Re: [trill] TRILL IPsec encapsulation

Yaron Sheffer <yaronf.ietf@gmail.com> Fri, 31 July 2015 14:50 UTC

Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: trill@ietfa.amsl.com
Delivered-To: trill@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 746191A896F for <trill@ietfa.amsl.com>; Fri, 31 Jul 2015 07:50:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1
X-Spam-Level:
X-Spam-Status: No, score=-1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 35vQ_AqN_LvR for <trill@ietfa.amsl.com>; Fri, 31 Jul 2015 07:49:58 -0700 (PDT)
Received: from mail-wi0-x22d.google.com (mail-wi0-x22d.google.com [IPv6:2a00:1450:400c:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89A641A896E for <trill@ietf.org>; Fri, 31 Jul 2015 07:49:58 -0700 (PDT)
Received: by wicmv11 with SMTP id mv11so61189250wic.0 for <trill@ietf.org>; Fri, 31 Jul 2015 07:49:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=C08V3EI8OmCskjuNXDpETLLjnabYipgSnqRW8yLbHCs=; b=Ol0JH73Uv+QDnD/LpP4lQqClgM2VgqsU5ZMlPAo1cT9ZHgbSN82XIzpZazXsyh3FVF eF3ZdjuC8DFMCf8H2WhAVoxWW8Gm2P/dA17uRG/RezIjBDYLfXk7Na8dxgxIcUVRZw2G +5oj9Wwq4P5FCMP2FFpll+il6JOVc/NcF3buburyPxgF0Z84X9jnR+IXhCwoY9Wij7NN kAc7VDcIVdA82CBnCCbXl1Whup/5tBO8ydrc9gDsuk/aKvEGHioLK0WX4Vy0tv8O4crl /3iakBNEn5Nf2EP2lGSJ0l0ap7/f1qkPbhVkg2QGMmGu1psfVN42xQ+2s2GzrAC0xThP 3Tpg==
X-Received: by 10.194.175.10 with SMTP id bw10mr6646602wjc.13.1438354197196; Fri, 31 Jul 2015 07:49:57 -0700 (PDT)
Received: from [10.0.0.8] ([109.66.100.105]) by smtp.googlemail.com with ESMTPSA id ib9sm7576221wjb.2.2015.07.31.07.49.54 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 31 Jul 2015 07:49:56 -0700 (PDT)
Message-ID: <55BB8B10.70208@gmail.com>
Date: Fri, 31 Jul 2015 17:49:52 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.8.0
MIME-Version: 1.0
To: Donald Eastlake <d3e3e3@gmail.com>
References: <55AFD772.1010700@gmail.com> <CAF4+nEH3zNsQRKrr2NTKpay8KqLY4tv676kAmQ9yf5uM9LSFvA@mail.gmail.com>
In-Reply-To: <CAF4+nEH3zNsQRKrr2NTKpay8KqLY4tv676kAmQ9yf5uM9LSFvA@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/trill/Ji5dpRFxat-GGTudT4M2otThxF4>
Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, "trill@ietf.org" <trill@ietf.org>
Subject: Re: [trill] TRILL IPsec encapsulation
X-BeenThere: trill@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Developing a hybrid router/bridge." <trill.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/trill>, <mailto:trill-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/trill/>
List-Post: <mailto:trill@ietf.org>
List-Help: <mailto:trill-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/trill>, <mailto:trill-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jul 2015 14:50:00 -0000

Hi Donald,

Sorry for the late reply.

Please see some comments/responses below.

