[secdir] Secdir last call review of draft-ietf-bess-mvpn-expl-track-11

Christian Huitema <huitema@huitema.net> Sat, 06 October 2018 04:40 UTC


Reviewer: Christian Huitema
Review result: Has Nits

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

I have reviewed version 11 of draft-ietf-bess-mvpn-expl-track. From a security
point of view this draft is almost ready, except for the small issue that no
mitigation is proposed for the one vulnerability discussed in the security
section.

Multicast VPN (MVPN) operates by setting a routing tree between the ingress
site and the egress sites. In MVPN, that tree is built by the network provider,
and includes multicast nodes inside the network as well as the customer facing
"provider edge" routers. Ingress nodes do not necessarily know how many egress
nodes have joined the multicast tree at a given time. The purpose of Explicit
Tracking is to provide that information.

Explicit tracking procedures are defined by RFC 6513, RFC 6514, and RFC 6625.
They rely on MVPN tunnel attributes to trigger the setup of Selective Provider
Multicast Service Interface Auto-Discovery routes. The current draft
complements these procedures to cover a number of cases not yet covered, in
particular when the multicast groups for which information is desired are
identified by wild cards instead of the full combination of source and group
identifiers. This is done by defining an additional flag (LIR-pF) in the tunnel
attributes.

The security considerations list only one issue: that abuse of wild card
definitions in large networks could trigger a large amount of explicit tracking
traffic, which might affect the performance of the control plane. Otherwise,
this draft does not change the security properties of MVPN discussed in RFC
6513 and RFC 6514. That seems fair, but the draft then says that studying
mitigations for the potential abuse is out of scope, which leaves me a bit
puzzled. I can think of a variety of techniques to either spread the explicit
tracking traffic over time, rate limit it, or aggregate it in intermediate
nodes. Some of those techniques could probably be proposed as a basic
mitigation.
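As an added illustration (not code from the draft, the WG, or this review), the following Python model shows two of the mitigations the review suggests: an egress PE that, on receiving a wildcard S-PMSI A-D route with LIR-pF set, queues one explicit tracking response per matching flow, suppresses duplicates across repeated wildcard requests (aggregation), and releases the responses through a token bucket (rate limiting). The PE model, the flow tuples and the rates are constructed assumptions, not anything the protocol specifies.

```python
from collections import deque


class TokenBucket:
    """Rate limiter: at most `rate` responses per second, bursts up to `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class EgressPE:
    """Constructed model of an egress PE with local receivers for `flows`."""

    def __init__(self, flows, rate, burst):
        self.flows = set(flows)            # (source, group) tuples with receivers
        self.bucket = TokenBucket(rate, burst)
        self.pending = deque()             # responses waiting to be sent
        self.known = set()                 # flows already queued or reported (dedupe)

    @staticmethod
    def matches(flow, wildcard):
        src, grp = wildcard
        return src in ("*", flow[0]) and grp in ("*", flow[1])

    def on_spmsi_ad_route(self, wildcard, lir_pf):
        """Queue one tracking response per matching, not-yet-reported flow."""
        if not lir_pf:
            return 0
        new = [f for f in sorted(self.flows)
               if self.matches(f, wildcard) and f not in self.known]
        self.known.update(new)
        self.pending.extend(new)
        return len(new)

    def drain(self, now):
        """Emit queued responses as the token bucket permits; return count sent."""
        sent = 0
        while self.pending and self.bucket.allow(now):
            self.pending.popleft()
            sent += 1
        return sent


def simulate(n_flows=1000, rate=100, burst=100, seconds=5):
    """Constructed scenario: one (*,*) request against n_flows local flows."""
    flows = [("10.0.0.1", f"232.1.{i // 256}.{i % 256}") for i in range(n_flows)]
    pe = EgressPE(flows, rate, burst)
    pe.on_spmsi_ad_route(("*", "*"), lir_pf=True)
    per_second = [pe.drain(float(t)) for t in range(seconds)]
    return per_second, len(pe.pending)
```

With 1000 matching flows and a budget of 100 responses per second, the control plane sees a steady 100 responses per second instead of a burst of 1000, and a repeated wildcard request adds no further load.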