[lisp] Tsvart last call review of draft-ietf-lisp-rfc6830bis-15
Brian Trammell <ietf@trammell.ch> Mon, 27 August 2018 14:35 UTC
From: Brian Trammell <ietf@trammell.ch>
To: tsv-art@ietf.org
Cc: draft-ietf-lisp-rfc6830bis.all@ietf.org, ietf@ietf.org, lisp@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/dY7Px8wfclLeDLp9WS2C8kJYJ3w>
Reviewer: Brian Trammell
Review result: Ready with Issues

From a transport standpoint, this document is basically OK -- I suspect that there are probably more transport-relevant issues to consider on 6833bis, but I did not review it.

Two issues with the dataplane:

(1) Common advice to all UDP-using encapsulation designers and implementors: please read RFC8085, especially section 3.1.11. As LISP's dataplane is basically an application of UDP, I was surprised to see no reference to RFC8085 here. I believe that in the most common case LISP falls into case 1 here, but implementors of LISP ITRs should at least be made aware of the other cases.

(2) This is not transport-specific. Reading the document, it struck me that the design of the protocol has a few inherently unsafe features related to the fact that its wire image is neither confidentiality- nor integrity-protected. I think that all of the potential DDoS and traffic focusing attacks I could come up with in the hour I spent reviewing the document are indeed mentioned in the security considerations section, but as the security considerations section does not give any practical mitigation for dataplane overload attacks, it seems to be saying that RLOC addresses shouldn't be Internet-accessible, which as I understand it is not the point of LISP.

I haven't seen a secdir review on this document yet, but I'd encourage the authors to do everything it asks.

nit: Section 7.1. para 7 should note that the ICMPv6 message sent is called Packet Too Big, not Unreachable/Frag Needed.