WG: [Tsvwg] Re: IETF LC comments on draft-ietf-tsvwg-rsvp-ipsec

["Tschofenig, Hannes" <hannes.tschofenig@siemens.com>]

Resend 

-----Ursprüngliche Nachricht-----
Von: Tschofenig, Hannes 
Gesendet: Donnerstag, 21. Dezember 2006 14:54
An: 'Francois Le Faucheur IMAP'; tsvwg tsvwg
Cc: Magnus Westerlund; RJ Atkinson
Betreff: AW: [Tsvwg] Re: IETF LC comments on draft-ietf-tsvwg-rsvp-ipsec

Hi Francois, 

A few minor comments inline:
 
> -----Ursprüngliche Nachricht-----
> Von: Francois Le Faucheur IMAP [mailto:flefauch@cisco.com] 
> Gesendet: Donnerstag, 14. Dezember 2006 10:29
> An: tsvwg tsvwg
> Cc: Magnus Westerlund; RJ Atkinson
> Betreff: Re: [Tsvwg] Re: IETF LC comments on 
> draft-ietf-tsvwg-rsvp-ipsec
> 
> All,
> 
> Below is a proposal for a considerably expanded Security Section for  
> draft-ietf-tsvwg-rsvp-ipsec, based on our earlier discussions and  
> input from Ran.
> Please comment by X-mas as I'd like to post an updated version round  
> then, and this is the only remaining open issue.
> 
> Thanks
> 
> Francois
> 
> ====================================================================
> Security Considerations
> 
> In the environments addressed by this document, RSVP messages are  
> used to control resource reservations for generic aggregate  
> reservations and may be used to control resource reservations 
> for E2E  
> reservations being aggregated over the generic aggregate  
> reservations. To ensure the integrity of the associated reservation  
> and admission control mechanisms, the RSVP Authentication mechanisms  
> defined in [RSVP-CRYPTO1] and [RSVP-CRYPTO2] may be used. These  
> protect RSVP message integrity hop-by-hop and provide node  
> authentication

It is really the IP address that is authenticated since there is no other identifier available
(not node authentication).


 as well as replay protection, thereby protecting  
> against corruption and spoofing of RSVP messages. These hop-by-hop  
> integrity mechanisms can be naturally used to protect the RSVP  
> messages used for generic aggregate reservations and to protect RSVP  
> messages used for E2E reservations outside the aggregation region.  
> These hop-by-hop RSVP integrity mechanisms can also be used to  
> protect RSVP messages used for E2E reservations when those transit  
> through the aggregation region. This is because the Aggregator and  
> Deaggregator behave as RSVP neighbors from the viewpoint of the E2E  
> flows (even if they are not necessarily IP neighbors).
> 
> [RSVP-CRYPTO1] discusses several approaches for key distribution.  
> First, the RSVP Authentication shared keys can be distributed  
> manually. This is the base option and its support is mandated 
> for any  
> implementation. However, in some environments, this approach may  
> become a burden if keys frequently change over time. 
> Alternatively, a  
> standard key management protocol for secure key distribution can be  
> used. However, existing key distribution protocols may not be  
> appropriate in all environments because of the complexity or  
> operational burden they involve. Finally, [RSVP-CRYPTO1] specifies  
> how Kerberos [KERBEROS] may be used to generate the RSVP  
> Authentication keys. Kerberos allows for the use of trusted third  
> party keying relationships between security principals (RSVP sender  
> and receivers) where the Kerberos key distribution center (KDC)  
> establishes an ephemeral session key to be shared between 
> RSVP sender  
> and receivers.
> 
> The use of RSVP Authentication in parts of the network where there  
> may be one or more IP hops in between two RSVP neighbors raises an  
> additional challenge. This is because, with some RSVP messages such  
> as a Path message, an RSVP router does not know the RSVP next 
> hop for  
> that message at the time of forwarding it. In fact, part of the role  
> of a Path message is precisely to discover the RSVP next hop (and to  
> dynamically re-discover it when it changes, say because of a routing  
> change). Hence, the RSVP router may not know which security  
> association to use when forwarding such a message. This applies in  
> particular to the case where RSVP Authentication mechanisms 
> are to be  
> used for protection of RSVP E2E messages (e.g. E2E Path) while they  
> transit through an aggregation region and where the dynamic  
> Deaggregator determination procedure defined in [RSVP-AGG] is used.  
> This is because the Aggregator and the Deaggregator behave as RSVP  
> neighbors for the E2E reservation, while there may be one or more IP  
> hops in between them, and the Aggregator does not know ahead of time  
> which router is going to act as the Deaggregator.

