[Isis-wg] Kathleen Moriarty's Discuss on draft-ietf-isis-l2bundles-05: (with DISCUSS)
Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com> Wed, 24 May 2017 15:49 UTC
From: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-isis-l2bundles@ietf.org, isis-chairs@ietf.org, hannes@gredler.at, isis-wg@ietf.org
Message-ID: <149564095549.28549.3563573514142018683.idtracker@ietfa.amsl.com>
Date: Wed, 24 May 2017 08:49:15 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/isis-wg/x38C5ZXaL4bEV-aJZPjGhHM_YUM>
Subject: [Isis-wg] Kathleen Moriarty's Discuss on draft-ietf-isis-l2bundles-05: (with DISCUSS)
List-Id: IETF IS-IS working group <isis-wg.ietf.org>
Kathleen Moriarty has entered the following ballot position for
draft-ietf-isis-l2bundles-05: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-isis-l2bundles/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

I agree that there need to be security considerations and have the following suggestions to help fill in that section. I think I caught the added considerations, but please expand on it if I've missed something.

The draft seems to enable methods to gather information on connected links and the available bandwidth. That should be mentioned as a vulnerability, exposing path information (connections/links and bandwidth). This is a consideration in other IS-IS RFCs and is specific to the TLVs and sub-TLVs of this draft as well, as far as I can tell, but please correct me if I am missing something.

The use of the sub-TLV identifiers provides path information that should be a security consideration in the write-up:

   o IPv4 Interface Address (sub-TLV 6 defined in [RFC5305])
   o IPv6 Interface Address (sub-TLV 12 defined in [RFC6119])
   o Link Local/Remote Identifiers (sub-TLV 4 defined in [RFC5307])

Within a single operator environment, the concerns are mitigated, but not eliminated, since it does not appear that encryption is used.
The following text from RFC7917 seems like a useful addition to these security considerations along with an explanation of what is possibly exposed with this draft (above): Security concerns for IS-IS are already addressed in [ISO10589], [RFC5304], and [RFC5310] and are applicable to the mechanisms described in this document. Extended authentication mechanisms described in [RFC5304] or [RFC5310] SHOULD be used in deployments where attackers have access to the physical networks, because nodes included in the IS-IS domain are vulnerable.
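The ballot makes two points that are easy to conflate: the listed sub-TLVs carry link and address data, and the RFC 5304/5310 authentication it recommends protects integrity and origin but not confidentiality. The following Python is an added illustration, not text from the ballot, the draft, or any IS-IS implementation. It walks a constructed run of sub-TLVs in the common IS-IS type/length/value encoding, reports the ones the ballot names (types 4, 6 and 12 with the value sizes their RFCs give), and then wraps the bytes in a simplified HMAC-SHA-256 tag standing in for an RFC 5310 Authentication TLV (not byte-exact to that RFC) to show that tampering is detected while the addresses remain readable on the wire. The sample addresses, identifiers and key are constructed.

```python
"""Added illustration: which IS-IS sub-TLVs expose path information, and why
authentication alone does not hide them. Not code from the draft or the email."""
import hashlib
import hmac
import ipaddress
import struct

# Sub-TLV codepoints named in the ballot, with the RFC each is defined in.
PATH_EXPOSING_SUBTLVS = {
    4: "Link Local/Remote Identifiers (RFC 5307)",
    6: "IPv4 Interface Address (RFC 5305)",
    12: "IPv6 Interface Address (RFC 6119)",
}


def parse_subtlvs(data: bytes):
    """Walk the common IS-IS encoding: 1-byte type, 1-byte length, value."""
    out = []
    pos = 0
    while pos + 2 <= len(data):
        t, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-TLV %d at offset %d" % (t, pos))
        out.append((t, value))
        pos += 2 + length
    if pos != len(data):
        raise ValueError("trailing bytes after last sub-TLV")
    return out


def describe(t: int, value: bytes) -> str:
    """Render the value of the path-exposing sub-TLVs in human-readable form."""
    if t == 4 and len(value) == 8:
        local, remote = struct.unpack("!II", value)
        return "link ids local=%d remote=%d" % (local, remote)
    if t == 6 and len(value) == 4:
        return "ipv4 %s" % ipaddress.IPv4Address(value)
    if t == 12 and len(value) == 16:
        return "ipv6 %s" % ipaddress.IPv6Address(value)
    return "%d bytes" % len(value)


def exposed_path_info(data: bytes):
    """Return (type, description) for every sub-TLV that reveals link/address data."""
    return [(t, describe(t, v)) for t, v in parse_subtlvs(data)
            if t in PATH_EXPOSING_SUBTLVS]


TAG_LEN = hashlib.sha256().digest_size


def seal(pdu: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA-256 tag (simplified stand-in for an RFC 5310-style
    Authentication TLV): it proves origin and integrity, and nothing else."""
    return pdu + hmac.new(key, pdu, hashlib.sha256).digest()


def verify(sealed: bytes, key: bytes) -> bytes:
    """Return the PDU if the tag checks out, otherwise raise."""
    pdu, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, pdu, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return pdu


# Constructed sample: three path-exposing sub-TLVs plus one unrelated one.
SAMPLE = (
    bytes([6, 4]) + ipaddress.IPv4Address("192.0.2.1").packed
    + bytes([12, 16]) + ipaddress.IPv6Address("2001:db8::1").packed
    + bytes([4, 8]) + struct.pack("!II", 17, 42)
    + bytes([99, 2, 0xAB, 0xCD])  # hypothetical type 99, not path-exposing
)
KEY = b"constructed-shared-secret"  # constructed, not a real key


def demo():
    """Show the two properties side by side: readable contents, detected tampering."""
    sealed = seal(SAMPLE, KEY)
    # Anyone who can capture the PDU still reads the addresses from the sealed bytes.
    readable = exposed_path_info(sealed[:-TAG_LEN])
    # Flipping one bit of the IPv4 address is caught by the tag check.
    tampered = bytearray(sealed)
    tampered[2] ^= 1
    try:
        verify(bytes(tampered), KEY)
        tampering_detected = False
    except ValueError:
        tampering_detected = True
    return readable, tampering_detected


if __name__ == "__main__":
    for t, text in demo()[0]:
        print("sub-TLV %d: %s -> %s" % (t, PATH_EXPOSING_SUBTLVS[t], text))
    print("tampering detected:", demo()[1])
```

The point for the security considerations section is visible in `demo()`: the same bytes that the tag protects are the bytes an on-path observer reads, so authentication answers the "who sent this" question the RFC 7917 text addresses, while the exposure of interface addresses and link identifiers is a separate consideration that authentication does not remove.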