Re: [secdir] Secdir last call review of draft-ietf-pim-source-discovery-bsr-07

Stig Venaas <stig@venaas.com> Tue, 16 January 2018 17:51 UTC

In-Reply-To: <151539253778.11305.7448095057192632663@ietfa.amsl.com>
References: <151539253778.11305.7448095057192632663@ietfa.amsl.com>
From: Stig Venaas <stig@venaas.com>
Date: Tue, 16 Jan 2018 09:51:26 -0800
Message-ID: <CAHANBtL8TmOFn1bq5qgCqjaHxHCuSeTDTD_gdwM56R4sJ2yFsQ@mail.gmail.com>
To: Liang Xia <frank.xialiang@huawei.com>
Cc: secdir@ietf.org, draft-ietf-pim-source-discovery-bsr.all@ietf.org, ietf@ietf.org, pim@ietf.org, The IESG <iesg@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/9zFphKTJWbIxV0pux-UDmI33Lvk>

Thanks for the great feedback!

I've tried to address all of your comments. I'm planning to add this
paragraph to the security considerations.

PIM-SM link-local messages can be authenticated using IPsec, see
[RFC7761] section 6.3 and [RFC5796]. Since PFM messages are link-local
messages sent hop by hop, a link-local PFM message can be
authenticated using IPsec such that a router can verify that a message
was sent by a trusted neighbor and has not been modified. However, to
verify that a received message contains correct information announced
by the originator specified in the message, one will have to trust
every router on the path from the originator and that each router has
authenticated the received message.

Let me know if you have any comments on that paragraph.
Thanks,
Stig

On Sun, Jan 7, 2018 at 10:22 PM, Liang Xia <frank.xialiang@huawei.com> wrote:
> Reviewer: Liang Xia
> Review result: Has Issues
>
> Nits:
> 1. In the Abstract, the abbreviation is missing when the terms first appear,
> such as: Sparse-Mode, Rendezvous Point;
> 2. Every word in the section titles should be capitalized.
>
> Issues:
> 1. In the Security Considerations section, should one sentence be "even if the
> sources are actually not active"?
> 2. Generally, peer authentication (by certificate, shared key...) and message
> integrity protection are always helpful to defend against forged routers and
> PFM messages, and even the resulting resource consumption. But in the current
> Security Considerations section, there is nothing discussed about these
> countermeasures, even in a general way. Personally, I suggest considering this
> point.
>
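As an added illustration of the trust argument in the proposed paragraph (example code written for this page, not part of the draft or of either message), the model below floods one PFM message hop by hop along a chain of routers. Each link has its own key, standing in for the neighbour IPsec SA of RFC 5796; the router names R1..R4, the pairwise key derivation and the sample source addresses are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed model: routers R1 -> R2 -> R3 -> R4 flood one PFM message.
# Each adjacent pair shares a link key (stand-in for the per-neighbour
# IPsec SA of RFC 5796), so a router can only ever authenticate the
# neighbour it received the message from, never the originator.


@dataclass
class PFMMessage:
    originator: str       # originator address carried in the PFM header
    sources: tuple        # announced (source, group) pairs
    hop_tag: bytes = b""  # link-local authenticator, recomputed at every hop


def link_key(a: str, b: str) -> bytes:
    # Hypothetical deterministic pairwise key, for the model only.
    return hashlib.sha256(("link:" + "|".join(sorted((a, b)))).encode()).digest()


def sign_hop(msg: PFMMessage, sender: str, receiver: str) -> bytes:
    payload = f"{msg.originator}:{sorted(msg.sources)}".encode()
    return hmac.new(link_key(sender, receiver), payload, hashlib.sha256).digest()


def verify_hop(msg: PFMMessage, sender: str, receiver: str) -> bool:
    return hmac.compare_digest(msg.hop_tag, sign_hop(msg, sender, receiver))


def flood(path, originator, sources, untrusted=None):
    """Forward the message along path; every receiver verifies its neighbour.
    An untrusted router re-originates changed content under the same
    originator yet still authenticates to its own downstream neighbour, so
    every later per-hop check keeps passing."""
    msg = PFMMessage(originator, tuple(sources))
    hop_checks = []
    for sender, receiver in zip(path, path[1:]):
        msg.hop_tag = sign_hop(msg, sender, receiver)
        hop_checks.append((receiver, verify_hop(msg, sender, receiver)))
        if receiver == untrusted:
            msg = PFMMessage(originator, msg.sources + (("10.9.9.9", "232.1.1.1"),))
    return msg, hop_checks


def originator_claim_reliable(path, trusted) -> bool:
    """The receiver may rely on content attributed to the originator only if
    every router that forwarded it (all of path except the receiver) is trusted."""
    return all(router in trusted for router in path[:-1])
```

The per-hop checks pass in both runs; only `originator_claim_reliable`, which needs the whole path to be trusted, distinguishes the two.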