Re: [secdir] secdir review of draft-ietf-mpls-mna-requirements-13
Adrian Farrel <adrian@olddog.co.uk> Thu, 02 May 2024 17:32 UTC
Return-Path: <adrian@olddog.co.uk>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15726C14F5F3; Thu, 2 May 2024 10:32:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.796
X-Spam-Level:
X-Spam-Status: No, score=-2.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=olddog.co.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sSEP-8Be9nLW; Thu, 2 May 2024 10:32:43 -0700 (PDT)
Received: from mta5.iomartmail.com (mta5.iomartmail.com [62.128.193.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 10FF7C14F6BE; Thu, 2 May 2024 10:32:27 -0700 (PDT)
Received: from vs4.iomartmail.com (vs4.iomartmail.com [10.12.10.122]) by mta5.iomartmail.com (8.14.7/8.14.7) with ESMTP id 442HWPsE015287; Thu, 2 May 2024 18:32:25 +0100
Received: from vs4.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id EDFE14604F; Thu, 2 May 2024 18:32:24 +0100 (BST)
Received: from vs4.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id E0F884604A; Thu, 2 May 2024 18:32:24 +0100 (BST)
Received: from asmtp1.iomartmail.com (unknown [10.12.10.248]) by vs4.iomartmail.com (Postfix) with ESMTPS; Thu, 2 May 2024 18:32:24 +0100 (BST)
Received: from LAPTOPK7AS653V (82-69-109-75.dsl.in-addr.zen.co.uk [82.69.109.75]) (authenticated bits=0) by asmtp1.iomartmail.com (8.14.7/8.14.7) with ESMTP id 442HWOb0007472 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 2 May 2024 18:32:24 +0100
Reply-To: adrian@olddog.co.uk
From: Adrian Farrel <adrian@olddog.co.uk>
To: 'Dan Harkins' <dharkins@lounge.org>, secdir@ietf.org, iesg@ietf.org, draft-ietf-mpls-mna-requirements.all@ietf.org
References: <c4fcf267-c222-4a3f-9015-1443d66a2c1a@lounge.org>
In-Reply-To: <c4fcf267-c222-4a3f-9015-1443d66a2c1a@lounge.org>
Date: Thu, 02 May 2024 18:32:24 +0100
Organization: Old Dog Consulting
Message-ID: <10c401da9cb6$b216f1c0$1644d540$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQLMrQX3yu9RBSOcR2GY/mvnvpLw0q+gCtww
Content-Language: en-gb
X-Originating-IP: 82.69.109.75
X-Thinkmail-Auth: adrian@olddog.co.uk
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=olddog.co.uk; h=reply-to :from:to:references:in-reply-to:subject:date:message-id :mime-version:content-type:content-transfer-encoding; s= 20221128; bh=fMFbkVzczIn8vlMHj/CrM6uSVux7D1Rjlfabk8x+cns=; b=1hK nTzAT+srueorio/A/evE/Mdo3hJbemoFTZPyDWHdm8SWK9xxu9kVmrL83ILiBR7a m+LSaGMxP1o/d90A2t3nONN9hjOfilM6mp//Qk2O1XkGrI4acWbSNKvbBjU7cifO OmHZVNvhv38x5YXSCyOJhabaQjjDQYjZpxOItTHMqOwFyaqCCWuSt03HvHCFVtMY 3CZUuX52gHbMxuM55Hc6i0BjNcjX+hPIuk0ZUErPYNmibwF11bBL5TZFObaPRwPd xKzP4XUXa5h5r5WxNSvoe5nWGlSDg1ycHqTkbzfQ+/s8pzdFAeKaen88SXY9GFyJ xSfi4HotaDpcZLsBs7A==
X-TM-AS-GCONF: 00
X-TM-AS-Product-Ver: IMSVA-9.1.0.2090-9.0.0.1002-28352.003
X-TM-AS-Result: No--29.648-10.0-31-10
X-imss-scan-details: No--29.648-10.0-31-10
X-TMASE-Version: IMSVA-9.1.0.2090-9.0.1002-28352.003
X-TMASE-Result: 10--29.648300-10.000000
X-TMASE-MatchedRID: Jm7Yxmmj9OnxIbpQ8BhdbCkMR2LAnMRpmdrHMkUHHq/PlmI4N1s8ir3m JhWCLMZXpFedpgCFxaV/VxmhnwoAT0kkO4zqprNO+Basxm9uZ4ef3vz+spHZTp6kzGIOnjuG5mR eq9wtVQ2YwUcPfyF0+3CXlPiCQTEbpANxWw95dxNM7OLvNT++6SkDYTG6KmZa/8+V9Cs8Xbqjpk LLuf8Iz3ltHBgbMVRxcWDkBZ3nhB4znw+i+raCo52uXLKwL+3FW+HVwTKSJIbW2YYHslT0I/U/q 2uVn7ajoqcOfCUl94wA1SrLuejrkvtzqsXu3a66nVTWWiNp+v/Exmr5hqNL1vHvvmEceItbmyUD 106b1ObDaE2o6SPVcM9gc1n8GYlrUMJNi8DXwslOKksNozKUfajjU7p61FDB9cax+ZCiv660coU GCvymFIZy0wSpO436TDW61Lsl8qMmC1NuoSXJFPZOZ2c2VQUgw3txRCEvO8/Cvo6DOxRiGlIv55 2wXaSu585VzGMOFzABi3kqJOK62VOm2gN+nomsxEHRux+uk8irEHfaj14Zyf+K1r6Y/VHIA/3R8 k/14e0=
X-TMASE-SNAP-Result: 1.821001.0001-0-1-22:0,33:0,34:0-0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/bokrt5O7ECCsgOZ9TG4hYZmACes>
