Re: [lisp] AD Review of draft-ietf-lisp-sec-25
"Fabio Maino (fmaino)" <fmaino@cisco.com> Thu, 28 April 2022 16:30 UTC
Return-Path: <fmaino@cisco.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0F99C15E6E8; Thu, 28 Apr 2022 09:30:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.592
X-Spam-Level:
X-Spam-Status: No, score=-9.592 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=kvtmlhtQ; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=RQJgHScD
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ounqt8CCxng0; Thu, 28 Apr 2022 09:30:49 -0700 (PDT)
Received: from rcdn-iport-5.cisco.com (rcdn-iport-5.cisco.com [173.37.86.76]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF651C15E6CE; Thu, 28 Apr 2022 09:30:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=44108; q=dns/txt; s=iport; t=1651163448; x=1652373048; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=FSb2y7IPmHYWr5uDnAR2YSYplq4yc4UpfRQCWjxjtMU=; b=kvtmlhtQpg9ZU/MKnNi9Xnhm0qPOcJSNdvsrvSLr4BrDaWPNoeAtTEUe xv0/tEqRTjFFzxSURHWRqf4ShSA7l7XPgFMon0AahCJbPN93UQu8YHMC0 R6LDiWB1ADjqXE9bFq4Ed8XXaKJACm9loBLmxEeEItIyUEpZ9zfPW8F6m M=;
IronPort-PHdr: A9a23:n6+u5hGs86dXw9WAfjoZQp1GfiYY04WdBeZdwpYkircbdKOl8tyiOUHE/vxigRfPWpmT8PNLjefa8sWCEWwN6JqMqjYOJZpLURJWhcAfhQd1BsmDBAXyJ+LraCpvGsNEWRdl8ni3PFITFtz5YgjZo2a56ngZHRCsXTc=
IronPort-Data: A9a23:pQUwsK25pETZ9lzJ//bD5Tlzkn2cJEfYwER7XKvMYLTBsI5bpzdWm2EaXTqFMvqLNzOjfIslbo6z/EsGsZSDzIRrGlY/3Hw8FHgiRegpqji6wuYcB84ZRyH6ZBoPA/42N5+RdajYcleG/k33auS7/SElvU21buOU5NDsa3gZqTBMEE/NuTo78wIIqtYAbeqRWmthivuqyyHrA2JJ7hYvWo4iBw1vnzs01Bj6kGtwUlXT/pmntneG/5UeJMp3ya1csxLFrodo8u6SH44vzZmj9W/fuhwqEN7gzfDwc1YBRfjZOg3mZnh+Avf5xEMd4H1plP9nb5Lwam8P49mNt950wdRLsrS7SBwiOevHn+F1vxxwTHwiZPYbo+6dSZS4mYnJp6HcSFPowu52SUo2NIwC4c52DH1As/sCJ1glYR+Tr+23z7OrDO9hmqwLKMjwJKset21uizbDAp4OTYrKTbmP5NJE0nI0h9tWWO3TbOIYZCZhKhPabHVnM00aFJs4laGpi2XxWzJdoVOR46Ew5gDuIKZZuFT2GMDedtrPTsJPkwPH4GnH5G/+RBodMbSiJfO+2irErofycenTAer+zIGFy8M=
IronPort-HdrOrdr: A9a23:gv3UN60+QJanlC4o1maw/gqjBepxeYIsimQD101hICG9Lfb3qyn+ppsmPEHP5Ar5AEtQ5expOMG7MBfhHQYc2/heAV7QZniYhILOFvAi0WKC+UyuJ8SazI9gPMhbAtBD4bHLfDpHZIPBkXSF+rUbsZm6GcKT9JzjJh5WJGkAAcwBnmRE40SgYzdLrWJ9dP0E/e+nl7N6Tk2bCBIqh6qAdxw4dtmGg+eOuIPtYBYACRJiwhKJlymU5LnzFAXd9gsCUhtUqI1SslTtokjc3OGOovu7whjT2yv49JJNgubszdNFGYilltUVEDPxkQylDb4RGYFq/QpF5d1H2mxa1+UkkC1QefibLEmhJ11dlCGdnzUIFgxes0MKh2Xo2kcL6vaJOg7SQ/Ax9L6xNCGpsXbJeLpHof52N6XzjesLMfqIplWP2zCDPSsa5nacsD4sl/UegGdYVpZbYLhNrZYH9EcQC5sYGjnmgbpXWtWGIfusrMq+S2nqJEwxf1Mft+CETzA2BFOLU0ICssua33xfm2141VIRwIgakm0b/JwwRpFY76CcW54Y2I1mX4sTd+ZwFe0BScy4BijERg/NKnubJRDiGLscM3zAppbr6PE+5f2sepYP0Jwu8a6xHW9wpCo3YQbjGMeO1JpE/lTER3i8Ry3kzoVE651wqtTHNfPW2O24OSYTeueb0oAi65fgKoSO0bptcoveEVc=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0A2BgAmvmpi/49dJa1aHgEBCxIMQIFKC4FSKigHdQJYOUOEToNKA4UxhQmDAoEWiX+FMYpxgSwUgREDVAsBAQENAQE5CQQBAYUCAhaFGgIlNAkOAQIEAQEBEgEBBQEBAQIBBwSBCROFaA2GQwIBAxIICREMAQElCwcBDwIBCA4MAiYCAgIfERUQAgQBDQUigloBgmMDMQEOoFYBgT4Cih96gTGBAYIIAQEGBASFDQ0LgjgDBoEQLIMRgwGBJ4RrgjMHAR8cgUlEgRUnHIIwNz6CIUIBAYEmIgkmgz83gi6cFAkBawYIUgEJAQMUBAoZCBAEEkQDHggCDA8jCgcBAhICAQEVAQECDRQFBQoCBQwYEZFsFINpl3eSDWsKg0mFK4Vtjm6FfAUjC4N0jDkDhS6BLopRhSKBVJZgIIIpileDVZBAIiYBhHECBAIEBQIOAQEGgWE8gVlwFTsqAYIKAQEBMVEZD44gCQMWgQQBCIJDhRSFSnU7AgYBCgEBAwmLYoJGAQE
X-IronPort-AV: E=Sophos;i="5.91,295,1647302400"; d="scan'208";a="754135392"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by rcdn-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 28 Apr 2022 16:30:46 +0000
Received: from mail.cisco.com (xfe-rcd-003.cisco.com [173.37.227.251]) by rcdn-core-7.cisco.com (8.15.2/8.15.2) with ESMTPS id 23SGUkb3009324 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=OK); Thu, 28 Apr 2022 16:30:46 GMT
Received: from xfe-rtp-002.cisco.com (64.101.210.232) by xfe-rcd-003.cisco.com (173.37.227.251) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.14; Thu, 28 Apr 2022 11:30:46 -0500
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (64.101.32.56) by xfe-rtp-002.cisco.com (64.101.210.232) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.986.14 via Frontend Transport; Thu, 28 Apr 2022 12:30:46 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Z/VcpfNhDds1MlcATLfZ+GKjqkjzWuhneRg89DLTcl8CBKXzi1fIvAwCsIAAXHTL/n75FfgedltB1LrIL8YgsVrD2hQZlWS/FDAhtw25owN+d0jZdZxnT2sE7y5zsLFs6GKRqVm2JzQtZfywEhNaJDoXF8J/H6Y31exorWbrs3TMZL1MH0jA2RoZoQfAbc5aaq38Om8S7w4IY1TtChY0XKcQzVbZ1j3vVzRYqMFTUJeVQQ3Nv356y3m6nON0dEjAEKSDlIsiVicLx8mTPgO6S428Cg2cfVdLxVAz6/X7Gv5UCZwHje43eVQ5O91g2bHt5qHvqeEdR/OQczBMCLfT+w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=FSb2y7IPmHYWr5uDnAR2YSYplq4yc4UpfRQCWjxjtMU=; b=lVhhZHbSMlEHA696zdhydlE9RZQXCbGg5ISWtLHGk2jX3DwR8NjiGnJpGpwWbNeUaP2YDSwRKeK8Dh3yNc6VSX1682o83VT7/webFqKrQkZoDUdgMAt8cao1oI/BsyzpEBrSYdrrXflOmAyMI9rb0d/kXMS+IC+Hum4m8AlKZ9LrUq3prpKG22GmMIdAW5Mu8bnL0NKEQYI2XlW5VVAhqDSooOtOFnelD78W16AqpiuaizSPaUKnf0DgfBPT29HPF6NPoBApAwYWaSCU4AlR6GU+8Y86Mn1nSB0BLu5pqo7xckAzoPJg9pEtCR1c7GsiD4NC+D2oiEcWJVSZ1KGHQA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=FSb2y7IPmHYWr5uDnAR2YSYplq4yc4UpfRQCWjxjtMU=; b=RQJgHScDjIJSirPxhXSwtBcQaVHWAxNrJ9vcb4NqQLeTHrX/NNDclcZlSTeZh3W+aEqCP8ct+wPhoL8axJtQrUbxXLrmOICVzLYJNYotKlUobGZ2kupQI6uvddAUId2/YQHYAl0iabBDSDTjJpNxCTPfWAyj/0GCFYWhY+7bMM0=
