[secdir] secdir review of draft-ietf-mpls-soft-preemption-18.txt
Stephen Kent <kent@bbn.com> Tue, 25 August 2009 03:42 UTC
To: secdir@ietf.org, matthew.meyer@bt.com, jpv@cisco.com
Cc: swallow@cisco.com, adrian.farrel@huawei.com, loa@pi.nu
I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document (draft-ietf-mpls-soft-preemption-18.txt) defines a set of modifications to MPLS RSVP-TE to accommodate _soft_ preemption. The preemption facility is intended to offer a less draconian alternative to the basic preemption facility of MPLS RSVP, i.e., immediate displacement of a preempted LSP (label-switched path). The approach described here adopts a _make before break_ strategy, to minimize the impact of rerouting an LSP that is being preempted. In this model, preemption is initiated at some midpoint along an LSP, e.g., because another, higher priority traffic flow has been assigned to traverse the router in question. The authors note that if the cause of the preemption is the allocation of resources for a new flow, rather than actual data plane congestion, the hard preemption option is unduly disruptive. This is especially true if the environment in which the traffic is being carried supports multiple Diff-Serv levels.

The security considerations section of this document refers to RFC 3209, the RSVP-TE (Extensions to RSVP for LSP tunnels) spec, stating that no new security issues arise as a result of defining the soft preemption capability introduced here. Since soft preemption is less intrusive than the (default) hard preemption, it seems likely that any DoS security concerns for LSPs that are preempted are subsumed by the more general RSVP security concerns addressed in 3209. An attack that would cause one or more routers to inappropriately preempt traffic would have a less severe impact in this context than in the current RSVP preemption model.

However, as the authors note, soft preemption can cause temporary under-provisioning of one or more nodes/links in a path, and this does represent a new security concern. I suggest that the authors note this explicitly in the Security Considerations section. (They cite under-provisioning as a possible effect of this preemption approach, so it seems reasonable to cite this as a possible security issue.)

RFC 3209 has a one paragraph security considerations section. For the most part this paragraph refers to the base RSVP spec (RFC 2205). It does note that the use of LSP tunnels reduces the filtering options available to an "administration" and thus it suggests using address family SESSION objects of type IPv4 or IPv6. (This seems to be a very minimal filtering capability compared to normal IP source/destination address pair filtering.)

A quick look at RFC 2205 shows that it contains a non-trivial security section (not the security considerations section mandated in later RFCs, but still about a page of text). This discussion is a bit superficial and uses technically poor security terminology. It also refers to a "work in progress" for "a part of the base RSVP specification" despite the normative nature of the cited document (which was not issued as an RFC for over 2 years). RFC 2205 says that node authentication is effected via an Integrity object, an odd terminology mismatch. 2205 also uses the term "encrypted hash function" in pointing to the document that was later issued as RFC 2747. RFC 2747 describes use of a "keyed hash function" for integrity, and cites HMAC-MD5 as mandatory. The correct, generic terminology is a hash-based MAC, but the security AD at the time was not a stickler for technically accurate terminology, cf. the TCP-MD5 "signature" option. This suggests that an update to these earlier documents may be in order.

There are several minor typos in the text, but I'm confident that the RFC Editor will fix them during the AUTH48 interval.
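The review's last substantive point is the terminology around the RSVP Integrity object: what RFC 2747 calls a "keyed hash" is, generically, a hash-based MAC, with HMAC-MD5 cited as the mandatory algorithm. The following Python is an added illustration, not code from the review or from any RSVP implementation, of what such a MAC buys a receiver: it rejects messages whose tag was computed without the shared key, and, because the tag also covers a per-key sequence number, it rejects replays of an authentic message. The field layout (16-bit key id, 64-bit sequence number, then payload, then a 16-byte tag) is a simplification chosen for this example and is not RFC 2747's exact encoding; the key table and message contents are constructed sample values.

```python
import hmac
import hashlib
import struct

# Shared secrets indexed by key identifier. Constructed sample values for
# this example only; a real deployment provisions these out of band.
KEY_TABLE = {
    1: b"example-shared-secret-for-key-1",
}

# Simplified header: key id (16 bits) followed by a 64-bit sequence number.
# This layout is an assumption of the example, not the RFC 2747 wire format.
HEADER = struct.Struct("!HQ")
TAG_LEN = hashlib.md5().digest_size  # HMAC-MD5 tag is 16 bytes


def protect(key_id: int, seq: int, payload: bytes) -> bytes:
    """Append a hash-based MAC (HMAC-MD5) over header + payload.

    The tag covers the sequence number, so a replayed or renumbered copy
    of the message cannot carry a valid tag unless the sender holds the key.
    """
    key = KEY_TABLE[key_id]
    body = HEADER.pack(key_id, seq) + payload
    tag = hmac.new(key, body, hashlib.md5).digest()
    return body + tag


def verify(message: bytes, last_seq: dict) -> tuple:
    """Check the tag, then the sequence number. Returns (ok, reason).

    last_seq maps key_id -> highest sequence number accepted so far; it is
    updated only when a message is accepted, so failed messages do not
    advance the window.
    """
    if len(message) < HEADER.size + TAG_LEN:
        return False, "truncated"
    body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    key_id, seq = HEADER.unpack_from(body)
    key = KEY_TABLE.get(key_id)
    if key is None:
        return False, "unknown key id"
    expected = hmac.new(key, body, hashlib.md5).digest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(expected, tag):
        return False, "bad mac"
    if seq <= last_seq.get(key_id, -1):
        return False, "replay"
    last_seq[key_id] = seq
    return True, "ok"


def demo() -> list:
    """Run a receiver over a constructed sequence of messages and collect
    the reason string for each one."""
    state = {}
    results = []
    msg = protect(1, 10, b"PATH: tunnel 7, setup priority 3")
    results.append(verify(msg, state)[1])            # genuine message
    results.append(verify(msg, state)[1])            # same bytes again
    tampered = bytearray(msg)
    tampered[HEADER.size] ^= 0x01                    # flip a payload bit
    results.append(verify(bytes(tampered), state)[1])
    forged = HEADER.pack(1, 11) + b"x" + b"\x00" * TAG_LEN  # no key used
    results.append(verify(forged, state)[1])
    results.append(verify(protect(1, 11, b"RESV"), state)[1])  # next in order
    return results


if __name__ == "__main__":
    for reason in demo():
        print(reason)
```

The sequence check is what separates a MAC from mere integrity protection in a signalling setting: an attacker on the path who cannot compute the tag can still record a genuine PATH message and resend it later, and without the counter the receiver would accept it.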