Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-opsawg-l3sm-l3nm-10

tom petch <daedulus@btconnect.com> Thu, 29 July 2021 16:10 UTC

To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, secdir@ietf.org
Cc: last-call@ietf.org, draft-ietf-opsawg-l3sm-l3nm.all@ietf.org
From: tom petch <daedulus@btconnect.com>
Date: Thu, 29 Jul 2021 17:10:00 +0100

On 25/07/2021 21:54, Rifaat Shekh-Yusef via Datatracker wrote:
> Reviewer: Rifaat Shekh-Yusef
> Review result: Has Issues
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> This document defines an L3VPN Network YANG Model (L3NM) that can be
> used for the provisioning of Layer 3 Virtual Private Network (VPN)
> services within a service provider network.  The model provides a
> network-centric view of L3VPN services.
>
> Issues:
>
> 1. The following is a quote from Security Consideration section:
>      "Several data nodes defined in the L3NM rely upon [RFC8177] for
>       authentication purposes."
>
> I think it would be helpful to elaborate on which nodes need the mechanism
> defined in RFC8177 and why.
>
> 2. The summary bullets:
>
>     o  Malicious clients attempting to delete or modify VPN services.
>
> Why are 'create' and 'read' not part of the risks in this case?

Rifaat

Reading this I-D, I wondered what the secdir view is of recommending the 
use of MD5 to secure the session as this I-D does for BGP.  (Such a use 
in NTP did generate a comment).

Tom Petch