Received: from CH2PR11MB4376.namprd11.prod.outlook.com (2603:10b6:610:40::13) by BL0PR11MB3409.namprd11.prod.outlook.com (2603:10b6:208:31::32) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5206.13; Thu, 28 Apr 2022 16:30:44 +0000
Received: from CH2PR11MB4376.namprd11.prod.outlook.com ([fe80::1167:402b:8361:7b0]) by CH2PR11MB4376.namprd11.prod.outlook.com ([fe80::1167:402b:8361:7b0%5]) with mapi id 15.20.5186.023; Thu, 28 Apr 2022 16:30:44 +0000
From: "Fabio Maino (fmaino)" <fmaino@cisco.com>
To: Alvaro Retana <aretana.ietf@gmail.com>, "draft-ietf-lisp-sec@ietf.org" <draft-ietf-lisp-sec@ietf.org>
CC: "lisp@ietf.org" <lisp@ietf.org>, Luigi Iannone <ggx@gigix.net>, "lisp-chairs@ietf.org" <lisp-chairs@ietf.org>
Thread-Topic: AD Review of draft-ietf-lisp-sec-25
Thread-Index: AQHYVbXj+qm54fZ3xEGfJ0IslwAxsq0Fi1YA//+OgYA=
Date: Thu, 28 Apr 2022 16:30:44 +0000
Message-ID: <EDCC413C-57ED-4D2C-BCE8-95C7C45AA39F@cisco.com>
References: <CAMMESszR8Sz9vArweC7W3WYHC45wkKGPhZTqaRVMb6d0hwWwRA@mail.gmail.com> <CAMMESsyj-3sRyMfOieqqid1JFuBJG5v5px9cMz0FWvbVgOA03Q@mail.gmail.com>
In-Reply-To: <CAMMESsyj-3sRyMfOieqqid1JFuBJG5v5px9cMz0FWvbVgOA03Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.60.22041000
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cisco.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8db60b3c-0150-4121-0adb-08da29347172
x-ms-traffictypediagnostic: BL0PR11MB3409:EE_
x-microsoft-antispam-prvs: <BL0PR11MB34090C2319F7ADBDD3869769C2FD9@BL0PR11MB3409.namprd11.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: eFVvziarMEWRKKDZGAHGn7N/vIjnMGgwuzJG6MbrO70z92kiOtKgCMMZdsRlhyv2c8wPUYSulJY8iR6gk223HQfSe2qhKCOHAntli7z0FgEZok26hrEl7Sly65crQ2lX3ROq8TG4AotIsTMHQvr46F32Q2Cp5hjHIeTRwcCar62vLFCMX5fin3Hq71ysYRvc/IU8C0XVicSK4EguX/gnwtsP1AfDoVEWu/dZ+ullSkACR7xxKoluAGEuEUuqj6rK+2qIaGWbSniZs8R1jkuBZ6l+0qh/V1xaUFELudAEhaxk/YkSixlt/sEWFLhAkGctVhHLuqor+tGYGb58PHtDxRAIxuACOUu2Dd8I1dps5rlhwXBXZHnUXgs1e+zhTGLaN/6DthR+qAJiCW32jvNqi+/zZYWE5N896Zxe+D+7XpisvPPg1MXuYAbOnpTVfJMvdjEotcrIjHC/JaUb24RRtUQ3kTL0QG+yq4L0x479rWyI61Vemg4ur1anNSxAxkaTCXOxzOMKibUynGw9AMv/LnPqhJUKk2zyWf54Gk/P7VcE9k9uvoRIG71t+652uiPUMRa8H/YLKJL5v0iMZgpBpYqQVpEP5sAATTa3TGlgoNFYdzXHGyQz2ggvRNqeQjn66GtilC9XWr89SwhzLtkhzVn1d9CvZM3NJ0DQ1CSLY0n7Jw/ybo7IxoobXh0fK6xqkV9QJMXJbbltSjXVtbPdtC5kPPzbHmLe10P991Q5s09rSo9jbL8FzFQkySO3096es5V43LLbSpZOPYJytE/bgfk2l0zoUlzf64IcLi+WD4esS/txPYMaxEUcLHT04xhBEz840emV6kQLHbZ9orfiXpTyjLgGrZ7ABAre2tnaSW4=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CH2PR11MB4376.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(366004)(2906002)(30864003)(91956017)(33656002)(36756003)(66946007)(5660300002)(76116006)(316002)(66476007)(186003)(66556008)(83380400001)(8676002)(66446008)(64756008)(4326008)(8936002)(110136005)(54906003)(86362001)(2616005)(71200400001)(6486002)(966005)(508600001)(38070700005)(38100700002)(26005)(122000001)(6512007)(6506007)(45980500001)(579004)(559001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: N6QYqG9PkZvOAr08Nco2HN+K7+ikdylrWLGcJ6cZC1umeQM6V4so2EP0n9NzclEnmWSnYYnUyI/ORDV4WsLbPyCg3alu25+svstczXyEZJ2CH4m2W4bm8uNbYcMir0XP1dEUtlLXwh00+LMeJRk9DV/xLthK0iu4V+6pAz6kdqZ5eXvVjYyqCg50drxClwsuTsg8lo+qyVZYOkgpgOrWMdp1gJFYlxeIOBdSsnG8ESFi+byAdIEmIZwluCUDY3rWnSqF37xyIW/ISe6BA+OLNBtngxj83uJPHPhnoq2bw3Oau3YkEXDw3xlU58uqeUN8MPjtTp03w6t12lZBk9NbOyK4Ne2zbG9JXXOBx1EM4rPUXW7xSiLkvkfPP+VEY+PPCDJ2KaZnqVXEMtoA2pdSnFc8SgR0JoYOedLcCJTI+0krjBHNOIfl9T0Y3r+IwyVLC32GD6/HlRkdInsLahbXkJNNzwhiXYUAEtN8TJZ8eClLpUuHJxa9ldvbLnR35ThCe4nMWykvSWFDgHguB3m1dantS2KygYibcXbO6ImBhyOMIGOkHJQ2OTslBpbh/fEbTcnrm79AqeMOGGKqOMJ5ZXnscofPVRFosOhBhJPqJhahQHtJjuLx62YepAzMIgc7+JjzQpgq/eCsVjZY9Qy7wlpttDrLgiYuVA5pydpyH7dF5SatUfLbppCzJaEoDRguOBDxRreAUvDHW723Tw5qCFioxm1QWtrHIm5bUhaPvv6ooYJU8PnIq0ovZmlye1CGocNTBExDtkvz/dovUBQrrF0w6kKszUT+2k1hVq2iExlWZGosDMh59FnUKJKIck0JsMBOanCNAsYPcCqH4SP047ynx8v8dcLXXOKK79XfJplutZuHrcQJ86cEtDkO4KB2fwMgc+TEmRMYRRn9GYZwV3myoEOnHBVicbOMsx/qwEdbHAAviDlcEJqqCss0LqIw7Rr6SC1V9drpjUL1aVZbvJJZAuTPuxhSqlBQ4xsZIeTGwUckNw7jE92ZywQ2dIdJLMdLIWZsx6xJPzm4c/padvHMnym+qI9mNyMv51UmhdZUmYK3vC2WFrte72l1b4QcxmtGAw+gpcs8eQrejo1PFkVyNvA77ltor4z+muE7M3eHcAclJjAnBGYbrYVzBfx38chb9qa6bUw2TDhYw+ppQp0TBFaYOROn02+YhrlE4xfl4b4ml2tTVzMqrdyqg9OZrL2sfqAJD2NdwdWHv6uDYAkO7smeJQRuJiAKYMXTfoVX+I903bWNMNvEC2aqZgPdY+ZVA0j3iCDDz/5f4acJanMFAzMrMAWq67B8dJxtA5s9+3xP9rFGLWzIXrPu0668CvsKu4MtoIAgSTOrtnkr6YSbsaGwCOQwMdoVUwYZhkZQpciW15N9lBotCyhWBZmioaZ6OuJoUnkmzjzD+doFqEYUXbw4cHcH2EF5bOlig85y5doLU9egowyx6mMy53z7DBLaC0cQal8nZ5hhZZ6nYxyePvk6FtZp6Alj0wgZo7VzvliGSoPoVwnQKuFAOBgNdLrvCWkVJq5XxM1M7p0uP1fwzAFUgLomAs37b+qZI3vTRrfmFK+p10pl4NUW8VR0an0rrgO9OaI1PAx35gAfvqL3wsMR8lAasGrKY6v2s0rqDhvhrjim4VbPCsIMV1chKeu7rJaEUofTKdF4c70v0cfPvpEvzRz4DJcCV9ww/6MDs5pgy6iHcBUxYaH6zEXsHyrniVpkZko75Nc0CoGB9A==
