[secdir] Secdir review of draft-ietf-mpls-rfc4379bis-07

Vincent Roca <vincent.roca@inria.fr> Fri, 21 October 2016 08:13 UTC

Return-Path: <vincent.roca@inria.fr>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id A38A3129521; Fri, 21 Oct 2016 01:13:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.33
X-Spam-Status: No, score=-7.33 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.431] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id VFN_eXnHG6-o; Fri, 21 Oct 2016 01:13:12 -0700 (PDT)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9E71C1294F4; Fri, 21 Oct 2016 01:13:11 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.31,375,1473112800"; d="asc'?scan'208,217";a="241724985"
Received: from dom38-1-82-236-155-50.fbx.proxad.net (HELO []) ([]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-SHA; 21 Oct 2016 10:13:09 +0200
From: Vincent Roca <vincent.roca@inria.fr>
X-Pgp-Agent: GPGMail
Content-Type: multipart/signed; boundary="Apple-Mail=_F335C447-FDBE-4867-9730-78C6CF79696D"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Date: Fri, 21 Oct 2016 10:13:06 +0200
Message-Id: <E1052DB3-20AB-4A0B-9869-927E0CADAFDA@inria.fr>
To: IESG <iesg@ietf.org>, secdir@ietf.org, draft-ietf-mpls-rfc4379bis.all@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/3uDs_37Imxu1HWz1uruTtnu7AzE>
Subject: [secdir] Secdir review of draft-ietf-mpls-rfc4379bis-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Oct 2016 08:13:15 -0000


I have reviewed this document as part of the security directorate’s ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

IMHO, the document is Ready with issues.

I have two main comments:

1- This document has an interesting security considerations section. However it
lacks some key information. First of all, there is no attacker model. Is the
threat coming from corrupted equipment? Do we assume those attackers have full
control over the equipment and flows? Are attackers on path or off path?
Clarifying these points (it's not an exhaustive list) would help structuring the
discussion on a case by case basis.

2- Something else to clarify: I have the feeling (after quickly searching integrity/
authentication/HMAC/... keywords in the doc) that is no message integrity
nor sender authentication mechanism in the echo request/response detailed here.
If the attacker model also includes a full control of LSR, nothing can be done to
prevent some attacks. Please clarify.

And a few additional ones:

3- First sentence says:
   "Overall, the security needs for LSP ping are similar to those of ICMP ping."
Such debugging tools as ping and traceroute (not speaking of MPLS version here)
have an efficiency that heavily relies on (sometimes arbitrary) decisions made
by the system administrators whose security policies lead to total or partial
Hence my questions: is the situation similar with MPLS or can we expect more
homogeneous and favorable security policies (e.g., because there's a limited
number of administrative domains, or because we are not relying on an ICMP
mechanism any more, or because the present document is more directive on
what a system administrator should authorize/block/limit)?
This could change a lot the security aspects and the potential impacts on the
debugging tools.

4- Later it is said:
     "To avoid potential Denial-of-Service attacks, it is RECOMMENDED that
     implementations regulate the LSP ping traffic going to the control
     plane.  A rate limiter SHOULD be applied to the well-known UDP port
     defined below."
- Do you mean port 3503? It is mentionned but not defined below in this section.
  Wording should be adjusted.
- It is not clear to me by reading this sentence if it concerns the sender
  (who sends traffic to the control plane) or forwarding nodes, which I guess
  are the target. In other words, "going to the control plane" is somewhat

5- Then:
     "To protect against unauthorized sources using MPLS echo request
     messages to obtain network information, it is RECOMMENDED that
     implementations provide a means of checking the source addresses of
     MPLS echo request messages against an access list before accepting
     the message."
Are ACL efficient in this context? If an attacker can forge the source address,
it's not. Unless some cryptographic mechanism is used, there's little hope to
provide a secure ping service. This is a follow up of comment 1.

- Typo:
     "...an implementation MAY also validate the TimeStamp
     Sent by requiring an exact match on this field."
Sent => sent.