Re: [secdir] secdir review of draft-ietf-teas-gmpls-lsp-fastreroute-09
Vishnu Pavan Beeram <vbeeram@juniper.net> Tue, 04 July 2017 15:38 UTC
From: Vishnu Pavan Beeram <vbeeram@juniper.net>
To: "Rakesh Gandhi (rgandhi)" <rgandhi@cisco.com>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, "draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org" <draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>
CC: DEBORAH BRUNGARD <db3546@att.com>, Lou Berger <lberger@labn.net>, "EXT-vishnupavan@gmail.com" <vishnupavan@gmail.com>
Date: Tue, 04 Jul 2017 15:38:49 +0000
Message-ID: <233DDE34-9818-4088-A9CE-84180A34D5A4@juniper.net>
References: <CAGL6epL36m-j_UHLZ7zK+rTVNdOOTpnww1Q0i5zowxLp=+V1RA@mail.gmail.com> <E6C94EE4-C51B-47E2-AF0C-50AF1E967F44@cisco.com>
In-Reply-To: <E6C94EE4-C51B-47E2-AF0C-50AF1E967F44@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/StIthCQiNm9x-iBaS_ugoMTIrH4>

Rakesh, Hi!

This is a valid comment. <GMPLS-LSP-FRR> doesn’t modify any of the existing procedures defined in RFC4090, but it does supplement it. As per RFC2223, this is sufficient grounds to set the “Updates” field.

Courtesy RFC2223:

   To be used as a reference from a new item that cannot be used alone (i.e., one that supplements a previous document), to refer to the previous document. The newer publication is a part that will supplement or be added on to the existing document; e.g., an addendum, or separate, extra information that is to be added to the original document.

@Deborah — Are you ok with this?

Regards,
-Pavan

From: "Rakesh Gandhi (rgandhi)" <rgandhi@cisco.com>
Date: Tuesday, July 4, 2017 at 10:55 AM
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, "draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org" <draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>
Cc: DEBORAH BRUNGARD <db3546@att.com>, Lou Berger <lberger@labn.net>, "EXT-vishnupavan@gmail.com" <vishnupavan@gmail.com>
Subject: Re: [secdir] secdir review of draft-ietf-teas-gmpls-lsp-fastreroute-09
Resent-From: <alias-bounces@ietf.org>
Resent-To: <mtaillon@cisco.com>, <tsaad@cisco.com>, <rgandhi@cisco.com>, Zafar Ali <zali@cisco.com>, <manav.bhatia@nokia.com>, <mhartley@cisco.com>, Lou Berger <lberger@labn.net>, Vishnu Pavan Beeram <vbeeram@juniper.net>, <aretana@cisco.com>, <db3546@att.com>, <akatlas@gmail.com>
Resent-Date: Tuesday, July 4, 2017 at 10:55 AM

Thanks Rifaat for the review of this document.

Hi Deborah, Lou, Pavan,

Any thoughts on the following suggestion?

“Because the document extends RFC4090, it should add "Updates: 4090" at the top of the document.”

Thanks,
Rakesh

From: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Tuesday, July 4, 2017 at 9:32 AM
To: "draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org" <draft-ietf-teas-gmpls-lsp-fastreroute.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, The IESG <iesg@ietf.org>
Subject: [secdir] secdir review of draft-ietf-teas-gmpls-lsp-fastreroute-09
Resent-From: <alias-bounces@ietf.org>
Resent-To: "=SMTP:mtaillon@cisco.com" <mtaillon@cisco.com>, <tsaad@cisco.com>, "=SMTP:rgandhi@cisco.com" <rgandhi@cisco.com>, Zafar Ali <zali@cisco.com>, <manav.bhatia@nokia.com>, <mhartley@cisco.com>, Lou Berger <lberger@labn.net>, <vbeeram@juniper.net>, <aretana@cisco.com>, DEBORAH BRUNGARD <db3546@att.com>, <akatlas@gmail.com>
Resent-Date: Tuesday, July 4, 2017 at 9:40 AM

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: Ready with Nits

I did not have enough background on MPLS and GMPLS and their related RFCs, so I had to do some reading to get some familiarity with this subject to be able to provide some reasonable review of this document.

This document builds on an existing mechanism, "Fast Reroute Extensions to RSVP-TE for LSP Tunnels" defined in RFC4090, which defines a mechanism to establish backup tunnels for local LSP tunnels. One limitation of the existing mechanism is that in some situations it might assign different uni-directional bypass tunnels for the forward and reverse directions.

This document extends the mechanism defined in RFC4090, by adding a new BYPASS_ASSIGNMENT subobject to the existing RECORD_ROUTE Object (RRO) used in PATH and RESV requests, to allow the establishment of a bi-directional bypass tunnel.

The security of the existing mechanism still applies with the new mechanism, and the security section discusses the implications of the new subobject and the new error associated with that, which seems reasonable. The document also points to an MPLS/GMPLS Security Framework (RFC5920) document that has an extensive discussion of the security of MPLS/GMPLS networks in general that also applies to this document.

Nits

Because the document extends RFC4090, it should add "Updates: 4090" at the top of the document.

Regards,
Rifaat