Content-Type: text/plain; charset="utf-8"
Content-ID: <9B843E589EB0394F9457DD29C75152C8@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CH2PR11MB4376.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8db60b3c-0150-4121-0adb-08da29347172
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Apr 2022 16:30:44.4059 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 0yATk9CHZep4TjFY5/L1ev/d3wNu58rVjQRK8NVLN5EBwV4NewALkdtBUxNg7u8aoYANNd5CMJ5dGTxnrt84XQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BL0PR11MB3409
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.227.251, xfe-rcd-003.cisco.com
X-Outbound-Node: rcdn-core-7.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/dl0BOhePR_fVAfauYOkhhrxEsS4>
Subject: Re: [lisp] AD Review of draft-ietf-lisp-sec-25
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2022 16:30:53 -0000
Thanks Alvaro, I believe Damien and Luigi are already taking a first pass. After a quick review between the authors, we should be able to return it back to you. Fabio On 4/28/22, 9:17 AM, "Alvaro Retana" <aretana.ietf@gmail.com> wrote: Hi! I'm just moving this message up in people's mailer to make sure everyone saw it. If you’re already working in it, sorry for the interruption. Alvaro. On April 21, 2022 at 3:27:18 PM, Alvaro Retana (aretana.ietf@gmail.com) wrote: Dear authors: Thank you for the work on this document! I put detailed comments inline below. As we have a constrained timeline for this document, I would like to start the IETF Last-Call in no more than a couple of weeks. I don't think my comments will be hard to address. In fact, there are comments that I repeat in different sections, and some overlap. Please reply inline to this message to expedite my review of any updates. Also, if you think talking would clear things up faster, feel free to find time on my calendar: https://doodle.com/mm/alvaroretana/book-a-time Thanks! Alvaro. [Line numbers from idnits.] ... 15 Abstract 17 This memo specifies LISP-SEC, a set of security mechanisms that 18 provides origin authentication, integrity and anti-replay protection 19 to LISP's EID-to-RLOC mapping data conveyed via mapping lookup 20 process. LISP-SEC also enables verification of authorization on EID- 21 prefix claims in Map-Reply messages. [nit] s/via mapping lookup process/via the mapping lookup process/g ... 100 1. Introduction ... 120 This memo specifies LISP-SEC, a set of security mechanisms that 121 provides origin authentication, integrity and anti-replay protection 122 to LISP's EID-to-RLOC mapping data conveyed via mapping lookup 123 process. LISP-SEC also enables verification of authorization on EID- 124 prefix claims in Map-Reply messages, ensuring that the sender of a 125 Map-Reply that provides the location for a given EID-prefix is 126 entitled to do so according to the EID prefix registered in the 127 associated Map-Server. Map-Register/Map-Notify security, including 128 the right for a LISP entity to register an EID-prefix or to claim 129 presence at an RLOC, is out of the scope of LISP-SEC as those 130 protocols are protected by the security mechanisms specified in 131 [I-D.ietf-lisp-rfc6833bis]. However, LISP-SEC extends the Map- 132 Register message to allow an ITR to securely downgrade to non LISP- 133 SEC Map-Requests. Additional security considerations are described 134 in Section 6. [major] "securely downgrade to non LISP-SEC Map-Requests" To "securely downgrade" to no security doesn't sound right to me. See more comments in §6.7. ... 176 4. LISP-SEC Threat Model 178 LISP-SEC addresses the control plane threats, described in section 179 3.7 and 3.8 of [RFC7835], that target EID-to-RLOC mappings, including 180 manipulations of Map-Request and Map-Reply messages, and malicious 181 ETR EID prefix overclaiming. LISP-SEC makes two main assumptions: 182 (1) the LISP mapping system is expected to deliver a Map-Request 183 message to their intended destination ETR as identified by the EID, 184 and (2) no man-in-the-middle (MITM) attack can be mounted within the 185 LISP Mapping System. How the Mapping System is protected from MITM 186 attacks depends from the particular Mapping System used, and is out 187 of the scope of this memo. Furthermore, while LISP-SEC enables 188 detection of EID prefix overclaiming attacks, it assumes that Map- 189 Servers can verify the EID prefix authorization at registration time. [] As part of the efforts to make the language in IETF documents more inclusive, consider using "on-path attack" instead of MITM. This term in already in use in some parts of this document. https://www.ietf.org/about/groups/iesg/statements/on-inclusive-language/ ... 202 5. Protocol Operations ... 