Re: [Bier] Secdir last call review of draft-ietf-bier-oam-requirements-12
Greg Mirsky <gregimirsky@gmail.com> Thu, 10 August 2023 16:18 UTC
Return-Path: <gregimirsky@gmail.com>
X-Original-To: bier@ietfa.amsl.com
Delivered-To: bier@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33B74C14CE25; Thu, 10 Aug 2023 09:18:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Loj1TvISRqJH; Thu, 10 Aug 2023 09:18:11 -0700 (PDT)
Received: from mail-yw1-x1133.google.com (mail-yw1-x1133.google.com [IPv6:2607:f8b0:4864:20::1133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91426C14CEFC; Thu, 10 Aug 2023 09:18:06 -0700 (PDT)
Received: by mail-yw1-x1133.google.com with SMTP id 00721157ae682-58451ecf223so13021767b3.1; Thu, 10 Aug 2023 09:18:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1691684285; x=1692289085; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=71qnwbKOnwPQTR6Qgf6RrftO2f9Vy59HZF6rRMUiW50=; b=BTNTZ7FDsdDnvAG/3nOM9fx7iF+enLa5r/6jyld0j4OeR0gOuCjmM64CbcBEM/ibgE bNrZs5CIA4pviGuEdasZgCNRIwDjLabpiUuJ2JkGDeouHdFX90/576XCEj17YgXV14HS k3pyX62vEN0LzADNgDCIgjcRbiKfbq1YKc0l9f10X4iDSd2VBSwlafmgs5tAU+oqSKJb RZUUjIxTkNzq0TidTvMRVR/zvYxbQOa349W0abb7+rOaZzDzQUVnxbM1QQ+vNg8tDU+u FzKpysM2yIltqsMARFT5i7OnS8G8wCN6OnQ2k3UJ7LLHVhHftEZhe53tsdrYhU5kfLtv d+hA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691684285; x=1692289085; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=71qnwbKOnwPQTR6Qgf6RrftO2f9Vy59HZF6rRMUiW50=; b=bxTh235pk6ovpWR3xCE+x3QBjMthFqy8pFcpyQoDa53hV94o9MEWEr4Zq0amb/KGKZ PgESL9c9GsdBT/uCBpFN70kJm0RnJ3TcfI1ZNq0yMcDurO7Zacxy5xs9Ndg/RtoB+MyX k0VR+08KFZJiPYNG8qAs3oEWv7gFLQrP+x/Z1A6hblWH5UsnUQ9FLfoGEeNeEJKS2wng FQeWmeKIID83KqRAW+LI6bLnR47OU7/R7AmLuQJN+4f7wr5I71f8hnTQIO3awiSaBhsr vnmVsGTcKj//Hh0w+ccMCLJU224qEcsk7dAcTfjZiuT7UR404qxlA96Pm1LlgWeINtX6 cXvg==
X-Gm-Message-State: AOJu0Yx8C8gTtTEZxWUti7m+JNTuvdUszeU7Wf+CCBDwVrYJCxNBxWw0 +r5hMSSZAmMG2OtaZHV9X3fe84VBw2NLAeCxjZYZdT/N
X-Google-Smtp-Source: AGHT+IFZlewmFzuLKuXFKj4L7MgfUSC1RNmvN5Ns7UtLv2hiLOHT7i0xcTgBYZtwHdrEbdx5WPWOAM2EeYbfAW33ICU=
X-Received: by 2002:a0d:ef82:0:b0:56d:5272:d540 with SMTP id y124-20020a0def82000000b0056d5272d540mr2928482ywe.46.1691684285426; Thu, 10 Aug 2023 09:18:05 -0700 (PDT)
MIME-Version: 1.0
References: <169160814305.42427.16864377745174297952@ietfa.amsl.com> <CA+RyBmUrffiM6PE1L_bsm+VpKaga3jtLFNF=OduORiXiUPCW_A@mail.gmail.com> <CALaySJ+H8fnerC-vKOz+25u_KTuFL2dZ06CjzRfj=cQA+jb5RQ@mail.gmail.com>
In-Reply-To: <CALaySJ+H8fnerC-vKOz+25u_KTuFL2dZ06CjzRfj=cQA+jb5RQ@mail.gmail.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Thu, 10 Aug 2023 09:17:54 -0700
Message-ID: <CA+RyBmUndFwXnkLyt4J4T82V2j2g=ehK4WkSncKsrbdaRHEJHg@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Cc: bier@ietf.org, draft-ietf-bier-oam-requirements.all@ietf.org, last-call@ietf.org, secdir@ietf.org
Content-Type: multipart/alternative; boundary="000000000000e7b0bd060293f0ca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/bier/zx55GRVJnhrmjDV8NxiabjoPraM>
Subject: Re: [Bier] Secdir last call review of draft-ietf-bier-oam-requirements-12
X-BeenThere: bier@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "\"Bit Indexed Explicit Replication discussion list\"" <bier.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bier>, <mailto:bier-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/bier/>
