Re: [secdir] secdir review of draft-ietf-teas-gmpls-lsp-fastreroute-09
"BRUNGARD, DEBORAH A" <db3546@att.com> Tue, 11 July 2017 11:25 UTC
Return-Path: <db3546@att.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9698813169C; Tue, 11 Jul 2017 04:25:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.399
X-Spam-Level:
X-Spam-Status: No, score=-5.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FlRC8AMWeYvR; Tue, 11 Jul 2017 04:25:32 -0700 (PDT)
Received: from mx0a-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6675131687; Tue, 11 Jul 2017 04:25:32 -0700 (PDT)
Received: from pps.filterd (m0083689.ppops.net [127.0.0.1]) by m0083689.ppops.net-00191d01. (8.16.0.17/8.16.0.17) with SMTP id v6BBPRuM043978; Tue, 11 Jul 2017 07:25:27 -0400
Received: from alpi155.enaf.aldc.att.com (sbcsmtp7.sbc.com [144.160.229.24]) by m0083689.ppops.net-00191d01. with ESMTP id 2bmpw8yk89-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 11 Jul 2017 07:25:27 -0400
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id v6BBPQxc003904; Tue, 11 Jul 2017 07:25:26 -0400
Received: from mlpi408.sfdc.sbc.com (mlpi408.sfdc.sbc.com [130.9.128.240]) by alpi155.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id v6BBPNDh003882 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 11 Jul 2017 07:25:23 -0400
Received: from MISOUT7MSGHUBAA.ITServices.sbc.com (MISOUT7MSGHUBAA.itservices.sbc.com [130.9.129.145]) by mlpi408.sfdc.sbc.com (RSA Interceptor); Tue, 11 Jul 2017 11:25:06 GMT
Received: from MISOUT7MSGUSRDE.ITServices.sbc.com ([169.254.5.17]) by MISOUT7MSGHUBAA.ITServices.sbc.com ([130.9.129.145]) with mapi id 14.03.0319.002; Tue, 11 Jul 2017 07:25:06 -0400
From: "BRUNGARD, DEBORAH A" <db3546@att.com>
To: "Rakesh Gandhi (rgandhi)" <rgandhi@cisco.com>, Vishnu Pavan Beeram <vbeeram@juniper.net>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, "draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org" <draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>
CC: Lou Berger <lberger@labn.net>, "EXT-vishnupavan@gmail.com" <vishnupavan@gmail.com>
Thread-Topic: [secdir] secdir review of draft-ietf-teas-gmpls-lsp-fastreroute-09
Thread-Index: AQHS9MsWaGEBYuByQU6NJCOAub4enqJEBLSAgAAMBoCAAyKIgIAHUdaQ
Date: Tue, 11 Jul 2017 11:25:05 +0000
Message-ID: <F64C10EAA68C8044B33656FA214632C85DF42E24@MISOUT7MSGUSRDE.ITServices.sbc.com>
References: <CAGL6epL36m-j_UHLZ7zK+rTVNdOOTpnww1Q0i5zowxLp=+V1RA@mail.gmail.com> <E6C94EE4-C51B-47E2-AF0C-50AF1E967F44@cisco.com> <233DDE34-9818-4088-A9CE-84180A34D5A4@juniper.net> <5C02CE7F-DEE3-48D0-898C-347CF4CB6595@cisco.com>
In-Reply-To: <5C02CE7F-DEE3-48D0-898C-347CF4CB6595@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.70.203.125]
Content-Type: multipart/alternative; boundary="_000_F64C10EAA68C8044B33656FA214632C85DF42E24MISOUT7MSGUSRDE_"
MIME-Version: 1.0
X-RSA-Inspected: yes
X-RSA-Classifications: public
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-07-11_05:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1707110180
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/JcQ554-2av0RhuqpYmkVOZXeG-M>
Subject: Re: [secdir] secdir review of draft-ietf-teas-gmpls-lsp-fastreroute-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jul 2017 11:25:35 -0000