Thanks,
	Yaron

On 07/23/2015 01:49 PM, Donald Eastlake wrote:
> Hi Yaron,
>
> Thanks for these comments. Below are a few immediate thoughts of mine.
>
> On Wed, Jul 22, 2015 at 1:48 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote:
>> I have read the TRILL-over-IP draft (draft-ietf-trill-over-ip-03) as a kind
>> of early SecDir review, focusing on its use of IPsec. Thanks to Donald
>> Eastlake who graciously provided me with a crash course on TRILL. He's not
>> responsible for any stupidity on my part, of course.
>
> You're welcome. Sorry I was still a bit fuzzy from 12 time zone jet
> lag when we got together.
>
>> So here are some comments:
>>
>> - The draft currently uses IPsec but not IKE or any kind of key management.
>> The end result is that data is being encrypted by very long-lived keys, not
>> enjoying the benefit of forward secrecy etc. Please use IKEv2 and do NOT use
>> IPsec directly. RFC 4107 explains why.
>> - There is in fact IPsec-with-multicast, but it's not widely deployed and is
>> based on the obsolete IKEv1. Instead, I suggest to use unicast encapsulation
>> with IKEv2. I suppose this means that you'd want to only encapsulate data
>> but not IS-IS frames.
>
> I've been thinking about this. TRILL supports broadcast links and
> handles multicast data also.
>
> There are several different cases but, on a broadcast
> (non-point-to-point) TRILL link, there is an elected designated TRILL
> router (called the DRB or Designated RBridge) that, in some sense, is
> in charge of the link. Perhaps the DRB could generate a group key and
> send it to the other TRILL routers/RBridges on the link using pairwise
> security between the DRB and the other RBridges.Of course, if the link
> is actually configured as point-to-point, then you know there will
> only be two RBridges on it and only need straightforward pairwise
> security.

You are proposing to add key management functionality into TRILL, 
specifically for multicast/broadcast cases. It doesn't sound like a good 
idea to me.

If this usage is core to TRILL, you should look at RFC 6407 and the 
other MSEC documents, and bear in mind that they are not widely 
implemented. Otherwise, you're better off sticking to plain IKEv2/IPsec.

>
>> - The draft currently derives encryption keys from IS-IS keys. This is
>> problematic at several levels:
>
> TRILL tries hard to default to be minimum configuration so it defaults
> to bootstrapping from IS-IS keys. This is not meant to prohibit other
> techniques if the network manager wants to use them.
>
>>    * The IS-IS key is common to a large group of devices (a.k.a. "a group
>> key") and so is likely to be compromised.
>
> IS-IS has both area wide keying, for authentication of link state PDUs
> that are flooded area wide, and link scoped keying for link local
> IS-IS PDUs such as Hellos. Link scoped IS-IS keying should be what
> TRILL bootstraps from by default.

Yes, this is a lot better than a global group key.

>
>>    * The key is used directly for encryption, as noted.
>>    * The key is derived using HMAC, which is specified incorrectly in the
>> draft (one parameter instead of two).
>
> Sorry, the concatenation sign should have been a comma.
>
>>    * The derived key is identical for all routers/links.
>> - I would suggest to use a derived key for authentication only, and to
>> derive it differently for each link - although I realize that this does not
>> raise the security level significantly. Something like: link-psk =
>> HMAC(IS-IS-key, 6-byte-system-id-1 | 6-byte-system-id-2).
>
> Right. Since our discussion, it has occurred to me that that is not
> quite adequate because you can have multiple point-to-point links
> between the same pair of RBridges for which you would get the same
> pair of 6-byte IS-IS System IDs. Actually, pairwise security will be
> between two RBridge ports and an RBridge post is uniquely identified
> by the System ID of the RBridge and the locally unique Port ID of the
> port. So we could go for something like
>
> HMAC ( IS-IS key, System ID1 | Port ID1 | System ID2 | Port ID2 )
>
> (Of course, you also need a rules so both ends get the IDs in the same
> order, such as using numeric order treating the System IDs as unsigned
> integers.)

Sounds good.

>
>> - Note that IKE generates a different encryption key for each link even if
>> everybody is using the same authentication key (pre-shared secret). But it's
>> still a bad practice for all principals to have the same key...
>> - Longer term it would improve security hugely if each router had an
>> authenticated identity of its own. In other words, its own certificate and
>> private key.
>> - Please don't define your own MTI algorithms. Just use RFC 7321.
>
> Thanks,
> Donald
> =============================
>   Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
>   155 Beaver Street, Milford, MA 01757 USA
>   d3e3e3@gmail.com
>
>> Thanks,
>>      Yaron
>>
>> _______________________________________________
>> trill mailing list
>> trill@ietf.org
>> https://www.ietf.org/mailman/listinfo/trill
>>