Re: [secdir] secdir review of draft-li-pwe3-ms-pw-pon-04
Stewart Bryant <stbryant@cisco.com> Mon, 29 August 2011 18:55 UTC
Return-Path: <stbryant@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 408FF21F8C5E; Mon, 29 Aug 2011 11:55:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.541
X-Spam-Level:
X-Spam-Status: No, score=-110.541 tagged_above=-999 required=5 tests=[AWL=0.058, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fue8RLzb+cPu; Mon, 29 Aug 2011 11:55:45 -0700 (PDT)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by ietfa.amsl.com (Postfix) with ESMTP id 6E18B21F8C47; Mon, 29 Aug 2011 11:55:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=stbryant@cisco.com; l=3673; q=dns/txt; s=iport; t=1314644230; x=1315853830; h=message-id:date:from:reply-to:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=XCIPRclwNrp4TNCje/5s+QeZo5wctFRq4sdHUJTuJ4U=; b=jQA3enzwrZmKNC+lyFoKJUmNxCLc2mJhnqOw61kIst1YECUuO6IZQyVn eD4pqawGZXNvcXD2RRAtJqdicujE1WxsKf+n38xAgpV/n92ugyMVKHx0R VCfM4z1s0YgrObOGCh6upLC2LBTHv67J5PRZXcrr6JbBxhUa2uzZJRWao Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Av8EAHrgW06Q/khM/2dsb2JhbABCp3N3gUABAQEBAxIBAgEiQAEQCxgJFg8JAwIBAgFFBg0BBwEBHodUmn8BgyUPAZtUhkwEkx+RBQ
X-IronPort-AV: E=Sophos;i="4.68,297,1312156800"; d="scan'208";a="113030044"
Received: from ams-core-3.cisco.com ([144.254.72.76]) by ams-iport-1.cisco.com with ESMTP; 29 Aug 2011 18:57:07 +0000
Received: from cisco.com (mrwint.cisco.com [64.103.70.36]) by ams-core-3.cisco.com (8.14.3/8.14.3) with ESMTP id p7TIv7Jw018651; Mon, 29 Aug 2011 18:57:07 GMT
Received: from stbryant-mac2.local (localhost [127.0.0.1]) by cisco.com (8.14.4+Sun/8.8.8) with ESMTP id p7TIv2G8019877; Mon, 29 Aug 2011 19:57:02 +0100 (BST)
Message-ID: <4E5BE0FD.2070704@cisco.com>
Date: Mon, 29 Aug 2011 19:57:01 +0100
From: Stewart Bryant <stbryant@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0) Gecko/20110812 Thunderbird/6.0
MIME-Version: 1.0
To: Glen Zorn <glenzorn@gmail.com>
References: <4E5A36CC.6070506@gmail.com>
In-Reply-To: <4E5A36CC.6070506@gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: daniel@olddog.co.uk, "secdir@ietf.org" <secdir@ietf.org>, pwe3-chairs@ietf.org, The IESG <iesg@ietf.org>, adrian@olddog.co.uk, hongyu.lihongyu@huawei.com, robin@huawei.com
Subject: Re: [secdir] secdir review of draft-li-pwe3-ms-pw-pon-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: stbryant@cisco.com
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Aug 2011 18:55:46 -0000
Hi Glen, "just out of curiosity, why is this not a pwe3 WG document?" The PWE3 WG considered that a PW running over a layer that the IETF was not responsible for was out of their scope. IETF is responsible for IP and MPLS, but not PON. However the document was reviewed by the PWE3 WG, and they are fine with the document being sponsored by their AD. - Stewart On 28/08/2011 13:38, Glen Zorn wrote: > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > I have virtually no knowledge of MPLS and no desire to acquire any. I > do know a little bit about PON, probably enough to be dangerous. For > these reasons I will not comment upon the technical aspects of the > document, instead limiting my comments to editorial issues and the > Security Considerations section. I do have one general question, > though: just out of curiosity, why is this not a pwe3 WG document? > > > EDITORIAL > > Abstract > > The acronym "MPLS" should be expanded on first use > > s/an MPLS Packet Switched Network/a MPLS Packet Switched Network/ > > It is sometimes lamented that the people writing the IETF standards are > most often not the people implementing said standards. I think that > this may actually be a blessing in disguise, however: if the people > writing the standards really don't know the difference between a pointer > to an object (e.g, "[RFC3985]") and the object itself (RFC 3985), I > don't want them writing code! > > > Section 7.1 > > The references to G.987 and G.987.3 are formatted differently from > those for the other ITU-T documents. > > The references for RFC 3031, RFC 4447 and RFC 5036 are formatted > incorrectly (leading '"' and trailing '".' characters). > > > SECURITY CONSIDERATIONS > > This section seems woefully inadequate to me. It is a single paragraph, > reproduced in full (with interspersed commentary) below. > > G-PON/XG-PON has its own security mechanism to guarantee each ONU is > isolated on the G-PON/XG-PON link layer. > > Where is the G-PON security mechanism defined? Presumably in one of the > 6 ITU-T standards referenced, but which one? > > Other security issues are > unchanged from those applying as standard to PWs and MS-PWs. Please > refer to the referenced architectures and protocol specifications for > further details. > > One of the referenced architectures, specified in RFC 3895, says > > It is outside the scope of this > specification to fully analyze and review the risks of PWE3, > particularly as these risks will depend on the PSN. An example > should make the concern clear. A number of IETF standards employ > relatively weak security mechanisms when communicating nodes are > expected to be connected to the same local area network. The Virtual > Router Redundancy Protocol [RFC3768] is one instance. The relatively > weak security mechanisms represent a greater vulnerability in an > emulated Ethernet connected via a PW. > > This seems to me to specifically assign risk analysis and review of > novel pseudowires (which this would seem to be) to the designers of > such, but this draft does not show any evidence of that analysis. > > > -- For corporate legal information go to: http://www.cisco.com/web/about/doing_business/legal/cri/index.html
- [secdir] secdir review of draft-li-pwe3-ms-pw-pon… Glen Zorn
- Re: [secdir] secdir review of draft-li-pwe3-ms-pw… Stewart Bryant
- Re: [secdir] secdir review of draft-li-pwe3-ms-pw… Glen Zorn
- Re: [secdir] secdir review of draft-li-pwe3-ms-pw… Stewart Bryant