IETF Logo Mail Archive

Re: [lisp] Kathleen Moriarty's No Objection on draft-ietf-lisp-impact-04: (with COMMENT)

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 22 October 2015 14:12 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: lisp@ietfa.amsl.com
Delivered-To: lisp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 328951A8711; Thu, 22 Oct 2015 07:12:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WuCgi1C689yQ; Thu, 22 Oct 2015 07:12:47 -0700 (PDT)
Received: from mail-wi0-x235.google.com (mail-wi0-x235.google.com [IPv6:2a00:1450:400c:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16AD11A90B6; Thu, 22 Oct 2015 07:12:46 -0700 (PDT)
Received: by wijp11 with SMTP id p11so34222359wij.0; Thu, 22 Oct 2015 07:12:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=IrfX4zTucZR74Hzgqkn5rm3BQqb97uh1Ho2qsODyzRs=; b=A1DSmJhwTOkRZbnISJARts1rtEeRjkM/HLkSM5UNQgzX30klcRWvnI8QDfFbQUo5+e s38gMx+jHlJAq6T5GULCLJi+uPGDPhNPiztb6++ALfQWS+Gb0g/zL6DnkGmhjEnpmB+/ GD4E+azsiRMetdITNtH7/5szHxEsHo5tuIEXcPgr+nq3J4SWsIjVOUvNNEcWsLnmpfj2 a9kgONF5k8eVEkDkgPTGxeoeuJo+bVCx9ZQY82ZDv7V6uX+PhKb1RU8MmKAi42z0wlUT SR/gs0aJ7yUk9IAQLPPziqJWnlMIEPq1UeZfbOWYQiIOf1+61NRjFQvs1WycrHxOmTew xu5w==
MIME-Version: 1.0
X-Received: by 10.195.11.72 with SMTP id eg8mr20015159wjd.14.1445523162588; Thu, 22 Oct 2015 07:12:42 -0700 (PDT)
Received: by 10.28.214.213 with HTTP; Thu, 22 Oct 2015 07:12:42 -0700 (PDT)
In-Reply-To: <79A908E5-6DAE-47A5-AB86-7DAC84ECE5D9@gigix.net>
References: <20151021165230.18223.65896.idtracker@ietfa.amsl.com> <DF2097B2-704A-4A9A-84F2-0C5870925B9B@gigix.net> <56C57AAF-DBD9-42D8-987E-2435871DC5C6@gmail.com> <CAHbuEH5n0+Q1x-CYyDWTwFUVz2PM87xUVkaiXuHzUTfH8rwS5A@mail.gmail.com> <79A908E5-6DAE-47A5-AB86-7DAC84ECE5D9@gigix.net>
Date: Thu, 22 Oct 2015 10:12:42 -0400
Message-ID: <CAHbuEH4CfOJGE8kGA6GkNKSee=2WOxA6XJQUvF67oJD6BxbJng@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Luigi Iannone <ggx@gigix.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/lisp/lg74Cg_oLK7veqhIEh1ZOPFWHns>
Cc: "lisp-chairs@ietf.org" <lisp-chairs@ietf.org>, "lisp@ietf.org" <lisp@ietf.org>, "draft-ietf-lisp-impact.all@ietf.org" <draft-ietf-lisp-impact.all@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-lisp-impact@ietf.org" <draft-ietf-lisp-impact@ietf.org>
Subject: Re: [lisp] Kathleen Moriarty's No Objection on draft-ietf-lisp-impact-04: (with COMMENT)
X-BeenThere: lisp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List for the discussion of the Locator/ID Separation Protocol <lisp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lisp>, <mailto:lisp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lisp/>
List-Post: <mailto:lisp@ietf.org>
List-Help: <mailto:lisp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lisp>, <mailto:lisp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Oct 2015 14:12:50 -0000

Thank you!

