Re: [secdir] Security Directorate review of draft-ietf-pwe3-dynamic-ms-pw-20

"Bocci, Matthew (Matthew)" <matthew.bocci@alcatel-lucent.com> Mon, 06 January 2014 16:01 UTC

Return-Path: <matthew.bocci@alcatel-lucent.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C330C1AE06C; Mon, 6 Jan 2014 08:01:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.9
X-Spam-Level:
X-Spam-Status: No, score=-6.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AP_42JdROzak; Mon, 6 Jan 2014 08:01:44 -0800 (PST)
Received: from hoemail2.alcatel.com (hoemail2.alcatel.com [192.160.6.149]) by ietfa.amsl.com (Postfix) with ESMTP id F03791AE06D; Mon, 6 Jan 2014 08:01:43 -0800 (PST)
Received: from fr712usmtp2.zeu.alcatel-lucent.com (h135-239-2-42.lucent.com [135.239.2.42]) by hoemail2.alcatel.com (8.13.8/IER-o) with ESMTP id s06G1XuI009345 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Mon, 6 Jan 2014 10:01:34 -0600 (CST)
Received: from FR711WXCHHUB01.zeu.alcatel-lucent.com (fr711wxchhub01.zeu.alcatel-lucent.com [135.239.2.111]) by fr712usmtp2.zeu.alcatel-lucent.com (GMO) with ESMTP id s06G1XRS026177 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Mon, 6 Jan 2014 17:01:33 +0100
Received: from FR711WXCHMBA05.zeu.alcatel-lucent.com ([169.254.1.146]) by FR711WXCHHUB01.zeu.alcatel-lucent.com ([135.239.2.111]) with mapi id 14.02.0247.003; Mon, 6 Jan 2014 17:01:33 +0100
From: "Bocci, Matthew (Matthew)" <matthew.bocci@alcatel-lucent.com>
To: "Klaas Wierenga (kwiereng)" <kwiereng@cisco.com>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-pwe3-dynamic-ms-pw.all@tools.ietf.org" <draft-ietf-pwe3-dynamic-ms-pw.all@tools.ietf.org>
Thread-Topic: Security Directorate review of draft-ietf-pwe3-dynamic-ms-pw-20
Thread-Index: AQHPCsTfytZKjSSLZEyTvepq9ynOw5p3ytOA
Date: Mon, 6 Jan 2014 16:01:32 +0000
Message-ID: <CEF08393.5A066%matthew.bocci@alcatel-lucent.com>
References: <5784D17B-CADE-4298-953C-37423DF6A66F@cisco.com>
In-Reply-To: <5784D17B-CADE-4298-953C-37423DF6A66F@cisco.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
x-originating-ip: [135.239.27.38]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <FE7EC0CFB9701846B5F6F335DB6840CE@exchange.lucent.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Mon, 06 Jan 2014 09:12:35 -0800
Subject: Re: [secdir] Security Directorate review of draft-ietf-pwe3-dynamic-ms-pw-20
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jan 2014 16:01:47 -0000

Klaas

Thank you very much for your review. I will add a short discussion to the
security considerations section, as you propose.

Regards

Matthew

On 06/01/2014 09:51, "Klaas Wierenga (kwiereng)" <kwiereng@cisco.com>;
wrote:

>Hi,
>
>I have reviewed this document as part of the security directorate's
>ongoing effort to review all IETF documents being processed by the
>IESG.  These comments were written primarily for the benefit of the
>security area directors.  Document editors and WG chairs should treat
>these comments just like any other last call comments.
>
>The draft describes extensions to the pseudowire control protocol to
>dynamically place the segments of the multi-segment pseudowire among a
>set of Provider Edge (PE) routers.
>
>The draft is relatively straightforward and clear, but from a security
>PoV I did take issue with the statement in the security considerations
>that goes:
>
>"This document specifies only extensions to the protocols already defined
>in [RFC4447], and [RFC6073]. The extensions defined in this document do
>not affect the security considerations for those protocols."
>
>When you essentially propose a mechanism to insert dynamically men in the
>middle you can imo not just state that nothing changes. In the meanwhile
>I have talked to some people that are much more cognisant about
>pseudowires than I am, and I have let myself be convinced that this
>indeed not introducing new attack vectors (as compared to static PW and
>normal MPLS networks), and that existing threats can be mitigated by
>doing end to end connection verification, but I believe that others, like
>me would be helped by a short discussion pertaining to this.
>
>Hope this helps,
>
>Klaas