Re: [secdir] Secdir review of draft-ietf-pce-gmpls-pcep-extensions-12

Cyril Margaria <cmargaria@juniper.net> Wed, 30 January 2019 23:08 UTC

From: Cyril Margaria <cmargaria@juniper.net>
To: Vincent Roca <vincent.roca@inria.fr>, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-pce-gmpls-pcep-extensions.all@ietf.org" <draft-ietf-pce-gmpls-pcep-extensions.all@ietf.org>
Date: Wed, 30 Jan 2019 23:08:11 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/-5ec0iGrIG3P8s0h0Xsf14zmAIw>

Thanks a lot for the review,

please see inline for answers, a revised I.D will be posted shortly


________________________________
From: Vincent Roca <vincent.roca@inria.fr>
Sent: Friday, November 23, 2018 01:05
To: The IESG; secdir@ietf.org; draft-ietf-pce-gmpls-pcep-extensions.all@ietf.org
Cc: Vincent Roca
Subject: Secdir review of draft-ietf-pce-gmpls-pcep-extensions-12

Hello,

I have reviewed this document as part of the security directorate’s ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

Summary: Ready with issues

The Security Considerations section provides a good introduction to the risks.
However my main concern is the lack of discussion around security policies.
After reading this section, we have the feeling that TLS alone is sufficient to
secure the GMPLS PCE WRT the three attacks described.
With scenario 1, a fundamental part of the solution consists in setting
up security policies: what is acceptable or not in terms of path?
It may be discussed in the two references mentioned in the last paragraph,
but even in that case, the way the current section is written is misleading.
[MC] Would the following change clarify the section?
OLD:

   The security mechanisms can provide authentication and
   confidentiality for those scenarios where the PCC-PCE communication
   cannot be completely trusted.  Authentication can provide origin
   verification, message integrity and replay protection, while
   confidentiality ensures that a third party cannot decipher the
   contents of a message.

NEW:
   The security mechanisms can provide authentication and
   confidentiality for those scenarios where the PCC-PCE communication
   cannot be completely trusted.  [RFC8253] provides origin
   verification, message integrity and replay protection, and ensures
   that a third party cannot decipher the contents of a message.

   In order to protect against the malicious PCE case the PCC
   SHOULD have policies in place to accept or not the path provided by
   the PCE.  Those policies can verify if the path follows the provided
   constraints.  In addition, technology-specific data plane mechanisms can
   be used (following [RFC5920] Section 5.8) to verify the data plane
   connectivity and deviation from constraints.
END


I have two additional comments:

** Ambiguous text: it is said

        o  Message deciphering: As in the previous case, knowledge of an
              infrastructure can be obtained by sniffing PCEP messages.

Message deciphering suggests the message is encrypted but the attacker
has enough knowledge to decrypt it. I'm not sure it's what the authors mean.
I think there's a confusion in the use of "deciphering" which in security
explicitly refers to encryption (https://en.wikipedia.org/wiki/Cipher).

[MC] It should be replaced by message inspection


** Ambiguous text: it is said

        "Authentication can provide origin verification, message integrity and replay protection,..."


[MC] Will be replaced by RFC8253 provides..

Authentication of the two peers on the one hand, and integrity/replay
protection on the other hand, are different services.
There's probably a package where these three services are bundled together,
but that's a design choice. I suggest changing a little bit the sentence
to avoid this confusion.


Typo:
** Section 6: "A legitimate PCC could requests"  : s/requests/request/
[MC] OK

Cheers,

  Vincent