Last Call Review of draft-ietf-tcpm-yang-tcp-06
review-ietf-tcpm-yang-tcp-06-secdir-lc-orman-2022-03-03-00

Request Review of draft-ietf-tcpm-yang-tcp
Requested revision No specific revision (document currently at 09)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2022-03-02
Requested 2022-02-16
Authors Michael Scharf , Mahesh Jethanandani , Vishal Murgai
I-D last updated 2022-03-03
Completed reviews Genart Last Call review of -06 by Stewart Bryant (diff)
Yangdoctors Early review of -06 by Ebben Aries (diff)
Opsdir Last Call review of -06 by Gyan Mishra (diff)
Secdir Last Call review of -06 by Hilarie Orman (diff)
Tsvart Last Call review of -06 by Gorry Fairhurst (diff)
Secdir Telechat review of -07 by Hilarie Orman (diff)
Opsdir Telechat review of -07 by Gyan Mishra (diff)
Assignment Reviewer Hilarie Orman
State Completed
Request Last Call review on draft-ietf-tcpm-yang-tcp by Security Area Directorate Assigned
Posted at https://mailarchive.ietf.org/arch/msg/secdir/rPgf6d_1Uv1BuUJ7JlB07qBdLV8
Reviewed revision 06 (document currently at 09)
Result Has issues
Completed 2022-03-02
review-ietf-tcpm-yang-tcp-06-secdir-lc-orman-2022-03-03-00
                    Security review of 
A YANG Model for Transmission Control Protocol (TCP) Configuration
                draft-ietf-tcpm-yang-tcp-06

Do not be alarmed.  I generated this review of this document as part
of the security directorate's ongoing effort to review all IETF
documents being processed by the IESG.  These comments were written
with the intent of improving security requirements and considerations
in IETF drafts.  Comments not addressed in last call may be included
in AD reviews during the IESG review.  Document editors and WG chairs
should treat these comments just like any other last call comments.

The abstract:
   This document specifies a minimal YANG model for TCP on devices that
   are configured by network management protocols.  The YANG model
   defines a container for all TCP connections and groupings of
   authentication parameters that can be imported and used in TCP
   implementations or by other models that need to configure TCP
   parameters.  The model also includes basic TCP statistics. 

This is a well-written document that brings up a troubling issue, the
outdated use of a keyed hash for authentication in TCP.  The fact that
there is such an option seems to be an expediency introduced long ago.
Originally, the hash algorithm was MD5, which made sense at the time.
Apparently that has become deeply embedded in network infrastructure.
Although the Authentication Option was later updated to include a
better hash algorithm, the unfortunate choice was SHA-1.  Both MD5 and
SHA-1 are considered "broken".

The keyed hash with MD5 or SHA-1 might be justified as "better than
nothing" or "good enough for our use cases", but it has the effect of
forcing two bad hash algorithms to reside permanently in the code base
for network management.  There are security efforts to move to
post-quantum cryptography and a quantum Internet, yet the oldest and
most unsuitable cryptographic algorithms seem set in stone.  It is as
though one looked into an ALU with a microscope and found a tiny
abacus etched into the silicon for backwards compatibility.

>From a security standpoint, it would be best if the YANG TCP document
were to recommend strongly against using TCP authentication no matter
what the hash algorithm is.  The recommended security solution is to
use IPSec or TLS to secure connections.

In the event that TCP authentication remains in YANG, I note that
there are no statistics kept for authentication failures.  If a shared
key falls out of synch, the statistics might help detect that.

Hilarie