[secdir] secdir review of draft-ietf-mpls-soft-preemption-18.txt

Stephen Kent <kent@bbn.com> Tue, 25 August 2009 03:42 UTC

Return-Path: <kent@bbn.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B22793A6D1D for <secdir@core3.amsl.com>; Mon, 24 Aug 2009 20:42:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.501
X-Spam-Level:
X-Spam-Status: No, score=-2.501 tagged_above=-999 required=5 tests=[AWL=0.098, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FAlEzOVKu7Eq for <secdir@core3.amsl.com>; Mon, 24 Aug 2009 20:42:47 -0700 (PDT)
Received: from mx11.bbn.com (mx11.bbn.com [128.33.0.80]) by core3.amsl.com (Postfix) with ESMTP id E697B3A6C9F for <secdir@ietf.org>; Mon, 24 Aug 2009 20:42:46 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15] helo=[169.223.4.160]) by mx11.bbn.com with esmtp (Exim 4.60) (envelope-from <kent@bbn.com>) id 1Mflzj-0006UF-D4; Mon, 24 Aug 2009 22:42:47 -0400
Mime-Version: 1.0
Message-Id: <p06240800c6b90bdf0776@[128.89.89.40]>
Date: Mon, 24 Aug 2009 23:42:52 -0400
To: secdir@ietf.org, matthew.meyer@bt.com, jpv@cisco.com
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Cc: swallow@cisco.com, adrian.farrel@huawei.com, loa@pi.nu
Subject: [secdir] secdir review of draft-ietf-mpls-soft-preemption-18.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Aug 2009 03:42:51 -0000

I reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

This document (draft-ietf-mpls-soft-preemption-18.txt) defines a set 
of modifications to MPLS RSVP-TE to accommodate _soft_ preemption. 
The preemption facility is intended to offer a less draconian 
alternative to the basic preemption facility of MPLS RSVP, i.e., 
immediate displacement of a preempted LSP (label-switched path). The 
approach described here adopts a _make before break_ strategy, to 
minimize the impact of rerouting an LSP that is being preempted. In 
this model, preemption is initiated at some midpoint along an LSP, 
e.g., because another, higher priority traffic flow has been assigned 
to traverse the router in question. The authors note that if the 
cause of the preemption is the allocation of resources for a new 
flow, rather than actual data plane congestion, the hard preemption 
option is unduly disruptive. This is especially true if the 
environment in which the traffic is being carried supports multiple 
Diff-Serv levels.

The security considerations section of this document refers to RFC 
3209, the RSVP-TE (Extensions to RSVP for LSP tunnels) spec, stating 
that no new security issues arise as a result of defining the soft 
preemption capability introduced here. Since soft preemption is less 
intrusive than the (default) hard preemption, it seems likely that 
any DoS security  concerns for LSPs that are preempted are subsumed 
by the more general RSVP security concerns addressed in 3209. An 
attack that would cause one or more router to inappropriately preempt 
traffic would have a less severe impact in this context, than in the 
current RSVP preemption model. However, as the authors note, soft 
preemption can cause temporary under provisioning of one of more 
nodes/links in a path, and this does represent a new security 
concern.  I suggest that the authors notes this explicitly in the 
Security Considerations section. (They cite under-provisioning as a 
possible effect of this preemption approach, so it seems reasonable 
to cite this as a possible security issue.)

RFC 3209 has a one paragraph security considerations section. For the 
most part this paragraph refers to the base RSVP spec (RFC 2205). It 
does note that the use of LSP tunnels reduces the filtering options 
available to an ?administration? and thus it suggests using address 
family SESSION objects of type IPv4 or IPv6.  (This seems to be a 
very minimal filtering capability compared to normal IP 
source/destination address pair filtering.)

A quick look at RFC 2205 shows that it contains a non-trivial 
security section (not the security considerations section mandated in 
later RFCs, but still about a page of text). This discussion is a bit 
superficial and uses technically poor security terminology. It also 
refers to a "work in progress" for "a part of the base RSVP 
specification" despite the normative nature of the cited document, 
(which was not issued as an RFC for over 2 years). RFC 2205 says that 
node authentication is effected via an Integrity object, an odd 
terminology mismatch. 2205 also uses the term "encrypted hash 
function" in pointing to the document that was later issued as RFC 
2747. RFC 2747 describes use of a "keyed hash function" for 
integrity, and cites HMAC-MD5 as mandatory. The correct, generic 
terminology is a hash-based MAC, but the security AD at the time was 
not a stickler for technically accurate terminology, c.f. the TCP-MD5 
"signature" option :.  This suggests that an update to these earlier 
document may be in order.

There are several minor typos in the text, but I'm confident that the 
RFC Editor will fix them during the AUTH48 interval.