Re: [Softwires] Alissa Cooper's Discuss on draft-ietf-softwire-yang-14: (with DISCUSS and COMMENT)

<> Fri, 11 January 2019 08:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D57FF128D09; Fri, 11 Jan 2019 00:05:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id P4fkG3XwxP3l; Fri, 11 Jan 2019 00:05:23 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 7BC0612872C; Fri, 11 Jan 2019 00:05:23 -0800 (PST)
Received: from (unknown [xx.xx.xx.64]) by (ESMTP service) with ESMTP id 43bb5F4rn2z11Bq; Fri, 11 Jan 2019 09:05:21 +0100 (CET)
Received: from Exchangemail-eme2.itn.ftgroup (unknown [xx.xx.31.60]) by (ESMTP service) with ESMTP id 43bb5F39W6zDq7k; Fri, 11 Jan 2019 09:05:21 +0100 (CET)
Received: from OPEXCLILMA3.corporate.adroot.infra.ftgroup ([fe80::60a9:abc3:86e6:2541]) by OPEXCLILM7F.corporate.adroot.infra.ftgroup ([fe80::c1d7:e278:e357:11ad%19]) with mapi id 14.03.0415.000; Fri, 11 Jan 2019 09:05:21 +0100
From: <>
To: Alissa Cooper <>
CC: "" <>, Sheng Jiang <>, "" <>, "" <>, "" <>, The IESG <>
Thread-Topic: Alissa Cooper's Discuss on draft-ietf-softwire-yang-14: (with DISCUSS and COMMENT)
Thread-Index: AQHUp531nyQbZoe6gEijOUpzA5LYPKWptaPg
Date: Fri, 11 Jan 2019 08:05:20 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B93302E0648A6@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
References: <>
In-Reply-To: <>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Subject: Re: [Softwires] Alissa Cooper's Discuss on draft-ietf-softwire-yang-14: (with DISCUSS and COMMENT)
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: softwires wg discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 11 Jan 2019 08:05:26 -0000

Hi Alissa, 

Please see inline. 


> -----Message d'origine-----
> De : Alissa Cooper []
> Envoyé : mardi 8 janvier 2019 23:03
> À : The IESG
> Cc :; Sheng Jiang; softwire-
> Objet : Alissa Cooper's Discuss on draft-ietf-softwire-yang-14: (with DISCUSS
> and COMMENT)
> Alissa Cooper has entered the following ballot position for
> draft-ietf-softwire-yang-14: Discuss
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> Please refer to
> for more information about IESG DISCUSS and COMMENT positions.
> The document, along with other ballot positions, can be found here:
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> The security considerations do not seem to follow the YANG security
> guidelines
> <>. They do not
> list the specific writeable and readable subtrees/nodes and why they are
> sensitive. The fact that all the writeable nodes could "negatively affect
> network operations" seems trivially true for most writeable YANG module
> nodes.
> In the case of these modules, there seem to be multiple different threats
> relevant to different nodes, including exposure of data about individual
> users/customers, potential for disruption of the operations of the BR or CE,
> etc.

[Med] This is fair. We can elaborate as follows: 

   All data nodes defined in the YANG modules which can be created,
   modified, and deleted (i.e., config true, which is the default) are
   considered sensitive.  Write operations (e.g., edit-config) applied
   to these data nodes without proper protection can negatively affect
   network operations.  An attacker who is able to access the BR can
   undertake various attacks, such as:

   o  Setting the value of 'br-ipv6-addr' on the CE to point to an
      illegitimate BR so that it can intercept all the traffic sent by a
      CE.  Illegitimately intercepting users' traffic is an attack with
      severe implications on privacy.

   o  Setting the MTU to a low value, which may increase the number of
      fragments ('softwire-payload-mtu').

   o  Disabling hairpinning (i.e., setting 'enable-hairpinning' to 'false')
      to prevent communications between CEs.

   o  Setting 'softwire-num-max' to an arbitrary high value, which may
      be exploited by a misbehaving user to perform a DoS on the binding
      BR by mounting a massive number of softwires.

   o  Setting 'icmpv4-rate' or 'icmpv6-rate' to a low value, which may
      lead to the deactivation of ICMP messages handling.

   o  Accessing to privacy data maintained by the BR (e.g., the binding
      table or the algorithm configuration).  Such data can be misused
      to track the activity of a host.

   o  Instructing the BR to install entries which in turn will induce a
      DDoS attack by means of the notifications generated by the BR.
      This DDoS can be softened by defining a notification interval, but
      given that this interval parameter can be disabled or set to a low
      value by the misbehaving entity, the same problem will be

> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> I think "external party" would make more sense than "abuse party."

[Med] This information is not revealed to every "external" party but only under some regulatory restrictions when an abuse is reported (check Section 13.1 of RFC6269). 

I changed the text to "a party victim of an abuse". Hope this is better.