IETF Logo Mail Archive

[secdir] Secdir review of draft-ietf-nsh-tlv-08

Charlie Kaufman <charliekaufman@outlook.com> Fri, 01 October 2021 06:23 UTC

Return-Path: <charliekaufman@outlook.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 232673A081D; Thu, 30 Sep 2021 23:23:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.9
X-Spam-Level: **
X-Spam-Status: No, score=2.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, GB_SUMOF=5, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=outlook.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yE_nTJNzQ3uU; Thu, 30 Sep 2021 23:23:04 -0700 (PDT)
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (mail-bn7nam10olkn2109.outbound.protection.outlook.com [40.92.40.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98A593A005E; Thu, 30 Sep 2021 23:23:04 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=madit/6VqkqwntanwEBhg/oY2rhNQ50a/NQ+2mXIrw6diOoSDDhTNConQ6Wh7lkt25uUTq8f9RtAebvw/qUziwXgn94QUSDlTnbw/1x71eOL8j2dmvVpbgSUZupGmiK29Zmcr5CnNMSkFUbMZ4mJQRujq27QvS8UoQXpd4EqX3o0ckd/ndgTabNekJDzdOgxLBQlGJHG5etoXJj/x3HiF+nmw5tBDeQwzLzKIcjJke0OsqMBUOM5HQhN+uOT2r2Y/SuvUBAFY9eHYT7D0GN3rStepyC3NEcTwy4v8R49ucysD2fY0msmADnEorUBXyL2wz0ExupO7HXpWLQKbcYaIw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=EF2JjIs3J+Fy9Z3rzr1frEiUKBOUsaQ680sqgRPX0pw=; b=bkAxcpmLFqd1y8Zo8nI0QTZwyPAfol3JP/btlcanHo1EseIf7iVmqEg5qqY0YEEj9/OOWLQ+PP1qCiLzA5xde9bYnifEDkbs/L+4msBokrvsNOM9uv4uqwttyCiZCHv8/cjy9PpI1Oo/tsinPZw+7BClawplwX769IlNnqhbFJbcOVnEsKSSdWvju51VsnwBcYGymITcWyEu0sU44nc5KB+a/FRM4/YqP7+fCYK4d4UWWI5/hRUBnAJqTmzZSToZyTfqdLvbJoa+4SEuIoj0fXzfGtaczLmcm7lwKTcZNuQtxLDumZqWWdOrye/MRU0lbM5DBdAH/swuTPnotnVa9w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outlook.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=EF2JjIs3J+Fy9Z3rzr1frEiUKBOUsaQ680sqgRPX0pw=; b=qKcopZxSloBQecL4X7/2au4VS6lRtILq8lvd0buAnFAKf9lXMAJ151Bs1KeUuYongQ4cHLLMmH9fs7FhVzgez/elFF5Cih1Ct7HeoqdM0nCXCZZ8Rb+Kp5h+w1xj+XJnxp9qxe+BIT04nIbTrHUj8TX1UcjIxJeJYkrLoyPLJKTd37gOFi9JSh3Ath/dGsQ9d0Rhca1nSuT+eXdeuzUX0MwqttnJj2henNRlIJYKRSN8pBypl2zI92+W+2sAa25tRhaXed9w7DtVMJyqO7m3+mYqhDVW//WxYl4J5lrtu58AcjqXfossnMtgwfd+RQIl2qeJbIIPZIadfcC80PUreg==
Received: from MW2PR1901MB4683.namprd19.prod.outlook.com (2603:10b6:302:6::28) by MWHPR19MB1086.namprd19.prod.outlook.com (2603:10b6:300:a5::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4544.21; Fri, 1 Oct 2021 06:23:02 +0000
Received: from MW2PR1901MB4683.namprd19.prod.outlook.com ([fe80::d1fc:871:50e:2dd5]) by MW2PR1901MB4683.namprd19.prod.outlook.com ([fe80::d1fc:871:50e:2dd5%6]) with mapi id 15.20.4544.025; Fri, 1 Oct 2021 06:23:02 +0000
From: Charlie Kaufman <charliekaufman@outlook.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-nsh-tlv.all@ietf.org" <draft-ietf-nsh-tlv.all@ietf.org>
Thread-Topic: Secdir review of draft-ietf-nsh-tlv-08
Thread-Index: AQHXtoxLoeTM3+lkiked51ZCecVWng==
Date: Fri, 01 Oct 2021 06:23:02 +0000
Message-ID: <MW2PR1901MB468370FA7A15C00DAD68285BDFAB9@MW2PR1901MB4683.namprd19.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
