Re: [secdir] Secdir review of draft-ietf-ospf-rfc6506bis-03
Brian Weis <bew@cisco.com> Wed, 04 December 2013 18:37 UTC
To: Acee Lindem <acee.lindem@ericsson.com>
Cc: "draft-ietf-ospf-rfc6506bis.all@tools.ietf.org" <draft-ietf-ospf-rfc6506bis.all@tools.ietf.org>, "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>, The IESG <iesg@ietf.org>, "<secdir@ietf.org>" <secdir@ietf.org>
Hi Acee & Manav,
On Dec 4, 2013, at 10:22 AM, Acee Lindem <acee.lindem@ericsson.com> wrote:
> I tend to agree with Manav - this seems to be a rather extreme measure and
> wouldn't be used by a router line card simply to prioritize a packet.
Agreed, but the current text essentially says "you can't do that", but in fact "you can do that but it's too much work to do on the router line card". I was suggesting you say that instead.
Thanks,
Brian
>
> Thanks,
> Acee
>
> On 12/4/13 8:29 AM, "Bhatia, Manav (Manav)"
> <manav.bhatia@alcatel-lucent.com> wrote:
>
>> Hi Brian,
>>
>> Thanks for the review. I have a comment inline.
>>>
>>> But now RFC 5879 ("Heuristics for Detecting ESP-NULL Packets") has been
>>> published, which does describe some techniques to deterministically
>>> detect an unencrypted ESP packet. It may be still be difficult to
>>> prioritize certain OSPFv3 packets, but the justification is no longer
>>> precisely accurate. I would suggest something like the following
>>> rewording:
>>
>> The justification still holds good as I don't think we will ever use
>> heuristics for detecting ESP-NULL control packets that need to be
>> consumed.
>>
>> It's afaik primarily meant for firewalls that want to deep inspect
>> packets. Obviously, there is nothing there in the standard that precludes
>> it from being implemented on router's CPU path, but I doubt if we will
>> ever go down that path. If this is really required on the routers, then
>> WESP (RFC 5840) will probably be the path to go down on -- but that would
>> require protocol extensions.
>>
>> Cheers, Manav
>>
>>>
>>> Implementations desiring to prioritize certain OSPFv3 packet types,
>>> e.g., Hello packets, over the other types, often perform the
>>> prioritization prior to decryption. Parsing ESP packets is problematic
>>> when the prioritization code does not know whether the ESP packets
>>> include an encryption algorithm, or are instead ESP-NULL packets
>>> [RFC2410]. Techniques exist to identify ESP packets using ESP-NULL
>>> packets [RFC5879], which would allow these packets to be examined and
>>> prioritized. However, the techniques may not be practically applied
>>> within the prioritization code.
>>>
>>> Brian
>
--
Brian Weis
Security, Enterprise Networking Group, Cisco Systems
Telephone: +1 408 526 4796
Email: bew@cisco.com
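The thread turns on one technical point: a prioritizer that runs before decryption cannot tell from the ESP header alone whether the payload is encrypted or ESP-NULL, and the RFC 5879 heuristics recover that by trial-parsing the ESP trailer and the inner header. The following is an added illustration of that heuristic, written for this page; it is not code from the draft, from RFC 5879, or from any participant in the thread. It assumes the RFC 4303 default monotonic padding (1, 2, 3, ...), a fixed candidate list of ICV lengths (12, 16, 24, 32 bytes) chosen for the example, an inner OSPFv3 header as the plausibility test, and constructed sample packets whose ICVs are zero-filled because integrity is never verified here.

```python
import struct

# Constants from the RFCs the thread cites (RFC 4303 ESP, RFC 5340 OSPFv3).
ESP_HEADER_LEN = 8        # SPI (4 bytes) + sequence number (4 bytes)
OSPF_PROTO = 89           # IP protocol number carried in the ESP Next Header field
OSPFV3_HELLO = 1          # OSPFv3 packet type 1 = Hello
OSPFV3_HEADER_LEN = 16

# Assumed ICV lengths to try (e.g. HMAC-SHA1-96, HMAC-SHA-256-128, ...).
# RFC 5879 walks a similar candidate list; this tuple is this example's assumption.
CANDIDATE_ICV_LENS = (12, 16, 24, 32)


def ospfv3_header(ptype, total_len, router_id=0x0A000001, area_id=0):
    """OSPFv3 header (RFC 5340): version, type, length, router ID, area ID,
    checksum, instance ID, reserved. Checksum left zero: constructed sample."""
    return struct.pack("!BBHIIHBB", 3, ptype, total_len, router_id, area_id, 0, 0, 0)


def esp_null(spi, seq, inner, next_header, icv_len, align=4):
    """Build a constructed ESP-NULL packet: ESP header | inner | pad | padlen | NH | ICV.
    Padding follows the RFC 4303 default (1, 2, 3, ...). The ICV is zero-filled
    because this example never verifies integrity; a real packet carries a MAC."""
    pad_len = (-(len(inner) + 2)) % align
    pad = bytes(range(1, pad_len + 1))
    trailer = bytes([pad_len, next_header])
    return struct.pack("!II", spi, seq) + inner + pad + trailer + bytes(icv_len)


def looks_like_ospfv3(inner):
    """Inner-header plausibility check used by the heuristic."""
    if len(inner) < OSPFV3_HEADER_LEN:
        return False
    version, ptype, length = struct.unpack("!BBH", inner[:4])
    return version == 3 and 1 <= ptype <= 5 and length == len(inner)


def detect_esp_null(packet):
    """RFC 5879-style heuristic. For each candidate ICV length, read the trailer,
    require Next Header == OSPF, check the padding pattern, then check that the
    inner bytes parse as an OSPFv3 header. Returns (icv_len, inner) or None.
    A None result means 'no plausible parse', not 'proven encrypted'."""
    for icv_len in CANDIDATE_ICV_LENS:
        end = len(packet) - icv_len            # offset where the ICV would start
        if end < ESP_HEADER_LEN + 2:
            continue
        pad_len, next_header = packet[end - 2], packet[end - 1]
        if next_header != OSPF_PROTO:
            continue
        inner_end = end - 2 - pad_len
        if inner_end < ESP_HEADER_LEN:
            continue
        if packet[inner_end:end - 2] != bytes(range(1, pad_len + 1)):
            continue
        inner = packet[ESP_HEADER_LEN:inner_end]
        if looks_like_ospfv3(inner):
            return icv_len, inner
    return None


def classify_priority(packet):
    """What a pre-decryption prioritizer could do with the heuristic:
    'high' only for a packet that parses as an ESP-NULL OSPFv3 Hello."""
    found = detect_esp_null(packet)
    if found is None:
        return "normal"
    _, inner = found
    return "high" if inner[1] == OSPFV3_HELLO else "normal"


def make_samples():
    """Constructed sample packets (not captures)."""
    hello_body = struct.pack("!IB3sHHII", 1, 1, b"\x00\x00\x13", 10, 40, 0, 0)
    hello = ospfv3_header(OSPFV3_HELLO, OSPFV3_HEADER_LEN + len(hello_body)) + hello_body
    dbd_body = struct.pack("!B3sHBBI", 0, b"\x00\x00\x13", 1500, 0, 7, 1)
    dbd = ospfv3_header(2, OSPFV3_HEADER_LEN + len(dbd_body)) + dbd_body
    # Stand-in for encrypted ESP: fixed pseudo-random bytes after the ESP header.
    ciphertext = bytes((i * 37 + 11) % 256 for i in range(52))
    return {
        "hello_null_icv12": esp_null(0x1000, 7, hello, OSPF_PROTO, 12),
        "dbd_null_icv16": esp_null(0x1000, 8, dbd, OSPF_PROTO, 16),
        "encrypted": struct.pack("!II", 0x2000, 9) + ciphertext,
    }


SAMPLES = make_samples()

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        found = detect_esp_null(pkt)
        print(f"{name:18s} esp_null={found is not None} priority={classify_priority(pkt)}")
```

Two things the run makes visible that the thread only states. First, the detector has to try every candidate ICV length and re-parse the trailer each time, which is the per-packet work Manav and Acee say a line card will not spend just to prioritize a Hello. Second, the "encrypted" sample is rejected only because no candidate parse happened to be plausible; random ciphertext can by chance produce a valid-looking trailer and inner header, which is why RFC 5879 calls these heuristics and why they fit a deep-inspection device better than the prioritization path.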