IETF Logo Mail Archive

[secdir] secdir review of draft-ietf-pce-pcep-flowspec-09

"Scott G. Kelly" <scott@hyperthought.com> Sun, 05 July 2020 22:48 UTC

Return-Path: <scott@hyperthought.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E7753A0BAA for <secdir@ietfa.amsl.com>; Sun, 5 Jul 2020 15:48:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qrLQuJx78rqF for <secdir@ietfa.amsl.com>; Sun, 5 Jul 2020 15:48:28 -0700 (PDT)
Received: from smtp86.iad3a.emailsrvr.com (smtp86.iad3a.emailsrvr.com [173.203.187.86]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54C2D3A0BA9 for <secdir@ietf.org>; Sun, 5 Jul 2020 15:48:28 -0700 (PDT)
Received: from app15.wa-webapps.iad3a (relay-webapps.rsapps.net [172.27.255.140]) by smtp19.relay.iad3a.emailsrvr.com (SMTP Server) with ESMTP id 4E1D737B9; Sun, 5 Jul 2020 18:48:27 -0400 (EDT)
Received: from hyperthought.com (localhost.localdomain [127.0.0.1]) by app15.wa-webapps.iad3a (Postfix) with ESMTP id 375EAE0039; Sun, 5 Jul 2020 18:48:27 -0400 (EDT)
Received: by apps.rackspace.com (Authenticated sender: scott@hyperthought.com, from: scott@hyperthought.com) with HTTP; Sun, 5 Jul 2020 15:48:27 -0700 (PDT)
X-Auth-ID: scott@hyperthought.com
Date: Sun, 05 Jul 2020 15:48:27 -0700
From: "Scott G. Kelly" <scott@hyperthought.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-pce-pcep-flowspec.all@ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Importance: Normal
X-Priority: 3 (Normal)
X-Type: plain
Message-ID: <1593989307.2241306@apps.rackspace.com>
X-Mailer: webmail/17.3.12-RC
X-Classification-ID: 3b5a6d0e-1d4e-4147-9bb1-7e3fd03883d9-1-1
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/6vW7wAzE0BvAR0QUkwJcwGWR3hU>
Subject: [secdir] secdir review of draft-ietf-pce-pcep-flowspec-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Jul 2020 22:48:31 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is ready. 

>From the abstract, "This document specifies a set of extensions to PCEP to support dissemination of Flow Specifications.  This allows a PCE to indicate what traffic should be placed on each path that it is aware of."

The security considerations section says that this mechanism has all of the same security considerations of the underlying PCEP protocol, and that all of the same security considerations in RFC5440, RFC6952, and RFC8253 apply. It also mentions some additional privacy considerations, and that order of installation for overlapping flow specs may have unexpected consequences that could be exploited by an attacker.

I don't have additional concerns.

v2.23.0 | Report a Bug | By Email