[secdir] Review of draft-ietf-ippm-rt-loss-03

"Murphy, Sandra" <Sandra.Murphy@sparta.com> Thu, 15 March 2012 17:23 UTC

Return-Path: <Sandra.Murphy@sparta.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id E2FB421F87B0; Thu, 15 Mar 2012 10:23:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.419
X-Spam-Status: No, score=-102.419 tagged_above=-999 required=5 tests=[AWL=0.180, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id wwz3iKkOxnL1; Thu, 15 Mar 2012 10:23:10 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com []) by ietfa.amsl.com (Postfix) with ESMTP id 2B8DA21F87D0; Thu, 15 Mar 2012 10:23:10 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com []) by M4.sparta.com (8.14.4/8.14.4) with ESMTP id q2FHN9qB028844; Thu, 15 Mar 2012 12:23:09 -0500
Received: from Hermes.columbia.ads.sparta.com ([]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id q2FHN7st006939; Thu, 15 Mar 2012 12:23:07 -0500
Received: from HERMES.columbia.ads.sparta.com ([2002:9db9:506b::9db9:506b]) by Hermes.columbia.ads.sparta.com ([2002:9db9:506b::9db9:506b]) with mapi id 14.01.0355.002; Thu, 15 Mar 2012 13:23:07 -0400
From: "Murphy, Sandra" <Sandra.Murphy@sparta.com>
To: "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: Review of draft-ietf-ippm-rt-loss-03
Thread-Index: Ac0Cy61aoe3WD3DWSdeekjjL3uBB8g==
Date: Thu, 15 Mar 2012 17:23:07 +0000
Message-ID: <24B20D14B2CD29478C8D5D6E9CBB29F60F6C7F35@Hermes.columbia.ads.sparta.com>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-ippm-rt-loss.all@tools.ietf.org" <draft-ietf-ippm-rt-loss.all@tools.ietf.org>
Subject: [secdir] Review of draft-ietf-ippm-rt-loss-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Mar 2012 17:23:13 -0000

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

The draft-ietf-ippm-rt-loss-03 draft defines a round trip loss metric.  A round trip loss measurement capability is specified in RFC5357 ("Two-Way Active Measurement Protocol (TWAMP)"), but no metric has been defined in the defined RFC2330 framework.

As this draft defines a new metric, not the means to implement measurements with the metric, I do not see that security considerations apply.  But I see no problem with discussion of the considerations that should guide implementations.

(Indeed, RFC2861 which defines a delay metric says much the same:
   Conducting Internet measurements raises both security and privacy
   concerns.  This memo does not specify an implementation of the
   metrics, so it does not directly affect the security of the Internet
   nor of applications which run on the Internet.  However,
   implementations of these metrics must be mindful of security and
   privacy concerns.)

I have a few comments about the security considerations section.  

The section mentions both active and passive use of the metric.  But the abstract and intro imply this metric is for use in TWAMP, which is active.  Is use of the metric possible in passive measurements as well?

In section 9.3, it says:

   It may be possible to identify that a certain packet or stream of
   packets is part of a sample.  With that knowledge at the destination
   and/or the intervening networks, it is possible to change the
   processing of the packets (e.g. increasing or decreasing delay) that
   may distort the measured performance.  It may also be possible to
   generate additional packets that appear to be part of the sample
   metric.  These additional packets are likely to perturb the results
   of the sample measurement.

   To discourage the kind of interference mentioned above, packet
   interference checks, such as cryptographic hash, may be used.

How would a simple crypto hash prevent either the distortion of performance (delaying a packet will not change its hash) or the injection of additional packets (a cryptographic hash can be computed for the injected packets as well).

RFC2861 mentions similar injection concerns and recommends:

                   Authentication techniques, such as digital signatures, may
   be used where appropriate to guard against injected traffic attacks.

Is there reason to suggest authentication in this metric definition as well?  TWAMP provides (but does not mandate) both authentication and encryption.  If TWAMP is the only use of the metric, those features should be mentioned.  If TWAMP is just one important use of the metric, it could be good to mention the features here.