[secdir] (late) review of draft-ietf-mpls-self-ping-05

Leif Johansson <leifj@sunet.se> Wed, 14 October 2015 12:34 UTC

Return-Path: <leifj@sunet.se>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 1816F1A1BD7; Wed, 14 Oct 2015 05:34:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.661
X-Spam-Status: No, score=-1.661 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_SE=0.35, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id GQmeFin5bKeq; Wed, 14 Oct 2015 05:34:04 -0700 (PDT)
Received: from e-mailfilter01.sunet.se (e-mailfilter01.sunet.se [IPv6:2001:6b0:8:2::201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3503B1A1BCB; Wed, 14 Oct 2015 05:34:04 -0700 (PDT)
Received: from smtp1.sunet.se (smtp1.sunet.se []) by e-mailfilter01.sunet.se (8.14.4/8.14.4/Debian-4) with ESMTP id t9ECY0ue011133 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 14 Oct 2015 14:34:00 +0200
Received: from kerio.sunet.se (kerio.sunet.se []) by smtp1.sunet.se (8.14.9/8.14.7) with ESMTP id t9ECXutC020005 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 14 Oct 2015 14:33:59 +0200 (CEST)
VBR-Info: md=sunet.se; mc=all; mv=swamid.se
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sunet.se; s=default; t=1444826040; bh=9y8u5/tecGeYRKtuVjjPTWhkFca/I7Y1bFS8IjS9DZQ=; h=To:From:Subject:Date; b=ipx27RR+bPeKxXxdnfr3eiCOyTVFKg1kqITVp5oFsxlQ41E5Qacbnt8cOnfBRfv7q vwQ+yAmNaGcpxZfXmY4E2NfcIcJSDh3MkrB0AWRVAhgXCSeqqMEYo/Bk1bDiGOiT4y QTel6bzwfszGInWvNZQf91lgmE1WY88SrbX0KztE=
X-Footer: c3VuZXQuc2U=
Received: from [] ([]) (authenticated user leifj@sunet.se) by kerio.sunet.se (Kerio Connect 8.5.2) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128 bits)); Wed, 14 Oct 2015 14:33:54 +0200
To: "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-mpls-self-ping.all@tools.ietf.org, IESG <iesg@ietf.org>
From: Leif Johansson <leifj@sunet.se>
X-Enigmail-Draft-Status: N1110
Message-ID: <561E4BB2.2000506@sunet.se>
Date: Wed, 14 Oct 2015 14:33:54 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.3.0
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Bayes-Prob: 0.0001 (Score 0, tokens from: outbound, outbound-sunet-se:default, sunet-se:default, base:default, @@RPTN)
X-CanIt-Geo: ip=; country=SE; latitude=59.3294; longitude=18.0686; http://maps.google.com/maps?q=59.3294,18.0686&z=6
X-CanItPRO-Stream: outbound-sunet-se:outbound (inherits from outbound-sunet-se:default, sunet-se:default, base:default)
X-Canit-Stats-ID: 09Pt0y0qc - 16ddc351f7f6 - 20151014
X-CanIt-Archive-Cluster: PfMRe/vJWMiXwM2YIH5BVExnUnw
Received-SPF: neutral (e-mailfilter01.sunet.se: is neither permitted nor denied by domain leifj@sunet.se) receiver=e-mailfilter01.sunet.se; client-ip=; envelope-from=<leifj@sunet.se>; helo=smtp1.sunet.se; identity=mailfrom
X-Scanned-By: CanIt (www . roaringpenguin . com) on
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/2u8ckhvuPcAZOQ-ttjh0N7nAGpQ>
Subject: [secdir] (late) review of draft-ietf-mpls-self-ping-05
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Oct 2015 12:34:07 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments that arrive in
timely manner, and not significantly belated.

First of all - pls apologize for being very late with this review!

The field is also well outside my area of expertise which may make
my review moot.

My one comment is that the Security Considerations section identifies
the Session-ID as sensitive and sais that implementations SHOULD NOT
be assigned in a predictable manner. Given the security implications
of Session-ID forgery (also clearly stated in the SC section) it
might be worth recommending the use of a CSPRNG to generate
the Session-IDs

I'm curious about how this is done in implementations today though...

	Cheers Leif