Mirja,
I believe draft-ietf-bess-mvpn-expl-track-13 addresses your issues. I
have expanded the Security Considerations section per your suggestions,
which IMO are all very reasonable.
Please let me know whether this is satisfactory.
Thanks.
Eric
On 11/26/2018 9:03 AM, Mirja Kuehlewind (IETF) wrote:
> Hi Eric,
>
> thanks for your detailed reply. Please see below.
>
>> Am 15.11.2018 um 19:07 schrieb Eric Rosen <ero...@juniper.net>:
>>
>> On 10/24/2018 8:28 AM, Mirja Kühlewind wrote:
>>> ---------------------------------------------------------------------
>>> DISCUSS:
>>> ----------------------------------------------------------------------
>>>
>>> In section 9 (security considerations):
>>> Thanks for discussing network load here! However, I find this sentence a bit
>>> unsatisfactory:
>>> „The specification of counter-measures for this problem is outside the
>>> scope
>>> of this document.“
>>> Isn’t there any easy way to make some more recommendations for counter
>>> measures
>>> that could be discussed here? E.g. implement some rate limiting or
>>> filtering.
>>> Or only accept LIR-PF request from preconfigured hosts (given that LIR-PF
>>> support must anyway be pre-configured)? I’m not an expert on this topic and
>>> therefore don’t know if any of such recommendations make sense, however, I
>>> would quickly like to discuss if it is potentially possible to say more than
>>> what’s current said. Thanks!
>> These particular suggestions don't really work in this context.
>>
>> - The set of Provider Edge routers (PEs) that attach to a given VPN is
>> always auto-discovered, never pre-configured. That's an important part
>> of the L3VPN value proposition. There are already mechanisms in place
>> to ensure that the S-PMSI A-D route gets sent only to the proper set of
>> egress PEs. Also, a properly functioning egress PE will only respond
>> with a Leaf A-D route if it has already auto-discovered the ingress PE.
>> (You might want to question the security of the L3VPN mechanisms, but
>> that would certainly be outside the scope of this document .)
>>
>> - Rate limiting the generation of Leaf A-D routes wouldn't work, because
>> the problem is not that one PE generates too many, but that too many PEs
>> may generate them. Rate limiting the processing of received Leaf A-D
>> routes is also problematic. In normal operation, you might correctly
>> get a whole bunch of them in quick succession, and if you don't process
>> them in a timely manner, the customers will see a high multicast "join
>> latency".
>>
>> In the particular sort of attack mentioned in the Security
>> Considerations section, an ingress PE originates an S-PMSI A-D route
>> with LIR-pF clear, but somehow the bit gets set before the route is
>> received by the egress PEs. As Alvaro has suggested, if an attacker
>> can modify the control messages, quite a bit of havoc can result, and
>> the particular attack under discussion is just one of many that can
>> occur if the control plane is not secure. I can certainly put in a
>> reference to RFCS 6192 and 7454 (as Alvaro suggests), if you think that
>> is helpful. Properly protecting the control plane should prevent this
>> kind of attack.
> Okay, then I would simply suggest to say this ("Properly protecting the
> control plane should prevent this kind of attack“) instead of just calling it
> out of scope.
>
>> In the event such an attack occurs, mitigating it is unfortunately not
>> very straightforward. The ingress node can take note of the fact that
>> it is getting Leaf A-D routes with LIR-pF set, in response to an S-PMSI
>> A-D route with LIR-pF clear. Withdrawing the S-PMSI A-D route could put
>> a stop to the attack. However, there are a few problems with this:
>>
>> - Under normal operation, there are some race conditions that may cause
>> the ingress node to think it is being attacked, when in fact it is not.
>>
>> - If some egress nodes have a bug that causes them to set LIR-pF when it
>> should be clear, withdrawing the S-PMSI A-D route will stop the flow of
>> multicast data traffic to all the egress nodes, causing an unnecessary
>> customer-visible disruption.
>>
>> - The same situation that caused the S-PMSI A-D route to be originated
>> in the first place will still exist after the S-PMSI A-D route is
>> withdrawn, so the route will just be re-originated.
>>
>> In other words, any action that would ameliorate the effects of this
>> sort of attack would have a negative effect during normal operation.
>> Therefore it is really better to rely on security mechanisms that
>> protect the control plane generally, rather than having a mechanism that
>> is focused on this one particular type of attack.
> This suggest that there is no good counter measure which would be more
> appropriate to say instead of calling it out of scope. I think it could even
> be helpful to add some of your explanation above to the security
> consideration section (instead of leaving this as an exercise to the reader).
>
>> We could say that if an ingress PE receives a Leaf A-D route with LIR-pF
>> set, and that route is a response to an S-PMSI A-D route that did not
>> have LIR-pF set, the event MUST be logged. This would generate some
>> noise in the log during normal operation, but could provide at least a
>> hint that an attack is occurring.
> I think this would be a good recommendation. I guess it actually does have to
> be a MUST, or you could say something like MUST be logged by default but can
> be configured differently if the protection mechanism used for the control
> plan is monitored. As I said, I’m really no expert here and you need to
> decide if that makes any sense though.
>
> Mirja
>
>
>> What do you think?
>>
>>> ----------------------------------------------------------------------
>>> COMMENT:
>>> ----------------------------------------------------------------------
>>>
>>> Some other minor comments:
>>> 1) section 2: „Use of this flag in the PTA carried by other route types
>>> is outside
>>> the scope of this document. Use of this flag in the PTA carried by
>>> an S-PMSI A-D routes whose NLRI does not contain a wildcard is
>>> outside the scope of this document.“
>>> Maybe you also want to say something like „The flag SHOULD be ignored in
>>> these cases.“..?
>> Agreed.
>>
>>> 2) section 3
>>> s/The result (if any) is the match for tracking“/The result (if any) is the
>>> “match for tracking“/
>>> (missing quotes)
>> Fixed in the next revision.
_______________________________________________
BESS mailing list
BESS@ietf.org
https://www.ietf.org/mailman/listinfo/bess