210 LISP-SEC builds on top of the security mechanisms defined in 211 [I-D.ietf-lisp-rfc6833bis] to address the threats described in 212 Section 4 by leveraging the trust relationships existing among the 213 LISP entities participating to the exchange of the Map-Request/Map- 214 Reply messages. Those trust relationships are used to securely 215 distribute, as described in Section 8.4, a per-message One-Time Key 216 (OTK) that provides origin authentication, integrity and anti-replay 217 protection to mapping data conveyed via the mapping lookup process, 218 and that effectively prevent overclaiming attacks. The processing of 219 security parameters during the Map-Request/Map-Reply exchange is as 220 follows: [nit] s/participating to/participating in ... 245 1. The ITR, upon needing to transmit a Map-Request message, 246 generates and stores an OTK (ITR-OTK). This ITR-OTK is included 247 into the Encapsulated Control Message (ECM) that contains the 248 Map-Request sent to the Map-Resolver. ITR-OTK confidentiality 249 and integrity protection MUST be provided in the path between the 250 ITR and the Map-Resolver. This can be achieved either by 251 encrypting the ITR-OTK with the pre-shared secret known to the 252 ITR and the Map-Resolver (as specified in Section 6.5), or by 253 enabling DTLS between the ITR and the Map-Resolver. [major] "protection MUST be provided" Please specify things only once. In this case, because this section just "describes the flow", there's no need to specify anything in it, or go into some of the details. The protection part is properly covered later in the document and is not necessary to be called out at this point. 255 2. The Map-Resolver decapsulates the ECM message, decrypts the ITR- 256 OTK, if needed, and forwards through the Mapping System the 257 received Map-Request and the ITR-OTK, as part of a new ECM 258 message. The LISP Mapping System delivers the ECM to the 259 appropriate Map-Server, as identified by the EID destination 260 address of the Map-Request. As mentioned in Section 4, how the 261 Mapping System is protected from MITM attacks depends from the 262 particular Mapping Systems used, and is out of the scope of this 263 memo. [minor] Anything "as mentioned in" can be left out of this description to avoid duplication. ... 275 4. The Map-Server derives a new OTK, the MS-OTK, by applying a Key 276 Derivation Function (KDF) to the ITR-OTK. This MS-OTK is 277 included in the Encapsulated Control Message that the Map-Server 278 uses to forward the Map-Request to the ETR. MS-OTK 279 confidentiality and integrity protection MUST be provided in the 280 path between the Map-Server and the ETR. This can be achieved 281 either by encrypting the MS-OTK with the pre-shared secret known 282 to the Map-Server and the ETR (as specified in Section 6.5), or 283 by enabling DTLS between the Map-Server and the ETR. [major] "protection MUST be provided": Same comment as above: no need for this part here. ... 303 8. The ITR, upon receiving the Map-Reply, uses the locally stored 304 ITR-OTK to verify the integrity of the EID-prefix authorization 305 data included in the Map-Reply by the Map-Server. The ITR 306 computes the MS-OTK by applying the same KDF (as specified in the 307 ECM encapsulated Map-Reply) used by the Map-Server, and verifies 308 the integrity of the Map-Reply. If the integrity checks fail, 309 the Map-Reply MUST be discarded. Also, if the EID-prefixes 310 claimed by the ETR in the Map-Reply are not equal or more 311 specific than the EID-prefix authorization data inserted by the 312 Map-Server, the ITR MUST discard the Map-Reply. [major] "...MUST..." These details are not needed here. ... 322 6.1. Encapsulated Control Message LISP-SEC Extensions ... 358 V: Key Version bit. This bit is toggled when the sender switches 359 to a new OTK wrapping key [] I don't understand how this works. If the OTK doesn't change then this bit's value shouldn't change, is that it? [major - If so..] If so, what should a receiver do if the V bit didn't change but the OTK did? What if the OTK didn't change, but the V bit did? ... 363 Requested HMAC ID: The HMAC algorithm, that will be used to 364 protect the mappings, requested by the ITR. See Section 6.4 for 365 details, and Section 8.3 for HMAC IDs that MUST be supported. [major] §8.3 says this: AUTH-HMAC-SHA-1-96 MUST be supported, AUTH-HMAC-SHA-256-128 SHOULD be supported. However, (1) it is not good practice to include specifications in the IANA Considerations section (only instructions to IANA should be included there), and, (2) the MUST/SHOULD combination doesn't match the MUST used here. Instead, please move the text (above + references to rfc2104/rfc6234) from §8.3 to §6.4, and eliminate the reference to §8.3. Note that similar text is used in multiple places. Please update all. ... 