[secdir] SECDIR review of draft-ietf-teas-mpls-tp-rsvpte-ext-associated-lsp-07

Stephen Kent <kent@bbn.com> Fri, 06 March 2015 20:13 UTC

Return-Path: <kent@bbn.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 3700E1A7004 for <secdir@ietfa.amsl.com>; Fri, 6 Mar 2015 12:13:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id NvABLJeWXbnZ for <secdir@ietfa.amsl.com>; Fri, 6 Mar 2015 12:13:24 -0800 (PST)
Received: from smtp.bbn.com (smtp.bbn.com []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FF801A7002 for <secdir@ietf.org>; Fri, 6 Mar 2015 12:13:24 -0800 (PST)
Received: from ssh.bbn.com ([]:60553 helo=COMSEC.home) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1YTycN-0006Dc-4K; Fri, 06 Mar 2015 15:13:07 -0500
Message-ID: <54FA0A51.9080406@bbn.com>
Date: Fri, 06 Mar 2015 15:13:05 -0500
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: secdir <secdir@ietf.org>, zhangfei7@huawei.com, jingrq@ctbri.com.cn, rgandhi@cisco.com, lberger@labn.net, db3546@att.com, akatlas@gmail.com, adrian@olddog.co.uk, mhartley@cisco.com
Content-Type: multipart/alternative; boundary="------------090900000005060101020601"
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/lLzdRki0cOkb-PF0Q56ejQC-u-w>
Subject: [secdir] SECDIR review of draft-ietf-teas-mpls-tp-rsvpte-ext-associated-lsp-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Mar 2015 20:13:31 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.These comments were written with the intent of improving security 
requirements and considerations in IETF drafts.Comments not addressed in 
last call may be included in AD reviews during the IESG review.Document 
editors and WG chairs should treat these comments just like any other 
last call comments.

As far as security is concerned, I see no problems with this document. 
Tracing back through the list of Security Consideration sections of 
cited documents in one case leads to a disappointing origin in RFC 2747. 
The other chain is shorter and more relevant, and it provides greater 
confidence that this document yields no new security concerns.

This document describes extensions to RSVP to enable creating a 
bidirectional LSP from two p-t-p unidirectional LSPs.

The security considerations section consists of just two paragraphs. The 
first cites the security considerations section of RFC 6780 (RSVP 
Association Objects) as encompassing any security issues that might 
arise in this context. (The assertion is that this document introduces 
no new signaling information, and thus no new security concerns.)

The Security Considerations section of 6780 is also two paragraphs in 
length. That text states that no new security considerations have been 
introduced, because no new procedures have been defined. Hence it cites 
theSecurity Considerations sections of RFC 4872 and 4873.

RFC 4872 cites RFC 4426 (RFC 4873 cites RFC 4872).

The security considerations section of 4426 is almost a full page. It 
specifies security services that are required to protect the GMPLS 
recovery mechanisms defined in that document, but does not point to ANY 
security mechanisms that should be employed.

RFC 4872 also establishes a few security-relevant requirements for RSVP 
signaling, and cites RFC 2747 as specifying the required security 
mechanisms. (4872 also notes that IPsec could be employed for hop-by-hop 
integrity and authentication, and cites RFC 3473. I note that 3473 is 
from 2003, and thus refers to IPsec and IKE RFCs that have been obsoleted!)

RFC 2747 specifies crypto authentication mechanisms for RSVP, but dates 
from 2000. It anticipates that “ … the IETF will define a standard key 
management protocol” and thus omits specification of such in that 
document. (A fun walk down memory lane …)

The second paragraph of the Security Considerations section of this I-D 
notes that additional information is conveyed in the REVERSE_LSP object, 
but that the information is not fundamentally different from what is 
carried in a bidirectional LSP message. Thus, the argument is that no 
fundamentally different information is being transmitted. This paragraph 
cites RFC 5920 (Security Framework for MPLS and GMPLS Networks) as 
relevant. I agree that 5920 seems to be most appropriate RFC in this