Re: [secdir] Status of draft-ietf-l2vpn-vpls-mcast-reqts?
"Yuji KAMITE" <y.kamite@ntt.com> Tue, 25 November 2008 11:51 UTC
Return-Path: <secdir-bounces@ietf.org>
X-Original-To: secdir-archive@ietf.org
Delivered-To: ietfarch-secdir-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 659963A692B; Tue, 25 Nov 2008 03:51:05 -0800 (PST)
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8DBE63A67F5 for <secdir@core3.amsl.com>; Tue, 25 Nov 2008 03:48:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.165
X-Spam-Level:
X-Spam-Status: No, score=-1.165 tagged_above=-999 required=5 tests=[AWL=-1.433, BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_33=0.6, J_CHICKENPOX_43=0.6, SARE_HTML_SINGLETS=1.666, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kMxEgDemH9kX for <secdir@core3.amsl.com>; Tue, 25 Nov 2008 03:48:02 -0800 (PST)
Received: from mgw2.noc.ntt.com (mgw2.noc.ntt.com [210.160.15.6]) by core3.amsl.com (Postfix) with ESMTP id 79AA33A692B for <secdir@ietf.org>; Tue, 25 Nov 2008 03:48:01 -0800 (PST)
Received: from mop2.noc.ntt.com by mgw2.noc.ntt.com (NTT-Com MailSV) with ESMTP id mAPBltPX015028; Tue, 25 Nov 2008 20:47:55 +0900 (JST)
Received: from mip1.noc.ntt.com (mvi2.noc.ntt.com) by mop2.noc.ntt.com (NTT-Com MailSV) with ESMTP id <0KAW00ANI0RVZ5@ntt.com>; Tue, 25 Nov 2008 20:47:55 +0900 (JST)
Date: Tue, 25 Nov 2008 20:47:51 +0900
From: Yuji KAMITE <y.kamite@ntt.com>
In-reply-to: <25092678-15BA-42B6-B3CB-540C572A7859@nist.gov>
To: 'Tim Polk' <tim.polk@nist.gov>
Message-id: <002101c94ef3$a5b23970$b3d80e0a@coe.ntt.com>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1933
X-Mailer: Microsoft Office Outlook 11
Content-type: multipart/mixed; boundary="----=_NextPart_000_0022_01C94F3F.1599E170"
Thread-index: AclI7lo6i8ORuYAQQhS2oFMexGUuVgF/9WEw
References: <002101c948d2$a6f73280$89fa320a@araoa.ntt.com> <25092678-15BA-42B6-B3CB-540C572A7859@nist.gov>
X-Mailman-Approved-At: Tue, 25 Nov 2008 03:51:04 -0800
Cc: 'Mark Townsley' <townsley@cisco.com>, draft-ietf-l2vpn-vpls-mcast-reqts@tools.ietf.org, l2vpn-chairs@tools.ietf.org, secdir@ietf.org
Subject: Re: [secdir] Status of draft-ietf-l2vpn-vpls-mcast-reqts?
