Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-tcpm-converters-17: (with DISCUSS and COMMENT)
Roman Danyliw <rdd@cert.org> Sun, 22 March 2020 00:45 UTC
Return-Path: <rdd@cert.org>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50DA53A085D; Sat, 21 Mar 2020 17:45:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cd9OFU0uvTc3; Sat, 21 Mar 2020 17:45:45 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA74A3A085C; Sat, 21 Mar 2020 17:45:39 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 02M0jWKX020508; Sat, 21 Mar 2020 20:45:32 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 02M0jWKX020508
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1584837932; bh=LA+FPssdnR5lZh9xy1SupgjcagJOQVx5QACtV/DhUgM=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=LCbH5pciz/76n7oad99CwAfsiOQw9gLRokyRWPkwWusk/QTYTMv50Z/0cLPq70Umk 7HFuaCjvCYHN6EPV9WVw1SyjSvp0zUtUpP4BsAIOUcyXbZ3Ig00Su9zufxFCnfD4Ax d+XrY8ln68wDXCcJJQdahl37/V5ZwIdkTOnqBNKw=
Received: from CASSINA.ad.sei.cmu.edu (cassina.ad.sei.cmu.edu [10.64.28.249]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 02M0jMFM035637; Sat, 21 Mar 2020 20:45:23 -0400
Received: from MARCHAND.ad.sei.cmu.edu ([10.64.28.251]) by CASSINA.ad.sei.cmu.edu ([10.64.28.249]) with mapi id 14.03.0487.000; Sat, 21 Mar 2020 20:45:22 -0400
From: Roman Danyliw <rdd@cert.org>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-tcpm-converters@ietf.org" <draft-ietf-tcpm-converters@ietf.org>, "tcpm@ietf.org" <tcpm@ietf.org>, Michael Scharf <michael.scharf@hs-esslingen.de>, "tcpm-chairs@ietf.org" <tcpm-chairs@ietf.org>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-tcpm-converters-17: (with DISCUSS and COMMENT)
Thread-Index: AQHV8qpHae/q539owEKQwyg7WiYShKg57yEAgBnxo6A=
Date: Sun, 22 Mar 2020 00:45:21 +0000
Message-ID: <359EC4B99E040048A7131E0F4E113AFC0216FBA109@marchand>
References: <158338411222.29467.10310159759460758574@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93303145F286@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93303145F286@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.22.6]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/TQBZDvgpBUicuQJ2smtCtHUk8KM>
Subject: Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-tcpm-converters-17: (with DISCUSS and COMMENT)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Mar 2020 00:45:52 -0000
Hi Med! Thanks for the updated -18 draft. It addressed all of my concerns. I've cleared my ballot. Roman -----Original Message----- From: iesg <iesg-bounces@ietf.org> On Behalf Of mohamed.boucadair@orange.com Sent: Thursday, March 5, 2020 2:33 AM To: Roman Danyliw <rdd@cert.org>; The IESG <iesg@ietf.org> Cc: draft-ietf-tcpm-converters@ietf.org; tcpm@ietf.org; Michael Scharf <michael.scharf@hs-esslingen.de>; tcpm-chairs@ietf.org Subject: RE: Roman Danyliw's Discuss on draft-ietf-tcpm-converters-17: (with DISCUSS and COMMENT) Hi Roman, Thank you for the review. Please see inline. Cheers, Med > -----Message d'origine----- > De : Roman Danyliw via Datatracker [mailto:noreply@ietf.org] Envoyé : > jeudi 5 mars 2020 05:55 À : The IESG Cc : > draft-ietf-tcpm-converters@ietf.org; tcpm-chairs@ietf.org; > tcpm@ietf.org; Michael Scharf; michael.scharf@hs-esslingen.de Objet : > Roman Danyliw's Discuss on draft-ietf-tcpm-converters-17: > (with DISCUSS and COMMENT) > > Roman Danyliw has entered the following ballot position for > draft-ietf-tcpm-converters-17: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut > this introductory paragraph, however.) > > > Please refer to https://www.ietf.org/iesg/statement/discuss- > criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-tcpm-converters/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > ** Deployed without constraints, there would be a number of concerning > attacks given this protocol’s design. Christian Huitema’s SecDir > review (thank you!) notes some of them. Helpfully, this draft > presents various restrictive scoping to mitigate these attacks under > certain circumstances: > > (a) Section 4.1. Transport Converters can be operated by network > operators or > third parties. Nevertheless, this document focuses on the single > administrative deployment case where the entity offering the > connectivity service to a client is also the entity which owns and > operates the Transport Converter. > > (b) Section 9.1. Furthermore, ingress filtering policies MUST be > enforced at the network boundaries [RFC2827]. > > (c) Section 9.2. The Convert Protocol is intended to be used in > managed networks where end hosts can be identified by their IP > address. > > (d) Section 9.2. Stronger mutual authentication schemes MUST be > defined to use the Convert Protocol in more open network environments. > > Unfortunately, the protocol mechanism to operate outside of these > bounds is in scope because (a) and (c) include no normative language. > For example, this document doesn’t address converters operated by > third parties but it explicitly allows for their possibility with no > discussion of the impact. > > As this is an experimental