Re: [secdir] secdir review of draft-ietf-ccamp-lsp-dppm-10

"Weiqiang Sun" <sunwq@MIT.EDU> Wed, 09 December 2009 02:34 UTC

Return-Path: <sunwq@MIT.EDU>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9ABF13A6892; Tue, 8 Dec 2009 18:34:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.449
X-Spam-Level:
X-Spam-Status: No, score=-6.449 tagged_above=-999 required=5 tests=[AWL=0.149, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, STOX_REPLY_TYPE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gobSTtuRqnVX; Tue, 8 Dec 2009 18:34:40 -0800 (PST)
Received: from biscayne-one-station.mit.edu (BISCAYNE-ONE-STATION.MIT.EDU [18.7.7.80]) by core3.amsl.com (Postfix) with ESMTP id 5B6B13A6359; Tue, 8 Dec 2009 18:34:40 -0800 (PST)
Received: from outgoing.mit.edu (OUTGOING-AUTH.MIT.EDU [18.7.22.103]) by biscayne-one-station.mit.edu (8.13.6/8.9.2) with ESMTP id nB92Un5F009672; Tue, 8 Dec 2009 21:30:50 -0500 (EST)
Received: from APC ([202.120.39.240]) (authenticated bits=0) (User authenticated as sunwq@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.6/8.12.4) with ESMTP id nB92VEfR006344 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Tue, 8 Dec 2009 21:31:26 -0500 (EST)
Message-ID: <7EB0E891E84D41FDBF35C04AAEEB6A10@sjtu.edu.cn>
From: "Weiqiang Sun" <sunwq@MIT.EDU>
To: <tlyu@mit.edu>, <secdir@ietf.org>, <iesg@ietf.org>
Date: Wed, 9 Dec 2009 10:31:12 +0800
MIME-Version: 1.0
Content-Type: text/plain; format=flowed; charset="gb2312"; reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
Importance: Normal
X-Mailer: Microsoft Windows Live Mail 14.0.8089.726
X-MimeOLE: Produced By Microsoft MimeOLE V14.0.8089.726
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Tue, 08 Dec 2009 23:07:50 -0800
Cc: draft-ietf-ccamp-lsp-dppm@tools.ietf.org, ccamp-chairs@tools.ietf.org
Subject: Re: [secdir] secdir review of draft-ietf-ccamp-lsp-dppm-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2009 02:34:41 -0000

Hi Tom,

[Seems that the secdir review email does not reach my mailbox. I am 
following up this thread manually. Hope it gets sorted correctly.]

Thanks for your comments. Please see inline for our responses/proposed 
changes.

>This document appears to define a set of performance metrics for
>characterizing dynamic LSP provisioning performance in GMPLS networks.
>Editorial:
>The document claims (in the Introduction) that these metrics
>characterize the performance of the signaling protocol.  I find that
>the metrics more accurately measure the performance of the LSP setup
>and teardown operations, and are only tangentially related to the
>performance of the signaling protocol (unless somehow the performance
>of the signaling protocol implicitly includes the actions that the
>routers take in response, in which case I think the document should
>state it more plainly.)
Yes we do have this.
   This document provides a series of performance metrics to evaluate
   the dynamic Label Switched Path (LSP) provisioning performance in
   GMPLS networks, specifically the dynamic LSP setup/release
   performance.  These metrics can be used to characterize the features
   of GMPLS networks in LSP dynamic provisioning.

>
>Security:
>
>[Most of these are probably minor points merely requiring clarifying
>text.]
>
>The Security Considerations section mentions the consequences of
>active traffic injection into the control plane, including skewing the
>results of measurements and causing congestion and denial of service.
>If the injected control traffic is expected to have the potential
>effect of enabling dramatically more data traffic, I think this effect
>should also be included in the Security Considerations, perhaps with
>advice to select probing control messages that do not materially alter
>the flow of data channel traffic.
>
>This document does not address security considerations related to the
>protocols communicating of the results of the measurements, or of any
>protocol used to request initiation of a measurement, perhaps because
>this document does not specify such protocols.  I assume that these
>any document that specifies such other protocols will cover those
>security considerations, even if this document does not obviously
>refer to such specifications.
>
>On the other hand, if this document is intended as guidance for
>protocol specifications that describe implementation of the
>measurement of and communication of these metrics, perhaps it should
>also outline the security considerations that those additional
>protocol specifications should address.  For example, what sort of
>authentication is required in a protocol that initiates a measurement
>of these metrics?
>
>It's not completely clear to me what sort of threat the passive
>measurement scenario involves; perhaps a router could repeatedly and
>with high frequency initiate LSP changes that overwhelm the monitoring
>channel?
For the security consideration section, we propose the following text.
Hope it is clearer.

16.  Security Considerations

   Samples of the metrics can be obtained in either active or passive
   manners.

   In active measurement, ingress nodes inject probing messages into the
   control plane.  Since the measurement endpoints must be conformant to
   signaling specifications and behave as normal signaling endpoints, it
   will not incur other security issues than normal LSP provisioning.
   However, the measurement parameters must be carefully selected so
   that the measurements inject trivial amounts of additional traffic
   into the networks they measure.  If they inject "too much" traffic,
   they can skew the results of the measurement, and in extreme cases
   cause congestion and denial of service.

   When samples of the metrics are collected in a passive manner, e.g.,
   by monitoring the operations on real-life LSPs, the implementation of
   the monitoring and reporting mechanism must be careful so that they
   will not be used to attack the control plane.  A typical
   implementation may use the Management Information Base (MIB) to
   collect/store the metrics and access to the MIB is limited to the
   Network Management Systems (NMSs).  In this case, passive monitoring
   will not incur other security issues than implementing the MIBs and
   NMSs.  If an implementation chooses to expose the performance data to
   other applications, then it must take into account the possible
   security issues it may face.  For example, when exposing the
   performance data through SNMP, certain authentication method should
   be used to ensure that the entity maintaining the performance data
   are not subject to unauthorized readings and modifications.  Rate
   limiting on the performance query may also be desirable to reduce the
   risk that the entity maintaining the performance data are overwhelmed
   by too much query requests.  It is RECOMMENDED that implementers
   consider the security features as provided by the SNMPv3 framework
   (see [RFC3410], section 8), including full support for the SNMPv3
   cryptographic mechanisms (for authentication and privacy).

   Besides, the security considerations pertaining to the original RSVP
   protocol [RFC2205] and its TE extensions [RFC3209] also remain
   relevant.

Thanks again,
Weiqiang