Re: [secdir] SECDIR review of draft-ietf-pals-seamless-vccv-02

Phillip Hallam-Baker <> Thu, 28 April 2016 19:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EF84C12D1E8; Thu, 28 Apr 2016 12:37:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.399
X-Spam-Status: No, score=-2.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Ekqrg3vxiEZE; Thu, 28 Apr 2016 12:37:34 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:4010:c07::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D0A1312D90F; Thu, 28 Apr 2016 12:37:32 -0700 (PDT)
Received: by with SMTP id y84so95735010lfc.0; Thu, 28 Apr 2016 12:37:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc; bh=x/LtDXysYoeWUO5fVQv+XfBg8KN4CVfHiI0vt3XhfSY=; b=PXeeVoG14uUXxpyd5kuAZC7twwyJ2yXnY4iPAO9S4slkI0Tko9MOm+2O+nQK9lgzuY 6C9nSLm5mnpemdDadD3la8IvEBpoccWH/WwnjMmJ/0HBIYTVrTY6DST9x/JzOgRLhdiG x/nLp8SIeS2pTNJK3R0qDUYvoeoMfZCOXwfQq4P5uxhWPJCo6SL1H1RFOuCHvVx9jaam 9MktknHBBWrcgXc2N476IPJfLDIGXMLqmlUytuv/A3jtpqQD21oYNQsg4CuDslhe8oUh fqy3SMO5QJlmDVWrVH7wQqs/HVj/kYFM8UuUy7uE5VQPE4I501n1lgyQNzvj8xqI602I Bl4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc; bh=x/LtDXysYoeWUO5fVQv+XfBg8KN4CVfHiI0vt3XhfSY=; b=ArMpVLHZ8kx3vTl/NWeKQy8tDmuaiDUpzW55Av7DJSm0cX1s+Y3w+j0flYQfIFxxMx S7AqrO4t94cHKv/wBCg4x4hZYpKg7GYyR1S+mhKFdLVGj6QfAtlduNNlxd817WgvDsl1 PA67Od5CriX6l/6ZUrIQelsUH0JNWu/jopI7Su2F5lufk1G7VhHD4SDecsmGAWKMXLGO XLig34VYZyphmPpa3EEJPnQ+O6q8VxtNgQBsmVQDwmKNla3MkvWKeekwK+Tl8s7sMXrz fZtg/PzmAPdeGTHn/we/Qy8Jicmy4vQrOuK4MvF9Xlfke1PL7YsZcbm8pHvxDD3owiLu D/Ng==
X-Gm-Message-State: AOPr4FVRgkUjcp4Tw1Tr1ZJBnY301sSOpNl6WegVmn7tl3MwqtTazd0L4HFUyVdwykfe0zJ3dqOeryt3F2EiZA==
MIME-Version: 1.0
X-Received: by with SMTP id o76mr821509lfb.67.1461872251052; Thu, 28 Apr 2016 12:37:31 -0700 (PDT)
Received: by with HTTP; Thu, 28 Apr 2016 12:37:30 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <>
Date: Thu, 28 Apr 2016 15:37:30 -0400
X-Google-Sender-Auth: xZDUYUmskLbxsV-uKDMkVj13LgA
Message-ID: <>
From: Phillip Hallam-Baker <>
To: Stewart Bryant <>
Content-Type: multipart/alternative; boundary="001a1140027a3b2efe053190a82e"
Archived-At: <>
Cc:, "Andrew G. Malis" <>, "" <>, "" <>
Subject: Re: [secdir] SECDIR review of draft-ietf-pals-seamless-vccv-02
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 28 Apr 2016 19:37:37 -0000

On Wed, Apr 27, 2016 at 5:31 AM, Stewart Bryant <>

> On 26/04/2016 15:51, Phillip Hallam-Baker wrote:
> Yes, I think that what is needed is IAB review of what is going on
> rather than action on this particular draft.
> Sorry - what is the scope of your proposed IAB review?
> In particular, I don't consider a protocol suitable to be considered
> an IETF standard unless people can buy devices from multiple vendors
> and configure them to work together securely.
> Sure, but I would like to see an evidence based assessment of the specific
> problem you are seeing in the field. So far none has been brought to PALS
> (ne PWE3)
> or MPLS as far as I am aware. Carlos can talk to L2TP, but again I have not
> heard of a specific problem ever being raised.

The point of security considerations is that the onus is on the developers
to show that the system is secure.

The documents I have read don't describe a coherent security architecture.
It seems to me that the security of the MPLS/SDN etc world is something
that hasn't really received the consideration it needs.

A few years back we suddenly realized that BGP had no security model and
desperately needed one. The whole point of security considerations was to
try to avoid situations like that occurring. It seems we have done the same
thing in this space.

The other issue is that security people probably should be looking at layer
2 security because that is the only way to achieve protection against
certain mass surveillance attacks. It is a potential tool that has been

Right, but I cannot see why anyone would want to mass surveil the OAM
> protocol, and we inherit the security enhancements to the underlying
data and control planes.

The type of attack that would be of concern would be injecting messages
into the control plane to affect movement of packets. There are games that
can be played just by manipulating quality of service.

> I do not consider IPSEC to be a suitable security mechanism for this
> type of system. If I was given the design brief, I would insist that
> every message be authenticated by digital signature rather than a MAC
> and the control messages logged. I might use a MAC for
> pre-authentication to prevent DoS attack on the control plane. But the
> control messages should be fixed in non repudiable fashion.
> We need to examine this statement in more detail to understand which
> element
> of the system you are concerned about. However please remember that some
> elements of the dataplane and OAM are cost and time sensitive.

I am mostly interested in security of the control plane messages. Though it
might well be useful to consider the possibility of using these
infrastructures as a possible platform for building traffic analysis
resistant networks.

I am aware that this is not BGP which is a layer 3 switching protocol.
I don't think anyone would describe BGP as a layer 3 switching protocol!

It exchanges reachability information, it does not switch packets.

I just did and I am right. The layer at which BGP data moves is pretty much
irrelevant to me. It could move out of band on carrier pigeon for all I
care. BGP is supplying the information that directs packets at layer 3.
Hence it is best viewed as a support protocol for layer 3.

The ISO layered model isn't very helpful because it directs attention to
how packets move. Once you start on virtual links and quality of service,
you end up with nested stacks if you try to maintain 'layering'.

This document has the title 'psuedowire' in the title. The protocol it is
describing creates a capability that has link-like nature. Therefore from a
security perspective we are talking layer 2 even if you build this on layer

At that layer I am interested in service and traffic analysis attacks.