Re: [lisp] Ben Campbell's No Objection on draft-ietf-lisp-impact-04: (with COMMENT)
"Ben Campbell" <ben@nostrum.com> Thu, 22 October 2015 15:08 UTC
Return-Path: <ben@nostrum.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACAFD1A8A5A; Thu, 22 Oct 2015 08:08:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R74rk7ftmcOv; Thu, 22 Oct 2015 08:08:20 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97D961A8A8B; Thu, 22 Oct 2015 08:08:20 -0700 (PDT)
Received: from [10.0.1.9] (cpe-70-119-203-4.tx.res.rr.com [70.119.203.4]) (authenticated bits=0) by nostrum.com (8.15.2/8.14.9) with ESMTPSA id t9MF8CY8052352 (version=TLSv1 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO); Thu, 22 Oct 2015 10:08:12 -0500 (CDT) (envelope-from ben@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host cpe-70-119-203-4.tx.res.rr.com [70.119.203.4] claimed to be [10.0.1.9]
From: Ben Campbell <ben@nostrum.com>
To: Luigi Iannone <ggx@gigix.net>
Date: Thu, 22 Oct 2015 10:08:12 -0500
Message-ID: <57BE6E2E-BF06-4F3C-94BE-E4EEE487D933@nostrum.com>
In-Reply-To: <2DAE09CA-B090-404C-89D6-D1EB4DA85426@gigix.net>
References: <20151021021458.7620.61602.idtracker@ietfa.amsl.com> <2DAE09CA-B090-404C-89D6-D1EB4DA85426@gigix.net>
MIME-Version: 1.0
Content-Type: text/plain; format="flowed"
X-Mailer: MailMate (1.9.2r5141)
Archived-At: <http://mailarchive.ietf.org/arch/msg/lisp/j-TnlVSGL0ZD6hBGHNRY9IGgjwY>
X-Mailman-Approved-At: Sun, 01 Nov 2015 16:47:56 -0800
Cc: lisp-chairs@ietf.org, lisp@ietf.org, draft-ietf-lisp-impact.all@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-lisp-impact@ietf.org
Subject: Re: [lisp] Ben Campbell's No Objection on draft-ietf-lisp-impact-04: (with COMMENT)
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2015 15:08:22 -0000
Thanks, those changes would address my comments. Ben. On 22 Oct 2015, at 4:08, Luigi Iannone wrote: > Hi Ben, > >> On 21 Oct 2015, at 04:14, Ben Campbell <ben@nostrum.com> wrote: >> > > [snip] >> >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> It seems odd to me that an "impacts" paper would leave security >> impacts >> out of scope. Even with the detailed security considerations in >> draft-ietf-lisp-threats, it seems like there might be some >> higher-level >> observations to make, along the lines of the rest of the draft. >> > > Yes you are right. > We proposed an updated security section in the reply to Hillarie, who > did the secdir review. > The proposed text is: > > > A thorough security and threats analysis of the LISP protocol > is carried out in details in [I-D.ietf-lisp-threats]. > Like for other Internet technologies, also for LISP most of > threats can be mitigated using Best Current Practice, meaning > with careful deployment an configuration (e.g., filter) and also > by activating only features that are really necessary in the > deployment and verifying all the information obtained from third > parties. Unless gleaning features (actually deprecated in > RFC 6830 [RFC6830]) are used, the LISP data-plane shows the > same level of security as other IP-over-IP technologies. > From a security perspective, the control-plane remains the > critical part of the LISP architecture. > To mitigate the threats on the mapping system, authentication > should be used for all control plane messages. > The current specification ([RFC6833], [I-D.ietf-lisp-sec]) > defines security > mechanisms which can reduce threats in open network environments. > The LISP specification defines a generic authentication data field > for control plane messages [RFC6830] which could be used for a > general > authentication mechanisms for the LISP control-plane while staying > backward compatible. > > > >> Along those lines, if you want to refer to draft-ietf-lisp-threats >> for >> security considerations, it needs to be a normative reference. >> >> > > Absolutely. We will move the document as normative reference. > > thanks > > Luigi
- Re: [lisp] Ben Campbell's No Objection on draft-i… Luigi Iannone
- [lisp] Ben Campbell's No Objection on draft-ietf-… Ben Campbell
- Re: [lisp] Ben Campbell's No Objection on draft-i… Ben Campbell