document where implementation experience > likely is needed for refinement, could a compromise be found with an > applicability statement that shrinks the threat model and provide > better normative guidance. > For example (paraphrasing): > > Applicability statement: Transport Converters MUST only be deployed in > a single administrative domain deployment model. The entity offering > the connectivity service to a client MUST also be entity which owns > and operates the Transport Converter, with no transit over a > third-party network. > [Med] We need to align the language with the RECOMMENDED in the security section (see below). I made the following changes: - Added a new applicability scope early in the document: NEW: 1.3. Applicability Scope 0-RTT TCP Convert Protocol specified in this document SHOULD be used in a single administrative domain deployment model. That is, the entity offering the connectivity service to a client is also be entity which owns and operates the Transport Converter, with no transit over a third-party network. Deployment of Transport Converters by third parties MUST adhere to the mutual authentication requirements in Section 9.2 to prevent illegitimate traffic interception (Section 9.4), in particular. - and deleted: OLD: Transport Converters can be operated by network operators or third parties. Nevertheless, this document focuses on the single administrative deployment case where the entity offering the connectivity service to a client is also the entity which owns and operates the Transport Converter. > For the Security Considerations: The Convert Protocol is RECOMMENDED > to be used in a managed network where end hosts can be identified by > their IP address. If such control is not exerted and there is a more > open network environment, a strong mutual authentication scheme MUST > be defined to use the Convert Protocol. [Med] Works for me. > > ** Section 9.1. Per “Given its function and its location in the > network, a Transport Converter has access to the payload of all the > packets that it processes.”, it’s a per more than that. It is in a > position to observe all packets, so that’s payload, meta-data and the > ability to profile and conduct traffic analysis. Perhaps something on > the order of “Given its function and location in the network, a > Transport Convert is in a position to observe all packets, to include > payloads and meta-data; and has the ability to profile and conduct > traffic analysis of user behavior”. > [Med] The converter has only access to part of the traffic that it is explicitly sent to it. That traffic != all the traffic from a given user. I went with this change: NEW: Given its function and location in the network, a Transport Convert is in a position to observe all packets that it processes, to include ^^^^^^^^^^^^^^^^^^ payloads and meta-data; and has the ability to profile and conduct some traffic analysis of user behavior. ^^^^ Better? > ** Section 9.1. Per “As such, it MUST be protected as a core IP > router (e.g., [RFC1812])”, no disagreement on the need to protect this > router. > However, what > exact practices are being suggested? Given the RFC1812, reference, > what specific sections apply? > [Med] Section 10 in general (authorization and control matters, in particular). I updated the text with a pointer to the that section. > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > ** Section 1.2. Given that Section 4.1. outlines that the architecture > consists of clients, converter and servers, the language in the list > following “In particular, a Transport Converter achieves the following > :” might benefit from consistency (i.e., final target server vs. > server; and server vs. > converter) > [Med] Will be fixed. > ** Section 6.2.5. Per “Upon reception of an Extended Connect TLV, a > Transport Converter first checks whether it supports the TCP Options > listed in the 'TCP Options' field. If not, it returns an error > message (Section 6.2.8).”, what error does it return? > [Med] It returns: Unsupported TCP Option (33). Updated the text accordingly. > ** Section 9.1 Per “The Transport Converter is designed to not leak > such sensitive information outside a local domain.”, can you clarify > what that means. > [Med] As indicated in the text, the converter has access to sensitive data such as subscriber credentials (IMSI, for example). The converter does not insert any metadata (or any payload in general) in packets it forwards on the external realm. > ** Editorially, the guidance in Section 9.2 and 9.5 needs to link > Section 9.2 provide an authentication/authorization solution given a > certain topology, and does Section 9.5. > [Med] Fair. Will be fixed. > ** Editorial Nit > -- Section 2. Typo. s/a important/an important/ > -- Section 4.4.1. Typo. s/the the/the/ > [Med] Fixed. Thanks. >
- [tcpm] Roman Danyliw's Discuss on draft-ietf-tcpm… Roman Danyliw via Datatracker
- Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-… mohamed.boucadair
- Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-… Roman Danyliw