Re: [secdir] review of draft-ietf-mpls-loss-delay-03

Dan Frost <danfrost@cisco.com> Mon, 13 June 2011 10:15 UTC

Return-Path: <danfrost@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D164911E80B0 for <secdir@ietfa.amsl.com>; Mon, 13 Jun 2011 03:15:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level:
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7bUMr022TA-c for <secdir@ietfa.amsl.com>; Mon, 13 Jun 2011 03:15:29 -0700 (PDT)
Received: from rtp-iport-2.cisco.com (rtp-iport-2.cisco.com [64.102.122.149]) by ietfa.amsl.com (Postfix) with ESMTP id C091311E808B for <secdir@ietf.org>; Mon, 13 Jun 2011 03:15:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=danfrost@cisco.com; l=2836; q=dns/txt; s=iport; t=1307960129; x=1309169729; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=pswqAgheDmIG80h2UL6TJ7Go9Syc0GIvJdw8RRbirbQ=; b=l2e2xzCt72sqE/izsoVpXtnPi05KP2G/cL0HQKzz/iR2wHbrR3IVJDch 1n0rvbeDR0M8U68j0BJV12HHEIoiMMLWXGLwS1IdgD6TRhthPPovjlMJi jZcBv1Yr5TLpzv2sXowuAT5BFUjxaBdFWOxPsA6l3U5Ae54A0aQEKktNp o=;
X-IronPort-AV: E=Sophos;i="4.65,357,1304294400"; d="scan'208";a="236620790"
Received: from rcdn-core2-5.cisco.com ([173.37.113.192]) by rtp-iport-2.cisco.com with ESMTP; 13 Jun 2011 10:15:25 +0000
Received: from isolaria.cisco.com (isolaria.cisco.com [10.83.106.70]) by rcdn-core2-5.cisco.com (8.14.3/8.14.3) with ESMTP id p5DAFPZR011638; Mon, 13 Jun 2011 10:15:25 GMT
Received: from isolaria.cisco.com (isolaria [127.0.0.1]) by isolaria.cisco.com (8.13.1/8.13.1) with ESMTP id p5DAFOtQ026692; Mon, 13 Jun 2011 06:15:24 -0400
Received: (from danfrost@localhost) by isolaria.cisco.com (8.13.1/8.13.1/Submit) id p5DAFOqR026691; Mon, 13 Jun 2011 11:15:24 +0100
Date: Mon, 13 Jun 2011 11:15:24 +0100
From: Dan Frost <danfrost@cisco.com>
To: Stephen Kent <kent@bbn.com>
Message-ID: <20110613101524.GA26345@cisco.com>
References: <p06240800ca1af8a1d167@[128.89.89.178]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <p06240800ca1af8a1d167@[128.89.89.178]>
User-Agent: Mutt/1.5.20 (2009-06-14)
X-Mailman-Approved-At: Mon, 13 Jun 2011 05:41:38 -0700
Cc: swallow@cisco.com, loa@pi.nu, rcallon@juniper.net, stbryant@cisco.com, secdir@ietf.org
Subject: Re: [secdir] review of draft-ietf-mpls-loss-delay-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Jun 2011 10:15:31 -0000

Hi Stephen,

Thanks for your review!  However, it looks like you reviewed an
out-of-date version of draft-ietf-mpls-loss-delay.  The current version
is -03 and this version includes a rewrite of the security
considerations.  (The reference pointers between the two drafts often
don't show the latest versions of the targets so this may have caused
some confusion.)

Cheers,
-d

On Sun, Jun 12, 2011 at 07:20:22PM -0400, Stephen Kent wrote:
> I reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should
> treat these comments just like any other last call comments.
> 
> The abstract for draft-ietf-mpls-tp-loss-delay-profile-03 describes
> it as "a profile of the general MPLS loss, delay, and throughput
> measurement techniques that suffices [sic] to meet the specific
> requirements of MLS-TP." It is a very brief (5 pages, including
> boilerplate) document intended as an informational RFC. The document
> that forms the basis for this profile,
> draft-ietf-mpls-loss-delay-01, is also in progress.
> 
> The security considerations section of this document refers to the
> base document cited above. Since this document is a profile of that
> one, this is a reasonable indirection. (I note that the document
> under review cites version 1 of that base document, and that version
> 2 is now current, something that can be addressed later.) I looked
> at the security considerations section of the base specification. It
> is two paragraph in length. The first paragraph does a reasonable
> job of describing the top level security concerns associated with
> the exchange of performance monitoring messages in a context such as
> this. (The text would be better if the third concern were identified
> as "confidentiality.") The second paragraph, however, states:
> 
>    If reception or alteration of performance-related data by
>    unauthorized devices is an operational concern, authentication
>    and/or encryption procedures should be used to ensure message
>    integrity and confidentiality.  Such procedures are outside the
>    scope of this document, but have general applicability to OAM
>    protocols in MPLS networks.
> 
> First, this paragraph is poorly worded (e.g., the mixed uses of
> "authentication," "encryption," "integrity," and "confidentiality").
> Second, there is concrete reference to any candidate security
> mechanisms that can provide such services. I am not aware of any
> IETF standards that might offer such services for MPLS traffic. If
> there are none, this second paragraph is not adequate; if there are,
> they should be cited here.