IETF Logo Mail Archive

Re: [tsvwg] TSVWG Working Group Last Call (WGLC) on draft-ietf-tsvwg-ieee-802-11 - David Black's comments

"Black, David" <David.Black@dell.com> Tue, 08 August 2017 01:24 UTC

Return-Path: <David.Black@dell.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8984C124207 for <tsvwg@ietfa.amsl.com>; Mon, 7 Aug 2017 18:24:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.72
X-Spam-Level:
X-Spam-Status: No, score=-2.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dell.com header.b=i9Z7kV7D; dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=emc.com header.b=AFJBhNx/
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id glrozEM5qGxn for <tsvwg@ietfa.amsl.com>; Mon, 7 Aug 2017 18:24:21 -0700 (PDT)
Received: from esa7.dell-outbound.iphmx.com (esa7.dell-outbound.iphmx.com [68.232.153.96]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF254131D37 for <tsvwg@ietf.org>; Mon, 7 Aug 2017 18:24:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=dell.com; i=@dell.com; q=dns/txt; s=smtpout; t=1502155457; x=1533691457; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=M4d5pOClI0FDGOL0YgbiFbajX9ZG8lrfblvMgOZyiLU=; b=i9Z7kV7DhiE0ON+uWRyQdYHN6NpRKtCQz525Dd0O8fTQRk4yDnPhOQ5x fnDbXyZivu87QF6z7nEZY2vU27ccQIaYV1ozAlCwadZ5pUh8p8ezsBuJU gIWXr38Kg7M9fIS6yC9MXI1TETcAB+TgMmyBOpMAvOEoCeJJu5MeVppPX w=;
Received: from esa1.dell-outbound2.iphmx.com ([68.232.153.201]) by esa7.dell-outbound.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Aug 2017 20:24:17 -0500
From: "Black, David" <David.Black@dell.com>
Received: from mailuogwdur.emc.com ([128.221.224.79]) by esa1.dell-outbound2.iphmx.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 08 Aug 2017 07:19:00 +0600
Received: from maildlpprd56.lss.emc.com (maildlpprd56.lss.emc.com [10.106.48.160]) by mailuogwprd51.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id v781OIoA003820 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 7 Aug 2017 21:24:19 -0400
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd51.lss.emc.com v781OIoA003820
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=emc.com; s=jan2013; t=1502155460; bh=qxNkzLIXuQvOJhSdvjFn8NsUpeI=; h=From:To:CC:Subject:Date:Message-ID:References:In-Reply-To: Content-Type:Content-Transfer-Encoding:MIME-Version; b=AFJBhNx//J2L4EjBJ4FHVEoINRTo0NqUD2Rz1x4j7rKQZ+DXNvljBSvxq9dAbkwMR eCf0a3eT4ZjlKGqpVtLUpkVshEE4xuNjQRIds6WVylzqmgakd1s+BtlG94sF1d0+vg 7EXcWqhPnyrLEmqNIParmATGCdJ5BfSprxT1e9v0=
X-DKIM: OpenDKIM Filter v2.4.3 mailuogwprd51.lss.emc.com v781OIoA003820
Received: from mailusrhubprd54.lss.emc.com (mailusrhubprd54.lss.emc.com [10.106.48.19]) by maildlpprd56.lss.emc.com (RSA Interceptor); Mon, 7 Aug 2017 21:24:01 -0400
Received: from MXHUB308.corp.emc.com (MXHUB308.corp.emc.com [10.146.3.34]) by mailusrhubprd54.lss.emc.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.0) with ESMTP id v781O1hG019186 (version=TLSv1.2 cipher=AES128-SHA256 bits=128 verify=FAIL); Mon, 7 Aug 2017 21:24:01 -0400
Received: from MX307CL04.corp.emc.com ([fe80::849f:5da2:11b:4385]) by MXHUB308.corp.emc.com ([10.146.3.34]) with mapi id 14.03.0352.000; Mon, 7 Aug 2017 21:24:00 -0400
To: "Tim Szigeti (szigeti)" <szigeti@cisco.com>, G Fairhurst <gorry@erg.abdn.ac.uk>, tsvwg WG <tsvwg@ietf.org>
CC: "Jerome Henry (jerhenry)" <jerhenry@cisco.com>, Fred Baker <fredbakersba@gmail.com>
Thread-Topic: TSVWG Working Group Last Call (WGLC) on draft-ietf-tsvwg-ieee-802-11 - David Black's comments
Thread-Index: AdL9iKwSAOxDD+ndQlSPMOl+i2FRxAJn8UbwAi2HR9A=
Date: Tue, 08 Aug 2017 01:24:00 +0000
Message-ID: <CE03DB3D7B45C245BCA0D243277949362FBC358D@MX307CL04.corp.emc.com>
References: <CE03DB3D7B45C245BCA0D243277949362FB757AF@MX307CL04.corp.emc.com> <9603e1facabb48ec865439a997392120@XCH-RCD-010.cisco.com>
In-Reply-To: <9603e1facabb48ec865439a997392120@XCH-RCD-010.cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.105.8.135]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Sentrion-Hostname: mailusrhubprd54.lss.emc.com
X-RSA-Classifications: public
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/CCaTimpn1MN_2r1zFX9PCKFbmqI>
Subject: Re: [tsvwg] TSVWG Working Group Last Call (WGLC) on draft-ietf-tsvwg-ieee-802-11 - David Black's comments
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Aug 2017 01:24:26 -0000

