[secdir] Secdir last call review of draft-ietf-sfc-oam-framework

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Mon, 20 April 2020 07:30 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "sfc@ietf.org" <sfc@ietf.org>, "draft-ietf-sfc-ioam-nsh.all@ietf.org" <draft-ietf-sfc-ioam-nsh.all@ietf.org>
Thread-Topic: Secdir last call review of draft-ietf-sfc-oam-framework
Date: Mon, 20 Apr 2020 07:28:07 +0000
Message-ID: <CY4PR1601MB12541726BC79551C2A2EBBF0EAD40@CY4PR1601MB1254.namprd16.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/_ZLOeMdFsLFHqT0dM9sTHPXCOnU>
Subject: [secdir] Secdir last call review of draft-ietf-sfc-oam-framework

Reviewer: Tirumaleswar Reddy

Review result: Ready with issues

I reviewed this document as part of the security directorate's ongoing effort to review all IETF documents entering the IESG.  These comments are directed at the security area director(s).  Document editors and WG chairs should treat these comments like any other last call comments.

This document provides a reference framework for OAM for SFC.

Comments:

1. The document in Section 8 discusses various attacks (including both security and privacy) but does not discuss any protection mechanisms other than proposing rate-limiting.  It suggests that drafts proposing the OAM solution should address the attacks, but I don't see any security mechanisms discussed in draft-ietf-sfc-ioam-nsh to address the attacks.

2. More discussion is required on the internal attacks.

(a) How are attack packets bypassing SFC detected and blocked?

(b) How is sensitive information protected from eavesdroppers?

(c) How is a DoS/DDoS attack that misuses the OAM channel mitigated?

(d) Rate-limiting blocks both good and bad OAM probes and is a weak mitigation strategy. Anomaly detection (e.g., deep learning techniques) and identifying the attacker look like a better strategy.

Cheers,
-Tiru
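
Added illustration of point 2(d) (my own constructed example, not text or code from the review, the draft, or any IETF implementation): a 60-second stream of OAM probes from ten well-behaved sources plus one flooding source is run first through a single token bucket on the whole OAM channel and then through a per-source outlier check. The global limiter sheds legitimate probes along with the flood once the bucket is drained; the per-source check identifies the offending source and drops only its probes from the next window on. The traffic shape, the 20 probes/s bucket, the 1-second window and the 5x-median threshold are assumptions chosen for the demonstration. The caveat a deployment needs is that the per-source approach only identifies an attacker when the source it keys on cannot be spoofed, which ties back to (a) and (b) above.

```python
"""Constructed comparison: one global rate limit on the OAM channel versus
per-source anomaly detection.  Added illustration, not part of the draft."""
from collections import Counter, defaultdict
import statistics


def make_traffic():
    """Constructed sample probe stream as (time_s, source, kind) tuples."""
    events = []
    for t in range(60):                      # 10 legitimate sources, 1 probe/s each
        for s in range(10):
            events.append((float(t), f"sf-{s}", "good"))
    for t in range(30, 60):                  # one rogue source floods at 50 probes/s
        for k in range(50):
            events.append((t + k / 50.0, "rogue", "attack"))
    events.sort(key=lambda e: e[0])          # stable sort keeps good-before-attack on ties
    return events


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, capacity `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def global_rate_limit(events, rate=20.0, burst=20):
    """One bucket for the whole OAM channel (assumed parameters).
    Returns a Counter of dropped probes by kind; it cannot tell good from bad."""
    bucket = TokenBucket(rate, burst)
    dropped = Counter()
    for t, src, kind in events:
        if not bucket.allow(t):
            dropped[kind] += 1
    return dropped


def per_source_detection(events, window=1.0, factor=5.0):
    """Online per-source outlier check.  In each window a source whose probe
    count exceeds `factor` times the median per-source count is flagged, and
    its probes are dropped from the next window on.  Only works if `src`
    is an authenticated, non-spoofable identity.  Returns (dropped, flagged)."""
    bins = defaultdict(list)
    for ev in events:
        bins[int(ev[0] // window)].append(ev)
    flagged, dropped = set(), Counter()
    for idx in sorted(bins):
        counts = Counter()
        for t, src, kind in bins[idx]:
            if src in flagged:
                dropped[kind] += 1           # already identified: drop only this source
            else:
                counts[src] += 1
        if counts:
            median = statistics.median(counts.values())
            flagged |= {s for s, n in counts.items() if n > factor * median}
    return dropped, flagged


if __name__ == "__main__":
    traffic = make_traffic()
    print("global limiter dropped:", dict(global_rate_limit(traffic)))
    dropped, flagged = per_source_detection(traffic)
    print("per-source dropped:", dict(dropped), "flagged:", sorted(flagged))
```

Running it with python3 prints the two drop counts: the global bucket drops several hundred legitimate probes during the flood, while the per-source check flags only "rogue" and drops none of the good ones.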