IETF Logo Mail Archive

Re: [ippm] Secdir last call review of draft-ietf-ippm-stamp-on-lag-05

Tianran Zhou <zhoutianran@huawei.com> Tue, 12 December 2023 00:20 UTC

Return-Path: <zhoutianran@huawei.com>
X-Original-To: ippm@ietfa.amsl.com
Delivered-To: ippm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E5EEC0111E2; Mon, 11 Dec 2023 16:20:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.907
X-Spam-Level:
X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BRbksNw9z1GL; Mon, 11 Dec 2023 16:20:24 -0800 (PST)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2666DC00EA44; Mon, 11 Dec 2023 16:20:24 -0800 (PST)
Received: from mail.maildlp.com (unknown [172.18.186.216]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4SpzlV71svz67G9Y; Tue, 12 Dec 2023 08:20:06 +0800 (CST)
Received: from lhrpeml100005.china.huawei.com (unknown [7.191.160.25]) by mail.maildlp.com (Postfix) with ESMTPS id 8C474140B35; Tue, 12 Dec 2023 08:20:21 +0800 (CST)
Received: from kwepemd200004.china.huawei.com (7.221.188.67) by lhrpeml100005.china.huawei.com (7.191.160.25) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.35; Tue, 12 Dec 2023 00:20:20 +0000
Received: from kwepemd100004.china.huawei.com (7.221.188.31) by kwepemd200004.china.huawei.com (7.221.188.67) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1258.28; Tue, 12 Dec 2023 08:20:18 +0800
Received: from kwepemd100004.china.huawei.com ([7.221.188.31]) by kwepemd100004.china.huawei.com ([7.221.188.31]) with mapi id 15.02.1258.028; Tue, 12 Dec 2023 08:20:18 +0800
From: Tianran Zhou <zhoutianran@huawei.com>
To: Nancy Cam-Winget <ncamwing@cisco.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-ippm-stamp-on-lag.all@ietf.org" <draft-ietf-ippm-stamp-on-lag.all@ietf.org>, "ippm@ietf.org" <ippm@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-ippm-stamp-on-lag-05
Thread-Index: AQHaLIe0bZ9emnts5EOqJYVLvQsfs7CkvhPw
Date: Tue, 12 Dec 2023 00:20:18 +0000
Message-ID: <d6853f54c6e445cc86854cddc36c1429@huawei.com>
References: <170233642311.18189.17365955358786524328@ietfa.amsl.com>
In-Reply-To: <170233642311.18189.17365955358786524328@ietfa.amsl.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.112.40.118]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ippm/u6dEgIPi-XuFYJ3IU_8J0eYw5uI>
Subject: Re: [ippm] Secdir last call review of draft-ietf-ippm-stamp-on-lag-05
X-BeenThere: ippm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF IP Performance Metrics Working Group <ippm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ippm>, <mailto:ippm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ippm/>
List-Post: <mailto:ippm@ietf.org>
List-Help: <mailto:ippm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ippm>, <mailto:ippm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Dec 2023 00:20:30 -0000

Hi Nancy,

Thanks very much for this expert review from the security point of view.
I am not sure if the confidentiality and privacy are really issues in this proposal.
Because the "Sender Micro-session ID" in the message is not really the sender hardware id. It's assigned by the controller.
There is mapping between "Sender Micro-session ID" and "Sender member link identifiers".
So you can see there is text in Section 3.2:
"The mapping between a micro STAMP session and the Sender/Reflector member
   link identifiers can be configured by augmenting the STAMP YANG
   [I-D.ietf-ippm-stamp-yang]." 
And the configuration channel is secured by TLS.

Best,
Tianran

-----Original Message-----
From: Nancy Cam-Winget via Datatracker [mailto:noreply@ietf.org] 
Sent: Tuesday, December 12, 2023 7:14 AM
To: secdir@ietf.org
Cc: draft-ietf-ippm-stamp-on-lag.all@ietf.org; ippm@ietf.org; last-call@ietf.org
Subject: Secdir last call review of draft-ietf-ippm-stamp-on-lag-05

Reviewer: Nancy Cam-Winget
Review result: Has Issues

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.


This document defines an extension to the Simple Two-Way Active Measurement Protocol (STAMP) to facilitate performance measurement on every member link of a tag.  As such, the proposed extension is to define a Micro-session identifier and a Session-Reflector member link identifier.

Issue:
As this draft is now exposing identifiers to the actual nodes in the link, there must be inclusions that describe the potential exposure of these nodes given their identifiers are now explicitly communicated.
RFC 8762 only addresses the integrity not the confidentiality of the information disclosed which with the session identifier now needs to be considered.  In addition, privacy considerations describing the potential consequences of this disclosure can lead to.

v2.23.0 | Report a Bug | By Email