IETF Logo Mail Archive

[secdir] secdir review of draft-templin-aero-10

Joe Salowey <jsalowey@cisco.com> Sun, 22 April 2012 22:00 UTC

Return-Path: <jsalowey@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8584421F85A0; Sun, 22 Apr 2012 15:00:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yutKGId5HPHq; Sun, 22 Apr 2012 15:00:08 -0700 (PDT)
Received: from mtv-iport-3.cisco.com (mtv-iport-3.cisco.com [173.36.130.14]) by ietfa.amsl.com (Postfix) with ESMTP id A494E21F8595; Sun, 22 Apr 2012 15:00:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=jsalowey@cisco.com; l=2627; q=dns/txt; s=iport; t=1335132008; x=1336341608; h=from:content-transfer-encoding:subject:date:message-id: to:mime-version; bh=yLcOKFKX6+VQPdXYObCnbmp5VQsrNwT+1JCqF4t41XA=; b=fj36VJI/tWpFpU+6GDLzFwmJf0tYA9z7WyQ/2qgLBdv4uP7hESFXXjqH gqgXWP/eZwJ+3LnJByV0tb0mfv/qZLsH+kgKhJb4DtA61KLCDoVKMW5nO Yk39eejmcRupe0czdgQ7/zl9+YyIjKQndDElQxFn7TY1YUCPs8b2EWHGN c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AoAGALx+lE+rRDoH/2dsb2JhbABEgx2uJIEHgiIBJ4F9ATSHbJofnw2QUGMEiGONF4V0iGGBaYMJ
X-IronPort-AV: E=Sophos;i="4.75,463,1330905600"; d="scan'208";a="39104191"
Received: from mtv-core-2.cisco.com ([171.68.58.7]) by mtv-iport-3.cisco.com with ESMTP; 22 Apr 2012 22:00:08 +0000
Received: from [10.33.248.250] ([10.33.248.250]) by mtv-core-2.cisco.com (8.14.3/8.14.3) with ESMTP id q3MM07cf010894; Sun, 22 Apr 2012 22:00:07 GMT
From: Joe Salowey <jsalowey@cisco.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Sun, 22 Apr 2012 15:00:07 -0700
Message-Id: <36214B77-821E-47B9-8349-A89D2800E24C@cisco.com>
To: secdir@ietf.org, The IESG <iesg@ietf.org>, draft-templin-aero.all@tools.ietf.org
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Subject: [secdir] secdir review of draft-templin-aero-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Apr 2012 22:00:09 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

I apologize for the delay in getting this review out.  Hopefully it is still useful.  

This first set of comments is primarily for the authors.

1. In section 4.4.4 on Data origin authentication the last paragraph states that only the 3rd of the above conditions is acceptable, do you really mean the 4th?
2. In section 4.4.4 there is reference to the packet including a digital signature to authenticate the origin.  What is the signature mechanism?  Is this SEND or something different? I did not see a reference to it.
3. The security considerations do not say much about the consequences of trusting an inappropriate intermediate router, ingress node or egress node. Clearly DOS to the ingress node is a possibility.   Data modification and disclosure can be a goal of an attacker who tries to control the routing.   Are there other issues the reader should be aware of (perhaps other DOS attacks such as amplification attacks).  Anything outside the considerations of RFC4861)?
4. The security consideration section indicates that spoofing protection can be provided by links that provide link layer security mechanisms.    Link Layer security mechanisms may or may not help.   I believe more information is needed here.  L2 mechanisms may not provide adequate protection of upper layer address bindings.  In some cases L2 mechanisms do not provide source origin authentication such as multicast  traffic protected with the group  key in WiFi and group security associations in 802.1AE (MACSEC). 

This set of comments is mostly for the area directors:

1. I am mostly concerned about the lack of definition for the digital signature mechanism.  Perhaps this is easily rectified by a reference to an existing specification. Its not clear to me what the specification would be (perhaps SEND??)?  Is something needed in addition? 
2.  The risks of not securing the proposal are not defined in the security considerations section. I think this would be helpful, but may not be strictly necessary.  There is some mention of Link-Layer security helping in some aspects of this, but its not clear on what characteristics the lower layer security needs to provide. 

Cheers,

Joe

v2.23.0 | Report a Bug | By Email