That's so nice about the RSVP PATH message: It helps you to discover the next node along the path dynamically even in case of route changes but at the same time it does not help you since you already need to know the new node to make use of security. 

If you always know what the next node is then why do you use a discovery message. If the protected discovery message hits the wrong node then it will be discarded = Not Good(tm).

The simplest way to deal with these problems is to "invent" a discovery mechanisms. You might get some inspiration in  NSIS documents. 

> 
> In that situation, one approach is to share the same RSVP  
> Authentication shared key across all the RSVP routers of a part of  
> the network where there may be RSVP neighbors with IP hops in  
> between. For example, all the Aggregators or Deaggregators of an  
> aggregation region could share the same RSVP Authentication key,  
> while different per-neighbor keys could be used between any RSVP  
> router pair straddling the boundary between two administrative  
> domains that have agreed to use RSVP signaling.
> 
> When the same RSVP Authentication shared key is to be shared among  
> multiple RSVP neighbors, manual key distribution may be used. In the  
> future, automated key distribution techniques suitable for this  
> situation may become available. Possible examples include the  
> adaptation of multicast key management techniques such as those  
> developed by the IETF MSEC Working Group or those commonly used for  
> Multicast key distribution in WiFi environments, to this scenario  
> wherein the same key also needs to be dynamically distributed to  
> multiple routers of a particular community (i.e. the RSVP routers  
> here). Specification of such automated key distribution 
> techniques or  
> of their applicability to RSVP is out of the scope of this document.
> 
> The RSVP Authentication mechanisms do not provide 
> confidentiality. If  
> confidentiality is required, IPsec ESP [IPSEC-ESP] may be used,  
> although it imposes the burden of key distribution.

Could you explain how the IPsec ESP usage would look like? 


 It also 
> faces the  
> additional issue discussed for key management above in case 
> there can  
> be IP hops in between RSVP hops. In the future, confidentiality  
> solutions may be developed for the case where there can be IP 
> hops in  
> between RSVP hops, perhaps by adapting confidentiality solutions  
> developed by the IETF MSEC Working Group. Such confidentiality  
> solutions for RSVP are outside the scope of this document.
> 
> Protection against traffic analysis is also not provided by RSVP  
> Authentication. Since generic aggregate reservations are intended to  
> reserve resources collectively for a whole set of users or hosts,  
> malicious snooping of the corresponding RSVP messages could provide  
> more traffic analysis information than snooping of an E2E  
> reservation. When RSVP neighbors are directly attached, mechanisms  
> such as bulk link encryption might be used when protection against  
> traffic analysis is required.

I guess you are talking about "link layer encryption". Correct? 


