[secdir] draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15
"Osterweil, Eric" <eosterweil@verisign.com> Thu, 19 November 2015 16:20 UTC
Return-Path: <eosterweil@verisign.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D9D21B2C46 for <secdir@ietfa.amsl.com>; Thu, 19 Nov 2015 08:20:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6hjrK2NcEFhV for <secdir@ietfa.amsl.com>; Thu, 19 Nov 2015 08:20:32 -0800 (PST)
Received: from mail-oi0-x263.google.com (mail-oi0-x263.google.com [IPv6:2607:f8b0:4003:c06::263]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2A5E21B2C30 for <secdir@ietf.org>; Thu, 19 Nov 2015 08:20:26 -0800 (PST)
Received: by oiww189 with SMTP id w189so5510096oiw.2 for <secdir@ietf.org>; Thu, 19 Nov 2015 08:20:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verisign-com.20150623.gappssmtp.com; s=20150623; h=from:to:subject:thread-topic:thread-index:date:message-id :accept-language:content-language:content-type:content-id :content-transfer-encoding:mime-version; bh=sTH+r7NtkbxwCbbF1z7Ow8DVtbD2mUqAWfsXGYStnTM=; b=KfbuUQe8AVV0qsEgyNGrUgYVLivL1N1vMFeXKMoIie4etQYO6Tb4aq7FUGreqG54Y7 dmX5QTwtJrkWxTXQNNWay4/sAQnWYYe7UAkvv70eQ3BZSd0atgPDgkKjWMeKjzkI0X3x 09FlAQi6PnXKuHQgCGpo1fs8+8iMgl/KrPEapkDq+N6x643Ka9S5oHf0wtLdRdVdqv3w 344mWXkRlS+4+ogIpsJWEnUJWw/jSK+ayOnpEyVDQ7xybSdb9vvAT02venJK0EP5belY jpIWB4GxietiTZte5yL2hcse4NiV2T9gzv6P7rmA6J9yvCXJWtlKNxb2EooUgkLbyNfY uHRA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:thread-topic:thread-index:date :message-id:accept-language:content-language:content-type:content-id :content-transfer-encoding:mime-version; bh=sTH+r7NtkbxwCbbF1z7Ow8DVtbD2mUqAWfsXGYStnTM=; b=Bqblh3CehGKBkxlPVp13g+8ywoJt05pPqdn+H5r8vL9N2yBipX5KNND1Mq9fz4e0pm sA+pbBZx98rWNO8TAL4QL3BJmGA26zr12z4mriw2nohKFXMTqVFv3SF8RD6yDtHTqy3r 0xjiIwLZjmxZvCOpaij9OJNT0TfMrBY2q0fprqv91RJMav56VAgGwUmztDiAp9Wei0Gd D6h1wNNLfS+TxvC+vQB6PFN1NfzWrovf48AUwgDSZmeXKlUVN0/E6h/0SdbZYbgK/z5x OI3diA30KnebP/yvzpQdcocN2ttBmN+i2tW3wKb6DW2EPAzOqhQzLjRPhOQqOOtCP1Av m1oQ==
X-Gm-Message-State: ALoCoQmmt0+NfrMZ74PE9GF+syhjplkkbhAVUKEDNyZAOYVXjorNSecXNVzFiEnpn647MVSmSfJAeG4dXKfIqS0kDjyDpq+0Ig==
X-Received: by 10.141.1.6 with SMTP id c6mr8556803qhd.9.1447950025480; Thu, 19 Nov 2015 08:20:25 -0800 (PST)
Received: from brn1lxmailout01.verisign.com (brn1lxmailout01.verisign.com. [72.13.63.41]) by smtp-relay.gmail.com with ESMTPS id f126sm654033qkb.8.2015.11.19.08.20.25 (version=TLS1 cipher=AES128-SHA bits=128/128); Thu, 19 Nov 2015 08:20:25 -0800 (PST)
X-Relaying-Domain: verisign.com
Received: from BRN1WNEXCHM01.vcorp.ad.vrsn.com (brn1wnexchm01 [10.173.152.255]) by brn1lxmailout01.verisign.com (8.13.8/8.13.8) with ESMTP id tAJGKOKC028221 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 19 Nov 2015 11:20:24 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by BRN1WNEXCHM01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Thu, 19 Nov 2015 11:20:23 -0500
From: "Osterweil, Eric" <eosterweil@verisign.com>
To: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf.all@tools.ietf.org" <draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf.all@tools.ietf.org>
Thread-Topic: draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15
Thread-Index: AQHRIuYw7V87NEQ2wUqsDEPnZR2Utg==
Date: Thu, 19 Nov 2015 16:20:23 +0000
Message-ID: <0C547F4D-FC84-4835-AA73-F6FA76319592@verisign.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <957791C7A2ABE24B852F8A6BE020E250@verisign.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/o6pmg50_gT3MLL4bOH0a3uDDPUM>
Subject: [secdir] draft-ietf-mpls-lsp-ping-mpls-tp-oam-conf-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 16:20:34 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. I believe this draft is ready with (possibly minor) issues: In Section 2.1.1, the authors describe BFD Authentication, and it seems quite appropriate and well described. I was, however, wondering if authentication (the same sub-TLV or different) was needed or should be used for the mechanisms in Sections 2.1.2 and 2.1.3. If the authentication described by 2.1.1 is already expected to be applicable to these other TLVs, it was not immediately clear. Maybe some additional description of this would be helpful to readers. In Section 3, there is a great level of granularity proposed around describing authorization errors: Auth not supported, Type not supported, and Key mismatch (this is excellent). One question, is there a missing statement for an outright authentication failure? In Section 6 Security Considerations, it would be nice (if possible) to mention any privacy considerations. For example, can an unauthorized agents probe capabilities or configurations (such as, authentication or otherwise) of devices? That is, can someone learn that authentication is being required, and what parameters are needed, etc? Is all data transmitted in the clear? Eric
- [secdir] draft-ietf-mpls-lsp-ping-mpls-tp-oam-con… Osterweil, Eric
- Re: [secdir] draft-ietf-mpls-lsp-ping-mpls-tp-oam… Gregory Mirsky