IETF Logo Mail Archive

Re: [pim] Stephen Farrell's Discuss on draft-ietf-pim-rfc4601bis-05: (with DISCUSS)

Brian Haberman <brian@innovationslab.net> Tue, 26 May 2015 14:29 UTC

Return-Path: <brian@innovationslab.net>
X-Original-To: pim@ietfa.amsl.com
Delivered-To: pim@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 352B01B2F28; Tue, 26 May 2015 07:29:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j5w-LRyHgyfD; Tue, 26 May 2015 07:29:25 -0700 (PDT)
Received: from uillean.fuaim.com (uillean.fuaim.com [206.197.161.140]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5A671B2F26; Tue, 26 May 2015 07:29:24 -0700 (PDT)
Received: from clairseach.fuaim.com (clairseach-high.fuaim.com [206.197.161.158]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by uillean.fuaim.com (Postfix) with ESMTP id 7EABF88125; Tue, 26 May 2015 07:29:24 -0700 (PDT)
Received: from Brians-MacBook-Pro.local (swifi-nat.jhuapl.edu [128.244.87.133]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by clairseach.fuaim.com (Postfix) with ESMTP id EADE313682AA; Tue, 26 May 2015 07:29:23 -0700 (PDT)
Message-ID: <5564833F.6060004@innovationslab.net>
Date: Tue, 26 May 2015 10:29:19 -0400
From: Brian Haberman <brian@innovationslab.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.7.0
MIME-Version: 1.0
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, The IESG <iesg@ietf.org>
References: <20150526130833.24322.71081.idtracker@ietfa.amsl.com>
In-Reply-To: <20150526130833.24322.71081.idtracker@ietfa.amsl.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="RLaPwu37atuftO4UAvI5gdIElBO5iPlNp"
Archived-At: <http://mailarchive.ietf.org/arch/msg/pim/lf43yai9mo32uAnZtZJJI3Gk3aY>
Cc: draft-ietf-pim-rfc4601bis@ietf.org, pim-chairs@ietf.org, pim@ietf.org
Subject: Re: [pim] Stephen Farrell's Discuss on draft-ietf-pim-rfc4601bis-05: (with DISCUSS)
X-BeenThere: pim@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Protocol Independent Multicast <pim.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/pim>, <mailto:pim-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/pim/>
List-Post: <mailto:pim@ietf.org>
List-Help: <mailto:pim-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/pim>, <mailto:pim-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 May 2015 14:29:27 -0000

Hi Stephen,

On 5/26/15 9:08 AM, Stephen Farrell wrote:
> Stephen Farrell has entered the following ballot position for
> draft-ietf-pim-rfc4601bis-05: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-pim-rfc4601bis/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> 
> 
> 4601 used IPsec AH for it's MTI security. This removes that and
> points at 5796 which defines how to use ESP for link local
> addresses and with manual keying. That raises one technical
> question and two ickky process questions. The ickky process
> questions are probably best discussed between the IESG at least
> initially in case we don't need to bother the authors/wg with
> 'em.
> 
> (1) I'd like to check that 5796 defines a way in which one can
> secure all PIM messages that are defined here in 4601bis (should
> one want to do that). If there are cases where PIM-SM can be
> used and where there is no well defined security then I think
> that would be a problem. And I think maybe there are such cases.
> Am I wrong? If not, then how does one secure those?

5796 focuses on the link-local messages (i.e., directly-connected
peers), but does say

   Securing the unicast messages can be achieved by the use of a normal
   unicast IPsec Security Association (SA) between the two communicants.

The above refers to the set of PIM messages that are not sent as
link-local.  My opinion is that this is sufficient given the uses of PIM
as defined in 4601.

> 
> (2) Is it ok for an IS to depend on a PS for it's MTI security
> mechanism? (I think it is, but yeah, someone else might not.) 

I don't see why not.

> 
> (3) Is it ok for an IS to not conform to BCP107? (I think it
> depends, and I'm not sure in this case.)

I am not sure how BCP 107 relates since it discusses Guidelines for
Cryptographic Key Management and the crypto stuff is now referred to via
5796.

Regards,
Brian

v2.23.0 | Report a Bug | By Email