IETF Logo Mail Archive

Re: [secdir] Secdir last call review of draft-ietf-bier-oam-requirements-12

Barry Leiba <barryleiba@computer.org> Thu, 10 August 2023 02:28 UTC

Return-Path: <barryleiba@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 493DDC1524B2; Wed, 9 Aug 2023 19:28:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.409
X-Spam-Level:
X-Spam-Status: No, score=-1.409 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aLEXJI_fC0S0; Wed, 9 Aug 2023 19:28:49 -0700 (PDT)
Received: from mail-lf1-f42.google.com (mail-lf1-f42.google.com [209.85.167.42]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E053C151530; Wed, 9 Aug 2023 19:28:11 -0700 (PDT)
Received: by mail-lf1-f42.google.com with SMTP id 2adb3069b0e04-4fe11652b64so596541e87.0; Wed, 09 Aug 2023 19:28:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1691634489; x=1692239289; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=LYWCWzn9659qIjdpbPwMHGYr0y7nv5xue288Wl12E+g=; b=GxPYD+M5Q6GUSBLGTq8uKF+hm2aPIIszcvboqFWe+Fg6xoIEehNF1axsTal/99eUsY 2wSSRShstB54MRpRFJzp0W99SsshKlFM+0LBsuwxU49fffJE9ePpuOfLv7nULFgLwuk+ Y3D+rANW2yhSY2E76t7nPWlgu4c4h3CFNauvLHMH8tJ5snLnVVUeJVtQaDzLgjezOikA O91+oKBZZWrQAQ2GMmaIxad1WGviJid2eAXpNJSKpMR8jsYgtYBAgTiil9XqeZ2WQxQ9 2yGsAiB5nYNUQfs4d5QhczraOh/OV11tq8uX6+U5DBHTYIrt4j3pSgTv6ehMCnyK8i4Z p8eg==
X-Gm-Message-State: AOJu0Yzc+c1GIM7S/8mkL8i1ULiPl+kuY9J3TSiknbZ2zct34zneXh5H en7Q6sJk5AUkTk1memIUwW1kTGnC7uEfR6CR6Kw=
X-Google-Smtp-Source: AGHT+IHgTZ4jrCcC/Lb6DwZuoueYIKPe6RXIJgjH0z+KXmFHnx5ylsce1XsA7jMS0kOufekMuCzKY8O4F01SPyKl//k=
X-Received: by 2002:a05:6512:acf:b0:4f8:6e6e:4100 with SMTP id n15-20020a0565120acf00b004f86e6e4100mr775002lfu.52.1691634489328; Wed, 09 Aug 2023 19:28:09 -0700 (PDT)
MIME-Version: 1.0
References: <169160814305.42427.16864377745174297952@ietfa.amsl.com> <CA+RyBmUrffiM6PE1L_bsm+VpKaga3jtLFNF=OduORiXiUPCW_A@mail.gmail.com>
In-Reply-To: <CA+RyBmUrffiM6PE1L_bsm+VpKaga3jtLFNF=OduORiXiUPCW_A@mail.gmail.com>
From: Barry Leiba <barryleiba@computer.org>
Date: Wed, 09 Aug 2023 22:27:58 -0400
Message-ID: <CALaySJ+H8fnerC-vKOz+25u_KTuFL2dZ06CjzRfj=cQA+jb5RQ@mail.gmail.com>
To: Greg Mirsky <gregimirsky@gmail.com>
Cc: bier@ietf.org, draft-ietf-bier-oam-requirements.all@ietf.org, last-call@ietf.org, secdir@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d386840602885857"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/PD-dGScmlg4PH_SuIqr7twRO74Y>
Subject: Re: [secdir] Secdir last call review of draft-ietf-bier-oam-requirements-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Aug 2023 02:28:51 -0000

Thanks, Greg, for considering my comments; the text you propose is useful.
I can’t attest to its completeness, as routing and OAM aren’t my
expertise.  But it makes it clear that thought was put into this.

Barry

On Wed, Aug 9, 2023 at 6:50 PM Greg Mirsky <gregimirsky@gmail.com> wrote:

> Hi Barry,
> thank you for your comments and suggestions. I agree that even though this
> document lists requirements for BIER OAM, the Security Consideration
> section should be more useful to a reader. Below is the proposed update:
> OLD TEXT:
>    This document lists the OAM requirement for a BIER-enabled domain and
>    does not raise any security concerns or issues in addition to ones
>    common to networking.
> NEW TEXT:
>    This document lists the OAM requirement for a BIER-enabled domain and
>    thus inherits security considerations discussed in [RFC8279] and
>    [RFC8296].  Another general security aspect results from using active
>    OAM protocols, according to the [RFC7799], in a multicast network.
>    Active OAM protocols inject specially constructed test packets, and
>    some active OAM protocols are based on the echo request/reply
>    principle.  In the multicast network, test packets are replicated as
>    data packets, thus creating a possible amplification effect of
>    multiple echo responses being transmitted to the sender of the echo
>    request.  Thus, an implementation of BIER OAM MUST protect the
>    control plane from spoofed replies.  Also, an implementation of BIER
>    OAM MUST provide control of the number of BIER OAM messages sent to
>    the control plane.
>
> What are your thoughts about the new text? I greatly appreciate your
> comments, suggestions, and questions.
>
> Regards,
> Greg
>
> On Wed, Aug 9, 2023 at 12:09 PM Barry Leiba via Datatracker <
> noreply@ietf.org> wrote:
>
>> Reviewer: Barry Leiba
>> Review result: Has Issues
>>
>> The only comment I have from a security standpoint is that the Security
>> Considerations seem basically absent, saying no more than "Nothing to see
>> here."  That's common and easy to say, but I expected some explanation of
>> how
>> the requirements specified in the document are needed to ensure a robust
>> and
>> secure BIER system.  I wouldn't expect pages of text, but I'm surprised
>> to see
>> nothing at all.  Is it really the case that an OAM system for BIER would
>> do
>> nothing to enhance security, nothing to alert us to BIER-specific attacks?
>>
>>
>>

v2.23.0 | Report a Bug | By Email