On Thu, Oct 22, 2015 at 10:01 AM, Luigi Iannone <ggx@gigix.net> wrote:
> HI Kathleen,
>
> yes, a reference on gleaning and related issues can be added easily.
>
> ciao
>
> Luigi
>
>
>> On 22 Oct 2015, at 15:07, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
>>
>> Luigi,
>>
>> Just one more question.
>>
>> On Thu, Oct 22, 2015 at 7:06 AM, Kathleen Moriarty
>> <kathleen.moriarty.ietf@gmail.com> wrote:
>>> Hi Luigi,
>>>
>>> Thank you!  It must not have gone to the SecDir list.  I had noticed at least one of the changes.
>>>
>>> Best regards,
>>> Kathleen
>>>
>>> Sent from my iPhone
>>>
>>>> On Oct 22, 2015, at 5:32 AM, Luigi Iannone <ggx@gigix.net> wrote:
>>>>
>>>> Hi Kathleen,
>>>>
>>>>> On 21 Oct 2015, at 18:52, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:
>>>>
>>>> [snip]
>>>>
>>>>>
>>>>>
>>>>> ----------------------------------------------------------------------
>>>>> COMMENT:
>>>>> ----------------------------------------------------------------------
>>>>>
>>>>> Hello,
>>>>>
>>>>> There was no follow up or changes (it seems) as a result of the SecDir
>>>>> review.  It would be helpful to address the questions on the aim of this
>>>>> draft and how it applies to security for the user and impact of LISP.
>>>>> https://www.ietf.org/mail-archive/web/secdir/current/msg06103.html
>>>>
>>>> There was actually a follow up  (see below) or ami I missing something?
>>>>
>>>> Let me know.
>>>>
>>>> ciao
>>>>
>>>> L.
>>>>
>>>>
>>>> %—— Last reply to Hilarie on 20th October———————%
>>>> Hi Hilarie,
>>>>
>>>> Thanks again for your reply.
>>>> please find our comments inline.
>>>>
>>>> ciao
>>>>
>>>> Luigi
>>>>
>>>>
>>>>> On 19 Oct 2015, at 21:02, Hilarie Orman <ho@alum.mit.edu> wrote:
>>>>>
>>>>> [NB: this is in re draft-ietf-lisp-impact-04]
>>>>>
>>>>> A few comments and suggestions:
>>>>>
>>>>>  Unless gleaning features (actually deprecated in
>>>>>  RFC 6830 [RFC6830]) are used,
>>>>>
>>>>> I don't see that gleaning is deprecated.  In any event, how does gleaning
>>>>> undermine security?
>>>>
>>>> This is actually discussed in sections 6 and 12 of RFC6830 and analysed in Section 3.1 of draft-ietf-lisp-threats.
>>
>> Could you add an explicit reference so ti tis clear that this has been
>> documented?
>>
>> It would also be good to see how the impact of LISP on security too as
>> this is an impact draft.
>>
>> Thank you,
>> Kathleen
>>
>>>>
>>>>>
>>>>>                                 the  LISP data-plane shows the
>>>>>  same level of security as other IP-over-IP technologies.
>>>>>  From a security perspective, the control-plane remains the
>>>>>  critical part of the LISP architecture.
>>>>>
>>>>>  To maximally mitigate the threats on the mapping
>>>>>
>>>>> I doubt authentication is "maximal" mitigation.  It just mitigates.
>>>>
>>>> Agreed. The sentence will be simplified as just “To mitigate the threats…."
>>>>
>>>>>
>>>>>  system, authentication must be used, whenever possible, for all
>>>>>
>>>>> When would it be impossible to use authentication?
>>>>
>>>> The idea was to hint at deployments in ressource constrained environments.
>>>> It might in fact be misleading. The whole sentence can be reworded as follows:
>>>>
>>>>   To mitigate the threats on the mapping system, authentication
>>>>   should be used for all control plane messages.
>>>>
>>>>
>>>>>  control plane messages.
>>>>>
>>>>>  Current specification already offer security mechanisms
>>>>>  ([RFC6833],  [I-D.ietf-lisp-sec]) able to strongly reduce threats
>>>>>  in non-trustable environments such as the Internet.
>>>>>
>>>>> "The currenet specification defines security mechanisms which can
>>>>> reduce threats in open network environments”
>>>>
>>>> Just to keep the references, the sentence can be:
>>>>
>>>>   The current specification ([RFC6833],  [I-D.ietf-lisp-sec]) defines security
>>>>   mechanisms which can reduce threats in open network environments.
>>>>
>>>>
>>>>> ?
>>>>
>>>>>  Actually, LISP specifications define a generic authentication data field
>>>>>  control plane messages [RFC6830] allowing to propose a general
>>>>>  authentication mechanisms for the LISP control-plane while staying
>>>>>  backward compatible.
>>>>>
>>>>> "The LISP specification defines a generic authentication data field
>>>>>  for control plane messages [RFC6830] which could be used for a general
>>>>>  authentication mechanisms for the LISP control-plane while staying
>>>>>  backward compatible. "  ??
>>>>
>>>> Reads much better, thanks.
>>>>
>>>> Luigi
>>>>
>>>>> Hilarie
>>>>>
>>>>>> Subject: Re: review of draft-saucez-lisp-impact-04.txt
>>>>>> From: Luigi Iannone <luigi.iannone@telecom-paristech.fr>
>>>>>> Date: Sat, 17 Oct 2015 21:49:24 +0200
>>>>>> Cc: Damien Saucez <damien.saucez@inria.fr>,
>>>>>>      draft-saucez-lisp-impact@tools.ietf.org, secdir@ietf.org,
>>>>>>      The IESG <iesg@ietf.org>
>>>>>
>>>>>> Hi Hilarie,
>>>>>
>>>>>> In the current format the security section just states that actually
