Re: [mpls] Stephen Farrell's No Objection on draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15: (with COMMENT)

Gregory Mirsky <gregory.mirsky@ericsson.com> Thu, 19 November 2015 04:03 UTC

From: Gregory Mirsky <gregory.mirsky@ericsson.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
Thread-Topic: Stephen Farrell's No Objection on draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15: (with COMMENT)
Thread-Index: AQHRImHY5+v//ckBgESjvywcna6X7Z6isj1Q
Date: Thu, 19 Nov 2015 04:03:25 +0000
Message-ID: <7347100B5761DC41A166AC17F22DF11221942DFE@eusaamb103.ericsson.se>
References: <20151119003257.1445.91117.idtracker@ietfa.amsl.com>
In-Reply-To: <20151119003257.1445.91117.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <http://mailarchive.ietf.org/arch/msg/mpls/aQ2UuhgbANv9RiM-BcewwhQuPtw>
Cc: "draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf.all@ietf.org" <draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf.all@ietf.org>, "draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf@ietf.org" <draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf@ietf.org>, "rcallon@juniper.net" <rcallon@juniper.net>, "mpls-chairs@ietf.org" <mpls-chairs@ietf.org>, "mpls@ietf.org" <mpls@ietf.org>
Subject: Re: [mpls] Stephen Farrell's No Objection on draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15: (with COMMENT)

Hi Stephen,

Thank you for your review and comments. Please find my answers in-line and tagged GIM>>. Hope we can find a good solution to address your concern with BFD security.

Regards,

Greg



-----Original Message-----
From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
Sent: Wednesday, November 18, 2015 4:33 PM
To: The IESG
Cc: draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf@ietf.org; draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf.all@ietf.org; mpls-chairs@ietf.org; rcallon@juniper.net; mpls@ietf.org
Subject: Stephen Farrell's No Objection on draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15: (with COMMENT)



Stephen Farrell has entered the following ballot position for draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15: No Objection



When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)





Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions.





The document, along with other ballot positions, can be found here:

https://datatracker.ietf.org/doc/draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf/







----------------------------------------------------------------------

COMMENT:

----------------------------------------------------------------------





- 2.1.1, is there any chance of moving on from the "Keyed SHA1" from RFC5880 to e.g. HMAC-SHA256 for this? We're generally trying to get that kind of transition done as we can and moving to use of a standard integrity check rather than a more home-grown one has some benefits. The HMAC-SHA1-like thing you're doing is still probably ok, (though could maybe do with crypto eyeballs on it as there may have been relevant new results since 2010) but future-proofing would suggest moving to HMAC-SHA256 if we can. (I can imagine such a change might require a new document, but am asking anyway:-)

GIM>> The fact is that we're bound by what is defined in RFC 5880. There was a proposal to strengthen BFD security, BFD Generic Cryptographic Authentication <http://tools.ietf.org/html/draft-bhatia-bfd-crypto-auth-03>, but the document had expired.



- 2.1.1, I'd recommend saying any password auth-type MUST NOT be used - would that be possible?

GIM>> I think that we’ll need to make changes to RFC 5880 first (5880bis?). Besides, there’s RFC 7487 that describes RSVP-TE extensions to configure MPLS-TP OAM.



- section 6 - what "established secure key-exchange protocol" is available to use here?

GIM>> The document considers key exchange mechanisms to be outside its scope. The mechanisms used are only assumed and not discussed at length in the document.



- (this is sort of off-topic) I find an architecture like this where a packet traversing a network has quite so many side-effects a bit hard to grok. Do you have a pointer to something (not too long:-) that explains the consequences of that?

GIM>> The first paragraph of the Security Considerations section refers to some scenarios that may suffice due to conditions (overload) in the management plane. The third paragraph of the same section notes the need to have a sufficient security mechanism for LSP Ping communication.
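Added illustration, not part of this thread or of the draft: the difference Stephen is pointing at is that RFC 5880 Keyed SHA1 hashes the packet with the shared key copied into the Auth Key/Hash field (a keyed hash), whereas an HMAC keeps the key out of the hashed data. The Auth Type value 250 and the 40-byte auth section for the HMAC-SHA256 variant are assumptions for illustration only; RFC 5880 registers no such type, and the BFD packet fields are constructed sample values.

```python
import hashlib
import hmac
import struct

AUTH_TYPE_KEYED_SHA1 = 4     # registered in RFC 5880 section 4.4
SHA1_AUTH_LEN = 28           # 8-byte auth header + 20-byte Auth Key/Hash field
AUTH_TYPE_HMAC_SHA256 = 250  # HYPOTHETICAL: no such Auth Type is registered
HMAC256_AUTH_LEN = 40        # 8-byte auth header + 32-byte MAC field (assumed)

def bfd_control_packet(my_disc: int, your_disc: int, auth_len: int) -> bytes:
    """Constructed 24-byte mandatory section (RFC 5880 section 4.1): vers=1,
    state Up, A bit set; the Length field covers the authentication section."""
    vers_diag = 1 << 5
    sta_flags = (3 << 6) | 0x04
    return struct.pack(">BBBBIIIII", vers_diag, sta_flags, 3, 24 + auth_len,
                       my_disc, your_disc, 1_000_000, 1_000_000, 0)

def keyed_sha1_auth(packet: bytes, key: bytes, key_id: int, seq: int) -> bytes:
    """RFC 5880 Keyed SHA1: the shared key, zero padded to 20 bytes, is written
    into the Auth Key/Hash field, plain SHA1 is taken over the whole packet and
    the digest then replaces the key on the wire (a keyed hash, not an HMAC)."""
    if len(key) > 20:
        raise ValueError("RFC 5880 SHA1 keys are at most 20 bytes")
    hdr = struct.pack(">BBBBI", AUTH_TYPE_KEYED_SHA1, SHA1_AUTH_LEN, key_id, 0, seq)
    digest = hashlib.sha1(packet + hdr + key.ljust(20, b"\x00")).digest()
    return packet + hdr + digest

def verify_keyed_sha1(wire: bytes, key: bytes) -> bool:
    body, received = wire[:-20], wire[-20:]
    expected = hashlib.sha1(body + key.ljust(20, b"\x00")).digest()
    return hmac.compare_digest(received, expected)   # constant-time compare

def hmac_sha256_auth(packet: bytes, key: bytes, key_id: int, seq: int) -> bytes:
    """Hypothetical HMAC-SHA256 variant: the MAC field is zeroed while the MAC
    is computed, the key never appears in the hashed data, and keys of any
    length are accepted because HMAC processes the key internally."""
    hdr = struct.pack(">BBBBI", AUTH_TYPE_HMAC_SHA256, HMAC256_AUTH_LEN, key_id, 0, seq)
    mac = hmac.new(key, packet + hdr + bytes(32), hashlib.sha256).digest()
    return packet + hdr + mac

def verify_hmac_sha256(wire: bytes, key: bytes) -> bool:
    body, received = wire[:-32], wire[-32:]
    expected = hmac.new(key, body + bytes(32), hashlib.sha256).digest()
    return hmac.compare_digest(received, expected)
```

Both verifiers reject a wrong key and any modified byte of the packet; the security difference lies in the construction, not in this behaviour.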