Re: [secdir] secdir review of draft-ietf-pals-mc-pon-04

<> Thu, 01 September 2016 14:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3CD4A12D0C1; Thu, 1 Sep 2016 07:07:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -3.168
X-Spam-Status: No, score=-3.168 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.548, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id eb3LXRwMAb4s; Thu, 1 Sep 2016 07:07:12 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9F26112D96B; Thu, 1 Sep 2016 06:54:55 -0700 (PDT)
X-SBRS: None
Received: from unknown (HELO ([]) by with ESMTP/TLS/AES256-GCM-SHA384; 01 Sep 2016 15:54:54 +0200
Received: from (unknown []) by (Postfix) with ESMTPS; Thu, 1 Sep 2016 15:54:53 +0200 (CEST)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1178.4; Thu, 1 Sep 2016 15:54:53 +0200
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1178.4; Thu, 1 Sep 2016 15:54:52 +0200
Received: from ([]) by ([]) with mapi id 15.00.1178.000; Thu, 1 Sep 2016 15:54:52 +0200
Thread-Topic: secdir review of draft-ietf-pals-mc-pon-04
Thread-Index: AdIERGNJ4u3omnmWQ2+8lMLF4/56GQAE89FQ
Date: Thu, 01 Sep 2016 13:54:52 +0000
Message-ID: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_71cbf9b3372247f297987d0bb1acdd67MUCSE609infineoncom_"
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [secdir] secdir review of draft-ietf-pals-mc-pon-04
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 01 Sep 2016 14:07:16 -0000

Resending with correct draft alias.


From: Hanna Steve (IFAM CCS SMD AMR)
Sent: Thursday, September 01, 2016 7:57 AM
To: ''; ''; ''
Subject: secdir review of draft-ietf-pals-mc-pon-04

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: Ready with issues

The security considerations section of this document seems reasonable and correct. However, I'm concerned that bringing ICCP into the PON has some security risks that have not been properly called out and mitigated. As the Security Considerations section says:

   In many passive optical networks the optical paths between

   OLT and ONTs traverse publicly accessible facilities including

   public attachments (e.g. telephone poles)

Note that I'm pretty sure that ONT should be ONU here and in several other places in the Security Considerations.

My concern is that section 4.2 says that "When a fault is detected on its working PW (e.g., by VCCV BFD), a working OLT SHOULD turn off its associated PON interface and then send an ICCP message with PON State TLV with local PON Port State being set to notify the protection OLT of the PON fault." Since the working PW has failed, the working OLT will presumably send this ICCP message to the protection PW over the PON. That means that any other authorized or unauthorized party on the PON could also send such a message. I'm not very familiar with ICCP but the Security Considerations section of RFC 7275 seems to say that ICCP messages are frequently authenticated only by looking at the source IP address, which is an exceedingly weak method of authentication susceptible to easy forgery. Using MD5 (as permitted by RFC 7275) isn't much better. The impact of permitting attackers to easily forge ICCP messages on the PON is not clear to me but it seems that the attacker could at least prevent proper failover and maybe force failover or even force failure. Of course, an attacker on the PON could also just jam the PON by setting their laser always on but ICCP attacks would be much trickier to detect. I would suggest that TCP-AO be required at least for ICCP messages sent or received on the PON.

Two minor typos:

1)      In section 3, "protect OLTs" should be "protection OLTs".

2)      In the Security Considerations, "ONT" should be "ONU". At least, I assume so. If not, ONT should be defined.

Thanks for your consideration,