[secdir] Review of draft-ietf-pce-lsp-control-request-07
Shawn Emery <shawn.emery@gmail.com> Mon, 19 August 2019 00:47 UTC
From: Shawn Emery <shawn.emery@gmail.com>
Date: Sun, 18 Aug 2019 18:47:40 -0600
Message-ID: <CAChzXmauwuia34m8wVM4T8+_hB6dOWOsXdjB9E1HUc7H+GKc2g@mail.gmail.com>
To: secdir@ietf.org, draft-ietf-pce-lsp-control-request.all@ietf.org
Cc: Shawn Emery <semery@uccs.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/6KKCzY-jLuOYHE842nFTyPaIMW0>
Reviewer: Shawn M. Emery
Review result: Ready

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This draft specifies an extension to the Path Computation Element communication Protocol (PCEP) that allows a PCE to request control of Label Switched Paths (LSPs).

The security considerations section does exist and discusses a new DoS vector that this draft creates. The attack involves sending control requests for delegate control of all of its LSPs to the Path Computation Client (PCC). The proposed solution is to set a threshold rate of the delegation requests for the PCC per PCE. I agree with the proposed solution, though I don't know if guidance can be provided on what these thresholds would be per environment. The section goes on to refer to RFC 8231 to justify that the PCEP extension should be deployed with authenticated and encrypted sessions in TLS using RFC 8253. I agree with this prescription as well; otherwise an attacker would now be able to take control over all local LSPs with this extension. I think that this should at least be stated if an attacker is able to compromise a PCE.

General comments:

None.

Editorial comments:

s/sends PCRpt/sends a PCRpt/
s/also specify/also specifies/
s/all its/all of its/
s/If threshold/If the threshold/
s/explicitly set aside/explicitly excluded/

Shawn.
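The mitigation the review discusses, a PCC applying a threshold rate to control requests per PCE, as an added example that is not part of the review, the draft, or any PCEP implementation. The class and function names, the token-bucket mechanism, the excluded-LSP policy set and the numbers are assumptions chosen for illustration.

```python
# Added example (not from the draft or any PCEP implementation): a PCC-side
# gate that applies a per-PCE threshold rate to incoming LSP control
# requests, so a compromised or misbehaving PCE cannot take over every local
# LSP at once. Names and numbers are assumptions chosen for illustration.
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    DELEGATE = "delegate"          # PCC grants control (would answer with a PCRpt)
    RATE_LIMITED = "rate_limited"  # over the per-PCE threshold: request ignored
    EXCLUDED = "excluded"          # LSP explicitly excluded from delegation by policy


@dataclass
class ControlRequestGate:
    rate_per_sec: float            # sustained control requests allowed per PCE
    burst: int                     # short-term allowance per PCE (bucket size)
    excluded_lsps: frozenset = frozenset()
    _buckets: dict = field(default_factory=dict)  # pce -> (tokens, last_seen)

    def _take_token(self, pce: str, now: float) -> bool:
        tokens, last = self._buckets.get(pce, (float(self.burst), now))
        # Refill proportionally to elapsed time, capped at the burst size.
        tokens = min(float(self.burst), tokens + (now - last) * self.rate_per_sec)
        allowed = tokens >= 1.0
        self._buckets[pce] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    def handle(self, pce: str, lsp: str, now: float) -> Decision:
        """Decide whether to honour a control request from `pce` for `lsp`."""
        if lsp in self.excluded_lsps:
            return Decision.EXCLUDED   # policy check first; costs no token
        if not self._take_token(pce, now):
            return Decision.RATE_LIMITED
        return Decision.DELEGATE


def simulate_request_flood(n_lsps: int = 100) -> dict:
    """Constructed scenario: one PCE asks for control of every LSP at t=0."""
    gate = ControlRequestGate(rate_per_sec=1.0, burst=5,
                              excluded_lsps=frozenset({"lsp-7"}))
    counts = {d: 0 for d in Decision}
    for i in range(n_lsps):
        counts[gate.handle("pce-a", f"lsp-{i}", now=0.0)] += 1
    return {d.value: c for d, c in counts.items()}
```

With a burst of 5 the flood yields 5 delegations, 1 policy exclusion and 94 ignored requests; the operator-chosen threshold is what bounds the damage, which is why the review asks for per-environment guidance on its value.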