[lisp] FW: SECDIR review of draft-ietf-lisp-pubsub-06
"Alberto Rodriguez Natal (natal)" <natal@cisco.com> Tue, 17 November 2020 04:35 UTC
From: "Alberto Rodriguez Natal (natal)" <natal@cisco.com>
To: "lisp@ietf.org" <lisp@ietf.org>
Date: Tue, 17 Nov 2020 04:35:26 +0000
Message-ID: <B62E7E8A-C749-4295-A173-CB8F68CA576B@cisco.com>
References: <cee3ecb4-af25-289a-5a18-862142574f87@gmail.com>
In-Reply-To: <cee3ecb4-af25-289a-5a18-862142574f87@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/lisp/yQfrYl4iBYJ1oXNviy9q3SfXC_8>
Subject: [lisp] FW: SECDIR review of draft-ietf-lisp-pubsub-06
While working on the PubSub slides for the WG session, I realized that the WG list was not in CC on the SECDIR review of PubSub. Forwarding the review now in case some of you might have missed it.

Alberto

On 10/1/20, 5:35 AM, "Chris Lonvick" <lonvick.ietf@gmail.com> wrote:

Hi,

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This is an "Early Review Request" so I'm going to mark the draft as READY WITH NITS.

It appears that there's a raft of drafts of LISP documents progressing together through the WG that cross-reference each other in that they all provide foundation and support for their collective features. (I'll admit that I haven't been keeping up.) So if my nits have been addressed in another document, that just means that I didn't dig far or deep enough, so please consider giving a pointer in the Security Considerations of this document so others won't similarly be left adrift.

In this document, and the associated others that I peered into, the term "nonce" seems to be used more as a "token" than, well, what I consider to be a nonce. In one case it may be a random value, but in several others the value is stored, compared, and reused. This is inconsistent with the IETF's Security Glossary, RFC 4949.

Also, there is a reference to increasing the nonce for a particular use. However, I saw no discussion of what to do when the value exceeds the field space.

Other than that, the document appears to be well written and well thought out.

Best regards,
Chris
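To make the two points in the forwarded review concrete, here is an added example (written for this archive page; it is not code from the PubSub draft, the reviewer, or any LISP implementation). It contrasts a nonce in the RFC 4949 sense (a fresh, unpredictable value that is accepted exactly once) with a monotonically increased value held in a fixed-width field, where the caller must decide what happens when the field is exhausted rather than silently wrapping to a value that was already used. The field width of 64 bits is an assumption for illustration; the review does not state a width.

```python
import secrets

# Assumed field width for illustration; the review does not give one.
NONCE_BITS = 64


class OneTimeNonces:
    """Nonces as RFC 4949 describes them: random, issued once, accepted once.

    A value is recorded when issued and discarded on first acceptance, so a
    replay of the same value is rejected instead of being "compared and reused".
    """

    def __init__(self, bits=NONCE_BITS):
        self.bits = bits
        self.outstanding = set()

    def issue(self):
        # Fresh unpredictable value; re-draw on the (negligible) chance that it
        # collides with a value that is still outstanding.
        while True:
            n = secrets.randbits(self.bits)
            if n not in self.outstanding:
                self.outstanding.add(n)
                return n

    def accept(self, n):
        # Exactly-once semantics: the second presentation of a value fails.
        if n in self.outstanding:
            self.outstanding.remove(n)
            return True
        return False


class CounterValue:
    """A value that is 'increased' for each use and stored in a fixed-width field.

    This is the token-like usage the review describes. Incrementing such a value
    must stop at the field limit; wrapping to zero would hand out values that
    peers may still hold, which defeats the freshness the field is meant to give.
    """

    def __init__(self, bits=NONCE_BITS, start=0):
        self.limit = (1 << bits) - 1
        if not 0 <= start <= self.limit:
            raise ValueError("start value does not fit the field")
        self.value = start

    def next(self):
        if self.value >= self.limit:
            # The field space is exhausted: refuse rather than wrap. A protocol
            # spec has to say what the peer does here (e.g. re-establish state).
            raise OverflowError("counter field exhausted; refusing to wrap")
        self.value += 1
        return self.value

    def remaining(self):
        # How many increments are left before the field is exhausted.
        return self.limit - self.value


def demo():
    """Runs both models on constructed values and returns the observations."""
    nonces = OneTimeNonces()
    n = nonces.issue()
    first = nonces.accept(n)    # True: fresh value accepted
    replay = nonces.accept(n)   # False: same value presented again

    # A tiny 8-bit field makes exhaustion easy to reach in a demo.
    ctr = CounterValue(bits=8, start=253)
    seq = [ctr.next(), ctr.next()]  # 254, 255
    try:
        ctr.next()
        wrapped = True
    except OverflowError:
        wrapped = False
    return {"first": first, "replay": replay, "seq": seq, "wrapped": wrapped,
            "remaining": ctr.remaining()}


if __name__ == "__main__":
    print(demo())
```

The `accept` path is where the review's distinction lives: a real nonce is consumed on first use, whereas a stored-and-compared value that survives acceptance is functioning as a token, and the spec should say so. The `CounterValue.next` guard is the missing piece the review asks about for the "increasing" case: the document needs to specify the behaviour at the field limit, and refusing to wrap is the conservative default.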