[secdir] SECDIR review of draft-ietf-mpls-ldp-dod-08

Stephen Kent <kent@bbn.com> Mon, 20 May 2013 02:17 UTC

Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id BE25521F8F0F for <secdir@ietfa.amsl.com>; Sun, 19 May 2013 19:17:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[AWL=-0.001, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id H0a8dLu6vV60 for <secdir@ietfa.amsl.com>; Sun, 19 May 2013 19:17:08 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com []) by ietfa.amsl.com (Postfix) with ESMTP id 7EA7F21F8F0E for <secdir@ietf.org>; Sun, 19 May 2013 19:17:08 -0700 (PDT)
Received: from dommiel.bbn.com ([]:52850 helo=COMSEC.local) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1UeFen-00073S-NE; Sun, 19 May 2013 22:17:02 -0400
Message-ID: <5199879B.5010701@bbn.com>
Date: Sun, 19 May 2013 22:16:59 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:17.0) Gecko/20130328 Thunderbird/17.0.5
MIME-Version: 1.0
To: secdir <secdir@ietf.org>, Sean Turner <turners@ieca.com>, thomas.beckhaus@telekom.de, bruno.decraene@orange.com, kishoret@juniper.net, maciek@cisco.com, lmartini@cisco.com, Adrian Farrel <adrian@olddog.co.uk>, loa@pi.nu, rcallon@juniper.net, swallow@cisco.com
Content-Type: multipart/alternative; boundary="------------060300020102080306090400"
Subject: [secdir] SECDIR review of draft-ietf-mpls-ldp-dod-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 May 2013 02:17:15 -0000

I reviewed this document as part of the security directorate's ongoing 
effort to review all IETF documents being processed by the IESG.These 
comments were written primarily for the benefit of the security area 
directors.Document editors and WG chairs should treat these comments 
just like any other last call comments.

An overall comment: There are numerous (minor) English errors throughout 
the document, which I hope will be addressed through the RFC Editor process.

The abstract says that the document describes LDP DoD (downstream on 
demand) use cases and lists required LDP DoD procedures in the context 
of Seamless MPLS design. It also describes a new, optional TLV type in 
the LDP Label Request message. The intent of creating the new type is to 
enable "fast-up" convergence.

Section 2 of the document is devoted to a description of reference 
access topologies that will make use of this new MPLS feature. These 
topologies are divided into two classes: ones that can be supported via 
static routes and ones that require use of a dedicated IGP, e.g., ISIS, 
OSPF (v2 or v3), andRIP (v2 or ng), by the access network.

Section 3 describes use cases for LDP DoD. It too distinguishes between 
topologies that use static routing vs. an IGP, and examines various 
types of failures that may affect the LDP DoD nodes. This section 
includes a lot of normative text, yet almost all instances of the words 
"must" and "should" are lowercase. The authors should revisit this 
section to determine if there need to be more MUSTs and SHOULDs.

Section 4 describes the label request procedure. It too contains 
normative text, yet almost all instances of "must" and "should" are 
lowercase. As with Section 3, the authors should revisit this section to 
determine if there need to be more MUSTs and SHOULDs.

Section 5 describes the LDP extension to enable "Fast-Up" convergence. 
In this very brief section the authors seem to have done a better job of 
using uppercase terms in normative text.

Section 7 addresses Security Considerations. It cites RFC 5920, the 
Security Framework for MPLS and GMPLS as the primary reference 
applicable to security concerns that arise in the MPLS DoD context. RFC 
5920 devotes several pages to a discussion of service provider and 
inter-provider security topics, so it seems natural to cite it here. (It 
too suffers from a tendency to use the words "must," "should," and "may" 
only in lowercase, despite the apparent normative nature of the comments 
being made.) Sections 9.1 and 9.2 are odd parts of 5920; the former 
enumerates potential attacks, and the latter enumerates "deference 
techniques" without bothering to establish the mapping between the two!


This I-D also cites the Security Consideration section of the MPLS LDP 
specification (RFC 5036), noting a need for message authenticity and 
integrity, and for protection against spoofing and DoS attacks. RFC 5036 
contains a more conventional Security Considerations section, which 
seems appropriate to cite here.

In addition to the references to prior RFCs, this section analyzes 
several security contexts:, in terms of tampering with packet flow 
direction, data and control plane security, and network node security. 
The discussion of attacks on packet flow direction seems fairly good, 
except for the ABR LSR network side case, for which the offered advice 
is vague. The data place security discussion seems to be a set of 
suggestions, but with a mix of normative and informative terms; Section 
7.2 definitely needs work.

The discussion of control plane security in Section 7.3 is shorter, but 
not much better. It suggests that the reader be familiar with a KARP I-D 
(I-D.ietf-karp-routing-tcp-analysis. This recommendation is not a 
precise recommendation and thus ought to be reconsidered. The text here 
also suggests use of TCP/MD5, recommending TCP/AO only if the former is 
not considered good enough. RFC 5925 (TCP-AO) obsoletes RFC 2385 (use of 
TCP/MD5 in BGP). This calls into question whether it is appropriate to 
recommend use of TCP/MD5 at all. The subsection ends with two 
suggestions: employ better authentication in access locations with lower 
physical security, and use "stricter network protection mechanism." The 
former advice seems good, but the latter is too amorphous to be of much use.

The final subsection in Security Considerations (7.4) discusses 
additional precautions an operator might employ for nodes that are 
considered to be at risk due to degraded physical security. Addressing 
this concern seems reasonable, but the advice is pretty generic, and the 
wording here is especially poor.