Hi Tim,

Many thanks for your continued efforts on this draft, and sorry for the delayed response.   The changes generally look good - there were two areas where I wanted to re-check the revised text:

A) On Section 5.3, I wrote:

> > I don't understand what a "trust function" is, so this looks like a circular
> > statement.  Once "trust function" is clarified, change "RECOMMENDED to
> > trust DSCP" to "RECOMMENDED to pass through DSCP" ... but the details of
> > this clarification are crucial as this text is a potentially serious security hole > as
> > currently written.

The revised text removes the use of the term "trust function" and is much clearer as a result.

B)

> > Finally, Gorry noted:
> >
> >    (4) I suspect the security section may benefit from a better definition
> >    of the case where the 802.11 network forms the edge of a DS domain. I
> >    suspect other people will suggest text on this.
> >
> > I suspect that some of the changes suggested in this review towards less use
> > of the word "trust" will help with this concern, so I suggest that Gorry and I
> > both take a look at the resulting text to see whether it suffices.   That said, it
> > would help to add a reference from the security considerations text on CS6
> > and CS7 back to section 5.4, which discusses this "edge of a DS domain" case.
> >

Beyond removal of most uses of the word "trust," the security considerations text on CS6 and CS7 was expanded, which obviates the need for a backpointer, however .... this text in Section 5.4 is now  subtly inconsistent with at least the security considerations text:

   When business requirements and/or technical constraints and/or
   administrative policies require QoS markings to be passed through at
   the wireless edge, then it is RECOMMENDED to pass through Layer 3
   DSCP markings (over Layer 2 [IEEE.802.11-2016] UP markings) in the
   upstream direction, for the following reasons:

CS6 and CS7 are exceptions to this "RECOMMENDED" requirement for the security reasons discussed in section 8, and because they should not be generated by hosts for the reasons discussed in section 5.1.   I have a couple of suggested changes.

1) Insert "with the exception of CS6 and CS7" after "in the upstream direction" in the above text.

2) Add a paragraph after the itemized list to explain (mostly by citing the two relevant sections):

   CS6 and CS7 are exceptions to this pass through recommendation because
   wireless hosts SHOULD NOT use them (see Section 5.1) and traffic with
   those two markings poses a threat to operation of the wired network (see
   Section 8.2).  CS6 and CS7 SHOULD NOT be passed through to the wired
   network in the upstream direction unless the access point  has been
   specifically configured to do that by a network administrator or operator.

Does that sound reasonable?

