Re: [secdir] Secdir last call review of draft-ietf-rift-applicability-14

Watson Ladd <watsonbladd@gmail.com> Thu, 18 April 2024 19:28 UTC

References: <171346691888.35849.11446635845987775680@ietfa.amsl.com> <152A3F33-B9D4-4BA9-BC53-852D2745349A@juniper.net>
In-Reply-To: <152A3F33-B9D4-4BA9-BC53-852D2745349A@juniper.net>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 18 Apr 2024 12:27:49 -0700
Message-ID: <CACsn0cnx_VmEO1UoFY4xchH=XCdFwHeE4rVxtQ7zPqXcq6Fu4g@mail.gmail.com>
To: Antoni Przygienda <prz@juniper.net>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-rift-applicability.all@ietf.org" <draft-ietf-rift-applicability.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "rift@ietf.org" <rift@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/q8XFxNtwa6zlfdIycq4Cm3bI0WA>
Subject: Re: [secdir] Secdir last call review of draft-ietf-rift-applicability-14

On Thu, Apr 18, 2024 at 12:18 PM Antoni Przygienda <prz@juniper.net> wrote:
>
> Hmm, surprising comment a bit …
>
> RIFT draft has a serious security section in 6.9 and a serious security considerations section in section 9 and IMO it belongs there. AFAIS those sections cover extensively security models possible and all kinds of threats/considerations on secure implementations. Of course lots of that could be moved into applicability (should it? Is security “applicability” even and if so, which part of it? Guide how to deploy it securely?) but I don’t think that’s the intention and I’m a bit lost further what “specificity” means here specifically ;-) e.g. Key management considerations do not seem particularly specific to RIFT as a protocol AFAIS unless what is desired is some RFC reference that describes key management in routing protocols and the pluses/minuses.

As an example of the kind of interaction I'm thinking about, RIFT says
"use one symmetric key for ZRT". The applicability document seems (and
maybe I'm wrong in this) to have VMs directly participate in the
fabric for mobility. That means all VMs have the symmetric key. You
probably don't want that.

Sincerely,
Watson Ladd
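The key-distribution point raised in the reply above, illustrated with an added Python example that is not part of the thread, the RIFT specification or the applicability draft. It models fabric messages authenticated with an HMAC tag over an origin name plus payload, and compares a single fabric-wide symmetric key with one key per origin. The node names, message contents and the "switch looks up the key registered for the claimed origin" behaviour are constructed assumptions for the illustration, not RIFT mechanics.

```python
"""Why one symmetric key shared by every fabric participant (VMs included)
stops a switch from telling which participant really sent a message.

Added illustration with a constructed message format; not RIFT's own code."""
import hashlib
import hmac
import secrets


def authenticate(key: bytes, origin: bytes, payload: bytes) -> bytes:
    """Tag a sender attaches to a message that claims to come from `origin`."""
    return hmac.new(key, origin + b"|" + payload, hashlib.sha256).digest()


def verify(key: bytes, origin: bytes, payload: bytes, tag: bytes) -> bool:
    """Constant-time check of a received tag against the expected key."""
    return hmac.compare_digest(authenticate(key, origin, payload), tag)


def build_keyring(nodes, shared: bool) -> dict:
    """Return {origin: key a switch uses to validate messages claiming origin}.

    shared=True  -> every participant holds the same fabric-wide key.
    shared=False -> each origin has its own key, known to that origin and to
                    the switches validating it (the keyring stands in for the
                    switch's lookup table)."""
    if shared:
        fabric_key = secrets.token_bytes(32)
        return {n: fabric_key for n in nodes}
    return {n: secrets.token_bytes(32) for n in nodes}


def impersonation_accepted(keyring: dict, sender: bytes,
                           claimed_origin: bytes, payload: bytes) -> bool:
    """Would a switch accept a message built by `sender` that claims to be
    from `claimed_origin`?  The sender can only tag with key material it holds
    (its own entry); the switch verifies with the key registered for the
    claimed origin."""
    tag = authenticate(keyring[sender], claimed_origin, payload)
    return verify(keyring[claimed_origin], claimed_origin, payload, tag)


# Constructed sample fabric: two leaf switches plus two VMs participating
# directly, as the reply above describes for mobility.
NODES = [b"leaf-1", b"leaf-2", b"vm-a", b"vm-b"]
SAMPLE = b"advertise 10.0.0.0/24"   # constructed payload


def shared_key_model() -> bool:
    """One fabric-wide key: a VM's message claiming to be leaf-1 verifies,
    so every VM can speak as any switch."""
    keyring = build_keyring(NODES, shared=True)
    return impersonation_accepted(keyring, b"vm-a", b"leaf-1", SAMPLE)


def per_origin_key_model() -> bool:
    """Per-origin keys: vm-a's key does not validate as leaf-1."""
    keyring = build_keyring(NODES, shared=False)
    return impersonation_accepted(keyring, b"vm-a", b"leaf-1", SAMPLE)


def honest_message_accepted() -> bool:
    """Per-origin keys still accept a participant's own messages."""
    keyring = build_keyring(NODES, shared=False)
    return impersonation_accepted(keyring, b"vm-a", b"vm-a", SAMPLE)


if __name__ == "__main__":
    print("shared key, VM claims to be leaf-1 ->", shared_key_model())
    print("per-origin keys, same attempt     ->", per_origin_key_model())
    print("per-origin keys, honest message   ->", honest_message_accepted())
```

The shared-key run shows the problem in the thread: once VMs hold the fabric key, a switch verifying a tag learns only that "someone holding the key" produced the message, so a single compromised VM is indistinguishable from any switch. The per-origin run shows what scoping the key to its holder buys: a VM's key lets it authenticate its own messages and nothing else, which is the property a deployment guide for VM participation would want to spell out.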