Re: [secdir] SECDIR review of draft-ietf-pals-mpls-tp-pw-over-bidir-lsp-08

Mach Chen <> Thu, 30 June 2016 02:39 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 034DE12B04D; Wed, 29 Jun 2016 19:39:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -5.647
X-Spam-Status: No, score=-5.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id N3rA2izaDVd7; Wed, 29 Jun 2016 19:39:37 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9A87D12D0C5; Wed, 29 Jun 2016 19:39:36 -0700 (PDT)
Received: from (EHLO ([]) by (MOS 4.3.7-GA FastPath queued) with ESMTP id CMX31739; Thu, 30 Jun 2016 02:39:34 +0000 (GMT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Thu, 30 Jun 2016 03:39:26 +0100
Received: from ([]) by ([]) with mapi id 14.03.0235.001; Thu, 30 Jun 2016 10:39:21 +0800
From: Mach Chen <>
To: Christian Huitema <>, "" <>, "" <>, "" <>
Thread-Topic: SECDIR review of draft-ietf-pals-mpls-tp-pw-over-bidir-lsp-08
Thread-Index: AdHSVHw3wGPy2LWlRRa/K3WxEmXT2AAHEg9Q
Date: Thu, 30 Jun 2016 02:39:20 +0000
Message-ID: <>
References: <029601d1d259$9d2a1c40$d77e54c0$>
In-Reply-To: <029601d1d259$9d2a1c40$d77e54c0$>
Accept-Language: en-US, zh-CN
Content-Language: zh-CN
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A0B0202.57748667.000E, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 36a2ce1a02483ab3701dd16be321420b
Archived-At: <>
Subject: Re: [secdir] SECDIR review of draft-ietf-pals-mpls-tp-pw-over-bidir-lsp-08
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 30 Jun 2016 02:39:40 -0000

Hi Christian,

Thanks for your review and comments!

Please see my replies inline...

> -----Original Message-----
> From: Christian Huitema []
> Sent: Thursday, June 30, 2016 6:57 AM
> To:;;
> Subject: SECDIR review of draft-ietf-pals-mpls-tp-pw-over-bidir-lsp-08
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the security area directors.
> Document editors and WG chairs should treat these comments just like any
> other last call comments.
> The document is ready with 2 nits.
> The document specifies an extension to the Label Distribution Protocol (LDP,
> RFC 5036) to provide bindings between Pseudo Wires (PW) and Label Switch
> Paths (LSP) established over MPLS-TP (RFC6773). The goal is to ensure that
> both directions of the PW are mapped to the same LSP, and thus avoid
> asymmetric routing. The document specifies additional LDP extensions to carry
> the required information.
> The security section acknowledges one concern: that attackers could misuse
> the option to force a pseudo wire through an unnatural path, either as a denial
> of service attack, or to facilitate traffic interception. The proposed mitigation to
> that attack is essentially "careful Implementation", i.e. only accept binding
> requests where the LSP endpoints match the PW endpoints. Should a mismatch
> occur, I assume that the endpoint will reject the proposed binding, as specified
> in section 5, PSN Binding Operation for MS-PW.
> And here is one nit: I would like to see the verification behavior specified as part
> of the binding operations, rather than merely mentioned in the security section.

OK, how about adding the following text?

For SS-PW:
"In addition, if the received PSN tunnel/LSP end points do not match the PW end points, PE2 MUST reply with a Label Release message with status code set to "Reject - unable to use the suggested tunnel/LSPs" (TBD4) and the received PSN Tunnel Binding TLV MUST also be carried."

For MS-PW:
"In addition, if the received PSN tunnel/LSP end points do not match the PW Segment end points, the receiving PE MUST reply with a Label Release message with status code set to "Reject - unable to use the suggested tunnel/LSPs" (TBD4) and the received PSN Tunnel Binding TLV MUST also be carried."

> Also, is there a specific error case for the security failure, or just the generic
> error message?

Since this is a potential attack, seems it is safer not to deliver more specific reason to the attacker. I think the generic error message is sufficient. How do you think?

> The next nit is tied to the general security profile of LDP, which is specified to
> use TCP(MD5). There is no expectation of privacy for LDP data.
> I am not sure that the new extensions increase the "privacy surface" of LDP.
> They do carry global identifiers of source and destination, and inform about the
> path of packets between these destinations, and it seems that adversaries
> could use that for monitoring and targeting purposes. But it is possible that the
> information is already present in LDP. A note to that effect in the security
> section would have been nice.

Actually, the information is already present in both sides of the LDP session, otherwise the receiving PE cannot bind/match/compare those IDs. IMHO, this new extension does not increase the "privacy surface" of LDP. 

The aforementioned information is not special/different from other information (e.g., the FECs, Labels, PE addresses, etc.) that are already transmitted over the LDP session. I'm incline to not add extra text here if you are OK with it.

Best regards,

> -- Christian Huitema