Thanks, --David

> -----Original Message-----
> From: Tim Szigeti (szigeti) [mailto:szigeti@cisco.com]
> Sent: Thursday, July 27, 2017 6:35 PM
> To: Black, David <david.black@emc.com>; G Fairhurst
> <gorry@erg.abdn.ac.uk>; tsvwg WG <tsvwg@ietf.org>
> Cc: Jerome Henry (jerhenry) <jerhenry@cisco.com>; Fred Baker
> <fredbakersba@gmail.com>
> Subject: RE: TSVWG Working Group Last Call (WGLC) on draft-ietf-tsvwg-ieee-
> 802-11 - David Black's comments
> 
> Hi David,
> 
> Thank you again for taking the time to do another round of review.
> 
> All changes you've suggested below have been made to the latest version of
> the draft.
> 
> Thank you again for helping us find the right balance on security vs.
> functionality.
> 
> -tim
> 
> > -----Original Message-----
> > From: tsvwg [mailto:tsvwg-bounces@ietf.org] On Behalf Of Black, David
> > Sent: Saturday, July 15, 2017 9:40 AM
> > To: G Fairhurst; tsvwg WG
> > Subject: [tsvwg] TSVWG Working Group Last Call (WGLC) on draft-ietf-tsvwg-
> > ieee-802-11 - David Black's comments
> >
> > In general, the -04 draft is much improved from the -01 draft.  All of my
> > remaining major concerns involve uses of the word "trust" that
> >
> > -- Major
> >
> > Section 3:
> >
> >    This document assumes and RECOMMENDS that all wireless access points
> >    (as the bridges between wired-and-wireless networks) support the
> >    ability to:
> >
> > [... snip ...]
> >
> >    o  trust DSCP markings set by wireless endpoint devices
> >
> > This instance of "trust" appears to have been overlooked.   I suggest
> > changing "trust" to "process."
> >
> > Section 5:
> >
> >    o  DSCP-Trust at the wireless access point (effectively a 1:1 DSCP-
> >       to-DSCP mapping)
> >
> > Aha, the dreaded T-word again.  Suggest: DSCP-Trust -> DSCP-Passthrough,
> > as that not only removes the T-word, but is also more descriptive.   This also
> > affects Section 5.3 ...
> >
> > Section 5.3:
> >
> > Change DSCP-Trust -> DSCP-Passthrough in section title.
> >
> >    It is generally NOT RECOMMENDED to trust DSCP markings from
> >    unauthenticated and unauthorized devices, as these are typically
> >    considered untrusted sources.
> >
> > to trust DSCP markings -> to pass through DSCP markings
> >
> >    When business requirements and/or technical constraints and/or
> >    administrative policies require a trust function at the wireless
> >    edge, then it is RECOMMENDED to trust DSCP (over [IEEE.802.11-2016]
> >    UP markings) markings in the upstream direction, for the following
> >    reasons:
> >
> > I don't understand what a "trust function" is, so this looks like a circular
> > statement.  Once "trust function" is clarified, change "RECOMMENDED to
> > trust DSCP" to "RECOMMENDED to pass through DSCP" ... but the details of
> > this clarification are crucial as this text is a potentially serious security hole
> as
> > currently written.
> >
> > A related minor issue turns up in Section 8.1 - see below.
> >
> > Finally, Gorry noted:
> >
> >    (4) I suspect the security section may benefit from a better definition
> >    of the case where the 802.11 network forms the edge of a DS domain. I
> >    suspect other people will suggest text on this.
> >
> > I suspect that some of the changes suggested in this review towards less use
> > of the word "trust" will help with this concern, so I suggest that Gorry and I
> > both take a look at the resulting text to see whether it suffices.   That said, it
> > would help to add a reference from the security considerations text on CS6
> > and CS7 back to section 5.4, which discusses this "edge of a DS domain"
> case.
> >
> > -- Minor
> >
> > Section 2.1:
> >
> >    Thus the QoS treatment of packets at the access point will depend on
> >    the position of the AP in the network infrastructure and on the WLAN
> >    deployment model.
> >
> > Needs specific examples and/or forward references to what changes with AP
> > position.
> >
> > Sections 5.2, 5.3 and 5.4:
> >
> > These sections are effectively discussing alternatives for access point
> Diffserv
> > functionality.  That structure (do one of these three) is not clear in the draft.
> >
> > Section 8.1:
> >
> >       Additionally, Section 5.3 made it clear
> >       that it is generally NOT RECOMMENDED to trust DSCP markings from
> >       unauthorized and/or unauthenticated devices, as these are
> >       typically considered untrusted sources. This is especially
> >       relevant for IoT deployments, where tens-of-billions of devices
> >       are being connected to IP networks, many of which have little or
> >       no security.
> >
> > In the first sentence: "trust" -> "pass through"
> >
> > In the second sentence as written, "many of which" refers to "IP networks" -
> > I suspect that was not intended, e.g., "tens-of-billions of devices that may
> > have little or no security are being connected to IP networks" may be closer
> > to what was intended.
