[secdir] SecDir review of draft-ietf-pim-join-attributes-for-lisp-05

"Brian Weis (bew)" <bew@cisco.com> Fri, 21 October 2016 17:51 UTC

From: "Brian Weis (bew)" <bew@cisco.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-pim-join-attributes-for-lisp.all@tools.ietf.org" <draft-ietf-pim-join-attributes-for-lisp.all@tools.ietf.org>
Thread-Topic: SecDir review of draft-ietf-pim-join-attributes-for-lisp-05
Date: Fri, 21 Oct 2016 17:51:25 +0000
Message-ID: <F47535A5-D16A-493A-BAD2-3FDE81E5CBC7@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Wu1OqrWSxcGyh5-1RS3ZTdy9dno>
Subject: [secdir] SecDir review of draft-ietf-pim-join-attributes-for-lisp-05

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

I consider this draft to be Ready.

When a LISP-enabled site has a multicast source emitting messages to other LISP-enabled sites, PIM is used to report that there are multicast receivers within those LISP-enabled sites. These PIM messages are encapsulated with LISP over the provider network (“RLOC address space”) to a LISP ITR at the site containing the multicast source. This Internet-Draft adds an attribute to PIM that enables PIM at the LISP xTR in front of a multicast receiver to indicate how it would like to receive the multicast data packets. It may indicate that the LISP multicast data messages are to be sent as native multicast LISP encapsulated packets (replicated in the provider network) or as unicast LISP packets. When unicast packets are selected, another new attribute can indicate exactly the unicast receiver RLOC to which the multicast messages should be addressed. Security considerations of the semantics for protecting the multicast data packets are outside the scope of this document.

These new attributes are all delivered in PIM messages, which are sent encapsulated in LISP. If a user has chosen to protect the LISP traffic across the provider network for confidentiality or privacy reasons, and/or chosen to protect the PIM packets with an integrity method, then the new attributes will also be protected. The information in the attributes relates only to delivery of the packets, and there are no particular privacy considerations. The current Security Considerations section seems adequate.

Brian

-- 
Brian Weis
Security, CSG, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com
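The review above summarises the two new PIM join attributes (a transport choice, and a receiver RLOC used when unicast delivery is chosen) without showing how they sit on the wire. The following is an added example, not code from the draft, the reviewer, or any PIM implementation. It encodes and parses an attribute chain using the generic PIM join attribute framing (F bit, E bit, 6-bit type, 8-bit length, value). The attribute type numbers, the one-byte transport value, and the AFI-plus-address layout of the receiver RLOC value are assumptions made for illustration; the email does not give them. The parser deliberately checks lengths and the E bit so that a malformed chain from an untrusted xTR is rejected rather than over-read.

```python
import ipaddress

# Assumed values for illustration only: the type codes and value layouts are not
# taken from the email. The TLV framing (F, E, 6-bit type, 8-bit length) is the
# generic PIM join attribute format.
ATTR_TRANSPORT = 5       # assumed type code for the transport attribute
ATTR_RECEIVER_RLOC = 6   # assumed type code for the receiver RLOC attribute
TRANSPORT_MULTICAST = 0  # assumed: deliver as LISP-encapsulated multicast
TRANSPORT_UNICAST = 1    # assumed: deliver as LISP-encapsulated unicast
AFI_IPV4, AFI_IPV6 = 1, 2


def encode_attr(attr_type, value, transitive=False, last=False):
    """Encode one join attribute: F(1) E(1) Attr_Type(6) Length(8) Value."""
    if not 0 <= attr_type < 64:
        raise ValueError("attr_type must fit in 6 bits")
    if len(value) > 255:
        raise ValueError("attribute value too long")
    first = (int(transitive) << 7) | (int(last) << 6) | attr_type
    return bytes([first, len(value)]) + value


def encode_lisp_join_attrs(transport, receiver_rloc=None):
    """Build the chain a receiver-site xTR would place in its PIM Join."""
    if transport == TRANSPORT_UNICAST and receiver_rloc is None:
        raise ValueError("unicast delivery needs a receiver RLOC")
    attrs = [(ATTR_TRANSPORT, bytes([transport]))]
    if receiver_rloc is not None:
        ip = ipaddress.ip_address(receiver_rloc)
        afi = AFI_IPV4 if ip.version == 4 else AFI_IPV6
        attrs.append((ATTR_RECEIVER_RLOC, bytes([afi]) + ip.packed))
    out = b""
    for i, (attr_type, value) in enumerate(attrs):
        # Non-transitive: a router that does not understand them must not
        # silently forward them. E bit marks the last attribute in the chain.
        out += encode_attr(attr_type, value, transitive=False,
                           last=(i == len(attrs) - 1))
    return out


def parse_attrs(buf):
    """Parse a chain; never trust the Length field beyond the buffer."""
    attrs = []
    off = 0
    while True:
        if off + 2 > len(buf):
            raise ValueError("truncated attribute header or missing E bit")
        first, length = buf[off], buf[off + 1]
        value = buf[off + 2:off + 2 + length]
        if len(value) != length:
            raise ValueError("attribute length exceeds message")
        attrs.append({"transitive": bool(first & 0x80),
                      "type": first & 0x3F, "value": value})
        off += 2 + length
        if first & 0x40:  # E bit set: this was the last attribute
            break
    if off != len(buf):
        raise ValueError("trailing bytes after last attribute")
    return attrs


def decode_lisp_join_attrs(buf):
    """Recover the delivery request; default is multicast with no RLOC."""
    result = {"transport": TRANSPORT_MULTICAST, "receiver_rloc": None}
    for a in parse_attrs(buf):
        if a["type"] == ATTR_TRANSPORT:
            if len(a["value"]) != 1 or a["value"][0] not in (0, 1):
                raise ValueError("bad transport attribute")
            result["transport"] = a["value"][0]
        elif a["type"] == ATTR_RECEIVER_RLOC:
            afi, addr = a["value"][0], a["value"][1:]
            expected = {AFI_IPV4: 4, AFI_IPV6: 16}.get(afi)
            if expected is None or len(addr) != expected:
                raise ValueError("bad receiver RLOC attribute")
            result["receiver_rloc"] = str(ipaddress.ip_address(addr))
        elif not a["transitive"]:
            raise ValueError("unknown non-transitive attribute %d" % a["type"])
    if (result["transport"] == TRANSPORT_UNICAST
            and result["receiver_rloc"] is None):
        raise ValueError("unicast transport without receiver RLOC")
    return result


if __name__ == "__main__":
    # Constructed sample: a receiver xTR asks for unicast delivery to 192.0.2.10.
    wire = encode_lisp_join_attrs(TRANSPORT_UNICAST, "192.0.2.10")
    print(wire.hex(), decode_lisp_join_attrs(wire))
```

The decoder rejects an unknown attribute whose F bit is clear, a unicast request with no RLOC, and any chain whose lengths run past the buffer; those are the checks a source-site xTR should apply before acting on a join received over the provider network.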