Re: [Pce] Roman Danyliw's No Objection on draft-ietf-pce-pcep-flowspec-10: (with COMMENT)
Adrian Farrel <adrian@olddog.co.uk> Wed, 26 August 2020 21:26 UTC
Return-Path: <adrian@olddog.co.uk>
X-Original-To: pce@ietfa.amsl.com
Delivered-To: pce@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DE7F3A07E0; Wed, 26 Aug 2020 14:26:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I_XMlCgoq9vY; Wed, 26 Aug 2020 14:26:34 -0700 (PDT)
Received: from mta8.iomartmail.com (mta8.iomartmail.com [62.128.193.158]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 278363A07A9; Wed, 26 Aug 2020 14:26:33 -0700 (PDT)
Received: from vs2.iomartmail.com (vs2.iomartmail.com [10.12.10.123]) by mta8.iomartmail.com (8.14.4/8.14.4) with ESMTP id 07QLQSLW001157; Wed, 26 Aug 2020 22:26:28 +0100
Received: from vs2.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 5C4A922044; Wed, 26 Aug 2020 22:26:28 +0100 (BST)
Received: from asmtp1.iomartmail.com (unknown [10.12.10.248]) by vs2.iomartmail.com (Postfix) with ESMTPS id 466B922042; Wed, 26 Aug 2020 22:26:28 +0100 (BST)
Received: from LAPTOPK7AS653V ([84.51.134.114]) (authenticated bits=0) by asmtp1.iomartmail.com (8.14.4/8.14.4) with ESMTP id 07QLQRjp021622 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 26 Aug 2020 22:26:27 +0100
Reply-To: adrian@olddog.co.uk
From: Adrian Farrel <adrian@olddog.co.uk>
To: 'Roman Danyliw' <rdd@cert.org>, 'The IESG' <iesg@ietf.org>
Cc: draft-ietf-pce-pcep-flowspec@ietf.org, pce-chairs@ietf.org, pce@ietf.org, 'Julien Meuric' <julien.meuric@orange.com>
References: <159847187489.17269.2128556004841645905@ietfa.amsl.com> <029301d67bed$150568f0$3f103ad0$@olddog.co.uk> <97fc081252ed4796ac26a51bcc5981e5@cert.org>
In-Reply-To: <97fc081252ed4796ac26a51bcc5981e5@cert.org>
Date: Wed, 26 Aug 2020 22:26:27 +0100
Organization: Old Dog Consulting
Message-ID: <029c01d67bef$8f216920$ad643b60$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-gb
Thread-Index: AQDIuNJwSHtALPLpWSOg46sVu7ttEQF0Nq6jAU7YlQirUFTQ8A==
X-Originating-IP: 84.51.134.114
X-Thinkmail-Auth: adrian@olddog.co.uk
X-TM-AS-GCONF: 00
X-TM-AS-Product-Ver: IMSVA-9.0.0.1623-8.2.0.1013-25628.003
X-TM-AS-Result: No--29.424-10.0-31-10
X-imss-scan-details: No--29.424-10.0-31-10
X-TMASE-Version: IMSVA-9.0.0.1623-8.2.1013-25628.003
X-TMASE-Result: 10--29.424400-10.000000
X-TMASE-MatchedRID: ZFzIhWOuIzvxIbpQ8BhdbOqwWVBfMuvoekMgTOQbVFvp1qa73dDTdqe7 nmhJA6kzAsdc8BXLJb2x3CvLSK1ryE3bYJ4h3Z058eSmTJSmEv2oNgF4lZVXFJ722hDqHosTCPI vP3uOlZe5StfB/3Hd4aMBmStfnmy2yXNZc4VnAvov3+J18jXdW1eCQ99zu8oJmXw0RNbqkoLDfF GFK6UzgcribRtCIfuHwUkszbc6jeY158EdyYsSY4S/TV9k6ppAEAImHgFYA95tw+n+iKWyyLyHz TKr2PB5FhSUD5yteesanKKLKmIACnbjKtRz1M+cOwpfLMeBwRvJ5SXtoJPLyEYza41dGqxSp56A jxnx9+wBgAB9yP/VZjL2zCenPkjeaFlk0tAiKs74AIbmhYnu0rzETYfYS4xZCDaSBZ23epr5gc6 akIiNTfrKePmZLehHN30nkw+1G08bji6Tj+it2npJm01s0ox6z/ROYC2DUoQh44tUX96R0OLmdk /ji+Y6fW39y7WGAba9bbLusWzG+Rv0uavzJz/CngIgpj8eDcBZDL1gLmoa/JuTdmBzA9G/FzCce ANpH4cLbigRnpKlKSBuGJWwgxArFnn7zLfna4I=
X-TMASE-SNAP-Result: 1.821001.0001-0-1-12:0,22:0,33:0,34:0-0
Archived-At: <https://mailarchive.ietf.org/arch/msg/pce/D9zdhva-ZmQbqR1vem6BMeCwyeA>
Subject: Re: [Pce] Roman Danyliw's No Objection on draft-ietf-pce-pcep-flowspec-10: (with COMMENT)
X-BeenThere: pce@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Path Computation Element <pce.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pce>, <mailto:pce-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pce/>
List-Post: <mailto:pce@ietf.org>