>>>>>> security is out of the scope of the document.
>>>>>> This was actually an outcome of the WG discussion, were it was
>>>>>> decided to clearly separate security and impact.
>>>>>
>>>>>
>>>>>> Yet, it is true that the security section is poor, while
>>>>>> security analysis is out of the scope of the document, it does not
>>>>>> mean that we cannot mention the major security points
>>>>>> thoroughly analysed in the threats document.
>>>>>
>>>>>
>>>>>> Hence we propose to modify the security section as follows:
>>>>>
>>>>>> Old Version:
>>>>>
>>>>>>      Security and threats analysis of the LISP protocol is out of the
>>>>>>      scope of the present document.  A thorough analysis of LISP security
>>>>>>      threats is detailed in [I-D.ietf-lisp-threats].
>>>>>
>>>>>
>>>>>> NEW Version:
>>>>>
>>>>>>      A thorough security and threats analysis of the LISP protocol
>>>>>>      is carried out in details in [I-D.ietf-lisp-threats].
>>>>>>      Like for other Internet technologies, also for LISP most of
>>>>>>      threats can be mitigated using Best Current Practice, meaning
>>>>>>      with careful deployment an configuration (e.g., filter) and also
>>>>>>      by activating only features that are really necessary in the
>>>>>>    deployment and verifying all the information obtained from third
>>>>>>      parties. Unless gleaning features (actually deprecated in
>>>>>>      RFC 6830 [RFC6830]) are used, the  LISP data-plane shows the
>>>>>>      same level of security as other IP-over-IP technologies.
>>>>>>      From a security perspective, the control-plane remains the
>>>>>>      critical part of the LISP architecture.
>>>>>>      To maximally mitigate the threats on the mapping
>>>>>>      system, authentication must be used, whenever possible, for all
>>>>>>      control plane messages.
>>>>>>      Current specification already offer security mechanisms
>>>>>>      ([RFC6833],  [I-D.ietf-lisp-sec]) able to strongly reduce threats
>>>>>>      in non-trustable environments such as the Internet.
>>>>>>      Actually, LISP specifications define a generic authentication data field
>>>>>>      control plane messages [RFC6830] allowing to propose a general
>>>>>>      authentication mechanisms for the LISP control-plane while staying
>>>>>>      backward compatible.
>>>>>
>>>>>
>>>>>> We hope this delivers the information you were looking for.
>>>>>
>>>>>> ciao
>>>>>
>>>>>> Luigi
>>>>>
>>>>>
>>>>>>> On 13 Oct 2015, at 19:28, Hilarie Orman <ho@alum.mit.edu> wrote:
>>>>>>>
>>>>>>> Thanks for pointing out my mistake.  I have now reviewed
>>>>>>> draft-ietf-lisp-impact-04 and the same comments about security apply.
>>>>>>>
>>>>>>> Hilarie
>>>>>>>
>>>>>>>> From: Damien Saucez <damien.saucez@inria.fr>
>>>>>>>> Date: Tue, 13 Oct 2015 08:13:08 +0200
>>>>>>>
>>>>>>>
>>>>>>>> Thank you for the review. I would have a question regarding the document you reviewed. Did you review th
>>>>>>>
>>>>>>>> draft-sauces-lisp-impact-04
>>>>>>>
>>>>>>>> or
>>>>>>>
>>>>>>>> draft-ietf-lisp-impact-04
>>>>>>>
>>>>>>>> Thank you,
>>>>>>>
>>>>>>>> Damien Saucez
>>>>>>>
>>>>>>>> On 13 Oct 2015, at 05:01, Hilarie Orman <ho@alum.mit.edu> wrote:
>>>>>>>
>>>>>>>>> Secdir review of LISP Impact
>>>>>>>>> draft-saucez-lisp-impact-04.txt
>>>>>>>>>
>>>>>>>>> Do not be alarmed.  I have reviewed this document as part of the
>>>>>>>>> security directorate's ongoing effort to review all IETF documents
>>>>>>>>> being processed by the IESG.  These comments were written primarily
>>>>>>>>> for the benefit of the security area directors.  Document editors and
>>>>>>>>> WG chairs should treat these comments just like any other last call
>>>>>>>>> comments.
>>>>>>>>>
>>>>>>>>> A new way of handling routing information has been defined in IETF
>>>>>>>>> documents about the Locator/Identifier Separation Protocol (LISP).
>>>>>>>>> The draft under discussion here elaborates on the possible
>>>>>>>>> consequences of widespread use of LISP.
>>>>>>>>>
>>>>>>>>> The draft punts on security considerations and refers to previous
>>>>>>>>> documents describing threats to LISP and how LISP uses cryptography
>>>>>>>>> for protecting the integrity of its messages.
>>>>>>>>>
>>>>>>>>> It seems to me that if the purported impact of LISP is to "scale the
>>>>>>>>> Internet", then its impact on security should be a major part of the
>>>>>>>>> equation.  Will it make routing information more or less vulnerable
>>>>>>>>> malicious manipulation?  How will it affect the stability of a network
>>>>>>>>> that is under constant threat of attack?
>>>>>>>>>
>>>>>>>>> I don't feel that the draft can achieve its purpose without addressing
>>>>>>>>> security.
>>>>>>>>>
>>>>>>>>> Hilarie
>>>>>>>>>
>>>>>>>>> PS. I was very disappointed to realize that this was not a draft
>>>>>>>>> about my favorite programming language.
>>>>
>>>>
>>
>>
>>
>> --
>>
>> Best regards,
>> Kathleen
>



-- 

Best regards,
Kathleen

v2.23.0 | Report a Bug | By Email