Hi Tal,
thank you for your careful consideration of my comments and detailed responses. Please find my follow-up notes in-line below under the GIM>> tag.
Regards,
Greg
On Wed, Nov 25, 2020 at 1:56 AM Tal Mizrahi <tal.mizrahi.phd@xxxxxxxxx> wrote:
Hi Greg,
Thanks for the comments.
Please see my comments below, marked [TM].
Thanks,
Tal.
On Tue, Nov 24, 2020 at 11:30 PM Greg Mirsky <gregimirsky@xxxxxxxxx> wrote:
>
> Dear All,
> I have several comments related to the security aspects of this specification:
>
> although this draft does not define network-specific encapsulation of IAOM data, it would the right place to introduce a generic method of IAOM data integrity protection. As noted in the Security Considerations section, IOAM trace options and collected information may become the target of a malicious attack. Protecting the integrity of data with HMAC seems like the right option. It seems reasonable that the text used to calculate HMAC includes in addition to the IOAM trace option header and an IOAM node data field that uniquely identify the source of the packet that includes IOAM trace. For example, in an IP network, the IP source address can be concatenated with the IAOM trace option header. The integrity of each IAOM node data record can also be protected by HMAC. The data record can be concatenated with, for example, the IOAM option header to form the text used in the calculation of the HMAC. While the detailed construction of the text used in HMAC calculation could be provided in network-specific documents, it seems appropriate to require the optional use of HMAC for the integrity protection of the IOAM option header and IOAM data record in this document.
[TM] Integrity protection is an important security consideration.
Thanks to your previous comments about this issue we have added the
following text to the security considerations section:
In particular, these threats are applicable by compromising
the integrity of IOAM data, either by maliciously modifying IOAM
options in transit, or by injecting packets with maliciously
generated IOAM options
Specifically, implementing HMAC by hardware devices such as switches
and routers in wire speed may be challenging.
My feeling is that even if we decided to define an HMAC, it would end
up being something that is not implemented by most vendors.
GIM>> I appreciate the proposed text but am not convinced that the limitations of the current HW platforms are a factor that should limit our definition of the comprehensive and secure protocol. I agree, there's always a difference between the specification of a protocol and its implementation. How a vendor decides to implement and how an operator chooses to deploy the protocol is outside of our control as a group the defines the protocol specification. But I believe that the proper protocol specification must include security mechanisms that protect data integrity. Whether the protocol also protects the privacy of the data or relies on the security mechanisms outside of the protocol, in my opinion, is an open question but it should be explained in the protocol specification.
I would suggest to consider a new IOAM option that incorporates an
HMAC, which can be used alongside the conventional trace options. This
would allow an optional integrity protection capability for those
specific implementations that require it. This new option could be
defined in a new draft, allowing the data draft to proceed to
publication.
GIM>> I think that proceeding without addressing the essential security issue of the protocol might be premature and may produce implementations that are vulnerable to attacks.
> I have some concern over using the Checksum Complement in the IPv6 network. RFC 6936 provided us with the most detailed analysis for using zero UDP checksum in the IPv6 network. As I understand the purpose of the Checksum Complement, its security impact is similar to the one of using zero UDP checksum. I think that the use of Checksum Complement in the IPv6 network should be explicitly discussed in the document. I'd recommend adding the reference to RFC 6936 and provide arguments supporting the use of the Checksum Complement in the IPv6 network.
[TM] The Checksum Complement is a field that simplifies the checksum
update for hardware switches/routers. Unlike zero checksum, the
destination *does* verify the checksum when a checksum complement is
used. Therefore, in my opinion the zero checksum considerations are
not relevant in this context.
>From a security perspective, I do not think a Checksum Complement has
any security implications. I believe it was phrased well in RFC 7820
(OWAMP/TWAMP Checksum Complement):
It is important to emphasize that the scheme described in this
document does not increase the protocol's vulnerability to MITM
attacks; a MITM attacker who maliciously modifies a packet and its
Checksum Complement is logically equivalent to a MITM attacker who
modifies a packet and its UDP Checksum field.
GIM>> As I recall, one of the reasons RFC 7820 was published as Experimental was concern about the security impact of the proposed mechanism. If my recollection of the discussion of the security impact RFC 7820 may have in a network is accurte, I'll maintain my concern regarding the Checksum Complement option in IOAM.
>
> Regards,
> Greg
>
> On Tue, Nov 24, 2020 at 10:25 AM The IESG <iesg-secretary@xxxxxxxx> wrote:
>>
>>
>> The IESG has received a request from the IP Performance Measurement WG (ippm)
>> to consider the following document: - 'Data Fields for In-situ OAM'
>> <draft-ietf-ippm-ioam-data-11.txt> as Proposed Standard
>>
>> The IESG plans to make a decision in the next few weeks, and solicits final
>> comments on this action. Please send substantive comments to the
>> last-call@xxxxxxxx mailing lists by 2020-12-08. Exceptionally, comments may
>> be sent to iesg@xxxxxxxx instead. In either case, please retain the beginning
>> of the Subject line to allow automated sorting.
>>
>> Abstract
>>
>>
>> In-situ Operations, Administration, and Maintenance (IOAM) records
>> operational and telemetry information in the packet while the packet
>> traverses a path between two points in the network. This document
>> discusses the data fields and associated data types for in-situ OAM.
>> In-situ OAM data fields can be encapsulated into a variety of
>> protocols such as NSH, Segment Routing, Geneve, IPv6 (via extension
>> header), or IPv4. In-situ OAM can be used to complement OAM
>> mechanisms based on e.g. ICMP or other types of probe packets.
>>
>>
>>
>>
>> The file can be obtained via
>> https://datatracker.ietf.org/doc/draft-ietf-ippm-ioam-data/
>>
>>
>> The following IPR Declarations may be related to this I-D:
>>
>> https://datatracker.ietf.org/ipr/3526/
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> ippm mailing list
>> ippm@xxxxxxxx
>> https://www.ietf.org/mailman/listinfo/ippm
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call
