[secdir] Secdir review of draft-ietf-ospf-rfc6506bis-03
Brian Weis <bew@cisco.com> Wed, 04 December 2013 02:32 UTC
Return-Path: <bew@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 499151ADF96; Tue, 3 Dec 2013 18:32:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.502
X-Spam-Level:
X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IIaADrq7ox1m; Tue, 3 Dec 2013 18:32:01 -0800 (PST)
Received: from mtv-iport-4.cisco.com (mtv-iport-4.cisco.com [173.36.130.15]) by ietfa.amsl.com (Postfix) with ESMTP id E547D1ADF70; Tue, 3 Dec 2013 18:32:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2276; q=dns/txt; s=iport; t=1386124318; x=1387333918; h=from:content-transfer-encoding:subject:date:message-id: cc:to:mime-version; bh=syaf5UXX3slxS/+U/RNm+hsh58P3oQ3sDFyLzq8o+dk=; b=H4eQbjbLvvep1LcGz7tRoTQSqU7+Hf3hqlX3BnFCCxGAe466k2nGWq/C AjcgDjcgIajwU9e2NSaB0wOfKdW3gQtYrjsFW4c4eGzrNez/XDJv+g/cB 4z4qpfeG9ABQUTldubtNvrI1i3Nn/9RM8/dJa9eTj76k20B7baVtixiW+ I=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ah4FAAKTnlKrRDoI/2dsb2JhbABQCoMHuX6BIBZ0gmY/gT4BiBLBPReOIlyDJ4ETA4lCjlKGRYtOg0ob
X-IronPort-AV: E=Sophos;i="4.93,821,1378857600"; d="scan'208";a="99390912"
Received: from mtv-core-3.cisco.com ([171.68.58.8]) by mtv-iport-4.cisco.com with ESMTP; 04 Dec 2013 02:31:58 +0000
Received: from [10.154.161.34] ([10.154.161.34]) by mtv-core-3.cisco.com (8.14.5/8.14.5) with ESMTP id rB42VsIr005899 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 4 Dec 2013 02:31:56 GMT
From: Brian Weis <bew@cisco.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 03 Dec 2013 18:31:54 -0800
Message-Id: <8BA650DC-B09E-48D3-852A-129E4592E2B5@cisco.com>
To: "<secdir@ietf.org>" <secdir@ietf.org>, The IESG <iesg@ietf.org>
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
X-Mailer: Apple Mail (2.1510)
Cc: draft-ietf-ospf-rfc6506bis.all@tools.ietf.org
Subject: [secdir] Secdir review of draft-ietf-ospf-rfc6506bis-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Dec 2013 02:32:03 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.
This document replaces (obsoletes) RFC 6506, which defines an Authentication Trailer for OSPFv3. It makes modest changes to the original specification, apparently as a result of deployment experience. It includes a positive security improvement in requiring that expired keys no longer be used rather than recommending that the expired key be used indefinitely. The specification is generally ready to publish.
I would suggest one rewording. The Introduction of RFC 6505 was published with the following justification as to why ESP sometimes cannot be used, and this was not changed in this draft:
Since there is no deterministic way to differentiate between
encrypted and unencrypted ESP packets by simply examining the packet,
it could be difficult for some implementations to prioritize certain
OSPFv3 packet types, e.g., Hello packets, over the other types.
But now RFC 5879 ("Heuristics for Detecting ESP-NULL Packets") has been published, which does describe some techniques to deterministically detect an unencrypted ESP packet. It may be still be difficult to prioritize certain OSPFv3 packets, but the justification is no longer precisely accurate. I would suggest something like the following rewording:
Implementations desiring to prioritize certain OSPFv3 packet types,
e.g., Hello packets, over the other types, often perform the
prioritization prior to decryption. Parsing ESP packets is problematic
when the prioritization code does not know whether the ESP packets
include an encryption algorithm, or are instead ESP-NULL packets [RFC2410].
Techniques exist to identify ESP packets using ESP-NULL packets
[RFC5879], which would allow these packets to be examined and
prioritized. However, the techniques may not be practically applied
within the prioritization code.
Brian
- [secdir] Secdir review of draft-ietf-ospf-rfc6506… Brian Weis
- Re: [secdir] Secdir review of draft-ietf-ospf-rfc… Bhatia, Manav (Manav)
- Re: [secdir] Secdir review of draft-ietf-ospf-rfc… Acee Lindem
- Re: [secdir] Secdir review of draft-ietf-ospf-rfc… Brian Weis
- Re: [secdir] Secdir review of draft-ietf-ospf-rfc… Bhatia, Manav (Manav)
- Re: [secdir] Secdir review of draft-ietf-ospf-rfc… Warren Kumari
- Re: [secdir] Secdir review of draft-ietf-ospf-rfc… Bhatia, Manav (Manav)
- Re: [secdir] Secdir review of draft-ietf-ospf-rfc… Tero Kivinen
- Re: [secdir] Secdir review of draft-ietf-ospf-rfc… Warren Kumari
- Re: [secdir] Secdir review of draft-ietf-ospf-rfc… Brian Weis