Re: [tsvwg] TSVWG Working Group Last Call (WGLC) on draft-ietf-tsvwg-ieee-802-11 - David Black's comments
"Tim Szigeti (szigeti)" <szigeti@cisco.com> Wed, 16 August 2017 18:17 UTC
Return-Path: <szigeti@cisco.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 06D86132382 for <tsvwg@ietfa.amsl.com>; Wed, 16 Aug 2017 11:17:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.521
X-Spam-Level:
X-Spam-Status: No, score=-14.521 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2-_uB4p9m2Du for <tsvwg@ietfa.amsl.com>; Wed, 16 Aug 2017 11:17:30 -0700 (PDT)
Received: from alln-iport-8.cisco.com (alln-iport-8.cisco.com [173.37.142.95]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BAEDD13237B for <tsvwg@ietf.org>; Wed, 16 Aug 2017 11:17:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=14442; q=dns/txt; s=iport; t=1502907449; x=1504117049; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=08xJ5o46xcGGdB8GuV5kMaGF8g8ULUkU+436WJzUwaM=; b=kRB1tpJzi4J/ejSbImzqYTvjZ84V8wdg6U95BtY5fNVZRvJUpF6rBMWL 0+njuJQ4kEMH5nhsch1HRfa5fGRlqXmF+qngHhRg/E0CPWsTkr7yBqvkj RDqj/1uXLSWivphmNwBBeetXD7bvI71NKYdH2BMt0YVFPRTBYPJPrFHhb I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CaAADvipRZ/4YNJK1dDgsBAQEBAQEBAQEBAQcBAQEBAYNaZIEVB44LkBCBbog3jWIOggQshRsChEY/GAECAQEBAQEBAWsohRgBAQEBAw4ZEysUDAQCAQgRBAEBAR4JByERFAkIAQEEAQ0FCIoQAxUQrF86hzkNhBYBAQEBAQEBAQEBAQEBAQEBAQEBAQEYBYMkBIICgy4BgyeCV4FoAQESAUWFTgWXZogjPAKHUoMMhGyEbYIZhWCKbIw2hSSEQAEfOH8LdxUfKoUSBRwZgQ8/docwgSOBDwEBAQ
X-IronPort-AV: E=Sophos;i="5.41,383,1498521600"; d="scan'208";a="472439354"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by alln-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 16 Aug 2017 18:17:28 +0000
Received: from XCH-RCD-016.cisco.com (xch-rcd-016.cisco.com [173.37.102.26]) by alln-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id v7GIHSmr020388 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 16 Aug 2017 18:17:28 GMT
Received: from xch-rcd-010.cisco.com (173.37.102.20) by XCH-RCD-016.cisco.com (173.37.102.26) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Wed, 16 Aug 2017 13:17:27 -0500
Received: from xch-rcd-010.cisco.com ([173.37.102.20]) by XCH-RCD-010.cisco.com ([173.37.102.20]) with mapi id 15.00.1210.000; Wed, 16 Aug 2017 13:17:27 -0500
From: "Tim Szigeti (szigeti)" <szigeti@cisco.com>
To: "Black, David" <David.Black@dell.com>, G Fairhurst <gorry@erg.abdn.ac.uk>, tsvwg WG <tsvwg@ietf.org>
CC: "Jerome Henry (jerhenry)" <jerhenry@cisco.com>, Fred Baker <fredbakersba@gmail.com>
Thread-Topic: TSVWG Working Group Last Call (WGLC) on draft-ietf-tsvwg-ieee-802-11 - David Black's comments
Thread-Index: AdL9iKwSAOxDD+ndQlSPMOl+i2FRxAJn8UbwAi2HR9ABt1YHQA==
Date: Wed, 16 Aug 2017 18:17:27 +0000
Message-ID: <9907583a83dd46ffa05409471a256e5e@XCH-RCD-010.cisco.com>
References: <CE03DB3D7B45C245BCA0D243277949362FB757AF@MX307CL04.corp.emc.com> <9603e1facabb48ec865439a997392120@XCH-RCD-010.cisco.com> <CE03DB3D7B45C245BCA0D243277949362FBC358D@MX307CL04.corp.emc.com>
In-Reply-To: <CE03DB3D7B45C245BCA0D243277949362FBC358D@MX307CL04.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.132.12.130]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/Vls77jtgmsP2OhNYBQMmirIrQck>
Subject: Re: [tsvwg] TSVWG Working Group Last Call (WGLC) on draft-ietf-tsvwg-ieee-802-11 - David Black's comments
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Aug 2017 18:17:33 -0000
Thank you David for catching even these subtle points. I've made the changes exactly as you've recommended below and have uploaded a new draft. Please confirm if this allows us to proceed to the next step. TIA. -tim > -----Original Message----- > From: Black, David [mailto:David.Black@dell.com] > Sent: Monday, August 07, 2017 6:24 PM > To: Tim Szigeti (szigeti); G Fairhurst; tsvwg WG > Cc: Jerome Henry (jerhenry); Fred Baker > Subject: RE: TSVWG Working Group Last Call (WGLC) on draft-ietf-tsvwg- > ieee-802-11 - David Black's comments > > Hi Tim, > > Many thanks for your continued efforts on this draft, and sorry for the > delayed response. The changes generally look good - there were two areas > where I wanted to re-check the revised text: > > A) On Section 5.3, I wrote: > > > > I don't understand what a "trust function" is, so this looks like a > > > circular statement. Once "trust function" is clarified, change > > > "RECOMMENDED to trust DSCP" to "RECOMMENDED to pass through > DSCP" > > > ... but the details of this clarification are crucial as this text > > > is a potentially serious security hole > as currently written. > > The revised text removes the use of the term "trust function" and is much > clearer as a result. > > B) > > > > Finally, Gorry noted: > > > > > > (4) I suspect the security section may benefit from a better definition > > > of the case where the 802.11 network forms the edge of a DS domain. I > > > suspect other people will suggest text on this. > > > > > > I suspect that some of the changes suggested in this review towards > > > less use of the word "trust" will help with this concern, so I suggest that > Gorry and I > > > both take a look at the resulting text to see whether it suffices. That > said, it > > > would help to add a reference from the security considerations text > > > on CS6 and CS7 back to section 5.4, which discusses this "edge of a DS > domain" case. > > > > > Beyond removal of most uses of the word "trust," the security > considerations text on CS6 and CS7 was expanded, which obviates the need > for a backpointer, however .... this text in Section 5.4 is now subtly > inconsistent with at least the security considerations text: > > When business requirements and/or technical constraints and/or > administrative policies require QoS markings to be passed through at > the wireless edge, then it is RECOMMENDED to pass through Layer 3 > DSCP markings (over Layer 2 [IEEE.802.11-2016] UP markings) in the > upstream direction, for the following reasons: > > CS6 and CS7 are exceptions to this "RECOMMENDED" requirement for the > security reasons discussed in section 8, and because they should not be > generated by hosts for the reasons discussed in section 5.1. I have a couple > of suggested changes. > > 1) Insert "with the exception of CS6 and CS7" after "in the upstream > direction" in the above text. > > 2) Add a paragraph after the itemized list to explain (mostly by citing the two > relevant sections): > > CS6 and CS7 are exceptions to this pass through recommendation because > wireless hosts SHOULD NOT use them (see Section 5.1) and traffic with > those two markings poses a threat to operation of the wired network (see > Section 8.2). CS6 and CS7 SHOULD NOT be passed through to the wired > network in the upstream direction unless the access point has been > specifically configured to do that by a network administrator or operator. > > Does that sound reasonable? > > Thanks, --David > > > -----Original Message----- > > From: Tim Szigeti (szigeti) [mailto:szigeti@cisco.com] > > Sent: Thursday, July 27, 2017 6:35 PM > > To: Black, David <david.black@emc.com>; G Fairhurst > > <gorry@erg.abdn.ac.uk>; tsvwg WG <tsvwg@ietf.org> > > Cc: Jerome Henry (jerhenry) <jerhenry@cisco.com>; Fred Baker > > <fredbakersba@gmail.com> > > Subject: RE: TSVWG Working Group Last Call (WGLC) on > > draft-ietf-tsvwg-ieee- > > 802-11 - David Black's comments > > > > Hi David, > > > > Thank you again for taking the time to do another round of review. > > > > All changes you've suggested below have been made to the latest > > version of the draft. > > > > Thank you again for helping us find the right balance on security vs. > > functionality. > > > > -tim > > > > > -----Original Message----- > > > From: tsvwg [mailto:tsvwg-bounces@ietf.org] On Behalf Of Black, > > > David > > > Sent: Saturday, July 15, 2017 9:40 AM > > > To: G Fairhurst; tsvwg WG > > > Subject: [tsvwg] TSVWG Working Group Last Call (WGLC) on > > > draft-ietf-tsvwg- > > > ieee-802-11 - David Black's comments > > > > > > In general, the -04 draft is much improved from the -01 draft. All > > > of my remaining major concerns involve uses of the word "trust" that > > > > > > -- Major > > > > > > Section 3: > > > > > > This document assumes and RECOMMENDS that all wireless access > points > > > (as the bridges between wired-and-wireless networks) support the > > > ability to: > > > > > > [... snip ...] > > > > > > o trust DSCP markings set by wireless endpoint devices > > > > > > This instance of "trust" appears to have been overlooked. I suggest > > > changing "trust" to "process." > > > > > > Section 5: > > > > > > o DSCP-Trust at the wireless access point (effectively a 1:1 DSCP- > > > to-DSCP