Subject: Re: [secdir] secdir review of draft-ietf-mpls-mna-requirements-13
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 May 2024 17:32:48 -0000
Hi Dan, [Speaking as document shepherd] Many thanks for taking the time to do a review, and for your constructive comments. The authors may have a different view, but herewith my thoughts. > I have reviewed draft-ietf-mpls-mna-requirements-13 as part of > the security directorate's ongoing effort to review all IETF documents > being processed by the IESG. These comments were written primarily > for the benefit of the security area directors. Document editors and > WG chairs should treat these comments just like any other last call > comments. > > The summary of the review is "Ready with Issues". I wanted to > say Not Ready since my issue seems important to me but others > may not see it that way. ADs, take a look. Fair enough. Anyway, all review comments are taken seriously. > The document specifies requirements solutions to use cases that > specify new operations on MPLS packets. All of the requirements > seem correct (with the possible exception of one which I'll get to) > given my general ignorance of MPLS but my issue is that these > operations are called "Network Actions", which make sense, good > name, but the the actions to be performed are indicated by > "Network Action Indicators (NAIs)". These NAIs are to be encoded > according to RFC 3031, which is the MPLS Architecture document. > RFC 3031 does not specify an encoding of a thing called an NAI. Ah, since NAIs are a new thing, you wouldn't find them in RFC 3031. So, encoded in MPLS *consistent*with* RFC 3031. If the text is not clear about that, we need to change it. > Unfortunately, RFC 4282 does. It defines a "Network Access > Identifier" which is technically different than a "Network Action > Indicator" but I think the naming in this draft unfortunately needs > to be changed. IESG members who make the decision may disagree > but I find it confusing to see acronyms redefined like this and > unfortunately RFC 4282 was there first. OK. RFC 7542 obsoleted RFC 4282. But your point stands. Yes, we hadn't noticed the pre-existence of NAI, and it's re-use is unfortunate, but perhaps not catastrophic since it is used in the context of "MPLS NAI". The list of abbreviations at https://www.rfc-editor.org/materials/abbrev.expansion.txt is peppered with duplicate expansions, although, to be fair, it does already include Network Access Identifier. [I did write RFC 5513 to address such problems :-] There would be quite a lot of editorial work in a number of follow-up documents if we did make a change, so I'd like to punt this to the ADs as the Higher Authority. > The requirement I had a problem with was 38: "NAIs MUST be > allocated through the IANA process specified in the MNA solution > specification." If you're going to define some thing in a draft > (even if you give it a new name) and require IANA to allocate them > then you should have create a registry for these things. Making > the solution documents allocate their own registries for these > things seems wrong, IMHO. Good point. I think this should flip to... "MNA solution specifications MUST request IANA to create registries and make allocations from those registries for NAIs as necessary to ensure unambiguous identification of NAs." > Also, requirement 28 says, "Pint-to-Point (P2P)"-- cheers!-- > should be "Point-to-Point (P2P). :-) Cheers (indeed), Adrian
- [secdir] secdir review of draft-ietf-mpls-mna-req… Dan Harkins
- Re: [secdir] secdir review of draft-ietf-mpls-mna… Adrian Farrel
- Re: [secdir] secdir review of draft-ietf-mpls-mna… Matthew Bocci (Nokia)