[lisp] Roman Danyliw's No Objection on draft-ietf-lisp-gpe-17: (with COMMENT)
Roman Danyliw via Datatracker <noreply@ietf.org> Wed, 08 July 2020 22:08 UTC
Roman Danyliw has entered the following ballot position for
draft-ietf-lisp-gpe-17: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-lisp-gpe/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Section 4. Per “When a LISP-GPE router performs Ethernet encapsulation, the inner header 802.1Q [IEEE.802.1Q_2014] VLAN Identifier (VID) MAY be mapped to, or used to determine the LISP Instance IDentifier (IID) field”, as noted in a DISCUSS item in my ballot on draft-ietf-lisp-rfc6830bis-32, using Instance ID values as 802.1Q tags without integrity protection seems problematic in the public internet scenario. Please add cautionary language recommending integrity protection.

Section 7. Per “LISP-GPE, as many encapsulations that use optional extensions, is subject to on-path adversaries that by manipulating the P-Bit and the packet itself can remove part of the payload or claim to encapsulate any protocol payload type”, it’s worse than that – (in the absence of integrity protection and like LISP in general) an on-path attacker can make arbitrary modifications to the packet (like an 802.1Q tag in the encapsulated Ethernet, or the Instance ID using an 802.1Q tag).
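The Section 7 concern above, illustrated as an added example that is neither the draft's nor the reviewer's code: it assumes the 8-byte LISP-GPE header layout (flag bits N L E V I P R R in the first byte, Next Protocol in the low 8 bits of the first word when P=1, a 24-bit Instance ID in the high bits of the second word when I=1) and an assumed HMAC-SHA256 tag over header and payload as the integrity protection. A receiver that verifies the tag before honoring the P-bit, Next Protocol or IID rejects a header changed in transit, while an unauthenticated parse would simply accept the changed values.

```python
import hashlib
import hmac
import struct

# Assumed LISP-GPE header layout (from the draft; treated as an assumption here):
# word 1: flag bits N L E V I P R R, then 24 bits whose low 8 bits carry
#         Next Protocol when P=1
# word 2: 24-bit Instance ID + 8 bits Locator-Status-Bits when I=1
FLAG_I = 0x08        # bit 4 of the first byte: Instance ID present
FLAG_P = 0x04        # bit 5 of the first byte: Next Protocol present
NP_ETHERNET = 0x03   # Next Protocol value for an encapsulated Ethernet frame
TAG_LEN = 32         # HMAC-SHA256 tag appended after the payload (assumed)


def build_gpe_header(next_proto: int, iid: int) -> bytes:
    """8-byte LISP-GPE header with P=1 (Next Protocol) and I=1 (Instance ID)."""
    word1 = ((FLAG_I | FLAG_P) << 24) | (next_proto & 0xFF)
    word2 = (iid & 0xFFFFFF) << 8
    return struct.pack("!II", word1, word2)


def parse_gpe_header(hdr: bytes) -> dict:
    """Unauthenticated parse: trusts whatever the P/I bits and fields say."""
    word1, word2 = struct.unpack("!II", hdr[:8])
    flags = word1 >> 24
    return {
        "p_bit": bool(flags & FLAG_P),
        "next_proto": (word1 & 0xFF) if flags & FLAG_P else None,
        "iid": (word2 >> 8) if flags & FLAG_I else None,
    }


def seal(key: bytes, hdr: bytes, payload: bytes) -> bytes:
    """Encapsulate and append an integrity tag over header + payload (assumed mechanism)."""
    tag = hmac.new(key, hdr + payload, hashlib.sha256).digest()
    return hdr + payload + tag


def open_checked(key: bytes, pkt: bytes):
    """Verify the tag before trusting P-bit, Next Protocol or IID; None if altered."""
    body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return parse_gpe_header(body), body[8:]
```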