[secdir] secdir review of draft-ietf-pwe3-fc-encap-15.txt

Stephen Hanna <shanna@juniper.net> Tue, 29 March 2011 09:35 UTC

Return-Path: <shanna@juniper.net>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7B2303A692D; Tue, 29 Mar 2011 02:35:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d0jy4obSAsYd; Tue, 29 Mar 2011 02:35:24 -0700 (PDT)
Received: from exprod7og125.obsmtp.com (exprod7og125.obsmtp.com [64.18.2.28]) by core3.amsl.com (Postfix) with ESMTP id 3EAA73A68EC; Tue, 29 Mar 2011 02:35:24 -0700 (PDT)
Received: from source ([66.129.224.36]) (using TLSv1) by exprod7ob125.postini.com ([64.18.6.12]) with SMTP ID DSNKTZGoN7LVpH2SDNEI+zS3AeVQ94bqTDcl@postini.com; Tue, 29 Mar 2011 02:37:02 PDT
Received: from p-emfe01-wf.jnpr.net (172.28.145.24) by P-EMHUB01-HQ.jnpr.net (172.24.192.35) with Microsoft SMTP Server (TLS) id 8.2.254.0; Tue, 29 Mar 2011 02:29:39 -0700
Received: from EMBX01-WF.jnpr.net ([fe80::1914:3299:33d9:e43b]) by p-emfe01-wf.jnpr.net ([fe80::d0d1:653d:5b91:a123%11]) with mapi; Tue, 29 Mar 2011 05:31:07 -0400
From: Stephen Hanna <shanna@juniper.net>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>
Date: Tue, 29 Mar 2011 05:31:04 -0400
Thread-Topic: secdir review of draft-ietf-pwe3-fc-encap-15.txt
Thread-Index: AcvR2J79mnoqbMWXRHiAcNAfdrQddAcGqTcA
Message-ID: <AC6674AB7BC78549BB231821ABF7A9AEB52F4A5CAA@EMBX01-WF.jnpr.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: "draft-ietf-pwe3-fc-encap@tools.ietf.org" <draft-ietf-pwe3-fc-encap@tools.ietf.org>
Subject: [secdir] secdir review of draft-ietf-pwe3-fc-encap-15.txt
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2011 09:35:25 -0000

This is a follow-up to my secdir review of draft-ietf-pwe3-fc-encap-14.txt,
included below.

I have reviewed the Security Considerations section in the latest version
of this draft: draft-ietf-pwe3-fc-encap-15.txt.

My concerns with the previous version have been resolved and I'm happy
with the new version. It provides good guidance on the security issues
related to the document. The new Security Considerations are still brief
but they now point to several other documents that provide appropriate
guidance. One security issue unique to this document is identified and
mitigation measures are recommended.

>From a security perspective, this document is now ready to go! Thanks
to the document authors for addressing the concerns that I had raised
in a prompt and proper manner.

Take care,

Steve

> -----Original Message-----
> From: Stephen Hanna
> Sent: Monday, February 21, 2011 10:04 AM
> To: 'secdir@ietf.org'.org'; iesg@ietf.org
> Cc: 'draft-ietf-pwe3-fc-encap@tools.ietf.org'
> Subject: secdir review of draft-ietf-pwe3-fc-encap-14.txt
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.
> These comments were written primarily for the benefit of the security
> area directors.  Document editors and WG chairs should treat these
> comments just like any other last call comments.
> 
> This document describes how Fibre Channel traffic can be carried
> over MPLS networks using a Fibre Channel pseudowire (FC PW). I am
> not an expert in Fibre Channel, MPLS, or pseudowires so I will not
> venture any judgment on the content of the draft. I will focus
> exclusively on the Security Considerations section.
> 
> The Security Considerations section is rather brief, only five
> sentences long. While I support brevity, this section seems to
> omit key information. For example, the text says "FC PW shares
> susceptibility to a number of pseudowire-layer attacks and
> implementations SHOULD use whatever mechanisms for confidentiality,
> integrity, and authentication are developed for PWs in general.
> These methods are beyond the scope of this document." That's too
> brief. At least, the authors should add a reference to a document
> that describes the attacks to which this protocol is susceptible
> and the countermeasures that can be employed. If no such document
> exists, either it should be written or this document should describe
> the threats and countermeasures or this document should admit that
> the threats and countermeasures are not understood at this time.
> You can't just leave the analysis of threats and countermeasures
> to the reader.
> 
> Thanks,
> 
> Steve Hanna