It has a bad negotiation/setuop story (manual key management)
>
>  
>
> TCP-AO is intended to be a drop-in replacement for TCP-MD5 and so
> remedies the algorithm
>
> issue but not the key management issue [0]. We haven't made much
> progress on the key
>
> management story, and that seems to be a major impediment to deploying
> either of these
>
> technologies (which I am given to understand don't see a lot of use).
> We should probably
>
> talk in Singapore about that, but that's not going to get better any
> time soon.
>
>  
>
> In the interim, I think the text you have is OK, and "TBD" should read
> "SHA-256", with
>
> the fallback being SHA-256 -> SHA-1 -> MD5.
>
>  
>
> -Ekr
>
>  
>
>  
>
> [0] Technically It has better support for rollover, but this is not a
> huge improvement.
>
> [1] tcpcrypt is kind of orthogonal here as it's unauthenticated but
> opportunistic.  That said,
>
> it would provide defense against attackers who gain access to the link
> after connection
>
> setup and doesn't require configuration.
>
>  
>
> On Wed, Nov 8, 2017 at 9:27 AM, Stewart Bryant
> <stewart.bryant@gmail.com <mailto:stewart.bryant@gmail.com>> wrote:
>
>     To the SEC and RTG ADs,
>
>     I am sending the following message on behalf of the MPLS and the
>     PALS WG Chairs.
>
>     There is a concern shared among the security community and the
>     working groups that develop the LDP protocol that LDP is no longer
>     adequately secured. LDP currently relies on MD5 for cryptographic
>     security of its messages, but MD5 is a hash function that is no
>     longer considered to meet current security requirements.
>
>     In RFC5036 (published 2007) Section 5.1 (Spoofing) , List element
>     2. Session communication carried by TCP the following statements
>     is made:
>
>     "LDP specifies use of the TCP MD5 Signature Option to provide for
>     the authenticity and integrity of session messages.
>
>     "[RFC2385] asserts that MD5 authentication is now considered by
>     some to be too weak for this application.  It also points out that
>     a similar TCP option with a stronger hashing algorithm (it cites
>     SHA-1 as an example) could be deployed.  To our knowledge, no such
>     TCP option has been defined and deployed.  However, we note that
>     LDP can use whatever TCP message digest techniques are available,
>     and when one stronger than MD5 is specified and implemented,
>     upgrading LDP to use it would be relatively straightforward."
>
>     We note that BGP has already been through this process, and
>     replaced MD5 with TCP-AO in RFC 7454. I would be logical to follow
>     the same approach to secure LDP. However, as far as we are able to
>     ascertain, there is currently no recommended, mandatory to
>     implement, cryptographic function specified. We are concerned that
>     without such a mandatory function, implementations will simply
>     fall back to MD5 and we will be no further forward
>
>     We think that the best way forward is to publish a draft similar
>     to RFC 7454 that contains the following requirement:
>
>     "Implementations conforming to this RFC MUST implement TCP-AO to
>     secure the TCP sessions carrying LDP in addition to the currently
>     required TCP MD5 Signature Option. Furthermore, the TBD
>     cryptographic mechanism must be implemented and provided to TCP-AO
>     to secure LDP messages. The TBD mechanism is the preferred option,
>     and MD5 is only to be used when TBD is unavailable."
>
>     We are not an experts on this part of the stack, but it seems that
>     TCP security negotiation is still work in progress. If we are
>     wrong, then we need to include a requirement that such negotiation
>     is also required. In the absence of a negotiation protocol,
>     however, we need to leave this as a configuration process until
>     such time as the negotiation protocol work is complete. On
>     completion of a suitable negotiation protocol we need to issue a
>     further update requiring its use.
>
>     Additionally we should note that no cryptographic mechanism has an
>     indefinite lifetime, and that implementation should note the IETF
>     anticipates updating the default cryptographic mechanism over time.
>
>     The TBD default security function will need to be chosen such that
>     it can reasonably be implemented on a typical router route
>     processor, and which will provide adequate security without
>     significantly degrading the convergence time of an LSR. Without a
>     function that does not significantly impact router convergence we
>     simply close one vulnerability and open another.
>
>     As experts on the LDP protocol, but not on security mechanisms,
>     we  need to ask the security area for a review of our proposed
>     approach, and help correcting any misunderstanding of the security
>     issues or our misunderstanding of the existing security
>     mechanisms. We also need the recommendations of a suitable
>     security function (TBD in the above text).
>
>     Best regards
>
>     The MPLS WG Chairs
>     The PALS WG Chairs
>
>  
>
>
>
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm

v2.23.0 | Report a Bug | By Email