mapping) > > > > > > Aha, the dreaded T-word again. Suggest: DSCP-Trust -> DSCP- > Passthrough, > > > as that not only removes the T-word, but is also more descriptive. This > also > > > affects Section 5.3 ... > > > > > > Section 5.3: > > > > > > Change DSCP-Trust -> DSCP-Passthrough in section title. > > > > > > It is generally NOT RECOMMENDED to trust DSCP markings from > > > unauthenticated and unauthorized devices, as these are typically > > > considered untrusted sources. > > > > > > to trust DSCP markings -> to pass through DSCP markings > > > > > > When business requirements and/or technical constraints and/or > > > administrative policies require a trust function at the wireless > > > edge, then it is RECOMMENDED to trust DSCP (over [IEEE.802.11-2016] > > > UP markings) markings in the upstream direction, for the following > > > reasons: > > > > > > I don't understand what a "trust function" is, so this looks like a > > > circular statement. Once "trust function" is clarified, change > > > "RECOMMENDED to trust DSCP" to "RECOMMENDED to pass through > DSCP" > > > ... but the details of this clarification are crucial as this text > > > is a potentially serious security hole > > as > > > currently written. > > > > > > A related minor issue turns up in Section 8.1 - see below. > > > > > > Finally, Gorry noted: > > > > > > (4) I suspect the security section may benefit from a better definition > > > of the case where the 802.11 network forms the edge of a DS domain. I > > > suspect other people will suggest text on this. > > > > > > I suspect that some of the changes suggested in this review towards > > > less use of the word "trust" will help with this concern, so I suggest that > Gorry and I > > > both take a look at the resulting text to see whether it suffices. That > said, it > > > would help to add a reference from the security considerations text > > > on CS6 and CS7 back to section 5.4, which discusses this "edge of a DS > domain" > > case. > > > > > > -- Minor > > > > > > Section 2.1: > > > > > > Thus the QoS treatment of packets at the access point will depend on > > > the position of the AP in the network infrastructure and on the WLAN > > > deployment model. > > > > > > Needs specific examples and/or forward references to what changes > > > with AP position. > > > > > > Sections 5.2, 5.3 and 5.4: > > > > > > These sections are effectively discussing alternatives for access > > > point > > Diffserv > > > functionality. That structure (do one of these three) is not clear in the > draft. > > > > > > Section 8.1: > > > > > > Additionally, Section 5.3 made it clear > > > that it is generally NOT RECOMMENDED to trust DSCP markings from > > > unauthorized and/or unauthenticated devices, as these are > > > typically considered untrusted sources. This is especially > > > relevant for IoT deployments, where tens-of-billions of devices > > > are being connected to IP networks, many of which have little or > > > no security. > > > > > > In the first sentence: "trust" -> "pass through" > > > > > > In the second sentence as written, "many of which" refers to "IP > > > networks" - I suspect that was not intended, e.g., "tens-of-billions > > > of devices that may have little or no security are being connected > > > to IP networks" may be closer to what was intended. > > > > > > Setting a trust boundary reflective of business objectives and > > > policy, such that traffic from authorized users and/or > > > applications and/or endpoints will be accepted by the network; > > > otherwise packet markings will be "bleached" (i.e. remarked to > > > DSCP DF and/or UP 0). > > > > > > I have some idea of what a "trust boundary" is, but suspect that > > > "traffic conditioning policy" may be clearer and closer to what was > intended. > > > > > > Section 8.2: > > > > > > Every paragraph in this section is bidirectional in scope, applying > > > to both > > > wired->wireless and wireless-> wired traffic, except for this paragraph: > > > > > > If such marking/mapping were not controlled, then, for example, a > > > malicious user could cause WLAN DoS by flooding traffic marked CS7 > > > DSCP downstream. This codepoint would map by default to UP 7 and > > > would be assigned to the Voice Access Category (AC_VO). Such a flood > > > could cause Denial-of-Service to not only wireless