IETF Logo Mail Archive

Re: [lisp] Kathleen Moriarty's No Objection on draft-ietf-lisp-impact-04: (with COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 22 October 2015 13:07 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83E801A1B83; Thu, 22 Oct 2015 06:07:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 20SSfNnHaAHk; Thu, 22 Oct 2015 06:07:31 -0700 (PDT)
Received: from mail-wi0-x22a.google.com (mail-wi0-x22a.google.com [IPv6:2a00:1450:400c:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E97031A6F6D; Thu, 22 Oct 2015 06:07:19 -0700 (PDT)
Received: by wicfx6 with SMTP id fx6so134824958wic.1; Thu, 22 Oct 2015 06:07:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=a/xf3b7Lr4R5N2vE8lY1SpfU0cfUe3z4Ea3a6T06kSI=; b=l4pRM9CW7krC8htotT+WhWZulrd0l0QhrrQY5gbuwBgggpvTfX5mcoX8PUZdOvL7rs 8dqNm+LTgwwNAhu6E76qojrO3PVJCD5rKFutnf31CEctjeGFep2CLk0PbAQEw0voOAVU Pw8ezBMC7zN8RKsy4ZHfavuSD0tyyMpupu1e7/cCjplQFHU9SfhdrjoqH9rqhKWKfeh+ GV3IVpkuGTrvo+ktAp/6lQBen7gTIE7q7q48UuoQp1+k1l3vKas8f4wcztuvPb1rfiQR 6m1oMBBJPK3oHkKnFTwj79kxt+DjMp4iZZwOJZqI3FiNAcDA5JqFUMSVH312uuL3pqAG krAw==
MIME-Version: 1.0
X-Received: by 10.195.11.72 with SMTP id eg8mr19569074wjd.14.1445519238497; Thu, 22 Oct 2015 06:07:18 -0700 (PDT)
Received: by 10.28.214.213 with HTTP; Thu, 22 Oct 2015 06:07:18 -0700 (PDT)
In-Reply-To: <56C57AAF-DBD9-42D8-987E-2435871DC5C6@gmail.com>
References: <20151021165230.18223.65896.idtracker@ietfa.amsl.com> <DF2097B2-704A-4A9A-84F2-0C5870925B9B@gigix.net> <56C57AAF-DBD9-42D8-987E-2435871DC5C6@gmail.com>
Date: Thu, 22 Oct 2015 09:07:18 -0400
Message-ID: <CAHbuEH5n0+Q1x-CYyDWTwFUVz2PM87xUVkaiXuHzUTfH8rwS5A@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Luigi Iannone <ggx@gigix.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/lisp/Pezp8wcsHK4WGhwlrQMrWP6aRmA>
Cc: "lisp-chairs@ietf.org" <lisp-chairs@ietf.org>, "lisp@ietf.org" <lisp@ietf.org>, "draft-ietf-lisp-impact.all@ietf.org" <draft-ietf-lisp-impact.all@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-lisp-impact@ietf.org" <draft-ietf-lisp-impact@ietf.org>
Subject: Re: [lisp] Kathleen Moriarty's No Objection on draft-ietf-lisp-impact-04: (with COMMENT)
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2015 13:07:33 -0000

Luigi,

Just one more question.

On Thu, Oct 22, 2015 at 7:06 AM, Kathleen Moriarty
<kathleen.moriarty.ietf@gmail.com> wrote:
> Hi Luigi,
>
> Thank you!  It must not have gone to the SecDir list.  I had noticed at least one of the changes.
>
> Best regards,
> Kathleen
>
> Sent from my iPhone
>
>> On Oct 22, 2015, at 5:32 AM, Luigi Iannone <ggx@gigix.net> wrote:
>>
>> Hi Kathleen,
>>
>>> On 21 Oct 2015, at 18:52, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
>>
>> [snip]
>>
>>>
>>>
>>> ----------------------------------------------------------------------
>>> COMMENT:
>>> ----------------------------------------------------------------------
>>>
>>> Hello,
>>>
>>> There was no follow up or changes (it seems) as a result of the SecDir
>>> review.  It would be helpful to address the questions on the aim of this
>>> draft and how it applies to security for the user and impact of LISP.
>>> https://www.ietf.org/mail-archive/web/secdir/current/msg06103.html
>>
>> There was actually a follow up  (see below) or ami I missing something?
>>
>> Let me know.
>>
>> ciao
>>
>> L.
>>
>>
>> %—— Last reply to Hilarie on 20th October———————%
>> Hi Hilarie,
>>
>> Thanks again for your reply.
>> please find our comments inline.
>>
>> ciao
>>
>> Luigi
>>
>>
>>> On 19 Oct 2015, at 21:02, Hilarie Orman <ho@alum.mit.edu> wrote:
>>>
>>> [NB: this is in re draft-ietf-lisp-impact-04]
>>>
>>> A few comments and suggestions:
>>>
>>>   Unless gleaning features (actually deprecated in
>>>   RFC 6830 [RFC6830]) are used,
>>>
>>> I don't see that gleaning is deprecated.  In any event, how does gleaning
>>> undermine security?
>>
>> This is actually discussed in sections 6 and 12 of RFC6830 and analysed in Section 3.1 of draft-ietf-lisp-threats.

