Re: [secdir] Secdir review of draft-ietf-mpls-ldp-igp-sync-bcast-04

Sriganesh Kini <sriganesh.kini@ericsson.com> Fri, 01 October 2010 20:09 UTC

Return-Path: <sriganesh.kini@ericsson.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 326613A6E04; Fri, 1 Oct 2010 13:09:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.42
X-Spam-Level:
X-Spam-Status: No, score=-2.42 tagged_above=-999 required=5 tests=[AWL=0.179, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OsKPYln8A3J6; Fri, 1 Oct 2010 13:09:18 -0700 (PDT)
Received: from imr3.ericy.com (imr3.ericy.com [198.24.6.13]) by core3.amsl.com (Postfix) with ESMTP id EE1CC3A6E26; Fri, 1 Oct 2010 13:08:00 -0700 (PDT)
Received: from eusaamw0711.eamcs.ericsson.se ([147.117.20.178]) by imr3.ericy.com (8.13.8/8.13.8) with ESMTP id o91K7sHi006247 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 1 Oct 2010 15:08:34 -0500
Received: from EUSAACMS0703.eamcs.ericsson.se ([169.254.1.219]) by eusaamw0711.eamcs.ericsson.se ([147.117.20.178]) with mapi; Fri, 1 Oct 2010 16:08:21 -0400
From: Sriganesh Kini <sriganesh.kini@ericsson.com>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Date: Fri, 01 Oct 2010 16:08:20 -0400
Thread-Topic: Secdir review of draft-ietf-mpls-ldp-igp-sync-bcast-04
Thread-Index: ActeOEH0nE1Z3sFDSQGL1ipD7jocMgDa/Icw
Message-ID: <5A5E55DF96F73844AF7DFB0F48721F0F56F5FDE903@EUSAACMS0703.eamcs.ericsson.se>
References: <4CA081F7.60304@gondrom.org>
In-Reply-To: <4CA081F7.60304@gondrom.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Mon, 04 Oct 2010 11:35:57 -0700
Cc: "swallow@cisco.com" <swallow@cisco.com>, Wenhu Lu <wenhu.lu@ericsson.com>, "draft-ietf-mpls-ldp-igp-sync-bcast.all@tools.ietf.org" <draft-ietf-mpls-ldp-igp-sync-bcast.all@tools.ietf.org>, "adrian.farrel@huawei.com" <adrian.farrel@huawei.com>, "martin.vigoureux@alcatel-lucent.com" <martin.vigoureux@alcatel-lucent.com>, "loa@pi.nu" <loa@pi.nu>
Subject: Re: [secdir] Secdir review of draft-ietf-mpls-ldp-igp-sync-bcast-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Oct 2010 20:09:20 -0000

Hello Tobias,

Please see inline at [Sri].

Thanks

> -----Original Message-----
> From: Tobias Gondrom [mailto:tobias.gondrom@gondrom.org]
> Sent: Monday, September 27, 2010 4:37 AM
> To: iesg@ietf.org; secdir@ietf.org
> Cc: draft-ietf-mpls-ldp-igp-sync-bcast.all@tools.ietf.org;
> Sriganesh Kini; Wenhu Lu; swallow@cisco.com; loa@pi.nu; 
> adrian.farrel@huawei.com; martin.vigoureux@alcatel-lucent.com
> Subject: Secdir review of draft-ietf-mpls-ldp-igp-sync-bcast-04
> 
> 
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG.  These comments were written primarily for the benefit of the 
> security area directors.
> Document editors and WG chairs should treat these comments just like 
> any other last call comments.
> 
> 
> draft-ietf-mpls-ldp-igp-sync-bcast-04
> LDP IGP Synchronization for broadcast networks
> 
> The draft updates RFC 5443 (LDP IGP Synchronization). It basically 
> proposes the following mechanism: "If an interface is not a 'cut-edge'
> then the updating of the LSA with that link to the pseudo-node is 
> postponed until LDP is operational."
> 
> The document states that there would be no security considerations 
> beyond RFC5443.
> I am not certain of that. Although the idea behind bcast is good, it 
> adds a new mechanism beyond 5443.
> To make sure the security considerations are accurate, I'd like to 
> raise two questions for the authors/WG:
> 1. Which security implications does the WG see for removing a link 
> that is coming up from the LSDB?

[Sri] Since the link is only delayed from being added to the LSDB we don't believe there are any new/additional security implications.

> 2. Can there be a gap between the algorithm to determine "cut-edge" 
> and TTL (e.g. may not qualify for "cut-edge" and thus be removed from 
> LSDB, but have a large number of links and effectively not be 
> reachable)?

[Sri] This problem is not unique to this draft. Even in RFC 5443 when the link has high metric, an alternate path with num hops > 255 (but a lower path metric than the directly connected link's max metric) can result in unreachability.

> 
> and three minor editorial comments:
> - section 3, last paragraph:
> s/Since A's cost to reach B not high/Since A's cost to reach B is not 
> high

[Sri] Accepted

> - Appendix A: Computation of 'cut-edge'
> there should be an informative reference for mentioned "Dijkstra's 
> algorithm"

[Sri] Accepted. Will refer to RFC 2328 sec 16.1

> - abbreviation "SPF" should list its expanded term (Shortest Path
> First) at first mention.

[Sri] Accepted.

> 
> Best regards, Tobias
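The cut-edge test summarised in the review (draft Appendix A, Dijkstra/SPF as in RFC 2328 section 16.1) and the hop-count-versus-TTL concern from question 2, as an added worked example for this archive page. This is Python written for this page, not code from the draft, from RFC 5443 or from the authors. It assumes an OSPF-style link-state topology held as an adjacency map of link metrics; the three topologies, the helper names and the "sync_decision" labels are constructed for the example, and the 255 hop limit is the 8-bit IP/MPLS TTL.

```python
"""Cut-edge and hop-count checks for LDP IGP sync on a link-state topology.

Added example for this page; not code from the draft, RFC 5443, RFC 2328 or
the authors. The topology format (node -> {neighbour: metric}) and the helper
names are assumptions made for this example.
"""
import heapq
from typing import Dict, List, Optional, Tuple

Graph = Dict[str, Dict[str, int]]   # node -> {neighbour: link metric}
MAX_HOPS = 255                       # 8-bit IP/MPLS TTL: longer paths are unreachable


def spf(graph: Graph, src: str,
        skip_link: Optional[Tuple[str, str]] = None) -> Tuple[Dict[str, int], Dict[str, str]]:
    """Dijkstra / SPF from src (RFC 2328 sec 16.1 style).  skip_link=(a, b)
    leaves that link out of the LSDB in both directions, which models the
    draft's behaviour of not yet advertising a link whose LDP session is down.
    Returns (cost-to-node, predecessor) maps."""
    dist: Dict[str, int] = {src: 0}
    prev: Dict[str, str] = {}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                      # stale heap entry
        for v, metric in graph[u].items():
            if skip_link and {u, v} == set(skip_link):
                continue
            nd = d + metric
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                prev[v] = u
                heapq.heappush(heap, (nd, v))
    return dist, prev


def path_to(prev: Dict[str, str], src: str, dst: str) -> List[str]:
    """Walk the predecessor map back from dst to src."""
    hops = [dst]
    while hops[-1] != src:
        hops.append(prev[hops[-1]])
    return hops[::-1]


def alternate_path(graph: Graph, a: str, b: str) -> Optional[Tuple[int, int, List[str]]]:
    """Lowest-metric path from a to b that avoids the a-b link itself.
    Returns (cost, hop count, path) or None if b is unreachable without it."""
    dist, prev = spf(graph, a, skip_link=(a, b))
    if b not in dist:
        return None
    route = path_to(prev, a, b)
    return dist[b], len(route) - 1, route


def is_cut_edge(graph: Graph, a: str, b: str) -> bool:
    """A link is a cut-edge if removing it disconnects b from a (draft Appendix A)."""
    return alternate_path(graph, a, b) is None


def sync_decision(graph: Graph, a: str, b: str, max_hops: int = MAX_HOPS) -> str:
    """What to do with link a-b while LDP on it is not yet operational.

    'advertise-now'      : cut-edge; delaying the LSA would partition the network
    'delay'              : an alternate path exists, safe to wait for LDP
    'delay-ttl-exceeded' : an alternate path exists in the LSDB but is longer than
                           the TTL allows, so traffic is black-holed anyway (the
                           gap raised in question 2; the reply notes RFC 5443's
                           max-metric advertisement has the same gap whenever the
                           alternate path cost is below the max metric)
    """
    alt = alternate_path(graph, a, b)
    if alt is None:
        return "advertise-now"
    _cost, hops, _route = alt
    return "delay-ttl-exceeded" if hops > max_hops else "delay"


# Constructed topologies for the example (not from the draft).
def make_stub() -> Graph:
    """B hangs off A only, so A-B is a cut-edge."""
    return {"A": {"B": 10, "C": 10}, "B": {"A": 10}, "C": {"A": 10}}


def make_triangle() -> Graph:
    """A-B plus an A-C-B detour: A-B is not a cut-edge."""
    return {"A": {"B": 10, "C": 10}, "B": {"A": 10, "C": 10}, "C": {"A": 10, "B": 10}}


def make_long_ring(n: int) -> Graph:
    """A-B direct plus a chain of n routers (metric 1 each) between them."""
    nodes = ["A"] + [f"R{i}" for i in range(n)] + ["B"]
    g: Graph = {x: {} for x in nodes}
    for u, v in zip(nodes, nodes[1:]):
        g[u][v] = g[v][u] = 1
    g["A"]["B"] = g["B"]["A"] = 100
    return g


if __name__ == "__main__":
    for name, g in [("stub", make_stub()), ("triangle", make_triangle()),
                    ("ring-300", make_long_ring(300))]:
        alt = alternate_path(g, "A", "B")
        print(f"{name:9s} cut-edge={is_cut_edge(g, 'A', 'B')} "
              f"alt(cost,hops)={alt and alt[:2]} -> {sync_decision(g, 'A', 'B')}")
```

Running it shows the three cases side by side: the stub link must be advertised immediately, the triangle link can safely be withheld until LDP is up, and the 300-router ring is formally not a cut-edge yet its only remaining path is 301 hops, so withholding the LSA (or, under RFC 5443, advertising it at max metric while a cheaper 301-cost path exists) leaves A unable to reach B until LDP comes up.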