[Tsvwg] Re: Draft-ietf-tsvwg-rsvp-dste-04.txt secdir review
Francois Le Faucheur <flefauch@cisco.com> Thu, 14 September 2006 16:16 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1GNtt2-0007u7-7F; Thu, 14 Sep 2006 12:16:24 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1GNtsj-0007DZ-B5; Thu, 14 Sep 2006 12:16:05 -0400
Received: from rtp-iport-2.cisco.com ([64.102.122.149]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1GNtjG-0006Gn-FG; Thu, 14 Sep 2006 12:06:21 -0400
Received: from rtp-dkim-2.cisco.com ([64.102.121.159]) by rtp-iport-2.cisco.com with ESMTP; 14 Sep 2006 12:06:17 -0400
X-IronPort-AV: i="4.09,165,1157342400"; d="scan'208,217"; a="102427540:sNHT58458740"
Received: from ams-core-1.cisco.com (ams-core-1.cisco.com [144.254.224.150]) by rtp-dkim-2.cisco.com (8.12.11.20060308/8.12.11) with ESMTP id k8EG6Hxx010504; Thu, 14 Sep 2006 12:06:17 -0400
Received: from xbh-ams-332.emea.cisco.com (xbh-ams-332.cisco.com [144.254.231.87]) by ams-core-1.cisco.com (8.12.10/8.12.6) with ESMTP id k8EG6Gg2028837; Thu, 14 Sep 2006 18:06:16 +0200 (MEST)
Received: from xfe-ams-332.cisco.com ([144.254.231.73]) by xbh-ams-332.emea.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 14 Sep 2006 18:06:16 +0200
Received: from [144.254.53.99] ([144.254.53.99]) by xfe-ams-332.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Thu, 14 Sep 2006 09:06:15 -0700
In-Reply-To: <44F55C47.90707@ericsson.com>
References: <3870C46029D1F945B1472F170D2D9790013BA952@de01exm64.ds.mot.com> <7DD2996B-2755-451F-A8D9-9E5A932DBBC0@cisco.com> <44F55C47.90707@ericsson.com>
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Type: multipart/alternative; boundary="Apple-Mail-11--445894921"
Message-Id: <757C04A3-1612-4D50-9A0B-622F731F0F05@cisco.com>
From: Francois Le Faucheur <flefauch@cisco.com>
Date: Thu, 14 Sep 2006 18:05:31 +0200
To: Magnus Westerlund <magnus.westerlund@ericsson.com>, Eastlake III Donald-LDE008 <Donald.Eastlake@motorola.com>
X-Mailer: Apple Mail (2.752.2)
X-OriginalArrivalTime: 14 Sep 2006 16:06:15.0342 (UTC) FILETIME=[B4A864E0:01C6D817]
DKIM-Signature: a=rsa-sha1; q=dns; l=23437; t=1158249977; x=1159113977; c=relaxed/simple; s=rtpdkim2001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=flefauch@cisco.com; z=From:Francois=20Le=20Faucheur=20<flefauch@cisco.com> |Subject:Re=3A=20Draft-ietf-tsvwg-rsvp-dste-04.txt=20secdir=20review |To:Magnus=20Westerlund=20<magnus.westerlund@ericsson.com>, =0A=20=20=20=20=2 0=20=20=20Eastlake=20III=20Donald-LDE008=20<Donald.Eastlake@motorola.com>; X=v=3Dcisco.com=3B=20h=3DIiaXxwCu7c6X97viPPwh9ORgbok=3D; b=Ilg7p+ECV3QFABJGkf5QIVWczBmQ9C+VLbcYIhKgXyN0JlhhCFRmirG7kUvIB6rRgiJS3/zf 3elj1iGCtejQhUtiQcbxcWIiTJr3bu2ZnuQn9VcrIg0AfwCnwR8EGy+X;
Authentication-Results: rtp-dkim-2.cisco.com; header.From=flefauch@cisco.com; dkim=pass ( 30 extraneous bytes; sig from cisco.com verified; );
X-Spam-Score: 0.3 (/)
X-Scan-Signature: 958aa603499a3de6b2b87d68741ed60e
Cc: tsvwg tsvwg <tsvwg@ietf.org>, secdir@mit.edu, IESG <iesg@ietf.org>, James Polk <jmpolk@cisco.com>, Sam Hartman <hartmans-ietf@mit.edu>
Subject: [Tsvwg] Re: Draft-ietf-tsvwg-rsvp-dste-04.txt secdir review
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
Errors-To: tsvwg-bounces@ietf.org
Magnus, Donald and everyone, On 30 Aug 2006, at 11:37, Magnus Westerlund wrote: > Hi, > > To me this seems very reasonable. I am awaiting an update of the > document before progressing to IESG Evaluation. Below is the updated text I propose to use as the updated Security Section. I hope this addresses the review comments received so far. Please let me know if you have any further comments/recommendations. I plan to issue in a few days a next rev as agreed so the document can progress to IESG Evaluation. Thanks Francois " 8. Security Considerations In the environments concerned by this document, RSVP messages are used to control resource reservations for E2E flows outside the MPLS region as well as to control resource reservations for MPLS TE Tunnels inside the MPLS region. To ensure the integrity of the associated reservation and admission control mechanisms, the mechanisms defined in [RSVP-CRYPTO1] and [RSVP-CRYPTO2] can be used. Those protect RSVP messages integrity hop-by-hop and provide node authentication, thereby protecting against corruption and spoofing of RSVP messages. These hop-by-hop integrity mechanisms can naturally be used to protect the RSVP messages used for E2E reservations outside the MPLS region, to protect RSVP messages used for MPLS TE Tunnels inside the MPLS region, or for both. These hop-by-hop RSVP integrity mechanisms can also be used to protect RSVP messages used for E2E reservations when those transit through the MPLS region. This is because the Aggregator and Deaggregator behave as RSVP neighbors from the viewpoint of the E2E flows (even if they are not necessarily IP neighbors nor RSVP-TE neighbors). It that case, the Aggregator and Deaggregator need to use a pre-shared secret. As discussed in section 6 of [RSVP-TE], filtering of traffic associated with an MPLS TE Tunnel can only be done on the basis of an MPLS label, instead of the 5-tuple of conventional RSVP reservation as per [RSVP]. Thus, as explained in [RSVP-TE], an administrator may wish to limit the domain over which TE Tunnels (which are used for aggregation of RSVP E2E reservations as per this specification) can be established. See