[secdir] SECDIR review of draft-ietf-mpls-ldp-dod-08
Stephen Kent <kent@bbn.com> Mon, 20 May 2013 02:17 UTC
Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE25521F8F0F for <secdir@ietfa.amsl.com>; Sun, 19 May 2013 19:17:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Level:
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H0a8dLu6vV60 for <secdir@ietfa.amsl.com>; Sun, 19 May 2013 19:17:08 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by ietfa.amsl.com (Postfix) with ESMTP id 7EA7F21F8F0E for <secdir@ietf.org>; Sun, 19 May 2013 19:17:08 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:52850 helo=COMSEC.local) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1UeFen-00073S-NE; Sun, 19 May 2013 22:17:02 -0400
Message-ID: <5199879B.5010701@bbn.com>
Date: Sun, 19 May 2013 22:16:59 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: secdir <secdir@ietf.org>, Sean Turner <turners@ieca.com>, thomas.beckhaus@telekom.de, bruno.decraene@orange.com, kishoret@juniper.net, maciek@cisco.com, lmartini@cisco.com, Adrian Farrel <adrian@olddog.co.uk>, loa@pi.nu, rcallon@juniper.net, swallow@cisco.com
Content-Type: multipart/alternative; boundary="------------060300020102080306090400"
Subject: [secdir] SECDIR review of draft-ietf-mpls-ldp-dod-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 May 2013 02:17:15 -0000
I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.These comments were written primarily for the benefit of the security area directors.Document editors and WG chairs should treat these comments just like any other last call comments. An overall comment: There are numerous (minor) English errors throughout the document, which I hope will be addressed through the RFC Editor process. The abstract says that the document describes LDP DoD (downstream on demand) use cases and lists required LDP DoD procedures in the context of Seamless MPLS design. It also describes a new, optional TLV type in the LDP Label Request message. The intent of creating the new type is to enable "fast-up" convergence. Section 2 of the document is devoted to a description of reference access topologies that will make use of this new MPLS feature. These topologies are divided into two classes: ones that can be supported via static routes and ones that require use of a dedicated IGP, e.g., ISIS, OSPF (v2 or v3), andRIP (v2 or ng), by the access network. Section 3 describes use cases for LDP DoD. It too distinguishes between topologies that use static routing vs. an IGP, and examines various types of failures that may affect the LDP DoD nodes. This section includes a lot of normative text, yet almost all instances of the words "must" and "should" are lowercase. The authors should revisit this section to determine if there need to be more MUSTs and SHOULDs. Section 4 describes the label request procedure. It too contains normative text, yet almost all instances of "must" and "should" are lowercase. As with Section 3, the authors should revisit this section to determine if there need to be more MUSTs and SHOULDs. Section 5 describes the LDP extension to enable "Fast-Up" convergence. In this very brief section the authors seem to have done a better job of using uppercase terms in normative text. Section 7 addresses Security Considerations. It cites RFC 5920, the Security Framework for MPLS and GMPLS as the primary reference applicable to security concerns that arise in the MPLS DoD context. RFC 5920 devotes several pages to a discussion of service provider and inter-provider security topics, so it seems natural to cite it here. (It too suffers from a tendency to use the words "must," "should," and "may" only in lowercase, despite the apparent normative nature of the comments being made.) Sections 9.1 and 9.2 are odd parts of 5920; the former enumerates potential attacks, and the latter enumerates "deference techniques" without bothering to establish the mapping between the two! ** This I-D also cites the Security Consideration section of the MPLS LDP specification (RFC 5036), noting a need for message authenticity and integrity, and for protection against spoofing and DoS attacks. RFC 5036 contains a more conventional Security Considerations section, which seems appropriate to cite here. In addition to the references to prior RFCs, this section analyzes several security contexts:, in terms of tampering with packet flow direction, data and control plane security, and network node security. The discussion of attacks on packet flow direction seems fairly good, except for the ABR LSR network side case, for which the offered advice is vague. The data place security discussion seems to be a set of suggestions, but with a mix of normative and informative terms; Section 7.2 definitely needs work. The discussion of control plane security in Section 7.3 is shorter, but not much better. It suggests that the reader be familiar with a KARP I-D (I-D.ietf-karp-routing-tcp-analysis. This recommendation is not a precise recommendation and thus ought to be reconsidered. The text here also suggests use of TCP/MD5, recommending TCP/AO only if the former is not considered good enough. RFC 5925 (TCP-AO) obsoletes RFC 2385 (use of TCP/MD5 in BGP). This calls into question whether it is appropriate to recommend use of TCP/MD5 at all. The subsection ends with two suggestions: employ better authentication in access locations with lower physical security, and use "stricter network protection mechanism." The former advice seems good, but the latter is too amorphous to be of much use. The final subsection in Security Considerations (7.4) discusses additional precautions an operator might employ for nodes that are considered to be at risk due to degraded physical security. Addressing this concern seems reasonable, but the advice is pretty generic, and the wording here is especially poor.
- [secdir] SECDIR review of draft-ietf-mpls-ldp-dod… Stephen Kent
- Re: [secdir] SECDIR review of draft-ietf-mpls-ldp… Stephen Kent