Re: [Last-Call] [ippm] Last Call: <draft-ietf-ippm-ioam-data-11.txt> (Data Fields for In-situ OAM) to Proposed Standard

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Greg,

Thanks for the comments.
Please see my comments below, marked [TM].

Thanks,
Tal.



On Tue, Nov 24, 2020 at 11:30 PM Greg Mirsky <gregimirsky@xxxxxxxxx> wrote:
>
> Dear All,
> I have several comments related to the security aspects of this specification:
>
> although this draft does not define network-specific encapsulation of IAOM data, it would the right place to introduce a generic method of IAOM data integrity protection. As noted in the Security Considerations section, IOAM trace options and collected information may become the target of a malicious attack. Protecting the integrity of data with HMAC seems like the right option. It seems reasonable that the text used to calculate HMAC includes in addition to the IOAM trace option header and an IOAM node data field that uniquely identify the source of the packet that includes IOAM trace. For example, in an IP network, the IP source address can be concatenated with the IAOM trace option header. The integrity of each IAOM node data record can also be protected by HMAC. The data record can be concatenated with, for example, the IOAM option header to form the text used in the calculation of the HMAC. While the detailed construction of the text used in HMAC calculation could be provided 
 in network-specific documents, it seems appropriate to require the optional use of HMAC for the integrity protection of the IOAM option header and IOAM data record in this document.

[TM] Integrity protection is an important security consideration.
Thanks to your previous comments about this issue we have added the
following text to the security considerations section:

   In particular, these threats are applicable by compromising
   the integrity of IOAM data, either by maliciously modifying IOAM
   options in transit, or by injecting packets with maliciously
   generated IOAM options

Specifically, implementing HMAC by hardware devices such as switches
and routers in wire speed may be challenging.
My feeling is that even if we decided to define an HMAC, it would end
up being something that is not implemented by most vendors.

I would suggest to consider a new IOAM option that incorporates an
HMAC, which can be used alongside the conventional trace options. This
would allow an optional integrity protection capability for those
specific implementations that require it. This new option could be
defined in a new draft, allowing the data draft to proceed to
publication.


> I have some concern over using the Checksum Complement in the IPv6 network. RFC 6936 provided us with the most detailed analysis for using zero UDP checksum in the IPv6 network. As I understand the purpose of the Checksum Complement, its security impact is similar to the one of using zero UDP checksum. I think that the use of Checksum Complement in the IPv6 network should be explicitly discussed in the document. I'd recommend adding the reference to RFC 6936 and provide arguments supporting the use of the Checksum Complement in the IPv6 network.

[TM] The Checksum Complement is a field that simplifies the checksum
update for hardware switches/routers. Unlike zero checksum, the
destination *does* verify the checksum when a checksum complement is
used. Therefore, in my opinion the zero checksum considerations are
not relevant in this context.
>From a security perspective, I do not think a Checksum Complement has
any security implications. I believe it was phrased well in RFC 7820
(OWAMP/TWAMP Checksum Complement):

   It is important to emphasize that the scheme described in this
   document does not increase the protocol's vulnerability to MITM
   attacks; a MITM attacker who maliciously modifies a packet and its
   Checksum Complement is logically equivalent to a MITM attacker who
   modifies a packet and its UDP Checksum field.



>
> Regards,
> Greg
>
> On Tue, Nov 24, 2020 at 10:25 AM The IESG <iesg-secretary@xxxxxxxx> wrote:
>>
>>
>> The IESG has received a request from the IP Performance Measurement WG (ippm)
>> to consider the following document: - 'Data Fields for In-situ OAM'
>>   <draft-ietf-ippm-ioam-data-11.txt> as Proposed Standard
>>
>> The IESG plans to make a decision in the next few weeks, and solicits final
>> comments on this action. Please send substantive comments to the
>> last-call@xxxxxxxx mailing lists by 2020-12-08. Exceptionally, comments may
>> be sent to iesg@xxxxxxxx instead. In either case, please retain the beginning
>> of the Subject line to allow automated sorting.
>>
>> Abstract
>>
>>
>>    In-situ Operations, Administration, and Maintenance (IOAM) records
>>    operational and telemetry information in the packet while the packet
>>    traverses a path between two points in the network.  This document
>>    discusses the data fields and associated data types for in-situ OAM.
>>    In-situ OAM data fields can be encapsulated into a variety of
>>    protocols such as NSH, Segment Routing, Geneve, IPv6 (via extension
>>    header), or IPv4.  In-situ OAM can be used to complement OAM
>>    mechanisms based on e.g.  ICMP or other types of probe packets.
>>
>>
>>
>>
>> The file can be obtained via
>> https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-data/
>>
>>
>> The following IPR Declarations may be related to this I-D:
>>
>>    https://datatracker.ietf.org/ipr/3526/
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> ippm mailing list
>> ippm@xxxxxxxx
>> https://www.ietf.org/mailman/listinfo/ippm

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call



[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux