[secdir] SECDIR review of draft-ietf-mpls-forwarding-06
Stephen Kent <kent@bbn.com> Mon, 03 February 2014 21:06 UTC
To: secdir <secdir@ietf.org>, curtis@occnc.com, kireeti@juniper.net, samante@apple.com, agmalis@gmail.com, cpignata@cisco.com, Stewart Bryant <stbryant@cisco.com>, Adrian Farrel <adrian@olddog.co.uk>, Loa Andersson <loa@pi.nu>, rcallon@juniper.net, swallow@cisco.com
I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors, WG chairs and ADs should treat these comments just like any other last call comments.

This document is a candidate Informational RFC. It cites about 25 MPLS RFCs (normatively) as a basis for guidelines for MPLS router implementers and network providers, with respect to forwarding of MPLS traffic.

The Security Considerations Section is very brief. It correctly states that it is a review of forwarding behavior specified in numerous MPLS RFCs, and thus introduces no new security requirements. It makes specific reference to Section 4.6, which specifies (at a high level) some tests for DoS susceptibility in MPLS routers. The paragraph that includes this reference should be extended to include pointers to Section 2.6.1 (which discusses DoS concerns), and to Section 3.6 (which includes a list of DoS protection questions to be posed to suppliers).

It might be nice to summarize the security considerations recommendations from the MPLS RFCs that are normative references in this document. Since this document is a summary of forwarding-relevant requirements from these documents, plus practical advice, such a summary would be useful here, and fitting.

Some suggested edits:

> 2.1.2. MPLS Differentiated Services
>
> [RFC2474] deprecates the IP Type of Service (TOS) and IP Precedence (Prec) fields and replaces them with the Differentiated Services Field more commonly known as the Differentiated Services Code Point (DSCP) field. [RFC2475] defines the Differentiated Services architecture, which in other forum is often called a Quality of Service (QoS) architecture.

Either use "fora" (correct Latin) or "forums" (common English).

> 2.1.8.1. Pseudowire Sequence Number
>
> Pseudowire (PW) sequence number support is most important for PW payload types with a high expectation of lossless and/or in-order delivery. Identifying lost PW packets and exact amount of lost payload is critical for PW services which maintain bit timing, such as Time Division Multiplexing (TDM) services since these services MUST compensate lost payload on a bit-for-bit basis.

"the exact amount"

> With PW services which maintain bit timing, packets that have been received out of order also MUST be identified and may be either re-ordered or dropped.

Uppercase MAY?

The term "microflow" does not appear to be defined anywhere in this document, but is used a number of times. I suggest including the definition from RFC 2474.

> 2.4.4. MPLS Entropy Label
>
> The MPLS entropy label simplifies flow group identification [RFC6790] at midpoint LSR. Prior to the MPLS entropy label midpoint LSR needed to inspect the entire label stack and often the IP headers to provide ...

Missing an article, or make LSR plural.

> Many service providers consider it a hard requirement that use of UDP and TCP ports can be disabled. Therefore there is a stong incentive for implementations to provide both options.

"strong"

> Cryptographic authentication can is some circumstances be subject to DoS attack by overwhelming the capacity of the decryption with a high volume of malicious traffic.

"in"
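The quoted Section 2.1.8.1 text says a bit-timed PW receiver must identify lost packets, know the exact amount of lost payload, and detect out-of-order arrivals. The following is an added example, written for this archive page and not taken from the review or from the draft, of a receiver-side sequence tracker that does those three things. It follows the 16-bit sequence number semantics of the PW control word in RFC 4385 (0 means "no sequencing", and the counter wraps from 65535 to 1, never to 0). The reorder window, the fixed per-packet payload size used to turn a packet gap into a byte count, and the decision to drop rather than buffer late packets are this example's own assumptions, not the draft's.

```python
"""Receiver-side pseudowire (PW) sequence-number tracking.

Added example, not part of the secdir review or of draft-ietf-mpls-forwarding.
Sequence-number semantics follow the PW control word (RFC 4385): value 0 means
"no sequencing", and 65535 wraps to 1.  The reorder window, the fixed payload
size and the drop-on-reorder policy are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SEQ_MAX = 0xFFFF          # highest valid sequence number
SEQ_SPACE = SEQ_MAX       # values 1..65535 -> 65535 distinct numbers (0 is reserved)
REORDER_WINDOW = 32768    # assumption: half the space separates "ahead" from "behind"


def next_seq(seq: int) -> int:
    """Successor of a PW sequence number; 65535 wraps to 1, never to 0."""
    return 1 if seq == SEQ_MAX else seq + 1


def seq_distance(expected: int, seq: int) -> int:
    """How far ahead `seq` is of `expected`, modulo the 1..65535 space."""
    return (seq - expected) % SEQ_SPACE


@dataclass
class PwSeqTracker:
    payload_bytes: int                    # fixed TDM payload per packet (assumption)
    expected: Optional[int] = None        # None until the first sequenced packet
    lost_packets: int = 0
    lost_bytes: int = 0
    out_of_order: int = 0
    log: List[str] = field(default_factory=list)

    def receive(self, seq: int) -> str:
        """Classify one arriving packet and update the counters."""
        if not 0 <= seq <= SEQ_MAX:
            raise ValueError(f"sequence number out of range: {seq}")
        if seq == 0:                      # sender is not sequencing this PW
            return "unsequenced"
        if self.expected is None:         # first sequenced packet sets the baseline
            self.expected = next_seq(seq)
            return "in_order"
        d = seq_distance(self.expected, seq)
        if d == 0:
            self.expected = next_seq(seq)
            return "in_order"
        if d < REORDER_WINDOW:
            # Gap: the d packets between `expected` and `seq` never arrived.
            # A TDM service needs this exact count to fill the bit stream.
            self.lost_packets += d
            self.lost_bytes += d * self.payload_bytes
            self.expected = next_seq(seq)
            self.log.append(f"gap of {d} packet(s) before seq {seq}")
            return "lost"
        # Behind the expected value: late or duplicate.  The draft allows either
        # re-ordering or dropping; this example drops.
        self.out_of_order += 1
        self.log.append(f"out-of-order seq {seq} (expected {self.expected}) dropped")
        return "out_of_order"


def run_sample() -> PwSeqTracker:
    """Constructed arrival order exercising loss, reordering and the 65535->1 wrap."""
    tracker = PwSeqTracker(payload_bytes=64)
    for s in [65533, 65534, 65535, 1, 2, 5, 4, 6]:
        tracker.receive(s)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    print(f"lost packets={t.lost_packets} lost bytes={t.lost_bytes} "
          f"out-of-order={t.out_of_order} next expected={t.expected}")
    for line in t.log:
        print(" ", line)
```

In the constructed sample, packets 3 and 4 are counted as lost when 5 arrives, so the late packet 4 is then classified as out-of-order and dropped; a receiver that chose the draft's "re-ordered" option would instead hold 5 in a small buffer until the gap resolved or a timer expired, and would only charge the loss counters when it gave up waiting.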