[secdir] Review of draft-ietf-pce-inter-layer-ext-12
Shawn Emery <shawn.emery@gmail.com> Sat, 04 March 2017 06:15 UTC
To: secdir@ietf.org
Cc: draft-ietf-pce-inter-layer-ext.all@tools.ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/KizKdg7SXbxzEPXwR-dzD96bYd4>
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This draft discusses extensions to the Path Computation Element communication Protocol (PCEP) that allow network path information to be passed through multiple technology layers. This data can be used to optimize network utilization by accounting for all of the layers in the stack instead of individual characteristics.

The security considerations section does exist and states that controlling networks from inter-layer information does present security threats. The section goes on to state that a security threat is also introduced if a PCE is given full visibility of multi-layer traffic engineering information. Could you please expand on the threat specifically with visibility? To mitigate against such attacks the draft suggests the usage of the Path-Key-based (of no relation to a cryptographic key) mechanism, as described in RFC 5520. I agree with this assertion, or at least with the first threat outlined.

General comments:

None.

Editorial comments:

None.

Thanks!

Shawn.
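The Path-Key mechanism the review points to (RFC 5520) is a confidentiality control: the PCE that knows a domain's internal topology replaces the confidential path segment (CPS) in the returned ERO with an opaque Path Key Subobject (PKS), and only that PCE can later expand the key, subject to its own policy. The toy model below, added here as an illustration and not code from the reviewed draft, from RFC 5520 or from any PCE implementation, shows the visibility boundary in working code: the requesting PCC receives no confidential hops, and expansion is refused for a key issued by another PCE or for a requester outside the owning PCE's policy. Node names, the string form of the PCE identifier and the expander policy are constructed assumptions; the 16-bit path key size matches RFC 5520.

```python
"""Toy model of the RFC 5520 Path-Key mechanism (constructed example).

A PCE collapses each run of confidential hops into one opaque Path Key
Subobject so that the PCC never sees the domain-internal topology.
"""
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PathKeySubobject:
    """Opaque ERO subobject standing in for a confidential path segment."""
    path_key: int   # 16-bit value, locally significant to pce_id (per RFC 5520)
    pce_id: str     # identifier of the PCE able to expand it (string form is an assumption)


@dataclass
class PCE:
    pce_id: str
    confidential_nodes: frozenset   # hops that must not leave this PCE's domain
    expanders: frozenset            # requesters allowed to expand keys (assumed policy)
    _cps_by_key: dict = field(default_factory=dict)

    def _new_key(self) -> int:
        # Random, unguessable 16-bit key; retry on the rare collision.
        while True:
            key = secrets.randbelow(1 << 16)
            if key not in self._cps_by_key:
                return key

    def _store(self, segment) -> PathKeySubobject:
        key = self._new_key()
        self._cps_by_key[key] = tuple(segment)
        return PathKeySubobject(key, self.pce_id)

    def build_ero(self, hops):
        """Return the ERO for `hops` with each confidential run replaced by a PKS."""
        ero, segment = [], []
        for hop in hops:
            if hop in self.confidential_nodes:
                segment.append(hop)      # accumulate the confidential path segment
                continue
            if segment:
                ero.append(self._store(segment))
                segment = []
            ero.append(hop)              # public hop travels in the clear
        if segment:
            ero.append(self._store(segment))
        return ero

    def expand(self, pks: PathKeySubobject, requester: str):
        """Expand a PKS back into its hops; only the owning PCE, under policy, may do so."""
        if pks.pce_id != self.pce_id:
            raise ValueError("path key was issued by another PCE")
        if requester not in self.expanders:
            raise PermissionError(f"{requester} is not allowed to expand path keys")
        if pks.path_key not in self._cps_by_key:
            raise KeyError("unknown or expired path key")
        return list(self._cps_by_key[pks.path_key])


def leaks_confidential(ero, confidential_nodes) -> bool:
    """True if any confidential hop appears explicitly in the ERO."""
    return any(isinstance(h, str) and h in confidential_nodes for h in ero)


if __name__ == "__main__":
    # Constructed topology: optical layer nodes opt1/opt2 are confidential.
    pce = PCE("pce-A", frozenset({"opt1", "opt2"}), frozenset({"ingress-lsr"}))
    ero = pce.build_ero(["R1", "R2", "opt1", "opt2", "R3"])
    print("ERO seen by PCC:", ero)
    print("expanded by ingress:", pce.expand(ero[2], "ingress-lsr"))
```

The `expanders` policy is where a deployment decides who may turn a key back into hops; the review's open question about the visibility threat is exactly the question of which parties sit on which side of that boundary.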