List-Post: <mailto:bier@ietf.org>
List-Help: <mailto:bier-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bier>, <mailto:bier-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Aug 2023 16:18:16 -0000
Hi Barry, thank you for your kind consideration of the proposed update. I've uploaded the new version. Regards, Greg On Wed, Aug 9, 2023 at 7:28 PM Barry Leiba <barryleiba@computer.org> wrote: > Thanks, Greg, for considering my comments; the text you propose is > useful. I can’t attest to its completeness, as routing and OAM aren’t my > expertise. But it makes it clear that thought was put into this. > > Barry > > On Wed, Aug 9, 2023 at 6:50 PM Greg Mirsky <gregimirsky@gmail.com> wrote: > >> Hi Barry, >> thank you for your comments and suggestions. I agree that even though >> this document lists requirements for BIER OAM, the Security Consideration >> section should be more useful to a reader. Below is the proposed update: >> OLD TEXT: >> This document lists the OAM requirement for a BIER-enabled domain and >> does not raise any security concerns or issues in addition to ones >> common to networking. >> NEW TEXT: >> This document lists the OAM requirement for a BIER-enabled domain and >> thus inherits security considerations discussed in [RFC8279] and >> [RFC8296]. Another general security aspect results from using active >> OAM protocols, according to the [RFC7799], in a multicast network. >> Active OAM protocols inject specially constructed test packets, and >> some active OAM protocols are based on the echo request/reply >> principle. In the multicast network, test packets are replicated as >> data packets, thus creating a possible amplification effect of >> multiple echo responses being transmitted to the sender of the echo >> request. Thus, an implementation of BIER OAM MUST protect the >> control plane from spoofed replies. Also, an implementation of BIER >> OAM MUST provide control of the number of BIER OAM messages sent to >> the control plane. >> >> What are your thoughts about the new text? I greatly appreciate your >> comments, suggestions, and questions. >> >> Regards, >> Greg >> >> On Wed, Aug 9, 2023 at 12:09 PM Barry Leiba via Datatracker < >> noreply@ietf.org> wrote: >> >>> Reviewer: Barry Leiba >>> Review result: Has Issues >>> >>> The only comment I have from a security standpoint is that the Security >>> Considerations seem basically absent, saying no more than "Nothing to see >>> here." That's common and easy to say, but I expected some explanation >>> of how >>> the requirements specified in the document are needed to ensure a robust >>> and >>> secure BIER system. I wouldn't expect pages of text, but I'm surprised >>> to see >>> nothing at all. Is it really the case that an OAM system for BIER would >>> do >>> nothing to enhance security, nothing to alert us to BIER-specific >>> attacks? >>> >>> >>>
- [Bier] Secdir last call review of draft-ietf-bier… Barry Leiba via Datatracker
- Re: [Bier] Secdir last call review of draft-ietf-… Greg Mirsky
- Re: [Bier] Secdir last call review of draft-ietf-… Barry Leiba
- Re: [Bier] Secdir last call review of draft-ietf-… Greg Mirsky