section 6 of [RSVP-TE] for a description of how filtering of RSVP messages associated with MPLS TE Tunnels can be deployed to that end. This document is based in part on [RSVP-AGG] which specifies aggregation of RSVP reservations. Section 5 of [RSVP-AGG] raises the point that because many E2E flows may share an aggregate reservation, if the security of an aggregate reservation is compromised, there is a multiplying effect in the sense that it can in turn compromise the security of many E2E reservations whose quality of service depends on the aggregate reservation. This concern applies also to RSVP Aggregation over TE Tunnels as specified in the present document. However, the integrity of MPLS TE Tunnels operation can be protected using the mechanisms discussed in the previous paragraphs. Also, while [RSVP-AGG] specifies RSVP Aggregation over dynamically established aggregate reservations, the present document restricts itself to RSVP Aggregation over pre-established TE Tunnels. This further reduces the security risks. In the case where the Aggregators dynamically resize the TE tunnels based on the current level of reservation, there are risks that the TE tunnels used for RSVP aggregation hog resources in the core which could prevent other TE Tunnels from being established. There are also potential risks that such resizing results in significant computation and signaling as well as churn on tunnel paths. Such risks can be mitigated by configuration options allowing control of TE tunnel dynamic resizing (maximum TE tunnel size, maximum resizing frequency, ...) and/or possibly by the use of TE preemption. Section 5 of [RSVP-AGG] also discusses a security issue specific to RSVP aggregation related to the necessary modification of the IP Protocol number in RSVP E2E Path messages that traverses the aggregation region. This security issue does not apply to the present document since aggregation of RSVP reservation over TE Tunnels does not use this approach of changing the protocol number in RSVP messages. Section 7 of [LSP-HIER] discusses security considerations stemming from the fact that the implicit assumption of a binding between data interface and the interface over which a control message is sent is no longer valid. These security considerations are equally applicable to the present document. If the Aggregator and Deaggregator are also acting as IPsec Security Gateways, the Security Considerations of [SEC-ARCH] apply. " where [RSVP-CRYPTO1] and [RSVP-CRYPTO2] refer to RFC2747 & RFC 3097 > > cheers > > Magnus > > Francois Le Faucheur wrote: >> Hello Don, Sam, >> Thanks for your reviews and comments. Focusing on the Security >> Cons section: >> On 9 Aug 2006, at 05:41, Eastlake III Donald-LDE008 wrote: >>> >>> >>> The Security Considerations section references no less than five >>> other >>> RFCs whose security sections are incorporated by reference. These >>> RFCs >>> cover a wide range of IETF eras. The earliest has a Security >>> section but >>> no Security Considerations section because it pre-dates the >>> requirement >>> to have such a section. I doubt that the security provisions in the >>> earlier of these RFCs would pass current standards. It is pretty >>> hard to >>> see whether the security provisions in the six documents (this >>> draft and >>> the 5 RFCs referenced from its Security Considerations section) >>> actually >>> fit together well without substantial gaps under the many options >>> described. It is my impression that there is probably a reasonable >>> interpretation of these various security sections that fits >>> together... >>> >> I see your point. >> In this light, we could change the Security Considerations section >> so that: >> - it incorporates by reference the RSVP Crypto specs (RFC2747 >> & 3097) as the fundamental provisions for securing RSVP (I just >> realized those were not explicitly referenced which was a big >> omission) >> - it clarifies how the RSVP Crypto mechanisms can indeed be >> used in this environment between Aggregator and Deaggregator >> (considering those are not direct IP neighbors) >> - it captures the key security issue specific to RSVP-TE, >> points to [RSVP-TE/3209] Security Cons section for details of >> provisions for this, & explains that this is relevant here only >> for the "Aggregate RSVP reservations" ie the TE Tunnels. >> - it removes the reference to RSVP-AGG/3175 Sec Cons >> altogether and instead incorporates directly the relevant points >> (since only a small subset are actually relevant). >> - it keeps the current reference to LSP-HIER/4206 since it >> already spells out which consideration/provision is relevant, >> - it keeps the current reference to SEC-ARCH/4301 since it >> already spells out that this is only relevant for the special case >> where the Aggregator and Deaggregator are also acting as IPsec >> Security Gateways (ie IPsec is used between Aggregator and Deagg). >> Does that sound like a viable way forward? >> Thanks >> Francois > > > -- > > Magnus Westerlund > > Multimedia Technologies, Ericsson Research EAB/TVA/A > ---------------------------------------------------------------------- > Ericsson AB | Phone +46 8 4048287 > Torshamsgatan 23 | Fax +46 8 7575550 > S-164 80 Stockholm, Sweden | mailto: magnus.westerlund@ericsson.com
- [Tsvwg] Re: Draft-ietf-tsvwg-rsvp-dste-04.txt sec… Francois Le Faucheur