List-Help: <mailto:pce-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pce>, <mailto:pce-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Aug 2020 21:26:38 -0000
Lovely, thanks. I have this captured in the working copy. Best, Adrian -----Original Message----- From: Roman Danyliw <rdd@cert.org> Sent: 26 August 2020 22:14 To: adrian@olddog.co.uk; 'The IESG' <iesg@ietf.org> Cc: draft-ietf-pce-pcep-flowspec@ietf.org; pce-chairs@ietf.org; pce@ietf.org; 'Julien Meuric' <julien.meuric@orange.com> Subject: RE: Roman Danyliw's No Objection on draft-ietf-pce-pcep-flowspec-10: (with COMMENT) Hi Adrian! > -----Original Message----- > From: Adrian Farrel <adrian@olddog.co.uk> > Sent: Wednesday, August 26, 2020 5:09 PM > To: Roman Danyliw <rdd@cert.org>; 'The IESG' <iesg@ietf.org> > Cc: draft-ietf-pce-pcep-flowspec@ietf.org; pce-chairs@ietf.org; pce@ietf.org; > 'Julien Meuric' <julien.meuric@orange.com> > Subject: RE: Roman Danyliw's No Objection on draft-ietf-pce-pcep-flowspec-10: > (with COMMENT) > > Hi Roman, > > > COMMENT: > > > > ** Section 12. To refine what Ben Kaduk noted about the applicability > > of [RFC6952], Section 2.5 seems to apply for me. > > Yes, that it the relevant section, and I've added an explicit section pointer. > > > ** Section 12. Per “Therefore, implementations or deployments > > concerned with protecting privacy MUST apply the mechanisms described > > in the documents referenced above.”, it might be helpful to explicitly > > call out the specific guidance to follow. I believe that it’s to use > > either IPSec per Section 10.4 – > > 6 of RFC5440 or TLS per RFC8523 to provide transport security > > properties. The legacy references to TCP-AO and TCP MD5 in those > documents don’t help here. > > You're right about the advice and we can make it clear. > MD5 obviously doesn't buy you much privacy and we can say that, too. > Understanding that TCP-AO is "not widely implemented" if it is truly legacy, I > wish someone would toggle the status to Historic or write some guidance on its > non-use. Right. I concur on the implementation status of TCP-AO. I was a too flip with the use of the word legacy. To re-state my point, TCP-AO and MD5 don't get us anything for this privacy issue. Let's just point to IPSec and TLS guidance (from the references already cited). > > ** Section 12. Per “Although this is not directly a security issue > > per se, the confusion and unexpected forwarding behavior may be > > engineered or exploited by an attacker. Therefore, implementers and > > operators SHOULD pay careful attention to the Manageability > > Considerations described in Section 13.”, I completely agree. I would > > say it a bit more strongly that this complexity could be a security > > issue. I’m envisioning a situation where the complex forwarding > > behaviors might create gaps in the monitoring and inspection of particular > traffic or provide a path that avoids expected mitigations. > > Right. So, to be clear, the threat here is "user error caused by confusion > resulting from complexity." Yes, I can clarify that. Exactly, and my prose was just showing an example of if circumstance where an attacker might exploit that. Roman > Thanks again, > Best, > Adrian
- [Pce] Roman Danyliw's No Objection on draft-ietf-… Roman Danyliw via Datatracker
- Re: [Pce] Roman Danyliw's No Objection on draft-i… Adrian Farrel
- Re: [Pce] Roman Danyliw's No Objection on draft-i… Roman Danyliw
- Re: [Pce] Roman Danyliw's No Objection on draft-i… Adrian Farrel