Re: [secdir] SecDir Review of draft-ietf-l2vpn-vpls-mcast-14
Stewart Bryant <stbryant@cisco.com> Mon, 23 September 2013 11:05 UTC
Return-Path: <stbryant@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 890CF21F8EEA; Mon, 23 Sep 2013 04:05:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -110.599
X-Spam-Level:
X-Spam-Status: No, score=-110.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x0yzT++7N70Y; Mon, 23 Sep 2013 04:05:34 -0700 (PDT)
Received: from ams-iport-3.cisco.com (ams-iport-3.cisco.com [144.254.224.146]) by ietfa.amsl.com (Postfix) with ESMTP id 4910D21F9E40; Mon, 23 Sep 2013 04:04:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3444; q=dns/txt; s=iport; t=1379934284; x=1381143884; h=message-id:date:from:reply-to:mime-version:to:cc:subject: references:in-reply-to:content-transfer-encoding; bh=LLmean/C2jHDHzzI9rYGxD0R80qtVPpIxuPyvjrDL84=; b=VD1xnM+vag0UJgW2k9+r9YV3oJ9wyGHEXzYYmzh+OkSMKMuQCqT1dsxh soQwp+gfIPMatnj8YpAz4zbm6js+GpM5WUEFn0iMUe1H9Yl5AhmNSwXaz QdMlzB6tldUKuHj+mfKhqvYIJzRkgZqRrL1LEfHjJPfwII6ff0mf9yN8K 0=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgMFAAEfQFKQ/khR/2dsb2JhbABZgwc4wgOBHRZ0giUBAQEEOEABEAsYCRYPCQMCAQIBRQYBDAEHAQEQh3EMuymPQyIHhB4Dl3yRd4Ml
X-IronPort-AV: E=Sophos;i="4.90,872,1371081600"; d="scan'208";a="17738379"
Received: from ams-core-1.cisco.com ([144.254.72.81]) by ams-iport-3.cisco.com with ESMTP; 23 Sep 2013 11:04:22 +0000
Received: from cisco.com (mrwint.cisco.com [64.103.70.36]) by ams-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id r8NB4K0I009930 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 23 Sep 2013 11:04:20 GMT
Received: from [IPv6:::1] (localhost [127.0.0.1]) by cisco.com (8.14.4+Sun/8.8.8) with ESMTP id r8NB4JQB018818; Mon, 23 Sep 2013 12:04:19 +0100 (BST)
Message-ID: <52402033.2030604@cisco.com>
Date: Mon, 23 Sep 2013 12:04:19 +0100
From: Stewart Bryant <stbryant@cisco.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
MIME-Version: 1.0
To: Yakov Rekhter <yakov@juniper.net>, Catherine A Meadows <catherine.meadows@nrl.navy.mil>
References: <69ED1CC5-F819-481A-BB90-FB2178A07DDD@nrl.navy.mil> <201309222250.r8MMo9L61035@magenta.juniper.net>
In-Reply-To: <201309222250.r8MMo9L61035@magenta.juniper.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
Cc: draft-ietf-l2vpn-vpls-mcast.all@tools.ietf.org, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] SecDir Review of draft-ietf-l2vpn-vpls-mcast-14
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: stbryant@cisco.com
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Sep 2013 11:05:48 -0000
Cathy, Thank you for the review. The only update I can see, which only shows in the tools page and not the datatracker, is by RFC5462, and given the subject matter of RFC5462 the only change can be the renaming of the EXP bits to TC bits. This is well known in the MPLS community, and enhances rather than diminishes security. There were a few people that felt inclined to do production network experiments with these distinctly non-experimental bits and the purpose of RFC5462, was to stop that happening. There is no implication for this draft. - Stewart On 22/09/2013 23:50, Yakov Rekhter wrote: > Cathy, > >> I have reviewed this document as part of the security directorate's >> ongoing effort to review all IETF documents being processed by the >> IESG. These comments were written primarily for the benefit of the >> security area directors. Document editors and WG chairs should treat >> these comments just like any other last call comments. >> >> >> This ID describes a method by which service providers for Virtual >> Private LANs can use multicast trees for routing >> muilticast messages to customers in VPLS. This extends RFC's >> 4761 "Virtual Private LAN Service using >> BGP for Auto-Discovery and Signaling" and 4762, "Virtual Private LAN Services >> over MPLS Label Distribution Protocol (LDP) Signaling". In these RFC's, the >> ingress Provider Edge Device (ingress PE) >> replicates a copy of the message for each relevant exit PE. This can become >> a performance bottleneck when the >> number of recipients is large. This ID addresses this problem. >> >> This ID addresses mainly internal network management, and so, as the authors >> point out in the Security Considerations Section, >> it does not introduce many security problems other than already discussed in >> those RFC's, which are mainly addressed by the >> security features of BGP, upon which the protocols rely. The main security >> issue introduced by this draft is that neither >> BGP nor VPLS provide for secrecy of the multicast tree data. However, as the >> authors point out, providing such security >> is the responsibility of the Service Provider managing the LAN, and this >> is beyond the scope of VPLS. >> >> I do not think any modifications or extensions need to be made to the >> security section, but I have a couple of other questions: >> >> This ID is described as being intended for use with RFC's 4761 and 4762, but >> when I checked on 4761 in the ID tracker, >> it said that it is updated by 4762, although 4762 itself says nothing >> about this. In that case, is there any reason to provide support for >> 4761? Or was this an error in the ID tracker? > If indeed the ID tracker said that 4761 is updated by 4762, then this > indeed is an error in the ID tracker. > >> Likewise, the ID refers to both 4761 and 4762 for definitions of terms. What >> happens if the two RFC's don't agree on >> a definition? Should one default to 4762, or to the RFC the implementer >> is using? According to RFC 4762, the protocol >> defined by the two RFC's, although they perform similar functions, >> are independent and incompatible, so this could >> make possibly a difference. > To the RFC the implementer is using. > > Yakov. > > . > -- For corporate legal information go to: http://www.cisco.com/web/about/doing_business/legal/cri/index.html
- [secdir] SecDir Review of draft-ietf-l2vpn-vpls-m… Catherine A Meadows
- Re: [secdir] SecDir Review of draft-ietf-l2vpn-vp… Stewart Bryant
- Re: [secdir] SecDir Review of draft-ietf-l2vpn-vp… Yakov Rekhter