[secdir] SECDIR review of draft-ietf-mpls-forwarding-06

Stephen Kent <kent@bbn.com> Mon, 03 February 2014 21:06 UTC

Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 7D2BC1A01DA for <secdir@ietfa.amsl.com>; Mon, 3 Feb 2014 13:06:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.735
X-Spam-Status: No, score=-4.735 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.535, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id AVgmeJipoG4J for <secdir@ietfa.amsl.com>; Mon, 3 Feb 2014 13:06:21 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com []) by ietfa.amsl.com (Postfix) with ESMTP id 03BBD1A015A for <secdir@ietf.org>; Mon, 3 Feb 2014 13:06:20 -0800 (PST)
Received: from dommiel.bbn.com ([]:48610 helo=comsec.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1WAQib-000F5H-VE; Mon, 03 Feb 2014 16:06:15 -0500
Message-ID: <52F004B7.5080909@bbn.com>
Date: Mon, 03 Feb 2014 16:05:59 -0500
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.2.0
MIME-Version: 1.0
To: secdir <secdir@ietf.org>, curtis@occnc.com, kireeti@juniper.net, samante@apple.com, agmalis@gmail.com, cpignata@cisco.com, Stewart Bryant <stbryant@cisco.com>, Adrian Farrel <adrian@olddog.co.uk>, Loa Andersson <loa@pi.nu>, rcallon@juniper.net, swallow@cisco.com
Content-Type: multipart/alternative; boundary="------------080800000307000501000302"
Subject: [secdir] SECDIR review of draft-ietf-mpls-forwarding-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Feb 2014 21:06:25 -0000

SECDIR review of draft-ietf-mpls-forwarding-06

I reviewed this document as part of the security directorate's ongoing 
effort to review all IETF documents being processed by the IESG.These 
comments were written primarily for the benefit of the security area 
directors.Document editors, WG chairs and ADs should treat these 
comments just like any other last call comments.

This documentis a candidate Informational RFC. It cites about 25 MPLS 
RFCs (normatively) as a basis for guidelines for MPLS router 
implementers and network providers, with respect to forwarding of MPLS 

The Security Considerations Section is very brief. It correctly states 
that it is a review of forwarding behavior specified in numerous MPLS 
RFCs, and thus introduces no new security requirements. It makes 
specific reference to Section 4.6, which specifies (at a high level) 
some tests for DoS susceptibility in MPLS routers. The paragraph that 
includes this reference should be extended to include pointers to 
Section 2.6.1 (which discusses DoS concerns), and to Section 3.6 (which 
includes a list of DoS protection questions to be posed to suppliers).

It might be nice to summarize the security considerations 
recommendations from the MPLS RFCs that are normative references in this 
document. Since this document is a summary of forwarding-relevant 
requirements from these documents, plus practical advice, such a summary 
would be useful here, and fitting.

Some suggested edits:

2.1.2.MPLS Differentiated Services

[RFC2474] deprecates the IP Type of Service (TOS) and IP Precedence

(Prec) fields and replaces them with the Differentiated Services

Field more commonly known as the Differentiated Services Code Point

(DSCP) field.[RFC2475] defines the Differentiated Services

architecture, which in other forum is often called a Quality of

Service (QoS) architecture.

Either use "fora" (correct Latin) or "forums" (common English) Sequence Number

Pseudowire (PW) sequence number support is most important for PW

payload types with a high expectation of lossless and/or in-order

delivery.Identifying lost PW packets and exact amount of lost

payload is critical for PW services which maintain bit timing, such

as Time Division Multiplexing (TDM) services since these services

MUST compensate lost payload on a bit-for-bit basis.

"the exact amount"

With PW services which maintain bit timing, packets that have been

received out of order also MUST be identified and may be either re-

ordered or dropped.

Uppercase MAY?

The term "microflow" does not appear to be defined anywhere in this 
document, but is used a number of times. I suggest including the 
definition from RFC 2474.

2.4.4.MPLS Entropy Label

The MPLS entropy label simplifies flow group identification [RFC6790] at 
midpoint LSR.Prior to the MPLS entropy label midpoint LSR needed to 
inspect the entire label stack and often the IP headers to provide ...

Missing an article, or make LSR plural.

Many service providers consider it a hard requirement

that use of UDP and TCP ports can be disabled.Therefore there is a stong 
incentive for implementations to provide both options.


Cryptographic authentication can is some circumstances be subject

to DoS attack by overwhelming the capacity of the decryption with

a high volume of malicious traffic.