377 OTK Wrapping ID: The identifier of the key derivation function and 378 of the key wrapping algorithm used to encrypt the One-Time-Key. 379 See Section 6.5 for more details, and Section 8.4 for Wrapping IDs 380 that MUST be supported. [minor] The figure uses ("OTK Wrap. ID"). I know that's just an abbreviation, but please include it here for completeness: s/OTK Wrapping ID:/OTK Wrapping ID (OTK Wrap. ID): [major] "and Section 8.4 for Wrapping IDs that MUST be supported." Same comment as above: please move the text from §8.4 to §6.5. BTW, §6.5 already has come text about requiring AES-KEY-WRAP-128+HKDF-SHA256, but not NULL-KEY-WRAP-128: this last algorithm is mentioned, but the text doesn't require it. Also, AES-KEY-WRAP-128 (without "+HKDF-SHA256") is mentioned separately, but not listed in the table in §8.4. 382 One-Time-Key Preamble: set to 0 if the OTK is not encrypted. When 383 the OTK is encrypted, this field MAY carry additional metadata 384 resulting from the key wrapping operation. When a 128-bit OTK is 385 sent unencrypted by Map-Resolver, the OTK Preamble is set to 386 0x0000000000000000 (64 bits). See Section 6.5.1 for details. [nit] s/by Map-Resolver/by a Map-Resolver ... 391 EID-AD Length: length (in bytes) of the EID Authentication Data 392 (EID-AD). The ITR MUST set EID-AD Length to 4 bytes, as it only 393 fills the KDF ID field, and all the remaining fields part of the 394 EID-AD are not present. An EID-AD MAY contain multiple EID- 395 records. Each EID-record is 4-byte long plus the length of the 396 AFI-encoded EID-prefix. [nit] s/set EID-AD Length/set the EID-AD Length [major] "ITR MUST set EID-AD Length to 4 bytes" What should the receiver do if the length is set to anything else? For messages not originated by the ITR, the length has to be more then 4. In fact, it has to be 12 + the length of EID-prefix (multiple may be present) + length of EID HMAC. What should a receiver do if the length is not appropriate? I don't remember seeing anything in rfc6833bis about error handling or what to do about mismatched lengths in general. Did I miss it? 398 KDF ID: Identifier of the Key Derivation Function used to derive 399 the MS-OTK. The ITR MAY use this field to indicate the 400 recommended KDF algorithm, according to local policy. The Map- 401 Server can overwrite the KDF ID if it does not support the KDF ID 402 recommended by the ITR. See Section 5.4 for more details, and 403 Section 8.5 for KDF IDs that MUST be supported. [major] "Map-Server can overwrite the KDF ID if it does not support the KDF ID recommended by the ITR" Specify things only once. The text in §6.7.1 is similar. See comments there. [minor] s/5.4/6.4/g §5.4 doesn't exist. [major] "Section 8.5 for KDF IDs that MUST be supported" Same comment as above: please move the text from §8.5 to §6.4. 405 Record Count: The number of records in this Map-Request message. 406 A record is comprised of the portion of the packet that is labeled 407 'Rec' above and occurs the number of times equal to Record Count. [major] Should there at least be one, or is it ok if the value is 0? If at least one, what should a receiver do if no records are included? 409 E: ETR-Cant-Sign bit. This bit is set to 1 to signal to the ITR 410 that at least one of the ETRs authoritative for the EID prefixes 411 of this Map-Reply has not enabled LISP-SEC. This allows the ITR 412 to securely downgrade to non LISP-SEC requests, as specified in 413 Section 6.7, if so desired. [major] If I understand correctly, this bit should only ever be set by a Map-Server. Are there other cases where setting it would be valid? If this bit is set other than by a Map-Server, what should the receiver do. Assuming my understanding is correct, please say something here about the Map-Server being the only one that can set the bit. §6.7 is about Map-Server processing, but the fact that it can set the bit doesn't explicitly preclude other from doing so. [minor] s/This allows the ITR to securely downgrade to non LISP-SEC requests, as specified in Section 6.7, if so desired./See Section 6.7 for more details. ... 417 EID HMAC ID: Identifier of the HMAC algorithm used to protect the 418 integrity of the EID-AD. This field is filled by Map-Server that 419 computed the EID-prefix HMAC. See Section 5.4 for more details, 420 and Section 8.3 for HMAC IDs that MUST be supported. [nit] s/by Map-Server/by the Map-Server [major] "Section 8.3 for HMAC IDs that MUST be supported" Same comment as above: please move the text from §8.3 to §6.4. 422 EID mask-len: Mask length for EID-prefix. 424 EID-AFI: Address family of EID-prefix according to [AFN]. 426 EID-prefix: The Map-Server uses this field to specify the EID- 427 prefix that the destination ETR is authoritative for, and is the 428 longest match for the requested EID. [major] These 3 fields, which are part of the "Rec", are the same as what is specified in §5.2/rfc6833bis. But the descriptions are different, and the EID-AFI names doesn't match EID-Prefix-AFI. Please point at the definitions in rfc6833bis: EID mask-len: As defined in §5.2/rfc6833bis. ... 430 EID HMAC: HMAC of the EID-AD computed and inserted by Map-Server. 