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
Sender: secdir-bounces@ietf.org
Errors-To: secdir-bounces@ietf.org
Hi Tim (CC: Sec-Dirs), > I will keep an eye out for the new text, and would be glad to > review it. For addressing your DISCUSSes and Sec-Dir comments about this document, I am thinking about revising as attached. In your review you pointed out that the current document lacks of thorough security analysis, so now I propose the text to address it. I'd appreciate your recheck if it addresses the points you raised. For detail, please see the attached text. I also send the diff-file for your convenience. Best regards, -Yuji ------------------------------ Proposed changes summary: - Modified Section 6.6. - Create subsection 6.6.1 for security threat analysis : - This is totally new text for addressing Sam's DISCUSS and Sec-Dir comment below: https://datatracker.ietf.org/idtracker/draft-ietf-l2vpn-vpls-mcast-reqts/comment/75905/ http://www.ietf.org/mail-archive/web/ietf/current/msg49004.html - Create subsection 6.6.2. for security requirements: - Added a short paragraph to show highlighted relationship to address the Tim's DISCUSS https://datatracker.ietf.org/idtracker/draft-ietf-l2vpn-vpls-mcast-reqts/comment/78677/ - Elaborated how each threat item is solved/mitigated - Modified Section 7. - Added text as 3rd paragraph to reflect the proposed changes in Section 6.6. ------------------------------ > -----Original Message----- > From: Tim Polk [mailto:tim.polk@nist.gov] > Sent: Tuesday, November 18, 2008 4:55 AM > To: Yuji KAMITE > Cc: 'Mark Townsley'; > draft-ietf-l2vpn-vpls-mcast-reqts@tools.ietf.org; > l2vpn-chairs@tools.ietf.org > Subject: Re: Status of draft-ietf-l2vpn-vpls-mcast-reqts? > > Hi Yuji, > > I will keep an eye out for the new text, and would be glad to > review it. > > Thanks, > > Tim > > On Nov 17, 2008, at 10:36 AM, Yuji KAMITE wrote: > > > Mark, > > > > Regarding Tim's comment, > > I've been writing up the security threat analysis recently, but > > couldn't submit before the deadline. > > I'd like to show the curent proposed text for security very soon. > > (Hopefully in this week.) I hope Tim will take a look at it. > > > > BTW, regarding Ron's comment, > > I did the changes to address his comment already. > > But not sure if he actually confirmed it. > > > > Regards, > > Yuji > > -----Original Message----- > > From: Mark Townsley [mailto:townsley@cisco.com] > > Sent: Monday, November 17, 2008 9:40 AM > > To: draft-ietf-l2vpn-vpls-mcast-reqts@tools.ietf.org; > > l2vpn-chairs@tools.ietf.org > > Subject: Status of draft-ietf-l2vpn-vpls-mcast-reqts? > > > > > > > > My notes say: > >> 2 issues mostly covered, remaining security threat analysis issue > >> taking more time. > > I assume this means the comment from Ron can be argued against, but > > that the security issue is more problematic. > > > > The document hasn't moved since the last IETF. It seems stuck and > > needs a little attention from someone. > > > > Authors, please try and sit down with Tim Polk this week > and resolve > > what needs to be done to move this document forward. If you need my > > help, please ask. > > > > Thanks, > > > > - Mark > > > > > >> Discusses and Comments > >> Ron Bonica: > >> Discuss: > >> [2007-12-20] Maybe I missed it, but the document doesn't seem to > >> address MAC learning. > >> > >> Comment: > >> [2007-12-20] You say " > >> > >> "Furthermore, in some cases, IP service providers might expect > >> operational simplicity of VPLS. That is, they avoid direct and > >> detailed knowledge of IP routing. In this case, the multicast > >> delivery mechanism is expected to have not only efficiency > but also > >> simplicity. Generally speaking, there is a trade-off between > >> efficiency and simplicity in terms of bandwidth usage and state > >> maintenance, so the optimum trade-off will vary depending on the > >> requirements of each IP service provider." > >> > >> The argument about "operational simplicity of VPLS" > relative to layer > >> 3 service is difficult to support, as instead of "direct > and detailed > >> knowledge of IP routting", one has to deal with direct and > detailed > >> knowledge of MAC addresses (including MAC address learning), and > >> layer 2. > >> > >> Consider removing the entire paragraph > >> > >> > >> Also, you say: > >> > >> "A solution SHOULD honor customer multicast domains." > >> > >> > >> Perhaps replace with "A solution SHOULD NOT alter customer > multicast > >> domains' boundaries", as it is not clear what "honor .. multicast > >> domains" > >> really means. Otherwise, clarify what "honor" means. > >> > >> Also, you say: > >> > >> "Multicast