voice > > > applications, but also to all other traffic classes. > > > > > > I suggest making this paragraph bidirectional by providing the > > > example in both directions and then making it clear that the following > paragraph: > > > > > > Therefore, to mitigate such an attack, it is RECOMMENDED that all > > > packets marked to Diffserv Codepoints not in use over the wireless > > > network be mapped to UP 0. > > > > > > applies to both access points and wireless device operating systems. > > > > > > > > > -- Editorial > > > > > > Section 1.1: > > > > > > Note: [RFC4594] is intended to be viewed as a set of "project plans" > > > for building all the (diffserv) furniture that one might want. Thus, > > > it describes different types of traffic expected in IP networks and > > > provides guidance as to what DSCP marking(s) should be associated > > > with each traffic type. As such, this document draws heavily on > > > [RFC4594], [RFC5127], and [RFC8100]. > > > > > > The first sentence seems a bit too informal, suggest: > > > > > > OLD > > > Note: [RFC4594] is intended to be viewed as a set of "project plans" > > > for building all the (diffserv) furniture that one might want. > > > NEW > > > Note: [RFC4594] is intended to be viewed as a framework and > guidelines > > > for supporting Diffserv in any network, including wireless networks. > > > > > > Section 2.1: > > > > > > It is important to recognize that the wired-to-wireless edge may or > > > may not equate to the edge of the Diffserv domain. > > > > > > equate to the edge of the Diffserv domain -> function as an edge of > > > a Diffserv domain or a domain boundary. > > > > > > Section 8: > > > > > > Initial paragraph seems overly defensive, suggest: > > > > > > OLD > > > The recommendations put forward in this document do not present any > > > additional security concerns that do not already exist in wired and > > > wireless devices. In fact, several of the recommendations made in > > > this document serve to mitigate and protect wired and wireless > > > networks from potential abuse arising from existing vulnerabilities. > > > NEW > > > The recommendations in this document concern existing wired and > > > wireless > > > network functionality, and for that reason do not add significant security > > > concerns. Some of the recommendations help protect wired and > wireless > > > networks from potential abuse, e.g., as discussed further in this section. > > > > > > Section 8.2: > > > > > > It should be strongly noted that in the wireless deployment model > > > > > > I suggest deleting "It should be strongly noted that" > > > > > > Thanks, --David > > > > > > > > > > -----Original Message----- > > > > From: tsvwg [mailto:tsvwg-bounces@ietf.org] On Behalf Of G > > > > Fairhurst > > > > Sent: Thursday, July 6, 2017 3:11 AM > > > > To: tsvwg WG <tsvwg@ietf.org> > > > > Subject: [tsvwg] TSVWG Working Group Last Call (WGLC) on > > > > draft-ietf-tsvwg- > > > > ieee-802-11-01 to conclude 10th Jul 2017 > > > > > > > > This email announces a second TSVWG Working Group Last Call (WGLC) > > on: > > > > > > > > DiffServ to IEEE 802.11 Mapping > > > > draft-ietf-tsvwg-ieee-802-11-01 > > > > https://datatracker.ietf.org/doc/draft-ietf-tsvwg-ieee-802-11-01 > > > > > > > > This WGLC will last for about 2 weeks weeks. The purpose of this > > > > call is to provide further feedback (if required) on changes made > > > > since the first WGLC concluded. > > > > > > > > Comments should be sent to thetsvwg@ietf.org > > > > <mailto:tsvwg@ietf.org>list, although purely editorial comments > > > > may be sent directly to the authors. Please cc: the WG chairs > > > > attsvwg-chairs@ietf.org <mailto:tsvwg-chairs@ietf.org> if you > > > > would like the chairs to track such editorial comments as part of > > > > the WGLC process. > > > > > > > > No IPR disclosures have been submitted directly on > > > > draft-ietf-tsvwg-ieee-802-11-01 > > > > > > > > Thanks, > > > > Gorry > > > > (TSVWG Co-Chair)
- [tsvwg] TSVWG Working Group Last Call (WGLC) on d… Black, David
- Re: [tsvwg] TSVWG Working Group Last Call (WGLC) … Tim Szigeti (szigeti)
- Re: [tsvwg] TSVWG Working Group Last Call (WGLC) … Black, David
- Re: [tsvwg] TSVWG Working Group Last Call (WGLC) … Tim Szigeti (szigeti)
- Re: [tsvwg] TSVWG Working Group Last Call (WGLC) … Black, David