[secdir] secdir review of draft-ietf-ospf-encapsulation-cap-06

David Mandelberg <david@mandelberg.org> Sat, 26 August 2017 18:49 UTC

To: iesg@ietf.org, secdir@ietf.org, draft-ietf-ospf-encapsulation-cap.all@ietf.org
From: David Mandelberg <david@mandelberg.org>
Message-ID: <475c78dc-c872-8795-2d99-81b28df97aed@mandelberg.org>
Date: Sat, 26 Aug 2017 14:49:00 -0400
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/iDNG9PIryeD5swvjyHo20l_SkI0>

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is Ready with nits.

This document extends OSPF for use with tunnels. As mentioned in the 
security considerations, an attacker who can modify routing information 
can cause packets to be misdirected or dropped. However, that seems to 
be the general nature of routing attacks. I don't know if this document 
makes such attacks any more likely or more severe, but it would be nice 
to see a bit more discussion of that in the security considerations. 
E.g., are OSPF attacks without tunneling less severe because of some 
limitation on where packets can be forwarded, while tunneling makes it 
easier to forward packets to anywhere on the Internet? Or is that not 
the case? (I'm not very familiar with OSPF or with the environments it's 
typically used in.)