431 Before computing the HMAC operation the EID HMAC field MUST be set 432 to 0. The HMAC MUST cover the entire EID-AD. [major] s/by Map-Server/by a Map-Server [major] "Before computing the HMAC operation the EID HMAC field MUST be set to 0. The HMAC MUST cover the entire EID-AD." §6.7.1 describes the same operation, but without using Normative language: The scope of the HMAC operation covers the entire EID-AD, from the EID-AD Length field to the EID HMAC field, which must be set to 0 before the computation. Please specify things only once! It seems to me that it may be more appropriate to include the specification in §6.7.1 (Generating a LISP-SEC Protected Encapsulated Map-Request). 434 6.2. Map-Reply LISP-SEC Extensions ... 464 MR AD Type: 1 (LISP-SEC Authentication Data). See Section 8. [] Just wondering... Why are separate registries used for ECM AD Type and MR AD Type? Are you expecting so many extensions that a single space won't be enough? 466 EID-AD Length: length (in bytes) of the EID-AD. An EID-AD MAY 467 contain multiple EID-records. Each EID-record is 4-byte long plus 468 the length of the AFI-encoded EID-prefix. [] It looks like you're mostly redefining the same fields as in the last section, at least for the EID-AD and Rec. Please point at the definitions there instead of redefining again here. If there are exceptions/variations that are east to call out then just mention those here. Otherwise, the comments from the last section apply here too. 470 KDF ID: Identifier of the Key Derivation Function used to derive 471 MS-OTK. See Section 6.7 for more details, and Section 8.5 for KDF 472 IDs that MUST be supported. [minor] §6.7 doesn't talk about the KFD ID. ... 480 EID HMAC ID: Identifier of the HMAC algorithm used to protect the 481 integrity of the EID-AD. See Section 6.7 for more details, and 482 Section 8.3 for HMAC IDs that MUST be supported. [minor] §6.7 doesn't talk about the EID HMAC ID. 484 EID mask-len: Mask length for EID-prefix. 486 EID-AFI: Address family of EID-prefix according to [RFC8060]. 488 EID-prefix: This field contains an EID-prefix that the destination 489 ETR is authoritative for, and is the longest match for the 490 requested EID. [major] Same comment as in §6.1: These 3 fields, which are part of the "Rec", are the same as what is specified in §5.2/rfc6833bis. ... 499 PKT HMAC ID: Identifier of the HMAC algorithm used to protect the 500 integrity of the Map-Reply. See Section 8.3 for HMAC IDs that 501 MUST be supported. [major] As mentioned before, please take Normative specifications out of the IANA section and move it somewhere more appropriate. 503 PKT HMAC: HMAC of the whole Map-Reply packet, including the LISP- 504 SEC Authentication Data. The scope of the authentication goes 505 from the Map-Reply Type field to the PKT HMAC field included. 506 Before computing the HMAC operation the PKT HMAC field MUST be set 507 to 0. See Section 6.8 for more details. [major] These two sentences don't seem to say the same thing: HMAC of the whole Map-Reply packet, including the LISP-SEC Authentication Data. The scope of the authentication goes from the Map-Reply Type field to the PKT HMAC field included. Does it include the Map-Reply (first sentence) or just the data defined in this document (second sentence)? The description in §6.8 is slightly clearer, but not by much: The PKT-AD contains the HMAC of the whole Map-Reply packet... The scope of the HMAC operation covers the entire PKT-AD, from the Map-Reply Type field to the PKT HMAC field... It would be better if the specification was made only once. A pointer to §6.8 should be enough here. [major] "Before computing the HMAC operation the PKT HMAC field MUST be set to 0." §6.8 describes the same operation, but without using Normative language: "...to the PKT HMAC field, which must be set to 0 before the computation." Please specify things only once! It seems to me that it may be more appropriate to include the specification in §6.8. 509 6.3. Map-Register LISP-SEC Extentions [] This section is not needed -- see below. 511 This memo is allocating one of the bits marked as Unassigned in the 512 Map-Register message defined in [I-D.ietf-lisp-rfc6833bis]. More 513 precisely, the second bit after the Type field in a Map-Register 514 message is allocated as the S bit. The S bit indicates to the Map- 515 Server that the registering ETR is LISP-SEC enabled. An ETR that 516 supports LISP-SEC MUST set the S bit in its Map-Register messages. [major] The S-bit is already allocated and defined in rfc6833bis, so the first two sentences are not needed. [major] rfc6833bis is not as explicit as the last two sentences, but it seems to me that it already covers them. This is from §5.6/rfc6833bis (Map-Register Message Format): S: This is the security-capable bit. When set, the procedures from [I-D.ietf-lisp-sec] are supported. This text doesn't explicitly require the ETR to set the bit. If you want to make that explicit, then we should update the text in rfc633bis. 518 6.4. ITR Processing: Generating a Map-Request 520 Upon creating a Map-Request, the ITR generates a random ITR-OTK that 521 is stored locally (until the corresponding Map-Reply is received), 522 together with the nonce generated as specified in 523 [I-D.ietf-lisp-rfc6833bis]. [minor] "until the corresponding Map-Reply is received" Please include a forward reference to §6.9. ... 