 This approach could be used inside the  
> aggregation region for protection of the generic aggregate  
> reservations. It may also be used outside the aggregation region for  
> protection of the E2E reservation. However, it is not applicable to  
> the protection of E2E reservations while the corresponding E2E RSVP  
> messages transit through the aggregation region.
> 
> When generic aggregate reservations are used for aggregation of E2E  
> reservations, the security considerations discussed in [RSVP-AGG]  
> apply and are revisited here.
> 
> First, the loss of an aggregate reservation to an aggressor causes  
> E2E flows to operate unreserved, and the reservation of a great  
> excess of bandwidth may result in a denial of service. These issues  
> are not confined to the extensions defined in the present document:  
> RSVP itself has them. However, they may be exacerbated here by the  
> fact that each aggregate reservation typically facilitates  
> communication for many sessions. Hence compromising one such  
> aggregate reservation can result in more damage than compromising a  
> typical E2E reservation. Use of the RSVP Authentication 
> mechanisms to  
> protect against such attacks has been discussed above.
> 
> An additional security consideration specific to RSVP aggregation  
> involves the modification of the IP protocol number in RSVP Path  
> messages that traverse an aggregation region. Malicious modification  
> of the IP protocol number in a Path message would cause the message  
> to be ignored by all subsequent RSVP devices on its path, preventing  
> reservations from being made. It could even be possible to correct  
> the value before it reached the receiver, making it difficult to  
> detect the attack. Note that in theory, it might also be 
> possible for  
> a node to modify the IP protocol number for non-RSVP messages as  
> well, thus interfering with the operation of other protocols. 
> One way  
> to mitigate the risks of malicious modification of the IP protocol  
> number is to use an IPsec authentication header, which would ensure  
> that malicious modification of the IP header is detected. This is a  
> desirable approach but again imposes some administrative burden in  
> the form of key management for authentication purposes and may again  
> face the additional key management issue discussed above where there  
> can be IP hops in between RSVP neighbors.

Could you describe how IPsec would be used here?


 It is RECOMMENDED that  
> implementations of this specification only support modification of  
> the IP protocol number for RSVP Path, PathTear, and ResvConf  
> messages. That is, a general facility for modification of the IP  
> protocol number SHOULD NOT be made available.
> 
> Network operators deploying routers with RSVP aggregation capability  
> should be aware of the risks of inappropriate modification of the IP  
> protocol number and should take appropriate steps (physical 
> security,  
> password protection, etc.) to reduce the risk that a router could be  
> configured by an attacker to perform malicious modification of the  
> protocol number.
> 
> ===========================================================
> 
> 