Could you add an explicit reference so ti tis clear that this has been
documented?

It would also be good to see how the impact of LISP on security too as
this is an impact draft.

Thank you,
Kathleen

>>
>>>
>>>                                  the  LISP data-plane shows the
>>>   same level of security as other IP-over-IP technologies.
>>>   From a security perspective, the control-plane remains the
>>>   critical part of the LISP architecture.
>>>
>>>   To maximally mitigate the threats on the mapping
>>>
>>> I doubt authentication is "maximal" mitigation.  It just mitigates.
>>
>> Agreed. The sentence will be simplified as just “To mitigate the threats…."
>>
>>>
>>>   system, authentication must be used, whenever possible, for all
>>>
>>> When would it be impossible to use authentication?
>>
>> The idea was to hint at deployments in ressource constrained environments.
>> It might in fact be misleading. The whole sentence can be reworded as follows:
>>
>>    To mitigate the threats on the mapping system, authentication
>>    should be used for all control plane messages.
>>
>>
>>>   control plane messages.
>>>
>>>   Current specification already offer security mechanisms
>>>   ([RFC6833],  [I-D.ietf-lisp-sec]) able to strongly reduce threats
>>>   in non-trustable environments such as the Internet.
>>>
>>> "The currenet specification defines security mechanisms which can
>>> reduce threats in open network environments”
>>
>> Just to keep the references, the sentence can be:
>>
>>    The current specification ([RFC6833],  [I-D.ietf-lisp-sec]) defines security
>>    mechanisms which can reduce threats in open network environments.
>>
>>
>>> ?
>>
>>>   Actually, LISP specifications define a generic authentication data field
>>>   control plane messages [RFC6830] allowing to propose a general
>>>   authentication mechanisms for the LISP control-plane while staying
>>>   backward compatible.
>>>
>>> "The LISP specification defines a generic authentication data field
>>>   for control plane messages [RFC6830] which could be used for a general
>>>   authentication mechanisms for the LISP control-plane while staying
>>>   backward compatible. "  ??
>>
>> Reads much better, thanks.
>>
>> Luigi
>>
>>> Hilarie
>>>
>>>> Subject: Re: review of draft-saucez-lisp-impact-04.txt
>>>> From: Luigi Iannone <luigi.iannone@telecom-paristech.fr>
>>>> Date: Sat, 17 Oct 2015 21:49:24 +0200
>>>> Cc: Damien Saucez <damien.saucez@inria.fr>,
>>>>       draft-saucez-lisp-impact@tools.ietf.org, secdir@ietf.org,
>>>>       The IESG <iesg@ietf.org>
>>>
>>>> Hi Hilarie,
>>>
>>>> In the current format the security section just states that actually
>>>> security is out of the scope of the document.
>>>> This was actually an outcome of the WG discussion, were it was
>>>> decided to clearly separate security and impact.
>>>
>>>
>>>> Yet, it is true that the security section is poor, while
>>>> security analysis is out of the scope of the document, it does not
>>>> mean that we cannot mention the major security points
>>>> thoroughly analysed in the threats document.
>>>
>>>
>>>> Hence we propose to modify the security section as follows:
>>>
>>>> Old Version:
>>>
>>>>       Security and threats analysis of the LISP protocol is out of the
>>>>       scope of the present document.  A thorough analysis of LISP security
>>>>       threats is detailed in [I-D.ietf-lisp-threats].
>>>
>>>
>>>> NEW Version:
>>>
>>>>       A thorough security and threats analysis of the LISP protocol
>>>>       is carried out in details in [I-D.ietf-lisp-threats].
>>>>       Like for other Internet technologies, also for LISP most of
>>>>       threats can be mitigated using Best Current Practice, meaning
