Re: [lisp] SECDIR review of draft-ietf-lisp-pubsub-06

"Alberto Rodriguez-Natal (natal)" <natal@cisco.com> Sat, 09 January 2021 03:37 UTC

From: "Alberto Rodriguez-Natal (natal)" <natal@cisco.com>
To: Chris Lonvick <lonvick.ietf@gmail.com>, "Joel M. Halpern" <jmh@joelhalpern.com>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-lisp-pubsub.all@ietf.org" <draft-ietf-lisp-pubsub.all@ietf.org>, "lisp@ietf.org" <lisp@ietf.org>
Date: Sat, 09 Jan 2021 03:37:28 +0000
Message-ID: <D8BBA78C-BB5C-4196-B6E0-60486798AA02@cisco.com>
References: <cee3ecb4-af25-289a-5a18-862142574f87@gmail.com> <54e37d9a-8daf-c582-cb43-73114345843b@joelhalpern.com> <4EDE4838-BA3A-4181-9CE4-521963AB62AB@cisco.com>
In-Reply-To: <4EDE4838-BA3A-4181-9CE4-521963AB62AB@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/_mUEsv3zhQTL9fl0wps5sfRWee4>
Subject: Re: [lisp] SECDIR review of draft-ietf-lisp-pubsub-06
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>

Hi Chris,

Thanks again for the review of the LISP PubSub document, it was most helpful! We brought the SECDIR comments to the attention of the LISP WG during the last IETF in November and gathered some consensus from the WG on how to move forward.

Regarding the use of the term "nonce", the opinion of the WG was to keep the term for consistency with the rest of the LISP documents. The term nonce has been used this way in the LISP literature for so long that the WG believes it would be very challenging to change it now.

As for what happens when the nonce field exceeds the field space, we have submitted a new version of the draft (-07) with a note to clarify that it is not expected to happen during normal operation of the protocol due to the large field size.

Please feel free to take a look at the new version of the document and kindly let us know if you have any further comments.

https://tools.ietf.org/html/draft-ietf-lisp-pubsub-07

Thanks again for your time and great feedback!

Alberto

On 10/1/20, 6:15 PM, "Alberto Rodriguez Natal (natal)" <natal@cisco.com> wrote:

    Thanks a lot for the review, Chris; this is much appreciated feedback. We will submit a new iteration of the document addressing your comments.

    Thanks also Joel for facilitating the review.

    Best,
    Alberto

    On 10/1/20, 12:06 PM, "Joel M. Halpern" <jmh@joelhalpern.com> wrote:

        Thank you, Chris. That is helpful, and I am confident the authors will
        clean up the terminology.

        Yours,
        Joel

        On 10/1/2020 8:34 AM, Chris Lonvick wrote:
        > Hi,
        > 
        > I have reviewed this document as part of the security directorate's 
        > ongoing effort to review all IETF documents being processed by the IESG. 
        > These comments were written primarily for the benefit of the security 
        > area directors. Document editors and WG chairs should treat these 
        > comments just like any other last call comments.
        > 
        > This is an "Early Review Request" so I'm going to mark the draft as 
        > READY WITH NITS.
        > 
        > It appears that there's a raft of drafts of LISP documents progressing 
        > together through the WG that cross-reference each other in that they all 
        > provide foundation and support for their collective features. (I'll 
        > admit that I haven't been keeping up.) So if my nits have been addressed 
        > in another document, that just means that I didn't dig far or deep 
        > enough so please consider giving a pointer in the Security 
        > Considerations of this document so others won't similarly be left adrift.
        > 
        > In this document, and the associated others that I peered into, the term 
        > "nonce" seems to be used more as a "token" than, well, what I consider 
        > to be a nonce. In one case it may be a random value, but in several 
        > others the value is stored, compared, and reused.  This is inconsistent 
        > with the IETF's Security Glossary RFC 4949.
        > 
        > Also, there is a reference to increasing the nonce for a particular use. 
        > However, I saw no discussion of what to do when the value exceeds the 
        > field space.
        > 
        > Other than that, the document appears to be well written and well 
        > thought out.
        > 
        > Best regards,
        > 
        > Chris
        >
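The two points raised in the review above (a "nonce" that is stored, compared and reused behaves like a matching token rather than an RFC 4949 nonce, and an incremented value eventually reaches the end of its field) can be made concrete with a small model of a subscription's nonce state. This is an added illustration, not code from the thread or from the LISP PubSub draft; the 64-bit field width, the random initial value, the increment-by-one rule and the `Subscription` class are all assumptions made for the example, and the handling of the exhausted case (refuse to wrap and force a fresh subscription) is one possible choice, not the draft's procedure. The receiver-side check shows what a defender gets from the token-style comparison: a replayed or stale notification is rejected, and the wrap condition is detected rather than silently producing a value that could collide with a previous one.

```python
"""Model of a request/notify nonce used as a matching token.

Assumptions (not taken from the draft): the nonce is a 64-bit field,
the subscriber picks a random value for the request, the notifier
echoes it and then increments by one for each later notification.
"""
import secrets

NONCE_BITS = 64                      # assumed field width
NONCE_MAX = (1 << NONCE_BITS) - 1    # largest value the field can hold


class NonceOverflow(Exception):
    """Raised when incrementing would no longer fit in the field."""


def new_request_nonce() -> int:
    """Fresh random value for a new request (assumed subscriber behaviour)."""
    return secrets.randbits(NONCE_BITS)


def next_notify_nonce(current: int) -> int:
    """Increment by one, refusing to wrap around the field boundary.

    Wrapping to 0 would reuse values a previous subscription may have
    used, so the caller is told instead of getting a silently wrapped value.
    """
    if not 0 <= current <= NONCE_MAX:
        raise ValueError("nonce outside field range")
    if current == NONCE_MAX:
        raise NonceOverflow("nonce field exhausted; re-subscribe")
    return current + 1


class Subscription:
    """Subscriber-side state: the value expected in the next notification.

    The value is stored, compared and then advanced, which is exactly the
    token-like use the review contrasts with a one-time nonce.
    """

    def __init__(self, request_nonce: int) -> None:
        self.expected = request_nonce
        self.exhausted = False   # True once the field cannot be advanced

    def resubscribe(self) -> int:
        """Start over with a fresh random request nonce."""
        self.expected = new_request_nonce()
        self.exhausted = False
        return self.expected

    def accept_notify(self, nonce: int) -> bool:
        """Return True only for the exact value expected next.

        A replay of an already-consumed value, or any value that does not
        match, is rejected. After an accepted notification the expected
        value advances; if it cannot (field exhausted), the subscription is
        marked so the caller re-subscribes instead of accepting wrapped values.
        """
        if self.exhausted or nonce != self.expected:
            return False
        try:
            self.expected = next_notify_nonce(nonce)
        except NonceOverflow:
            self.exhausted = True
        return True


def run_sequence(start: int, notifies: list[int]) -> list[bool]:
    """Feed a constructed list of notification nonces to one subscription."""
    sub = Subscription(start)
    return [sub.accept_notify(n) for n in notifies]


if __name__ == "__main__":
    # Constructed sample: echo, replay, next value, stale value.
    print(run_sequence(10, [10, 10, 11, 10]))   # [True, False, True, False]
    # Constructed sample at the top of the field: accepted, then exhausted.
    print(run_sequence(NONCE_MAX, [NONCE_MAX, 0]))   # [True, False]
```

The `run_sequence` helper is only a driver for constructed inputs; the operative pieces are `next_notify_nonce`, which refuses to wrap, and `accept_notify`, which treats the stored value as a token to match and then advance.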