531 The Map-Request MUST be encapsulated in an ECM, with the S-bit set to 532 1, to indicate the presence of Authentication Data. [major] "Map-Request MUST be encapsulated in an ECM" This part is confusing to me -- along with the many parts that talk about an "encapsulated Map-Request". What do you mean by an "encapsulated Map-Request"? I see 3 options: (1) The ECM Authentication Data (from Figure 1) carried in the ECM (§5.8/rfc6833bis) with the S-bit set. This is what I've been assuming because §6.1 talks about it being a Map-Request when it describes the Record Count. If so, at minimum, the text is confusing because the content of the ECM Authentication Data is different from the Map-Request from §5.2/rfc6833bis, but the names are the same. Also, the functionality from rfc6833bis is different. (2) A Map-Request (§5.2/rfc6833bis) encapsulated as the LCM in the ECM as described in §5.8/rfc6833bis. In this case, setting the S-bit, as required above would indicate that the ECM Authentication Data (from Figure 1) would also be there. If so, this document is not clear about the interaction between the two Map-Requests. Should the Records match, what if they don't, etc..? (3) A Map-Request (§5.2/rfc6833bis) encapsulated as the LCM in the ECM as described in §5.8/rfc6833bis. The S-bit is not set. I don't think this interpretation makes sense because then it wouldn't be protected at all. Please clarify here, and update the descriptions elsewhere as needed. 534 ITR-OTK is wrapped with the algorithm specified by the OTK Wrapping 535 ID field. See Section 6.5 for further details on OTK encryption. If 536 the NULL-KEY-WRAP-128 algorithm is selected and DTLS is not enabled 537 in the path between the ITR and the Map-Resolver, the Map-Request 538 MUST be dropped and an appropriate log action SHOULD be taken. [nit] s/ITR-OTK/The ITR-OTK 540 The Requested HMAC ID field contains the suggested HMAC algorithm to 541 be used by the Map-Server and the ETR to protect the integrity of the 542 ECM Authentication data and of the Map-Reply. A HMAC ID Value of 543 NONE (0), MAY be used to specify that the ITR has no preferred HMAC 544 ID. [nit] s/NONE (0), MAY/NONE (0) MAY 546 The KDF ID field specifies the suggested key derivation function to 547 be used by the Map-Server to derive the MS-OTK. A KDF Value of NONE 548 (0), MAY be used to specify that the ITR has no preferred KDF ID. [major] s/Value of NONE (0), MAY be used/Value of NONE (0) may be used Even though it is optional to use 0, the optional use of the KDF ID field by the ITR was already specified in §6.1, so this is just a statement of fact. ... 554 6.4.1. PITR Processing [minor] Please expand PITR on first use. 556 The processing performed by a PITR is equivalent to the processing of 557 an ITR. However, if the PITR is directly connected to a Mapping 558 System such as LISP+ALT [RFC6836], the PITR performs the functions of 559 both the ITR and the Map-Resolver forwarding the Map-Request 560 encapsulated in an ECM header that includes the Authentication Data 561 fields as described in Section 6.6. [?] This description of a PITR having multiple colocated functionality is not specific to the PITR, right? Also, the description is not specific to LISP+ALT, the same would happen with any Mapping System, right? It seems to me that this section is not needed. 563 6.5. Encrypting and Decrypting an OTK ... 594 Implementations of this specification MUST support OTK Wrapping ID 595 AES-KEY-WRAP-128+HKDF-SHA256 that specifies the use of the HKDF- 596 SHA256 Key Derivation Function specified in[RFC4868] to derive a per- 597 message encryption key (per-msg-key), as well as the AES-KEY-WRAP-128 598 Key Wrap algorithm used to encrypt a 128-bit OTK, according to 599 [RFC3394]. [nit] s/in[RFC4868]/in [RFC4868] 601 The key wrapping process for OTK Wrapping ID AES-KEY-WRAP-128+HKDF- 602 SHA256 is described below: 604 1. The KDF algorithm is identified by the field 'OTK Wrapping ID' 605 according to the table in Section 8.4. 607 2. The Key Wrap algorithm is identified by the field 'OTK Wrapping 608 ID' according to the table in Section 8.4. [minor] Can we merge these two steps? Also, given that other algorithms may be defined later, let's separate the process from the table itself. Suggestion> The KDF and Key Wrap algorithms are identified by the value of the 'OTK Wrapping ID' field. The initial values are documented in Table #x. 610 3. If the NULL-KEY-WRAP-128 algorithm (defined in (Section 8.4)) is 611 selected and DTLS is not enabled, the Map-Request MUST be dropped 612 and an appropriate log action SHOULD be taken. [minor] s/8.4/6.5 ... 