>>>>       with careful deployment an configuration (e.g., filter) and also
>>>>       by activating only features that are really necessary in the
>>>>     deployment and verifying all the information obtained from third
>>>>       parties. Unless gleaning features (actually deprecated in
>>>>       RFC 6830 [RFC6830]) are used, the  LISP data-plane shows the
>>>>       same level of security as other IP-over-IP technologies.
>>>>       From a security perspective, the control-plane remains the
>>>>       critical part of the LISP architecture.
>>>>       To maximally mitigate the threats on the mapping
>>>>       system, authentication must be used, whenever possible, for all
>>>>       control plane messages.
>>>>       Current specification already offer security mechanisms
>>>>       ([RFC6833],  [I-D.ietf-lisp-sec]) able to strongly reduce threats
>>>>       in non-trustable environments such as the Internet.
>>>>       Actually, LISP specifications define a generic authentication data field
>>>>       control plane messages [RFC6830] allowing to propose a general
>>>>       authentication mechanisms for the LISP control-plane while staying
>>>>       backward compatible.
>>>
>>>
>>>> We hope this delivers the information you were looking for.
>>>
>>>> ciao
>>>
>>>> Luigi
>>>
>>>
>>>>> On 13 Oct 2015, at 19:28, Hilarie Orman <ho@alum.mit.edu> wrote:
>>>>>
>>>>> Thanks for pointing out my mistake.  I have now reviewed
>>>>> draft-ietf-lisp-impact-04 and the same comments about security apply.
>>>>>
>>>>> Hilarie
>>>>>
>>>>>> From: Damien Saucez <damien.saucez@inria.fr>
>>>>>> Date: Tue, 13 Oct 2015 08:13:08 +0200
>>>>>
>>>>>
>>>>>> Thank you for the review. I would have a question regarding the document you reviewed. Did you review th
>>>>>
>>>>>> draft-sauces-lisp-impact-04
>>>>>
>>>>>> or
>>>>>
>>>>>> draft-ietf-lisp-impact-04
>>>>>
>>>>>> Thank you,
>>>>>
>>>>>> Damien Saucez
>>>>>
>>>>>> On 13 Oct 2015, at 05:01, Hilarie Orman <ho@alum.mit.edu> wrote:
>>>>>
>>>>>>> Secdir review of LISP Impact
>>>>>>> draft-saucez-lisp-impact-04.txt
>>>>>>>
>>>>>>> Do not be alarmed.  I have reviewed this document as part of the
>>>>>>> security directorate's ongoing effort to review all IETF documents
>>>>>>> being processed by the IESG.  These comments were written primarily
>>>>>>> for the benefit of the security area directors.  Document editors and
>>>>>>> WG chairs should treat these comments just like any other last call
>>>>>>> comments.
>>>>>>>
>>>>>>> A new way of handling routing information has been defined in IETF
>>>>>>> documents about the Locator/Identifier Separation Protocol (LISP).
>>>>>>> The draft under discussion here elaborates on the possible
>>>>>>> consequences of widespread use of LISP.
>>>>>>>
>>>>>>> The draft punts on security considerations and refers to previous
>>>>>>> documents describing threats to LISP and how LISP uses cryptography
>>>>>>> for protecting the integrity of its messages.
>>>>>>>
>>>>>>> It seems to me that if the purported impact of LISP is to "scale the
>>>>>>> Internet", then its impact on security should be a major part of the
>>>>>>> equation.  Will it make routing information more or less vulnerable
>>>>>>> malicious manipulation?  How will it affect the stability of a network
>>>>>>> that is under constant threat of attack?
>>>>>>>
>>>>>>> I don't feel that the draft can achieve its purpose without addressing
>>>>>>> security.
>>>>>>>
>>>>>>> Hilarie
>>>>>>>
>>>>>>> PS. I was very disappointed to realize that this was not a draft
>>>>>>> about my favorite programming language.
>>
>>



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email