Re: [secdir] Review of draft-ietf-bfd-vxlan-09
"Shawn M. Emery" <semery@uccs.edu> Tue, 10 December 2019 21:36 UTC
Return-Path: <semery@uccs.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8CA77120019; Tue, 10 Dec 2019 13:36:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.488
X-Spam-Level:
X-Spam-Status: No, score=-1.488 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.4, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fcyAu0U31h6L; Tue, 10 Dec 2019 13:36:49 -0800 (PST)
Received: from exchange.uccs.edu (uccs-ex1.uccs.edu [128.198.1.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E702C120005; Tue, 10 Dec 2019 13:36:48 -0800 (PST)
Received: from mail-ed1-f49.google.com (209.85.208.49) by UCCS-EX1.uccs.edu (128.198.1.101) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Tue, 10 Dec 2019 14:36:46 -0700
Received: by mail-ed1-f49.google.com with SMTP id cy15so17369524edb.4; Tue, 10 Dec 2019 13:36:46 -0800 (PST)
X-Gm-Message-State: APjAAAXj7NJKR03UI8jxIERlocxBuXMg0dW8W9rH1n7DuoWQuCHhvswg HFCh18YF0zLhJcJfX9J7gHT1y1CN2pJVg4QwCQg=
X-Google-Smtp-Source: APXvYqzoVQn3bFL6gdvs4Cua/mGOYgS1Yt1g4g+hpevP/nKSbgIG54JSR+nmvnApINro6oEj15lvzhQjwUWiwODMFZ0=
X-Received: by 2002:a50:fa87:: with SMTP id w7mr42506594edr.0.1576013805546; Tue, 10 Dec 2019 13:36:45 -0800 (PST)
MIME-Version: 1.0
References: <CAChzXmaj-fBb5D8EPy7C4nU0mO0+yPGux51-Xxvu22oyUVh4Ag@mail.gmail.com> <20191210155221.GB29250@pfrc.org>
In-Reply-To: <20191210155221.GB29250@pfrc.org>
From: "Shawn M. Emery" <semery@uccs.edu>
Date: Tue, 10 Dec 2019 14:36:34 -0700
X-Gmail-Original-Message-ID: <CAChzXmaPh1Z23yOwig1ToJOp7ye6b0W3pcmk5_qPzHV9es6yUg@mail.gmail.com>
Message-ID: <CAChzXmaPh1Z23yOwig1ToJOp7ye6b0W3pcmk5_qPzHV9es6yUg@mail.gmail.com>
To: Jeffrey Haas <jhaas@pfrc.org>
CC: draft-ietf-bfd-vxlan.all@ietf.org, secdir <secdir@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000a75430599604faa"
X-Originating-IP: [209.85.208.49]
X-ClientProxiedBy: UCCS-EX3.uccs.edu (128.198.1.103) To UCCS-EX1.uccs.edu (128.198.1.101)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/BRy1upX2MQCiMU6ESPalCJ3QIEo>
X-Mailman-Approved-At: Tue, 10 Dec 2019 13:38:19 -0800
Subject: Re: [secdir] Review of draft-ietf-bfd-vxlan-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Dec 2019 21:36:52 -0000
Hi Jeff, Comments begin with SME... On Tue, Dec 10, 2019 at 8:48 AM Jeffrey Haas <jhaas@pfrc.org> wrote: > Shawn, > > On Mon, Dec 09, 2019 at 05:51:30PM -0700, Shawn M. Emery wrote: > > Reviewer: Shawn M. Emery > > Review result: Ready with nits > > [...] > > > 1. Relating to privacy: > > I believe that this section [security considerations] should also > document > > the security impact of deploying BFD on VXLANs for monitoring tunnel > > traffic. > > Which additional information, if any, can now be obtained with BFD usage? > > BFD protects transport between two systems and, in the profile envisaged in > this document, does not typically involve itself in protecting user-managed > endpoints. (In such circumstances, they might consider standard RFC > 5880/5881 BFD as a user-provisioned mechanism.) > > The traffic for this mechanism is thus between two systems at the tunnel > level and only covers the information necessary to permit the BFD protocol > to execute, including any BFD security mechanisms that may be applied to > that session. There are thus no end user privacy considerations for this > mechanism. > SME: This was not clear to me when reading the draft and think that the text above would help in defending that there are no privacy concerns that this specification introduces. > > 2. Editorial: > > Echo BFD is out of scope for the document, but does not describe the > > reason for this or why state this at all? > > This is covered by RFC 5880 section 5. Similar to most other IETF > documents, when documenting extensions and we do not conflict with the base > behavior, we don't try to copy and paste the motivations as it waters down > the normative text. (If we were IEEE, we'd reissue the entire suite every > time we touched something...) > > Our preference is to leave it alone. > > At best, we could say "See RFC 5880, section 5." > SME: This was also not clear to me, as my initial investigation did not lead me to this text. Shawn. --
- [secdir] Review of draft-ietf-bfd-vxlan-09 Shawn M. Emery
- Re: [secdir] Review of draft-ietf-bfd-vxlan-09 Jeffrey Haas
- Re: [secdir] Review of draft-ietf-bfd-vxlan-09 Shawn M. Emery
- Re: [secdir] Review of draft-ietf-bfd-vxlan-09 Jeffrey Haas
- Re: [secdir] Review of draft-ietf-bfd-vxlan-09 Jeffrey Haas
- Re: [secdir] Review of draft-ietf-bfd-vxlan-09 Shawn M. Emery
- Re: [secdir] Review of draft-ietf-bfd-vxlan-09 Jeffrey Haas