[pim] Deb Cooley's No Objection on draft-ietf-pim-3810bis-11: (with COMMENT)

Deb Cooley via Datatracker <noreply@ietf.org> Sun, 04 August 2024 19:03 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: pim@ietf.org
Delivered-To: pim@ietfa.amsl.com
Received: from [10.244.2.66] (unknown [104.131.183.230]) by ietfa.amsl.com (Postfix) with ESMTP id 52220C14F680; Sun, 4 Aug 2024 12:03:38 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Deb Cooley via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
X-Test-IDTracker: no
X-IETF-IDTracker: 12.21.0
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <172279821792.476131.7888586555538304564@dt-datatracker-6dd76c4557-2mkrj>
Date: Sun, 04 Aug 2024 12:03:37 -0700
Message-ID-Hash: S2JOW7IPAVR4KST4DZVOB4C2NTOURAPH
X-Message-ID-Hash: S2JOW7IPAVR4KST4DZVOB4C2NTOURAPH
X-MailFrom: noreply@ietf.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-pim.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: draft-ietf-pim-3810bis@ietf.org, pim-chairs@ietf.org, pim@ietf.org
X-Mailman-Version: 3.3.9rc4
Reply-To: Deb Cooley <debcooley1@gmail.com>
Subject: [pim] Deb Cooley's No Objection on draft-ietf-pim-3810bis-11: (with COMMENT)
List-Id: Protocol Independent Multicast <pim.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/pim/oVZVMe0-VV2iV4WaXtMIU3J1GC4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/pim>
List-Help: <mailto:pim-request@ietf.org?subject=help>
List-Owner: <mailto:pim-owner@ietf.org>
List-Post: <mailto:pim@ietf.org>
List-Subscribe: <mailto:pim-join@ietf.org>
List-Unsubscribe: <mailto:pim-leave@ietf.org>

Deb Cooley has entered the following ballot position for
draft-ietf-pim-3810bis-11: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-pim-3810bis/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thanks to Valery Smyslov for his secdir review.  I'm copying part of his review
here:

--------------------------------------------
I think that the Security Consideration section should be expanded and be
rewritten in a more structural way. In particular, it should be mentioned that
the protocol lacks any cryptographic protection, thus its messages are not
authenticated, provide no confidentiality and can be replayed. Then I would
discuss the consequences of each of these deficiencies.

The lack of replay protection seems to have no effect on the protocol security,
because it is (at least it should be) designed so that it tolerates IP packets
duplication (correct me if I'm wrong, I read the protocol itself briefly, but
this was my impression).

The lack of authentication leads to possible message forgery. The corresponding
attacks are described in the draft, however, I'm not sure taht the list is
complete. For example, it seems to me that forged Current State Report message
from a malicious node may report a lot number of faked listening multicast
addresses, aiming to consume router's resources (a kind of DoS attack).

The lack of confidentiality is not discussed in the draft. In fact, it leads to
privacy issues - any passive attacker on the local link can learn what
multicast addresses other nodes are listen to, which may be quite sensitive
information.
---------------------------

With respect to that review, and the author response:

It is understood that it is very difficult/impossible to provide either
confidentiality or integrity protection for traffic in protocols such as MLD -
both multicast and discovery.  From my point of view, the only option would be
to modify the Security Consideration section.  I think one could use Valery's
suggestions, as appropriate (if replay isn't an issue, then leave that part
out, etc.).

Thanks for your attention.