Hi Rakesh, all, (I was on vacation last week:-)) I lean towards a somewhat strict interpretation of “update”, otherwise implementers need to browse all the updates to see what is appropriate. On this, it is more than extension, it definitely improves an implementation, so it should be an “update”. Authors – when do the next update - reword “This document extends the mechanism ..” to “This document updates the mechanism ..”. Thanks Rifaat – great comment- Deborah From: Rakesh Gandhi (rgandhi) [mailto:rgandhi@cisco.com] Sent: Thursday, July 06, 2017 11:31 AM To: Vishnu Pavan Beeram <vbeeram@juniper.net>; Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>; draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org; secdir@ietf.org; The IESG <iesg@ietf.org> Cc: BRUNGARD, DEBORAH A <db3546@att.com>; Lou Berger <lberger@labn.net>; EXT-vishnupavan@gmail.com <vishnupavan@gmail.com> Subject: Re: [secdir] secdir review of draft-ietf-teas-gmpls-lsp-fastreroute-09 Thanks Pavan. Hi Deborah, Please let us know if you are OK with the suggestion. “Because the document extends RFC4090, it should add "Updates: 4090" at the top of the document.” Thanks, Rakesh From: Vishnu Pavan Beeram <vbeeram@juniper.net<mailto:vbeeram@juniper.net>> Date: Tuesday, July 4, 2017 at 11:38 AM To: "=SMTP:rgandhi@cisco. com" <rgandhi@cisco.com<mailto:rgandhi@cisco.com>>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com<mailto:rifaat.ietf@gmail.com>>, "draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org<mailto:draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org>" <draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org<mailto:draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org>>, "secdir@ietf.org<mailto:secdir@ietf.org>" <secdir@ietf.org<mailto:secdir@ietf.org>>, The IESG <iesg@ietf.org<mailto:iesg@ietf.org>> Cc: DEBORAH BRUNGARD <db3546@att.com<mailto:db3546@att.com>>, Lou Berger <lberger@labn.net<mailto:lberger@labn.net>>, "EXT-vishnupavan@gmail.com<mailto:EXT-vishnupavan@gmail.com>" <vishnupavan@gmail.com<mailto:vishnupavan@gmail.com>> Subject: Re: [secdir] secdir review of draft-ietf-teas-gmpls-lsp-fastreroute-09 Rakesh, Hi! This is a valid comment. <GMPLS-LSP-FRR> doesn’t modify any of the existing procedures defined in RFC4090, but it does supplement it. As per RFC2223, this is sufficient grounds to set the “Updates” field. Courtesy RFC2223: To be used as a reference from a new item that cannot be used alone (i.e., one that supplements a previous document), to refer to the previous document. The newer publication is a part that will supplement or be added on to the existing document; e.g., an addendum, or separate, extra information that is to be added to the original document. @Deborah — Are you ok with this? Regards, -Pavan From: "Rakesh Gandhi (rgandhi)" <rgandhi@cisco.com<mailto:rgandhi@cisco.com>> Date: Tuesday, July 4, 2017 at 10:55 AM To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com<mailto:rifaat.ietf@gmail.com>>, "draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org<mailto:draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org>" <draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org<mailto:draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org>>, "secdir@ietf.org<mailto:secdir@ietf.org>" <secdir@ietf.org<mailto:secdir@ietf.org>>, The IESG <iesg@ietf.org<mailto:iesg@ietf.org>> Cc: DEBORAH BRUNGARD <db3546@att.com<mailto:db3546@att.com>>, Lou Berger <lberger@labn.net<mailto:lberger@labn.net>>, "EXT-vishnupavan@gmail.com<mailto:EXT-vishnupavan@gmail.com>" <vishnupavan@gmail.com<mailto:vishnupavan@gmail.com>> Subject: Re: [secdir] secdir review of draft-ietf-teas-gmpls-lsp-fastreroute-09 Resent-From: <alias-bounces@ietf.org<mailto:alias-bounces@ietf.org>> Resent-To: <mtaillon@cisco.com<mailto:mtaillon@cisco.com>>, <tsaad@cisco.com<mailto:tsaad@cisco.com>>, <rgandhi@cisco.com<mailto:rgandhi@cisco.com>>, Zafar Ali <zali@cisco.com<mailto:zali@cisco.com>>, <manav.bhatia@nokia.com<mailto:manav.bhatia@nokia.com>>, <mhartley@cisco.com<mailto:mhartley@cisco.com>>, Lou Berger <lberger@labn.net<mailto:lberger@labn.net>>, Vishnu Pavan Beeram <vbeeram@juniper.net<mailto:vbeeram@juniper.net>>, <aretana@cisco.com<mailto:aretana@cisco.com>>, <db3546@att.com<mailto:db3546@att.com>>, <akatlas@gmail.com<mailto:akatlas@gmail.com>> Resent-Date: Tuesday, July 4, 2017 at 10:55 AM Thanks Rifaat for the review of this document. Hi Deborah, Lou, Pavan, Any thoughts on the following suggestion? “Because the document extends RFC4090, it should add "Updates: 4090" at the top of the document.” Thanks, Rakesh From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com<mailto:rifaat.ietf@gmail.com>> Date: Tuesday, July 4, 2017 at 9:32 AM To: "draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org<mailto:draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org>" <draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org<mailto:draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org>>, "secdir@ietf.org<mailto:secdir@ietf.org>" <secdir@ietf.org<mailto:secdir@ietf.org>>, The IESG <iesg@ietf.org<mailto:iesg@ietf.org>> Subject: [secdir] secdir review of draft-ietf-teas-gmpls-lsp-fastreroute-09 Resent-From: <alias-bounces@ietf.org<mailto:alias-bounces@ietf.org>> Resent-To: "=SMTP:mtaillon@cisco. com" <mtaillon@cisco.com<mailto:mtaillon@cisco.com>>, <tsaad@cisco.com<mailto:tsaad@cisco.com>>, "=SMTP:rgandhi@cisco. com" <rgandhi@cisco.com<mailto:rgandhi@cisco.com>>, Zafar Ali <zali@cisco.com<mailto:zali@cisco.com>>, <manav.bhatia@nokia.com<mailto:manav.bhatia@nokia.com>>, <mhartley@cisco.com<mailto:mhartley@cisco.com>>, Lou Berger <lberger@labn.net<mailto:lberger@labn.net>>, <vbeeram@juniper.net<mailto:vbeeram@juniper.net>>, <aretana@cisco.com<mailto:aretana@cisco.com>>, DEBORAH BRUNGARD <db3546@att.com<mailto:db3546@att.com>>, <akatlas@gmail.com<mailto:akatlas@gmail.com>> Resent-Date: Tuesday, July 4, 2017 at 9:40 AM I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Summary: Ready with Nits I did not have enough background on MLPS and GMPLS and their related RFCs, so I had to do some reading to get some familiarity with this subject to be able to provide some reasonable review of this document. This document builds on an existing mechanism, "Fast Reroute Extensions to RSVP-TE for LSP Tunnels" defined in RFC4090, which defines a mechanism to establish a backup tunnels for local LSP tunnels. One limitation of the existing mechanism is that in some situations it might assign different uni-directional bypass tunnels for the forward and reverse directions. This document extends the mechanism defined in RFC4090, by adding a new BYPASS_ASSIGNMENT subobject to the existing RECORD_ROUTE Object (RRO) used in PATH and RESV requests, to allow the establishment of a bi-directional bypass tunnel. The security of the existing mechanism still applies with the new mechanism, and the security section discusses the implications of the new subobject and the new error associated with that, which seems reasonable. The document also points to an MPLS/GMPLS Security Framework (RFC5920) document that has an extensive discussion of the security of MPLS/GMPLS network in general that also applies to this document. Nits Because the document extends RFC4090, it should add "Updates: 4090" at the top of the document. Regards, Rifaat
- [secdir] secdir review of draft-ietf-teas-gmpls-l… Rifaat Shekh-Yusef
- Re: [secdir] secdir review of draft-ietf-teas-gmp… Rakesh Gandhi (rgandhi)
- Re: [secdir] secdir review of draft-ietf-teas-gmp… Vishnu Pavan Beeram
- Re: [secdir] secdir review of draft-ietf-teas-gmp… Rakesh Gandhi (rgandhi)
- Re: [secdir] secdir review of draft-ietf-teas-gmp… BRUNGARD, DEBORAH A
- Re: [secdir] secdir review of draft-ietf-teas-gmp… Rakesh Gandhi (rgandhi)
- Re: [secdir] secdir review of draft-ietf-teas-gmp… Rakesh Gandhi (rgandhi)