suggested_attachment_session_id: f10ce794-a09b-d976-9c6a-5f13b6580c87
x-tmn: [6xdA+qOQ21RI4OpKfTemObUfKluvZBWlrnk8ybCzFPzUecY0fFKTzg==]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 187747bf-b822-4764-e4cc-08d984a3ec16
x-ms-traffictypediagnostic: MWHPR19MB1086:
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: hvmRSGWxO5lgDxT/KCchaXn9CfHLkaL5TPH0mUtsohV7koZffyT1Zl38PDmcBRrri53dIrncnUbRJl712bNZbhhTLCQyJO2nWGRr3M+7V+mq6um5FqAdd3Wyp5MZdbrHUymTTfkP042xSp/orYKafS5x1IDnXiDpXQKcBcAc0kzCrhnege/tRIF6QVTXk4AErHWe6E9GMuocgAryWlVK9wlP9u6XQoZbgTyUtv1bSMZcXzhEbw5jWIOQKv34EQsf9Rr1xQZu8OS5aeOXvMgDaIQA3hjDskYHNrVemScZuDu/ZqsrTAPDUGx6nu2BRWbPsHHqYRmQHAOl/a8O9bv91EggaYx0DWftxDCoocLXUj0s05b5vMqHic5VLIH43wEcNshR8XL3+5s49BGqdNBIleJaLqMYu4UhHYgBHwiziB0Q6PJpe3lok+bDcjA1bflu
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: BDc1ItXV6m5to2UymYncVl2pxhWwWzq9Mq5Xvg+dSeJvnhv8xzKux3mjBEAwV5YmPtmK4klW3jFz0eFtEQe3TRKdIjQdW3Gm8yFQaBU8VLvU9jA3ctPTqaOhlZ62KkkwcTRhQbkvqNuFm+7sX6vBX6Id2fShCZ8C31xAbkik3B4=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MW2PR1901MB468370FA7A15C00DAD68285BDFAB9MW2PR1901MB4683_"
MIME-Version: 1.0
X-OriginatorOrg: outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: MW2PR1901MB4683.namprd19.prod.outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: 187747bf-b822-4764-e4cc-08d984a3ec16
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Oct 2021 06:23:02.4485 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR19MB1086
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/DsS5EY4-OBKCG0_1-dyoK8g7w2w>
Subject: [secdir] Secdir review of draft-ietf-nsh-tlv-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Oct 2021 06:23:10 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: No security issues

This document specifies a syntax only and therefore has no security considerations. The security considerations section points to the RFC8300 for security considerations of the protocol in which these messages are used.

General comments:

I found no nits with the document.

Section 3 of the document repeats information from RFC8300 but in less detail. I assume that's to set context and is non-normative. It omits important details like processing of the "U" fields. Neither document says what to do on format violations (e.g., Length=0).

I would have expected Section 4 to say what to do with format violations. For example, if the Length is not the value the spec says it has to be, should the length be ignored, or the extension be ignored, or the entire packet be discarded. What if the sum of the lengths of the extensions exceeds the length (in four octet groups) specified in the outer header?

This is common in specifications and does not lead to problems until someone tries to extend the protocol later and discovers divergent behavior in implementations. (Sadly, that's often true even if the specification does define correct behavior because implementations often don't follow the specifications, but you have to start somewhere).

v2.23.0 | Report a Bug | By Email