IETF Logo Mail Archive

Re: [secdir] Secdir review of draft-ietf-ccamp-gmpls-ether-svcs

Adrian Farrel <Adrian.Farrel@huawei.com> Wed, 17 February 2010 12:05 UTC

Return-Path: <Adrian.Farrel@huawei.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 2F40C3A795D for <secdir@core3.amsl.com>; Wed, 17 Feb 2010 04:05:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.466
X-Spam-Level:
X-Spam-Status: No, score=-2.466 tagged_above=-999 required=5 tests=[AWL=0.132, BAYES_00=-2.599, STOX_REPLY_TYPE=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JRvc1KJUlKTc for <secdir@core3.amsl.com>; Wed, 17 Feb 2010 04:05:04 -0800 (PST)
Received: from usaga03-in.huawei.com (usaga03-in.huawei.com [206.16.17.220]) by core3.amsl.com (Postfix) with ESMTP id 5DDAB3A7654 for <secdir@ietf.org>; Wed, 17 Feb 2010 04:05:03 -0800 (PST)
Received: from huawei.com (usaga03-in [172.18.4.17]) by usaga03-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0KXZ009Z0IZ5LH@usaga03-in.huawei.com> for secdir@ietf.org; Wed, 17 Feb 2010 06:06:41 -0600 (CST)
Received: from your029b8cecfe (dsl-sp-81-140-15-32.in-addr.broadbandscope.com [81.140.15.32]) by usaga03-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTPA id <0KXZ00EE6IZ3UN@usaga03-in.huawei.com> for secdir@ietf.org; Wed, 17 Feb 2010 06:06:41 -0600 (CST)
Date: Wed, 17 Feb 2010 12:06:20 +0000
From: Adrian Farrel <Adrian.Farrel@huawei.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>, secdir@ietf.org, draft-ietf-ccamp-gmpls-ether-svcs.all@tools.ietf.org
Message-id: <3D3F33B1A4BB48FE84F8C39B90A29785@your029b8cecfe>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2900.5579
X-Mailer: Microsoft Outlook Express 6.00.2900.5843
Content-type: text/plain; format="flowed"; charset="iso-8859-1"; reply-type="original"
Content-transfer-encoding: 7bit
X-Priority: 3
X-MSMail-priority: Normal
References: <p0624084fc7a0f5f984a3@[10.20.30.158]>
Subject: Re: [secdir] Secdir review of draft-ietf-ccamp-gmpls-ether-svcs
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Adrian Farrel <Adrian.Farrel@huawei.com>
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Feb 2010 12:05:06 -0000

Hi Paul,

Thanks for the review.

Off-topic of the draft, I think, you say...

> RFC 3473 is GMPLS signalling with RSVP-TE. RSVP has hop-by-hop integrity 
> protection
> that is often used in real-world deployments; no privacy is assumed in the 
> signalling. However,
> RSVP-TE introduces non-hop-by-hop notifications that are adopted by 
> draft-ietf-ccamp-
> gmpls-ether-svcs. Unlike the rest of RSVP-TE, those notifications have no 
> integrity protection
> unless that operators run the protocol under a security service like IPsec

I am not sure why you make this assertion.
The GMPLS Notification message is open to all of the security features 
available in RSVP-TE.

It is true that Notification messages can be sent using "non-adjacent 
signaling" which would require the existence of security peerings between 
non-adjacent nodes. This can be achieved by group keying, but peer keying 
need not be so arduous in most use cases.

But an alternative mechanism for delivery of Notification messages is 
defined in RFC3473 where the messages are forwarded hop-by-hop within 
RSVP-TE. This enables the use of the normal RSVP-TE security model.

Cheers,
Adrian

v2.23.0 | Report a Bug | By Email