IETF Logo Mail Archive

Re: [Tsvwg] Re: IETF LC comments on draft-ietf-tsvwg-rsvp-ipsec

Magnus Westerlund <magnus.westerlund@ericsson.com> Fri, 17 November 2006 12:47 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gl38R-0004EW-SJ; Fri, 17 Nov 2006 07:47:59 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gl38Q-0004EO-Q7 for tsvwg@ietf.org; Fri, 17 Nov 2006 07:47:58 -0500
Received: from mailgw4.ericsson.se ([193.180.251.62]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gl38H-00069V-3C for tsvwg@ietf.org; Fri, 17 Nov 2006 07:47:58 -0500
Received: from esealmw126.eemea.ericsson.se (unknown [153.88.254.123]) by mailgw4.ericsson.se (Symantec Mail Security) with ESMTP id 6DC4CBE7; Fri, 17 Nov 2006 13:45:49 +0100 (CET)
Received: from esealmw126.eemea.ericsson.se ([153.88.254.174]) by esealmw126.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830); Fri, 17 Nov 2006 13:45:49 +0100
Received: from [147.214.30.247] ([147.214.30.247]) by esealmw126.eemea.ericsson.se with Microsoft SMTPSVC(6.0.3790.1830); Fri, 17 Nov 2006 13:45:48 +0100
Message-ID: <455DAEFC.3030103@ericsson.com>
Date: Fri, 17 Nov 2006 13:45:48 +0100
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
MIME-Version: 1.0
To: Francois Le Faucheur IMAP <flefauch@cisco.com>
Subject: Re: [Tsvwg] Re: IETF LC comments on draft-ietf-tsvwg-rsvp-ipsec
References: <452F627D.9040202@ericsson.com> <2A92368F-729B-4111-8770-0783B4B62B05@cisco.com>
In-Reply-To: <2A92368F-729B-4111-8770-0783B4B62B05@cisco.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 17 Nov 2006 12:45:48.0863 (UTC) FILETIME=[4EC154F0:01C70A46]
X-Brightmail-Tracker: AAAAAA==
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 2857c5c041d6c02d7181d602c22822c8
Cc: Christou Chris <christou_chris@bah.com>, tsvwg <tsvwg@ietf.org>
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
Errors-To: tsvwg-bounces@ietf.org

Francois Le Faucheur IMAP skrev:
> Magnus and all,
> 
> As a follow up from our discussion in San Diego, here is a 
> proposal/request-for-guidance to address the comments below:
> 
> On 13 Oct 2006, at 11:55, Magnus Westerlund wrote:
> 
>> Hi, the IESG received the below comment during the ongoing IETF LC. I 
>> would appreciate some response to it.
>>
>> "I think that the "Security Considerations" section of this
>> document is significantly thin.  There are significant security risks
>> associated with this sort of aggregation that I don't see discussed
>> in much detail.
> 
> "RSVP Aggregation over Generic Aggregate RSVP reservations" as per this 
> document is of course very very similar to "RSVP Aggregation over 
> Aggregate RSVP reservation" as per RFC3175. The issues associated with 
> "this sort of aggregation" were discussed in RFC3175, so we elected to 
> refer to the security considerations in RFC3175. The current text says:
> "
> When generic aggregate reservations are used for aggregation of E2E
> reservations, the security considerations discussed in [RSVP-AGG]
> apply.
> "
> We could either keep it this way or replicate the relevant text. I would 
> personally prefer keeping it that way because some of the security 
> discussions relates to aggregation mechanisms (such as RSVP-E2E-IGNORE) 
> which are specified in details in RFC3175 and only brought into our 
> document by reference to RFC3175.
> But I can bring in the relevant text if you recommend we do so.

I don't think you need to import the text. However it might be worth 
moving the reference earlier in the section and clarify that many 
important issues are present in that document.

> 
> 
>> There should also be at least some mention of traffic
>> analysis issues and the potential DDOS attacks on the network
>> operator arising from this usage.
> 
> Regarding traffic analysis, I am not quite sure what is there to say.
> It seems that if an entity uses RSVP to signal its reservation 
> requirement from point A to point B, someone snooping RSVP signaling 
> would be able to know ... what are the reservation requirement from 
> point A to point B. That seems like a fundamental aspect of signaling.
> Or is the point that using aggregation makes traffic analysis easier 
> because you get the full aggregate requirement by snooping one message?
> Is this worth mentioning this?
> Is there something smarter/more useful that should be said about traffic 
> analysis that is specific to this document?
> 

I have forward the answer to the commenter and is hoping for some 
answers. However I do think you could try to say a bit about these 
issues. With or without the help or feedback from the commenter.

>>
>> Unlike RIPv2 Authentication, RSVP Authentication has never had
>> any measurably large deployment, as near as I can tell.
> 
> Actually, I believe there is significant use of RSVP Authentication in 
> MPLS Traffic Engineering deployments.
> 
>> A practical
>> to deploy key management strategy is not apparent to me right now
>> for RSVP Authentication.  RSVP Auth keys need to be placed in all
>> of the devices along a dynamic and *changing* flow path, so it is
>> much harder to pre-position manual keys along the whole path.
>> By contrast, OSPF and RIP have a well-defined and static set of
>> legitimate participating routers, so one can pre-position manual keys
>> in all of those OSPF/RIP routers (and that has been commonly done
>> in numerous enterprise networks using OSPFv2 Auth or RIPv2 Auth).
> 
> Well, in environments where RSVP is deployed on all routers of a convex 
> cloud, using pre-positioned keys for RSVP seems very similar to using 
> pre-positioned keys for OSPF/RIP. I think pre-positioning keys with RSVP 
> only gets more tricky in environments where you have non-RSVP routers in 
> between RSVP routers.
> 
> But in any case, most of this discussion about general applicability of 
> RSVP Authentication seems beyond the scope of this particular document. 
> The one point I can see which is specific to this document, is that the 
> aggregation mechanisms used here rely on the Aggregator to send an E2E 
> Path message into the Aggregation region without knowing ahead of time 
> which Deaggregator will be used. This aspect is already discussed in the 
> document, which also mentions that one possible solution then is to use 
> the same key across all Aggregators/Deaggregators.
> 
> BTW, Pratik Bose, Fred Baker and I, plan to submit a document proposing 
> a method for IPsec protection of RSVP which could be used in many RSVP 
> environments, including the ones of generic aggregate RSVP. This may 
> offer an alternative approach to the security concern discussed in 
> previous paragraph. But this is future work, and need not be referenced 
> from that document.

Can you please write up some text for the security consideration that 
clarifies when there will be issues in keying RSVP to protect against 
the possible attacks.

Cheers

Magnus Westerlund

IETF Transport Area Director & TSVWG Chair
----------------------------------------------------------------------
Multimedia Technologies, Ericsson Research EAB/TVA/A
----------------------------------------------------------------------
Ericsson AB                | Phone +46 8 4048287
Torshamsgatan 23           | Fax   +46 8 7575550
S-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
----------------------------------------------------------------------

v2.23.0 | Report a Bug | By Email