Ciao
Hannes

> 
> 
> On 17 Nov 2006, at 16:20, Magnus Westerlund wrote:
> 
> > Hi,
> >
> > Below is answers from Ran to Francois comments. You will need to  
> > keep him on the CC to discuss these issues.
> >
> > ---- Text from Ran Atkinson ----------------
> >
> > > On 13 Oct 2006, at 11:55, Magnus Westerlund wrote:
> > >
> > >> Hi, the IESG received the below comment during the ongoing IETF  
> > LC. I would appreciate some response to it.
> > >>
> > >> "I think that the "Security Considerations" section of this
> > >> document is significantly thin.  There are significant security  
> > risks
> > >> associated with this sort of aggregation that I don't 
> see discussed
> > >> in much detail.
> > >
> > > "RSVP Aggregation over Generic Aggregate RSVP reservations" as  
> > per this document is of course very very similar to "RSVP  
> > Aggregation over Aggregate RSVP reservation" as per RFC3175. The  
> > issues associated with "this sort of aggregation" were 
> discussed in  
> > RFC3175, so we elected to refer to the security considerations in  
> > RFC3175. The current text says:
> > > "
> > > When generic aggregate reservations are used for 
> aggregation of E2E
> > > reservations, the security considerations discussed in [RSVP-AGG]
> > > apply.
> > > "
> > > We could either keep it this way or replicate the relevant text.  
> > I would personally prefer keeping it that way because some of the  
> > security discussions relates to aggregation mechanisms (such as  
> > RSVP-E2E-IGNORE) which are specified in details in RFC3175 
> and only  
> > brought into our document by reference to RFC3175.
> > > But I can bring in the relevant text if you recommend we do so.
> >
> > The relevant text ought to be replicated, possibly editing it to
> > reflect whatever differences might exist between this and RFC-3175
> > and whatever we know/realise now that might not have been clearly
> > documented or understood then.
> >
> > >> There should also be at least some mention of traffic
> > >> analysis issues and the potential DDOS attacks on the network
> > >> operator arising from this usage.
> > >
> > > Regarding traffic analysis, I am not quite sure what is there to  
> > say.
> > > It seems that if an entity uses RSVP to signal its reservation  
> > requirement from point A to point B, someone snooping RSVP  
> > signaling would be able to know ... what are the reservation  
> > requirement from point A to point B. That seems like a fundamental  
> > aspect of signaling.
> >
> > It is a fundamental aspect of *clear-text* *in-band* signalling.
> >
> > It is not a fundamental aspect of in-band signalling.  For example,
> > one could provide confidentiality to the signalling traffic
> > (if one could figure out how to distribute keys properly).
> >
> > It is not a fundamental aspect of signalling.  For example,
> > Signalling System 7 (used in the telephony world) is out-of-band,
> > so snooping by ordinary users generally isn't practical.
> >
> > > Or is the point that using aggregation makes traffic analysis  
> > easier because you get the full aggregate requirement by snooping  
> > one message?
> > > Is this worth mentioning this?
> >
> > This is also worth mentioning, and it is a difference in risk
> > from ordinary RSVP usage.
> >
> > > Is there something smarter/more useful that should be said about  
> > traffic analysis that is specific to this document?
> > >
> > >>
> > >> Unlike RIPv2 Authentication, RSVP Authentication has never had
> > >> any measurably large deployment, as near as I can tell.
> > >
> > > Actually, I believe there is significant use of RSVP  
> > Authentication in MPLS Traffic Engineering deployments.
> >
> > I know of several ISPs that use RSVP for MPLS Traffic Engineering.
> > I do not know of *one* that has enabled RSVP Authentication 
> for MPLS.
> > Several have said that RSVP Authentication is impractical to enable
> > because of the absence of suitable key management.  This has come
> > up in hallway conversations with operators at RIPE and NANOG in the
> > past.  More recently, I've heard complaints about this aspect of
> > RSVP informally from certain parts of the US Government.
> >
> > This issue is not unique to RSVP.  For example, BGP Authentication
> > (or RIPv2 Authentication) faces similar challenges where we have a
> > suitable authentication mechanism, but the absence of suitable key
> > management is one of several reasons that BGP Authentication has
> > somewhat limited deployment.  If one looks at the RIPv2 
> Authentication
> > document (either the original one or the latest one), then one will
> > see that this key management issue for RIP is carefully described --
> > along with suggestions for how the IETF might be able to 
> fill that gap
> > in future.
> >
> > If the authors think that suitable key management exists for RSVP
> > in this usage, it would be VERY helpful to document that in the
> > SECURITY CONSIDERATIONS for this draft, so that operators who choose
> > to deploy this mechanism know how to do it.
> >
> > Alternately, and more likely in my view, they should at 
> least clearly
> > document this key management issue/gap with RSVP for this usage
> > in the SECURITY CONSIDERATIONS section.  If they think a reasonable
> > algorithm exists, by all means add a citation to REFERENCES and
> > mention that in SECURITY CONSIDERATIONS as a possible 
> future approach.
> >
> > In the case of RIPv2, RIP packets are typically sent via IP 
> multicast
> > to a special IP multicast group.  So if/when IETF has a key 
> management
> > protocol for multicast applications (there is, I believe, 
> the MSEC WG
> > on this -- and both RFC-2094 and RFC-2095 give reasonable hope that
