Re: [secdir] SECDIR review of draft-ietf-pals-seamless-vccv-02

Stewart Bryant <> Wed, 27 April 2016 09:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 23D2012D694; Wed, 27 Apr 2016 02:37:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id aiicy-5fXcDK; Wed, 27 Apr 2016 02:37:31 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 168FA12D5E9; Wed, 27 Apr 2016 02:31:50 -0700 (PDT)
Received: by with SMTP id a17so7809201wme.0; Wed, 27 Apr 2016 02:31:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to; bh=L71op/rH1joACXb0Zci24SI3rhLuo76+//MfbBYY2RU=; b=nTANdMnnSfhlQA5wVxBBMP4D+qsOVawoHaIg8mvNiJHXpew94Em5Cj58npTDiMee22 yZI3rdBXhgJsPAj+xmiXvlMR9YSTQJfsOu5MtieZ1eFR17OmKzgZWn72c8DWRAbne4PO py9g5RUZET+C1XmK0GatyjBjLMx2JMnuWEA7M6IfVUlPnDGomtRPRwMRzvbf29EJUmCU MxgexM7mqe7fJiw0dGWcGkKqEwb+u7poQrWSajQed3yKEbtqYdbf23ynvwFI5I1q0N7K znx1jE06BWzn59UjmSCv9wVdi+49uvJkaW7NnhThwAplHiQce//g6sIo1VMG5s4+OOWC 6t4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to; bh=L71op/rH1joACXb0Zci24SI3rhLuo76+//MfbBYY2RU=; b=hP9xWbxZiF7EUG2MRFi9oyeh4Haa0zsqwrATJ6+DdTTRNdE3PMB+dpF05Vw670FaWj RkACBhw26T3sYdoLbFlMPMC8xNEUV+Mg4ax6znjfj48nVbE4qPVeKoeA0dBDRYVkBDO3 p/qMZU283aPOi49eVBWELYB4iTSmz5SvtF6qZmVZOeBTDfi/nL85zRbW/FEiDZuBSpED Oy9JUbxe+Fi0oGG1iBXlAYkJHxoeZb6yJsb5JGXrxJJsD8UJ+4aJF5dYZQFksh6+nH+m hJs51y/kudbxc1yD4QpoCkueL+fGZtCH5ZkJbUcqr7eGwJT2tre5LKAI2cifErYPSZyT FChA==
X-Gm-Message-State: AOPr4FWZbK4tUBo/suRpHAlLb0/NtMhtJgQw1S/eKlw4yaeWx0Y7fAeD9SKo0jGHSP3aGg==
X-Received: by with SMTP id c8mr7949870wjs.89.1461749508624; Wed, 27 Apr 2016 02:31:48 -0700 (PDT)
Received: from [] ( []) by with ESMTPSA id o128sm7432749wmb.19.2016. (version=TLSv1/SSLv3 cipher=OTHER); Wed, 27 Apr 2016 02:31:47 -0700 (PDT)
To: Phillip Hallam-Baker <>, "Andrew G. Malis" <>
References: <> <> <>
From: Stewart Bryant <>
Message-ID: <>
Date: Wed, 27 Apr 2016 10:31:45 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------040703010801030303090403"
Archived-At: <>
Cc:, "" <>, "" <>
Subject: Re: [secdir] SECDIR review of draft-ietf-pals-seamless-vccv-02
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 27 Apr 2016 09:37:33 -0000

On 26/04/2016 15:51, Phillip Hallam-Baker wrote:
> Yes, I think that what is needed is IAB review of what is going on
> rather than action on this particular draft.
Sorry - what is the scope of your proposed IAB review?
> In particular, I don't consider a protocol suitable to be considered
> an IETF standard unless people can buy devices from multiple vendors
> and configure them to work together securely.

Sure, but I would like to see an evidence based assessment of the specific
problem you are seeing in the field. So far none has been brought to 
PALS (ne PWE3)
or MPLS as far as I am aware. Carlos can talk to L2TP, but again I have not
heard of a specific problem ever being raised.

If one is raised we will address it in the appropriate WG.

> The security approach outlined in 5085 is mix and match with a large
> dose of handwaving. It desperately needs to be reconsidered and a
> security architecture written up. I don't think that you can expect
> interoperability on the basis of that description.

If we do that, we should really do it in two halves, MPLS and L2TP. Since
PALS over MPLS runs the MPLS control and dataplane the solution needs
to be owned by MPLS. Similarly any LT2P work belongs in L2TPext.

> The Snowden documents demonstrate that 'well managed enterprise
> networks' are attacked on a daily basis and that this is the basis for
> mass surveillance.

Right, but I cannot see why anyone would want to mass surveil the OAM
protocol, and we inherit the security enhancements to the underlying
data and control planes.

> I do not consider IPSEC to be a suitable security mechanism for this
> type of system. If I was given the design brief, I would insist that
> every message be authenticated by digital signature rather than a MAC
> and the control messages logged. I might use a MAC for
> pre-authentication to prevent DoS attack on the control plane. But the
> control messages should be fixed in non repudiable fashion.

We need to examine this statement in more detail to understand which element
of the system you are concerned about. However please remember that some
elements of the dataplane and OAM are cost and time sensitive.

> That is the only way I could be confident that PRISM class attack
> against the network had not been performed.

That is all very well, but we do need an eco-system that is prepared to
pay for any upgrade. The place to start here is with an operator requirement
draft. Given a requirements RFC agreed by the operator community, I am
sure we will design the necessary technology to fullfill those requirements.


> On Tue, Apr 26, 2016 at 10:18 AM, Andrew G. Malis <> wrote:
>> Phillip,
>> On behalf of the PALS WG, thanks for your review.
>> To be clear, this sounds like more a comment on RFC 5085 than it does a
>> comment on the draft in question. So is there any action requested regarding
>> the draft?
>> Also, you many not be aware that pseudowires are almost exclusively used in
>> well-managed private enterprise services networks, usually either physically
>> or logically separated from the public Internet for reasons of both traffic
>> management and assurance to enterprise customers that their private traffic
>> is well separated from the Internet. Thus interception is less a threat than
>> it may be for protocols that are used in the public Internet.
>> Thanks,
>> Andy
>> On Tue, Apr 26, 2016 at 8:48 AM, Phillip Hallam-Baker
>> <> wrote:
>>> I have reviewed this document as part of the security directorate's
>>> ongoing effort to review all IETF documents being processed by the
>>> IESG. These comments were written primarily for the benefit of the
>>> security area directors. Document editors and WG chairs should treat
>>> these comments just like any other last call comments.
>>> This document is an incremental change to a layer 2 virtualization
>>> layer (Software Defined Networking). As such it properly references
>>> RFC5085 for security considerations.
>>> That said, I am a bit surprised at the security considerations in
>>> RFC5085 which points out that denial of service is an issue but not
>>> the introduction of a new set of opportunities for interception. This
>>> is surprising given that BGP interception had already been used in
>>> international hostilities when the RFC was published.
>>> Further the proposed solution is to sprinkle on some magic IPSEC dust
>>> or equivalent. While that might be an appropriate approach in an
>>> experimental protocol, it is hardly adequate for a production protocol
>>> with implications for Internet security as a whole.
>>> Given the critical function of this layer and the date of its
>>> inception, I would expect to see a comprehensive security architecture
>>> developed as part of the overall scheme.