[lisp] FW: SECDIR review of draft-ietf-lisp-pubsub-06

"Alberto Rodriguez Natal (natal)" <natal@cisco.com> Tue, 17 November 2020 04:35 UTC

From: "Alberto Rodriguez Natal (natal)" <natal@cisco.com>
To: "lisp@ietf.org" <lisp@ietf.org>
Date: Tue, 17 Nov 2020 04:35:26 +0000
Message-ID: <B62E7E8A-C749-4295-A173-CB8F68CA576B@cisco.com>
References: <cee3ecb4-af25-289a-5a18-862142574f87@gmail.com>
In-Reply-To: <cee3ecb4-af25-289a-5a18-862142574f87@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/yQfrYl4iBYJ1oXNviy9q3SfXC_8>
Subject: [lisp] FW: SECDIR review of draft-ietf-lisp-pubsub-06

While working on the PubSub slides for the WG session, I realized that the WG list was not in CC on the SECDIR review of PubSub. 

Forwarding the review now in case some of you might have missed it.

Alberto

On 10/1/20, 5:35 AM, "Chris Lonvick" <lonvick.ietf@gmail.com> wrote:

    Hi,

    I have reviewed this document as part of the security directorate's 
    ongoing effort to review all IETF documents being processed by the IESG. 
    These comments were written primarily for the benefit of the security 
    area directors. Document editors and WG chairs should treat these 
    comments just like any other last call comments.

    This is an "Early Review Request" so I'm going to mark the draft as 
    READY WITH NITS.

    It appears that there's a raft of drafts of LISP documents progressing 
    together through the WG that cross-reference each other in that they all 
    provide foundation and support for their collective features. (I'll 
    admit that I haven't been keeping up.) So if my nits have been addressed 
    in another document, that just means that I didn't dig far or deep 
    enough so please consider giving a pointer in the Security 
    Considerations of this document so others won't similarly be left adrift.

    In this document, and the associated others that I peered into, the term 
    "nonce" seems to be used more as a "token" than, well, what I consider 
    to be a nonce. In one case it may be a random value, but in several 
    others the value is stored, compared, and reused.  This is inconsistent 
    with the IETF's Security Glossary RFC 4949.

    Also, there is a reference to increasing the nonce for a particular use. 
    However, I saw no discussion of what to do when the value exceeds the 
    field space.

    Other than that, the document appears to be well written and well 
    thought out.

    Best regards,

    Chris
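An added illustration of the distinction the review draws, written for this archive page; it is not code from draft-ietf-lisp-pubsub, from the review, or from any LISP implementation. It assumes a 64-bit nonce field (NONCE_BITS is my assumption, chosen because LISP control messages carry a 64-bit nonce; nothing here depends on the draft's actual procedures). RequestNonces, SequenceToken and is_newer are names invented for the example. The first class is a nonce in the RFC 4949 sense: fresh, unpredictable, consumed by the one reply it matches, so a replayed reply is rejected. The second is the "stored, compared and incremented" usage the review calls a token, and shows what happens when the value reaches the end of the field: it wraps, and a naive "received > last_seen" comparison then rejects every legitimate message, so the comparison has to be done in serial-number arithmetic (the RFC 1982 style) instead.

```python
import secrets

# Assumption for this example: a 64-bit nonce/token field.
NONCE_BITS = 64
NONCE_MASK = (1 << NONCE_BITS) - 1


class RequestNonces:
    """A nonce as RFC 4949 uses the word: random, single-use, tied to one
    outstanding request and discarded when the matching reply arrives."""

    def __init__(self):
        self.outstanding = set()

    def issue(self) -> int:
        # Draw from a CSPRNG; loop only guards against the astronomically
        # unlikely collision with a value that is still outstanding.
        while True:
            n = secrets.randbits(NONCE_BITS)
            if n not in self.outstanding:
                self.outstanding.add(n)
                return n

    def accept_reply(self, n: int) -> bool:
        # Single use: the second delivery of the same reply (a replay) fails.
        if n in self.outstanding:
            self.outstanding.discard(n)
            return True
        return False


class SequenceToken:
    """A stored value that is compared and incremented on each use: a
    sequence token, not a nonce. Incrementing in a fixed-width field wraps."""

    def __init__(self, start: int = 0):
        self.value = start & NONCE_MASK

    def next(self) -> int:
        # Masking models the field width: 2**64 - 1 + 1 becomes 0.
        self.value = (self.value + 1) & NONCE_MASK
        return self.value


def is_newer_naive(received: int, last_seen: int) -> bool:
    """Plain integer comparison: breaks at wrap-around (0 is not > 2**64-1)."""
    return received > last_seen


def is_newer(received: int, last_seen: int) -> bool:
    """Serial-number comparison (RFC 1982 style): 'received' is newer if it
    is ahead of 'last_seen' by less than half the field, modulo 2**NONCE_BITS.
    This stays correct across the wrap, where the naive test does not."""
    half = 1 << (NONCE_BITS - 1)
    diff = (received - last_seen) & NONCE_MASK
    return 0 < diff < half


def demo():
    # Nonce: one reply per request, replay rejected.
    nonces = RequestNonces()
    n = nonces.issue()
    first, replay = nonces.accept_reply(n), nonces.accept_reply(n)

    # Token: start one step before the end of the field and step over the wrap.
    tok = SequenceToken(NONCE_MASK - 1)
    before_wrap, after_wrap = tok.next(), tok.next()
    return {
        "first_reply_accepted": first,
        "replay_accepted": replay,
        "before_wrap": before_wrap,
        "after_wrap": after_wrap,
        "naive_accepts_wrapped": is_newer_naive(after_wrap, before_wrap),
        "serial_accepts_wrapped": is_newer(after_wrap, before_wrap),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the two comparison functions is the one the review raises: a receiver that stores the last token it saw and only accepts strictly larger values stops accepting anything once the sender's counter wraps, unless the comparison is defined modulo the field size (and the specification says so).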