forwarding restoration time MUST NOT be greater > than the > >> restoration time of a customer's Layer-3 multicast protocols. For > >> example, if a customer uses PIM with default configuration, hello > >> hold timer is 105 seconds, and solutions are required to detect a > >> failure no later than this period." > >> > >> The above mixes *restoration* time at layer 3 with > *detection* time > >> at the VPLS infrastructure. Does not seems to be correct. > >> > >> > >> Also, you say: > >> > >> Therefore, in addition to the L2VPN discovery requirements in > >> [RFC4665], a multicast VPLS solution SHOULD provide a method that > >> dynamically allows multicast membership information to be > discovered > >> by PEs. Such membership information is, for example, a set of > >> multicast addresses. What information is provided dynamically is > >> solution specific." > >> > >> > >> This paragraph mixes several issues that should probably be > >> unbundled. > >> First of all, unless a solution supports (A), as defined in 3.2, > >> there is little point in PEs' dynamically discovering multicast > >> membership info. So, "SHOULD" be conditioned on supporting (A). > >> > >> Second in one scenario a PE discovers multicast membership > info from > >> only the sites connected to that PE, while in another scenario in > >> addition to the previous scenario the PE discovers multicast > >> membership info from other PEs as well. The spec needs to > spell out > >> what exactly it means by "dynamically allow multicast membership > >> information to be discovered by PEs". > >> > >> Tim Polk: > >> Discuss: > >> [2008-03-11] [This is a revised discuss, integrating Sam Hartman's > >> issues and my own into a single discuss to support AD transition.] > >> > >> This discuss elaborates on issues raised in Steve Hanna's security > >> directorate review; that review also needs to be examined in its > >> entirety. > >> > >> The following issue from the secdir review is blocking: > >>> Unfortunately, the document does not contain a systematic > security > >>> analysis of the problem. The Security Considerations section > >>> consists of two brief paragraphs. These paragraphs refer to other > >>> sections in the document where security requirements are > listed and > >>> to RFC 4665, which also lists security requirements. However, I > >>> could not find any methodical threat analysis listing the > possible > >>> threats relevant to the system and stating which ones are > protected > >>> against and which are not. > >> > >>> Without a thorough threat analysis, I have little confidence that > >>> the authors have thought carefully about the possible > threats to the > >>> system. I would expect this to lead to large gaps in the security > >>> requirements and this seems to be borne out in practice. For > >>> example, there is no discussion of threats due to compromise of > >>> components within the service provider network. > >> > >>> Even more troublesome, I think that a single node at a > customer site > >>> (presumably untrusted) can mount dangerous attacks. For > example, a > >>> node that joins many multicast groups can cause a large amount of > >>> state to be maintained in the L2VPN. > >> > >> Please provide a threat analysis and please work to address or > >> document the specific security concerns cited. > >> > >> Section 6.6 provides a list of mechanisms a VPLS solution SHOULD > >> include. There is no apparent relationship between the > requirements, > >> and each is listed with a caveat regarding its application > (e.g., "if > >> examined"). The net effect is that list appears to be > nearly empty > >> under some circumstances: if multicast IP addresses are > not used for > >> forwarding, and neither Ethernet multicast control frames or IP > >> multicast control packets are examined, only the first and last > >> bullets would apply. > >> > >> First, are there implicit relationships that should be > highlighted to > >> clarify the overall effect? For example, if a VPLS solution always > >> examines either Ethernet multicast control frames or IP multicast > >> control packets, the net effect is very different. If such > >> relationships exist they should be specifed. > >> > >> The SHOULD list is followed by several paragraphs with MAY > >> requirements. Again, the net effect is that a VPLS solution might > >> provide none of these mechanisms. The security considerations > >> section needs to elaborate on the consequences of a VPLS solution > >> that omits these security mechanisms. > > >
_______________________________________________ secdir mailing list secdir@ietf.org https://www.ietf.org/mailman/listinfo/secdir