Re: [secdir] draft-ietf-bess-multicast-damping-04 SECDIR Review

Thomas Morin <> Wed, 04 May 2016 08:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2C25712D09C; Wed, 4 May 2016 01:42:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.229
X-Spam-Status: No, score=-2.229 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.996, SPF_SOFTFAIL=0.665] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id i2jGtVdJp1ox; Wed, 4 May 2016 01:42:46 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id A143712B00A; Wed, 4 May 2016 01:42:44 -0700 (PDT)
Received: from (localhost.localdomain []) by localhost (Postfix) with SMTP id CC6B4E30081; Wed, 4 May 2016 10:42:43 +0200 (CEST)
Received: from (unknown []) by (Postfix) with ESMTP id 68AC8E3007F; Wed, 4 May 2016 10:42:43 +0200 (CEST)
Received: from [] ( by ( with Microsoft SMTP Server id; Wed, 4 May 2016 10:42:43 +0200
To: Donald Eastlake <>, "" <>, <>
References: <>
From: Thomas Morin <>
Organization: Orange
Message-ID: <>
Date: Wed, 4 May 2016 10:42:42 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------000401080700080505030005"
Archived-At: <>
Cc: "" <>
Subject: Re: [secdir] draft-ietf-bess-multicast-damping-04 SECDIR Review
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 04 May 2016 08:42:48 -0000

Hi Donald,

2016-04-27, Donald Eastlake:
> The feature specified in this document is aimed at limiting one type 
> of denial of service, or at least at interference to some users by 
> others: denial or interference due to excessive control plane traffic 
> due to a high rate of multicast group membership change. Still, it 
> makes me a bit queasy that the document has not one word, even by 
> reference, about security for the setting or changing of the 
> parameters used at a node in the damping algorithm.

The document does not introduce a new way of controlling parameters on a 
router; so in this regard it does not introduces a new security issue.
But of course, I agree letting an attacker control configuration can 
lead to much havoc ; again, nothing specific to these specs.

> I suppose it is reasonable that it doesn't talk about how any of the 
> control messages involved are protected or authenticated since the 
> document is just about suppressing such messages...

Yes, precisely.

> The Security Considerations section has a reasonable discussion of how 
> and to what extent the mechanisms specified provide the services claimed.
> Page 15, Section 9 (Security Considerations), 1st paragraph starting 
> on this page: There are a number of things wrong with the following 
> sentence:
>            Note well that the two
>     mechanism may interact: state for which Prune has been requested may
>     still remain taken into account for some time if damping has been
>     triggered and hence result in otherwise acceptable new state from
>     being successfully created.
> I would guess it should be "result in preventing otherwise" or should 
> end with "state not being successfully created". Here is a suggested 
> replacement:
> The two mechanisms may interact as follows: if damping has
> been triggered, state for which Prune has been requested may remain
> and still be taken into account for some timeresulting in an
> otherwise acceptable new state notbeing created.

Your replacement text is much better, and will be incorporated in next 

> *Editorial:*
> This document is very heavy with acronymic jargon with no expansion or 
> definition in this document. However, most of it is defined in other 
> RFCs that are referenced.
> Although I am willing to accept that it is just a matter of style, 
> this document has lots of extra words that add nothing but verbosity. 
> Things that could be completely dropped with no loss, like starting a 
> sentence with "Additionally, it is worth nothing that ...". If it 
> wasn't worth noting, it presumably wouldn't be in the document.

Your style suggestions are appreciated.
In some cases, I'd keep the original formulation (see below), but I'd 
take your suggestions in others.

> Page 4, Section 3, 3rd paragraph: "...this technique will allow to 
> meet the goals..." -> "...this technique will meet the goals..."


> Page 12, Section 7.2: "More specifically it is RECOMMENDED to 
> complement the existing ... (e.g. MRIB states): ..." -> "Complementing 
> the existing ... (e.g. MRIB states) is RECOMMENDED: ..."


> Page 13, Section 7.3, 2nd paragraph: What does "dimentioning" mean?

Corrected already based on OPS review.  That should be 'dimensioning'.

> Also "...state churn to go beyond what..." -> "...state churn going 
> beyond what..."


> Page 14, Section 9, 3rd paragraph: The word "shall" is used. While not 
> capitalized, this word sounds quite mandatory to me but it is not used 
> in a mandatory requirement context... I suggest "shall rely upon" -> 
> "relies on".


> Page 15, near the top: "should rely upon already" -> "should use already"


> Finally, while I understand that others have a different opinion, I 
> find it objectionable that not a single first page author is willing 
> to list a telephone number of any sort in the Authors' Addresses 
> section. To my mind, this sort of corner cutting does not speak well 
> for the document.

I'm honestly surprised that someone finds these phone numbers in IETF 
specs !

If someone wants to contacts authors of a spec, he's much more likely to 
succeed with email, not only because it can talk to all of them at the 
same time.
I have a reasonable filter on my email for spam/commercial 
sollicitations, but not on my phone lines; this is a strong obstacle to 
providing phone numbers in the wild.
Emails can also be slightly more stable than phone numbers.
Last, if voice can end up being useful for some exchange, I think it is 
likely that time will have to be coordinated in advance via email -- the 
actual phone number to use can be provided at this time, and may end up 
being the more convenient phone number among a few possible ones, a 
confcall bridge or a login on video chat system...

So we aren't "cutting corners".
I think it simply reflects the reality that this is an obsolete practice.
In fact, I would suggest removing the postal address as well.

Thanks for your comments,