640 6.5.1. Unencrypted OTK 642 MS-OTK confidentiality and integrity protection MUST be provided in 643 the path between the Map-Server and the ETR. Similarly, ITR-OTK 644 confidentiality and integrity protection MUST be provided in the path 645 between the ITR and the Map-Resolver. [major] This same specification is also present in §6.5. Please specify the bahavior only once. ... 676 6.7. Map-Server Processing 678 Upon receiving an ECM encapsulated Map-Request with the S-bit set to 679 1, the Map-Server process the Map-Request according to the value of 680 the security-capable S-bit and of the proxy map-reply P-bit contained 681 in the Map-Register sent by the ETRs authoritative for that prefix 682 during registration. [minor] This is a long sentence...my first read got me confused about what was meant by "the value of the security-capable S-bit" if it had just been pointed that it is set to 1. Please come up with a shortcut for "ECM encapsulated Map-Request with the S-bit set to 1". Refer back to the comments on §6.4. Suggestion: "secure Map-Request". Suggestion> Upon receiving a "secure Map-Request", the Map-Server precesses it according to the setting of the S and P-bits in the Map-Register received from the authoritative ETRs for the corresponding prefix, as described below. ... 731 In this way the ITR that sent a LISP-SEC protected Map-Request always 732 receives a LISP-SEC protected Map-Reply. However, the ETR-Cant-Sign 733 E-bit set to 1 specifies that a non LISP-SEC Map-Request might reach 734 additional ETRs that have LISP-SEC disabled. This mechanism allows 735 the ITR to securely downgrade to non LISP-SEC requests, if so 736 desired. [major] "This mechanism allows the ITR to securely downgrade to non LISP-SEC requests, if so desired." Besides the fact that "securely downgrade to non LISP-SEC" sounds like a contradiction, the "if so desired" part leaves the operation up in the air. When/why would an ITR desire to disable security? What are the use cases where it may be ok? What are the risks that should be considered? As I see it, downgrading is risky because it can open the door to overclaiming, which list-sec closes (rfc6833bis). IOW, a rogue ETR can decide not to set the S-bit (even if it did support lisp-sec) and eliminate its benefits. rfc6833bis also says this: 3. LISP-SEC [I-D.ietf-lisp-sec] MUST be implemented. Network operators should carefully weight how the LISP-SEC threat model applies to their particular use case or deployment. If they decide to ignore a particular recommendation, they should make sure the risk associated with the corresponding threats is well understood. Please add a "Deployment/Operational Considerations" section to help operators in making the decision above, particularly about when an ITR may desire to downgrade. Please include (as appropriate) information as described in §2/rfc5706. FWIW, I see the E-bit as useful as a transition mechanism: while not all the ETRs may have been upgraded then it seems ok to downgrade to maintain the operation of the network. However, I'm having a hard time seeing the value afterwards. 738 6.7.1. Generating a LISP-SEC Protected Encapsulated Map-Request ... 745 The Map-Server updates the OTK-AD by deriving a new OTK (MS-OTK) from 746 the ITR-OTK received with the Map-Request. MS-OTK is derived 747 applying the key derivation function specified in the KDF ID field. 748 If the algorithm specified in the KDF ID field is not supported, the 749 Map-Server uses a different algorithm to derive the key and updates 750 the KDF ID field accordingly. [major] If the algorithm specified in the KDF ID field is not supported, the Map-Server uses a different algorithm to derive the key and updates the KDF ID field accordingly. See the comment below (after line 775) about the future existence of multiple required/recommended algorithms. 752 MS-OTK confidentiality and integrity protection MUST be provided in 753 the path between the Map-Server and the ETR. This can be achieved 754 either by enabling DTLS between the Map-Server and the ETR, or by 755 encrypting the MS-OTK with the pre-shared secret known to the Map- 756 Server and the ETR. [major] This is specified in §6.5. Please specify behaviors only once
- [lisp] AD Review of draft-ietf-lisp-sec-25 Alvaro Retana
- Re: [lisp] AD Review of draft-ietf-lisp-sec-25 Alvaro Retana
- Re: [lisp] AD Review of draft-ietf-lisp-sec-25 Fabio Maino (fmaino)
- Re: [lisp] AD Review of draft-ietf-lisp-sec-25 Luigi Iannone
- Re: [lisp] AD Review of draft-ietf-lisp-sec-25 Alvaro Retana
- [lisp] Fwd: AD Review of draft-ietf-lisp-sec-25 Luigi Iannone
- Re: [lisp] Fwd: AD Review of draft-ietf-lisp-sec-… Alvaro Retana