> >
> >       Setting a trust boundary reflective of business objectives and
> >       policy, such that traffic from authorized users and/or
> >       applications and/or endpoints will be accepted by the network;
> >       otherwise packet markings will be "bleached" (i.e. remarked to
> >       DSCP DF and/or UP 0).
> >
> > I have some idea of what a "trust boundary" is, but suspect that "traffic
> > conditioning policy" may be clearer and closer to what was intended.
> >
> > Section 8.2:
> >
> > Every paragraph in this section is bidirectional in scope, applying to both
> > wired->wireless and wireless-> wired traffic, except for this paragraph:
> >
> >    If such marking/mapping were not controlled, then, for example, a
> >    malicious user could cause WLAN DoS by flooding traffic marked CS7
> >    DSCP downstream.  This codepoint would map by default to UP 7 and
> >    would be assigned to the Voice Access Category (AC_VO).  Such a flood
> >    could cause Denial-of-Service to not only wireless voice
> >    applications, but also to all other traffic classes.
> >
> > I suggest making this paragraph bidirectional by providing the example in
> > both directions and then making it clear that the following paragraph:
> >
> >    Therefore, to mitigate such an attack, it is RECOMMENDED that all
> >    packets marked to Diffserv Codepoints not in use over the wireless
> >    network be mapped to UP 0.
> >
> > applies to both access points and wireless device operating systems.
> >
> >
> > -- Editorial
> >
> > Section 1.1:
> >
> >    Note: [RFC4594] is intended to be viewed as a set of "project plans"
> >    for building all the (diffserv) furniture that one might want.  Thus,
> >    it describes different types of traffic expected in IP networks and
> >    provides guidance as to what DSCP marking(s) should be associated
> >    with each traffic type.  As such, this document draws heavily on
> >    [RFC4594], [RFC5127], and [RFC8100].
> >
> > The first sentence seems a bit too informal, suggest:
> >
> > OLD
> >    Note: [RFC4594] is intended to be viewed as a set of "project plans"
> >    for building all the (diffserv) furniture that one might want.
> > NEW
> >    Note: [RFC4594] is intended to be viewed as a framework and guidelines
> >    for supporting Diffserv in any network, including wireless networks.
> >
> > Section 2.1:
> >
> >    It is important to recognize that the wired-to-wireless edge may or
> >    may not equate to the edge of the Diffserv domain.
> >
> > equate to the edge of the Diffserv domain -> function as an edge of a
> > Diffserv domain or a domain boundary.
> >
> > Section 8:
> >
> > Initial paragraph seems overly defensive, suggest:
> >
> > OLD
> >    The recommendations put forward in this document do not present any
> >    additional security concerns that do not already exist in wired and
> >    wireless devices.  In fact, several of the recommendations made in
> >    this document serve to mitigate and protect wired and wireless
> >    networks from potential abuse arising from existing vulnerabilities.
> > NEW
> >    The recommendations in this document concern existing wired and
> > wireless
> >    network functionality, and for that reason do not add significant security
> >    concerns.   Some of the recommendations help protect wired and wireless
> >    networks from potential abuse, e.g., as discussed further in this section.
> >
> > Section 8.2:
> >
> >    It should be strongly noted that in the wireless deployment model
> >
> > I suggest deleting "It should be strongly noted that"
> >
> > Thanks, --David
> >
> >
> > > -----Original Message-----
> > > From: tsvwg [mailto:tsvwg-bounces@ietf.org] On Behalf Of G Fairhurst
> > > Sent: Thursday, July 6, 2017 3:11 AM
> > > To: tsvwg WG <tsvwg@ietf.org>
> > > Subject: [tsvwg] TSVWG Working Group Last Call (WGLC) on
> > > draft-ietf-tsvwg-
> > > ieee-802-11-01 to conclude 10th Jul 2017
> > >
> > > This email announces a second TSVWG Working Group Last Call (WGLC)
> on:
> > >
> > >              DiffServ to IEEE 802.11 Mapping
> > >              draft-ietf-tsvwg-ieee-802-11-01
> > > https://datatracker.ietf.org/doc/draft-ietf-tsvwg-ieee-802-11-01
> > >
> > > This WGLC will last for about 2 weeks weeks. The purpose of this call
> > > is to provide further feedback (if required) on changes made since the
> > > first WGLC concluded.
> > >
> > > Comments should be sent to thetsvwg@ietf.org
> > > <mailto:tsvwg@ietf.org>list, although purely editorial comments may be
> > > sent directly to the authors. Please cc: the WG chairs
> > > attsvwg-chairs@ietf.org <mailto:tsvwg-chairs@ietf.org>  if you would
> > > like the chairs to track such editorial comments as part of the WGLC
> > > process.
> > >
> > > No IPR disclosures have been submitted directly on
> > > draft-ietf-tsvwg-ieee-802-11-01
> > >
> > > Thanks,
> > > Gorry
> > > (TSVWG Co-Chair)

v2.23.0 | Report a Bug | By Email