> > it is a tractable problem), then RIP can use that approach.  OSPF's
> > situation is essentially the same as RIP, since both use IP  
> > multicasting
> > to reserved multicast groups.
> >
> > In the case of RSVP, packets are sent along a path, but the actual
> > path members are dynamic.  It is unclear to me that a key management
> > strategy even exists for this sort of deployment.  Maybe, and one
> > would have to give it a lot more thought, one could use a public-key
> > scheme along with a PKI (holding an incoming RSVP packet for the
> > relatively long time a key management protocol transaction 
> would take
> > likely has adverse consequences for the flow being 
> signalled).  If the
> > authors think such a strategy really exists, it would be helpful
> > to mention it and perhaps add a citation or two in the REFERENCES
> > section.
> >
> > >> A practical
> > >> to deploy key management strategy is not apparent to me right now
> > >> for RSVP Authentication.  RSVP Auth keys need to be placed in all
> > >> of the devices along a dynamic and *changing* flow path, so it is
> > >> much harder to pre-position manual keys along the whole path.
> > >> By contrast, OSPF and RIP have a well-defined and static set of
> > >> legitimate participating routers, so one can 
> pre-position manual  
> > keys
> > >> in all of those OSPF/RIP routers (and that has been commonly done
> > >> in numerous enterprise networks using OSPFv2 Auth or RIPv2 Auth).
> > >
> > > Well, in environments where RSVP is deployed on all routers of a  
> > convex cloud, using pre-positioned keys for RSVP seems very 
> similar  
> > to using pre-positioned keys for OSPF/RIP. I think pre-positioning  
> > keys with RSVP only gets more tricky in environments where 
> you have  
> > non-RSVP routers in between RSVP routers.
> >
> > See above.  This analysis is flawed in that both RIP and OSPF use
> > special-purpose IP multicast groups, so they can use MSEC's 
> multicast
> > key management.  RSVP does not use multicast, so it is not obvious
> > that it can use multicast key management.
> >
> > > But in any case, most of this discussion about general  
> > applicability of RSVP Authentication seems beyond the scope 
> of this  
> > particular document.
> >
> > Not at all.  If we have an issue with a security mechanism and some
> > protocol extension relies on that security mechanism, then the issue
> > remains unresolved for the usage in the extension document and
> > also should be clearly documented in the extension document's
> > SECURITY CONSIDERATIONS.
> >
> > > The one point I can see which is specific to this document, is  
> > that the aggregation mechanisms used here rely on the 
> Aggregator to  
> > send an E2E Path message into the Aggregation region without  
> > knowing ahead of time which Deaggregator will be used. This aspect  
> > is already discussed in the document, which also mentions that one  
> > possible solution then is to use the same key across all  
> > Aggregators/Deaggregators.
> >
> > Since we don't have a way to actually manage keys, it isn't clear
> > that this is any more practical than the general case, though it is
> > good that it is already mentioned.
> >
> > > BTW, Pratik Bose, Fred Baker and I, plan to submit a document  
> > proposing a method for IPsec protection of RSVP which could 
> be used  
> > in many RSVP environments, including the ones of generic aggregate  
> > RSVP. This may offer an alternative approach to the security  
> > concern discussed in previous paragraph. But this is future work,  
> > and need not be referenced from that document.
> >
> > At least the existence of the current real-world issues that make
> > it hard for a deployment to be secured should be fully documented
> > in the SECURITY CONSIDERATIONS.  It might, depending on the IESG's  
> > views,
> > be reasonable to add a paragraph to SECURITY CONSIDERATIONS 
> outlining
> > the general concept that the 3 folks names above have in mind for
> > key management and indicate that this is one possible future  
> > direction.
> >
> > As Steve Bellovin would be very quick to point out, "just use IPsec"
> > is not always a very credible answer.  I am the original author of
> > AH and ESP; I co-chaired the IPsec WG for a while.  In this case,
> > the issue is not so much how to use AH/ESP with RSVP, which might be
> > what is meant by the quoted text above, but how would one manage the
> > keys.  It is not at all clear that a hybrid Diffie-Hellman scheme,
> > such as ISAKMP/IKE, can be used in an RSVP deployment such as is
> > described here.  This is UNLIKE the case with RIP or OSPF, which
> > use multicast for their messages, where there are published 
> techniques
> > for multicast key management (RFC-2093, RFC-2094, and a wider number
> > in the open cryptographic literature) and there has been an 
> IETF MSEC
> > WG actually developing multicast key management for IETF use.
> >
> > It seems that if one looks through the above, at a bare minimum
> > significant new text (on several different topics) is needed in
> > this document's SECURITY CONSIDERATIONS section.
> >
> > Yours,
> >
> > Ran
> > rja@extremenetworks.com
> >
> >
> >
> >
> > -- 
> >
> > Magnus Westerlund
> >
> > IETF Transport Area Director & TSVWG Chair
> > 
> ----------------------------------------------------------------------
> > Multimedia Technologies, Ericsson Research EAB/TVA/A
> > 
> ----------------------------------------------------------------------
> > Ericsson AB                | Phone +46 8 4048287
> > Torshamsgatan 23           | Fax   +46 8 7575550
> > S-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
> > 
> ----------------------------------------------------------------------
> 
>