Ixia controller security risk (TLS 1.1 enabled)

[Pterosaur]

Some test cases depend on the Ixia controller(CONTROLLER_VERSION=0.0.1-3587) platform as the traffic generator which is deployed at:

DASH/test/third-party/traffic_gen/deploy_ixiac.sh

Line 4 in 7dd0ba0

docker-compose -f deployment/ixia-c-deployment.yml up -d

But the controller service support TLS 1.0 and TLS1.1 which are unsafe to downgrade attacks since they rely on SHA-1 hash for the integrity of exchanged messages.

We should upgrade the controller or disable the TLS 1.0 and 1.1 support in this controller.

[Pterosaur]

@lguohan Please help to assign this issue to a proper person.

[chrispsommers]

@Pterosaur This controller is used for CI/CD testing in the test pipeline, in a very controlled environment. Why is this deemed a security risk? It is not a production component. I will investigate your claims but I don't see how this is a "risk."

[lguohan]

@chrispsommers , unfortunately we are treating test environment the same way as production, so it is a secuirty risk for us. we can not run it till TLS 1.0 AND 1.1 are disabled.

[Pterosaur]

We can check whether a service support TLS 1.1 by the command openssl s_client -connect 127.0.0.1:443 -tls1_1 -cipher DEFAULT@SECLEVEL=1

[chrispsommers]

I've logged issue open-traffic-generator/ixia-c#125 and our team will look into it ASAP. Thanks for bringing this to our attention!

[Pterosaur]

The issue version we are using is 0.0.1-3587. But I tried some controllers with newer versions from(https://github.com/orgs/open-traffic-generator/packages/container/package/ixia-c-controller) that cannot pass all test cases of DASH. I guess the interfaces has been modified.

[chrispsommers]

Hi @Pterosaur, the controller and traffic engines are released as a compatible set (see here), so you can't just upgrade one and get a predictable result. AFAIK all controllers have same issue. We are treating it seriously and will address it ASAP.

Depending upon which commit of DASH you used, you might have picked up a version which had a CI failure due to a sequence of MRs which caused a regression, since fixed in #355. If the failures you saw look similar to https://github.com/sonic-net/DASH/actions/runs/4555886865/jobs/8036577440#step:22:1394 this would explain it. If not, perhaps it was the controller/traffic-engine pairing.

[chrispsommers]

New version of ixia-c resolves this issue https://github.com/open-traffic-generator/ixia-c/releases/tag/v0.0.1-4064, I will upgrade the DASH test infra to use it soon.