Re: [secdir] SECDIR review of draft-ietf-manet-olsrv2-metrics-rationale-02

"Stan Ratliff (sratliff)" <sratliff@cisco.com> Wed, 06 March 2013 17:14 UTC

From: "Stan Ratliff (sratliff)" <sratliff@cisco.com>
To: "Dearlove, Christopher (UK)" <Chris.Dearlove@baesystems.com>
Date: Wed, 06 Mar 2013 17:14:47 +0000
Cc: "T.Clausen@computer.org" <T.Clausen@computer.org>, secdir <secdir@ietf.org>, "philippe.jacquet@alcatel-lucent.com" <philippe.jacquet@alcatel-lucent.com>, Adrian Farrel <adrian@olddog.co.uk>, "macker@itd.nrl.navy.mil" <macker@itd.nrl.navy.mil>, "Stewart Bryant (stbryant)" <stbryant@cisco.com>
Subject: Re: [secdir] SECDIR review of draft-ietf-manet-olsrv2-metrics-rationale-02

FWIW, I agree with Chris - including security concerns for OLSRv2 would be a scope change for the document. The authors were trying to answer the question "Why did you put metrics into OLSRv2, and why did you include them in this specific fashion?" Given that scope, I don't believe there are security issues, and the note in the document is adequate.

Just my 2 cents.

Regards,
Stan

On Mar 6, 2013, at 11:37 AM, Dearlove, Christopher (UK) wrote:

Please note that this is not a rationale of OLSRv2.

This is a rationale of how metrics were added to OLSRv2, a small subset of the complete OLSRv2 functionality.

There were of course security considerations in the design of OLSRv2, but this is not that document.

--
Christopher Dearlove
Senior Principal Engineer, Communications Group
Communications, Networks and Image Analysis Capability
BAE Systems Advanced Technology Centre
West Hanningfield Road, Great Baddow, Chelmsford, CM2 8HN, UK
Tel: +44 1245 242194 |  Fax: +44 1245 242124
chris.dearlove@baesystems.com | http://www.baesystems.com

BAE Systems (Operations) Limited
Registered Office: Warwick House, PO Box 87, Farnborough Aerospace Centre, Farnborough, Hants, GU14 6YU, UK
Registered in England & Wales No: 1996687

From: Stephen Kent [mailto:kent@bbn.com]
Sent: 06 March 2013 15:40
To: secdir; Dearlove, Christopher (UK); T.Clausen@computer.org; philippe.jacquet@alcatel-lucent.com; macker@itd.nrl.navy.mil; sratliff@cisco.com; Stewart Bryant; Adrian Farrel
Subject: SECDIR review of draft-ietf-manet-olsrv2-metrics-rationale-02


SECDIR review of draft-ietf-manet-olsrv2-metrics-rationale-02

I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document is targeted as an Informational RFC. It describes itself as “… an historic record of the rationale for, and design considerations behind, how link metrics were included in OLSRv2.”

The Security Considerations section says simply “This document does not specify any security considerations.” It’s been a very long time (many years) since I’ve encountered that phrase in a candidate RFC. A rationale document itself probably does not entail security considerations, but the omission of any security discussion suggests that security did not play a role in the design of this routing protocol. Is that true? If so, who thinks this is a good thing?

I looked at the I-D that defines OLSRv2. It contains a two-page Security Considerations section. From my perspective, this document ought to provide background info (rationale) for the security suggestions contained in that document.
