Re: [secdir] Secdir last call review of draft-ietf-rtgwg-spf-uloop-pb-statement-09

<> Tue, 08 January 2019 08:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id AD221131047; Tue, 8 Jan 2019 00:49:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.588
X-Spam-Status: No, score=-2.588 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 939zNdOyOTDN; Tue, 8 Jan 2019 00:49:14 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3167D129B88; Tue, 8 Jan 2019 00:49:14 -0800 (PST)
Received: from (unknown [xx.xx.xx.5]) by (ESMTP service) with ESMTP id 43YmCD20CMz8v8T; Tue, 8 Jan 2019 09:49:12 +0100 (CET)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.59]) by (ESMTP service) with ESMTP id 43YmCD0JCvzCqkc; Tue, 8 Jan 2019 09:49:12 +0100 (CET)
Received: from OPEXCLILMA4.corporate.adroot.infra.ftgroup ([fe80::65de:2f08:41e6:ebbe]) by OPEXCLILM43.corporate.adroot.infra.ftgroup ([fe80::ec23:902:c31f:731c%19]) with mapi id 14.03.0415.000; Tue, 8 Jan 2019 09:49:11 +0100
From: <>
To: Stewart Bryant <>, Phillip Hallam-Baker <>, "" <>
CC: "" <>, "" <>, "" <>
Thread-Topic: Secdir last call review of draft-ietf-rtgwg-spf-uloop-pb-statement-09
Thread-Index: AQHUpqOrlIzo84RMM0uZoVXfweW0vKWj+D+AgAEWX4A=
Date: Tue, 8 Jan 2019 08:49:11 +0000
Message-ID: <8227_1546937352_5C346408_8227_283_1_9E32478DFA9976438E7A22F69B08FF924B78BD8B@OPEXCLILMA4.corporate.adroot.infra.ftgroup>
References: <> <>
In-Reply-To: <>
Accept-Language: fr-FR, en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_9E32478DFA9976438E7A22F69B08FF924B78BD8BOPEXCLILMA4corp_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [secdir] Secdir last call review of draft-ietf-rtgwg-spf-uloop-pb-statement-09
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 08 Jan 2019 08:49:17 -0000


I fully agree with what Stewart has mentioned.
The document does not introduce anything new regarding microloops.
There is no way for an attacker to trigger a microloop except by creating some IGP events (link or node down for example). In addition, there will never be a guarantee that there will be a microloop.
Again as Stewart has mentioned, if such an attacker can access to a router to create IGP events, it would be easier for him to bring the network down (erasing router config, changing critical parameters…) rather than trying to play with microloops.


From: Stewart Bryant []
Sent: Monday, January 07, 2019 18:05
To: Phillip Hallam-Baker;
Subject: Re: Secdir last call review of draft-ietf-rtgwg-spf-uloop-pb-statement-09

On 07/01/2019 16:11, Phillip Hallam-Baker wrote:

Reviewer: Phillip Hallam-Baker

Review result: Has Issues

The document describes the problem and solution pretty clearly. Unfortunately,

there is no discussion of the security considerations which is not appropriate

for a document addressing an availability which is a security issue.

While microloops can form by chance, some consideration should be given to the

possibility that an attacker could induce a loop to perform a DoS attack.

In section 1 the text says:

[RFC8405] defines a solution that satisfies this problem statement

   and this document captures the reasoning of the provided solution.

It is safe to assume that the reader of this text would have read normative reference RFC8405 and thus would be fully aware of the security issues related to the solution being analysed.

An attacker that had access to a network such that they could induce microloops would have the ability to do many worse things to the network.

If they were able to attack in-band they could poison the routing system to take it down in far more interesting ways. Operators use security at the physical and network layer to prevent this.

If they were operating at the physical layer then they could take circuits down at will and cause microloops in the base protocol, traffic overloads and application malfunction.

Thus if the attacker could deploy either of those attacks in a network to induce micro-loops, then any security considerations in this draft would count for nothing.

The draft is an analysis, and thus I think that it correctly states that it introduces no additional matters for security consideration.

- Stewart


Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.