Re: [Last-Call] Secdir last call review of draft-ietf-bier-oam-requirements-12

Greg Mirsky <gregimirsky@gmail.com> Wed, 09 August 2023 22:50 UTC

References: <169160814305.42427.16864377745174297952@ietfa.amsl.com>
In-Reply-To: <169160814305.42427.16864377745174297952@ietfa.amsl.com>
From: Greg Mirsky <gregimirsky@gmail.com>
Date: Wed, 09 Aug 2023 15:50:00 -0700
Message-ID: <CA+RyBmUrffiM6PE1L_bsm+VpKaga3jtLFNF=OduORiXiUPCW_A@mail.gmail.com>
To: Barry Leiba <barryleiba@computer.org>
Cc: secdir@ietf.org, bier@ietf.org, draft-ietf-bier-oam-requirements.all@ietf.org, last-call@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/KVoPYwI6CGjkRu0VUmrK8qtgqF8>

Hi Barry,
thank you for your comments and suggestions. I agree that even though this
document lists requirements for BIER OAM, the Security Considerations
section should be more useful to a reader. Below is the proposed update:
OLD TEXT:
   This document lists the OAM requirement for a BIER-enabled domain and
   does not raise any security concerns or issues in addition to ones
   common to networking.
NEW TEXT:
   This document lists the OAM requirement for a BIER-enabled domain and
   thus inherits security considerations discussed in [RFC8279] and
   [RFC8296].  Another general security aspect results from using active
   OAM protocols, according to the [RFC7799], in a multicast network.
   Active OAM protocols inject specially constructed test packets, and
   some active OAM protocols are based on the echo request/reply
   principle.  In the multicast network, test packets are replicated as
   data packets, thus creating a possible amplification effect of
   multiple echo responses being transmitted to the sender of the echo
   request.  Thus, an implementation of BIER OAM MUST protect the
   control plane from spoofed replies.  Also, an implementation of BIER
   OAM MUST provide control of the number of BIER OAM messages sent to
   the control plane.

What are your thoughts about the new text? I greatly appreciate your
comments, suggestions, and questions.

Regards,
Greg

On Wed, Aug 9, 2023 at 12:09 PM Barry Leiba via Datatracker <
noreply@ietf.org> wrote:

> Reviewer: Barry Leiba
> Review result: Has Issues
>
> The only comment I have from a security standpoint is that the Security
> Considerations seem basically absent, saying no more than "Nothing to see
> here."  That's common and easy to say, but I expected some explanation of
> how the requirements specified in the document are needed to ensure a robust
> and secure BIER system.  I wouldn't expect pages of text, but I'm surprised to
> see nothing at all.  Is it really the case that an OAM system for BIER would do
> nothing to enhance security, nothing to alert us to BIER-specific attacks?
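The two MUSTs in Greg's proposed Security Considerations text (protect the control plane from spoofed echo replies, and bound the number of OAM messages handed to the control plane) can be illustrated with a small receive-side guard. The following is an added example written for this thread; it is not code from the draft, from the BIER working group, or from any implementation. The message fields (a 64-bit nonce echoed back by each responder, the responder's BFR-id), the `OamReplyGuard` class, its verdict names, and the sample traffic in `run_demo()` are all constructed assumptions for illustration.

```python
"""Added example: guarding a BIER OAM echo-request sender against reply
amplification and spoofing.  Every reply is first charged against a token
bucket (bounding what reaches the control plane), then matched to an
outstanding request by nonce, lifetime and addressed BFR-id.  Names and
sample traffic are constructed for illustration, not taken from the draft."""

import secrets
import time
from dataclasses import dataclass, field


class TokenBucket:
    """At most `burst` replies at once, `rate` replies per second sustained."""

    def __init__(self, rate: float, burst: int, now: float):
        self.rate = float(rate)
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.last = now

    def take(self, now: float) -> bool:
        # Refill proportionally to elapsed time, never above capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class EchoRequest:
    nonce: int                 # unpredictable value that every legitimate reply must echo
    addressed: frozenset       # BFR-ids (bit position + 1) set in the request's bitstring
    deadline: float            # replies arriving after this are discarded as stale
    seen_from: set = field(default_factory=set)   # BFR-ids already counted once


class OamReplyGuard:
    def __init__(self, pps: float, burst: int, timeout: float = 2.0, clock=time.monotonic):
        self.clock = clock
        self.timeout = timeout
        self.bucket = TokenBucket(pps, burst, clock())
        self.outstanding: dict[int, EchoRequest] = {}
        self.stats = {k: 0 for k in
                      ("accepted", "duplicate", "unaddressed", "unsolicited", "stale", "rate_limited")}

    def send_request(self, bitstring: int) -> int:
        """Record an outstanding request; returns the nonce carried in the packet."""
        nonce = secrets.randbits(64)
        addressed = frozenset(i + 1 for i in range(bitstring.bit_length()) if bitstring >> i & 1)
        self.outstanding[nonce] = EchoRequest(nonce, addressed, self.clock() + self.timeout)
        return nonce

    def on_reply(self, nonce: int, responder_id: int) -> str:
        verdict = self._classify(nonce, responder_id, self.clock())
        self.stats[verdict] += 1
        return verdict

    def _classify(self, nonce: int, responder_id: int, now: float) -> str:
        # 1. Rate limit before doing any lookup: this is the cap on control-plane load.
        if not self.bucket.take(now):
            return "rate_limited"
        # 2. Only replies to a request we actually sent are considered at all.
        req = self.outstanding.get(nonce)
        if req is None:
            return "unsolicited"
        if now > req.deadline:
            del self.outstanding[nonce]
            return "stale"
        # 3. The responder must be one of the BFERs the bitstring addressed, and each counts once.
        if responder_id not in req.addressed:
            return "unaddressed"
        if responder_id in req.seen_from:
            return "duplicate"
        req.seen_from.add(responder_id)
        if req.seen_from == req.addressed:        # every expected reply is in; close the request
            del self.outstanding[nonce]
        return "accepted"


def run_demo() -> dict:
    """Constructed scenario: three addressed BFERs, a replay, a stray router, a spoof burst, a late reply."""
    now = [0.0]                                   # controllable clock for a deterministic run
    guard = OamReplyGuard(pps=100, burst=10, timeout=2.0, clock=lambda: now[0])
    nonce = guard.send_request(bitstring=0b0111)  # BFR-ids 1, 2, 3 addressed
    guard.on_reply(nonce, 1)                      # accepted
    guard.on_reply(nonce, 2)                      # accepted
    guard.on_reply(nonce, 2)                      # duplicate (replayed reply)
    guard.on_reply(nonce, 4)                      # unaddressed (BFR-id 4 was not in the bitstring)
    guard.on_reply(nonce, 3)                      # accepted; request now complete and closed
    for _ in range(11):                           # burst of replies with a guessed nonce
        guard.on_reply(0xDEADBEEF, 9)             # 5 unsolicited, then the bucket empties: 6 rate_limited
    late = guard.send_request(bitstring=0b1000)   # BFR-id 4 addressed
    now[0] += 5.0                                 # well past the 2 s deadline (bucket refills meanwhile)
    guard.on_reply(late, 4)                       # stale
    return dict(guard.stats)


if __name__ == "__main__":
    print(run_demo())
```

Charging the token bucket before the nonce lookup is deliberate: the point of the second MUST is that an attacker who can trigger many replies (or forge them) must not be able to make the control plane do unbounded work, so the cheapest check runs first. Closing a request as soon as every addressed BFER has answered, and expiring it after a timeout, keeps the nonce from staying valid indefinitely; in a real implementation the per-request bookkeeping would also be bounded in size and the bucket parameters made configurable.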