Re: [Bier] Secdir last call review of draft-ietf-bier-oam-requirements-12
Barry Leiba <barryleiba@computer.org> Thu, 10 August 2023 02:28 UTC
Return-Path: <barryleiba@gmail.com>
X-Original-To: bier@ietfa.amsl.com
Delivered-To: bier@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 493DDC1524B2; Wed, 9 Aug 2023 19:28:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.409
X-Spam-Level:
X-Spam-Status: No, score=-1.409 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aLEXJI_fC0S0; Wed, 9 Aug 2023 19:28:49 -0700 (PDT)
Received: from mail-lf1-f42.google.com (mail-lf1-f42.google.com [209.85.167.42]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E053C151530; Wed, 9 Aug 2023 19:28:11 -0700 (PDT)
Received: by mail-lf1-f42.google.com with SMTP id 2adb3069b0e04-4fe11652b64so596541e87.0; Wed, 09 Aug 2023 19:28:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691634489; x=1692239289; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=LYWCWzn9659qIjdpbPwMHGYr0y7nv5xue288Wl12E+g=; b=GxPYD+M5Q6GUSBLGTq8uKF+hm2aPIIszcvboqFWe+Fg6xoIEehNF1axsTal/99eUsY 2wSSRShstB54MRpRFJzp0W99SsshKlFM+0LBsuwxU49fffJE9ePpuOfLv7nULFgLwuk+ Y3D+rANW2yhSY2E76t7nPWlgu4c4h3CFNauvLHMH8tJ5snLnVVUeJVtQaDzLgjezOikA O91+oKBZZWrQAQ2GMmaIxad1WGviJid2eAXpNJSKpMR8jsYgtYBAgTiil9XqeZ2WQxQ9 2yGsAiB5nYNUQfs4d5QhczraOh/OV11tq8uX6+U5DBHTYIrt4j3pSgTv6ehMCnyK8i4Z p8eg==
X-Gm-Message-State: AOJu0Yzc+c1GIM7S/8mkL8i1ULiPl+kuY9J3TSiknbZ2zct34zneXh5H en7Q6sJk5AUkTk1memIUwW1kTGnC7uEfR6CR6Kw=
X-Google-Smtp-Source: AGHT+IHgTZ4jrCcC/Lb6DwZuoueYIKPe6RXIJgjH0z+KXmFHnx5ylsce1XsA7jMS0kOufekMuCzKY8O4F01SPyKl//k=
X-Received: by 2002:a05:6512:acf:b0:4f8:6e6e:4100 with SMTP id n15-20020a0565120acf00b004f86e6e4100mr775002lfu.52.1691634489328; Wed, 09 Aug 2023 19:28:09 -0700 (PDT)
MIME-Version: 1.0
References: <169160814305.42427.16864377745174297952@ietfa.amsl.com> <CA+RyBmUrffiM6PE1L_bsm+VpKaga3jtLFNF=OduORiXiUPCW_A@mail.gmail.com>
In-Reply-To: <CA+RyBmUrffiM6PE1L_bsm+VpKaga3jtLFNF=OduORiXiUPCW_A@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
Date: Wed, 09 Aug 2023 22:27:58 -0400
Message-ID: <CALaySJ+H8fnerC-vKOz+25u_KTuFL2dZ06CjzRfj=cQA+jb5RQ@mail.gmail.com>
To: Greg Mirsky <gregimirsky@gmail.com>
Cc: bier@ietf.org, draft-ietf-bier-oam-requirements.all@ietf.org, last-call@ietf.org, secdir@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d386840602885857"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bier/x2UB1drjwXsaPobNe0OLs7kKEp8>
Subject: Re: [Bier] Secdir last call review of draft-ietf-bier-oam-requirements-12
X-BeenThere: bier@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "\"Bit Indexed Explicit Replication discussion list\"" <bier.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bier>, <mailto:bier-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bier/>
List-Post: <mailto:bier@ietf.org>
List-Help: <mailto:bier-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bier>, <mailto:bier-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Aug 2023 02:28:51 -0000
Thanks, Greg, for considering my comments; the text you propose is useful. I can’t attest to its completeness, as routing and OAM aren’t my expertise. But it makes it clear that thought was put into this. Barry On Wed, Aug 9, 2023 at 6:50 PM Greg Mirsky <gregimirsky@gmail.com> wrote: > Hi Barry, > thank you for your comments and suggestions. I agree that even though this > document lists requirements for BIER OAM, the Security Consideration > section should be more useful to a reader. Below is the proposed update: > OLD TEXT: > This document lists the OAM requirement for a BIER-enabled domain and > does not raise any security concerns or issues in addition to ones > common to networking. > NEW TEXT: > This document lists the OAM requirement for a BIER-enabled domain and > thus inherits security considerations discussed in [RFC8279] and > [RFC8296]. Another general security aspect results from using active > OAM protocols, according to the [RFC7799], in a multicast network. > Active OAM protocols inject specially constructed test packets, and > some active OAM protocols are based on the echo request/reply > principle. In the multicast network, test packets are replicated as > data packets, thus creating a possible amplification effect of > multiple echo responses being transmitted to the sender of the echo > request. Thus, an implementation of BIER OAM MUST protect the > control plane from spoofed replies. Also, an implementation of BIER > OAM MUST provide control of the number of BIER OAM messages sent to > the control plane. > > What are your thoughts about the new text? I greatly appreciate your > comments, suggestions, and questions. > > Regards, > Greg > > On Wed, Aug 9, 2023 at 12:09 PM Barry Leiba via Datatracker < > noreply@ietf.org> wrote: > >> Reviewer: Barry Leiba >> Review result: Has Issues >> >> The only comment I have from a security standpoint is that the Security >> Considerations seem basically absent, saying no more than "Nothing to see >> here." That's common and easy to say, but I expected some explanation of >> how >> the requirements specified in the document are needed to ensure a robust >> and >> secure BIER system. I wouldn't expect pages of text, but I'm surprised >> to see >> nothing at all. Is it really the case that an OAM system for BIER would >> do >> nothing to enhance security, nothing to alert us to BIER-specific attacks? >> >> >>
- [Bier] Secdir last call review of draft-ietf-bier… Barry Leiba via Datatracker
- Re: [Bier] Secdir last call review of draft-ietf-… Greg Mirsky
- Re: [Bier] Secdir last call review of draft-ietf-… Barry Leiba
- Re: [Bier] Secdir last call review of draft-ietf-… Greg Mirsky
- [Bier] Re: Secdir last call review of draft-ietf-… Greg Mirsky
- [Bier] [secdir] Re: Secdir last call review of dr… Tero Kivinen
- [Bier] Re: [secdir] Re: Secdir last call review o… Greg Mirsky
- [Bier] Re: [Last-Call] Re: [secdir] Re: Secdir la… Robert Sparks
- [Bier] Re: [secdir] Re: Secdir last call review o… Gunter van de Velde (Nokia)