draft-ietf-lisp-sec-25.txt Document Write-up
As required by RFC 4858, this is the current template for the Document Shepherd
Write-Up.
(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)? Why is
this the proper type of RFC? Is this type of RFC indicated in the
title page header?
This document is targeting publication as Proposed Standard.
The document introduces security features, for the LISP main
specification, which are mandatory to implement when LISP is
deployed in an open environment like the Internet.
Because the documents with the main LISP specification are
published as Proposed Standard, this document of the same type.
The RFC type is clearly marked in the title page header.
(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:
Technical Summary:
This document describes a security mechanism aiming at
providing origin authentication, integrity and anti-replay protection
to LISP map lookup process. In addition, it provides protection against
prefix over-claiming attacks, ensuring that the sender of a
Map-Reply providing the mapping for a certain EID-prefix is
entitled to do so according to what is registered in the
associated Map-Server. The whole mechanism is based on
One-Time-Keys (OTK) used to compute Keyed-Hashing Message
Authentication (HMAC). The mechanism is mandatory to implement in public
deployments of LISP.
Working Group Summary:
The document has been around since 2011, and has been discussed
several times. From the beginning, there was strong support, because
the WG felt that the having a mechanism to protect the map lookup
process was really important in order to make possible have public
deployments that cannot be easily attacked.
The support of the document has been always present, while the
document evolved. The discussion in the WG mainly focused
on clearly identify what the proposed mechanism protect or which level
of security it provides.
The version of the document that was approved during WG Last
Call is -12. The document went through the usual IETF process and was
even scheduled to be discussed in the IESG telechat. However, at that
time the document was "experimental". At the same time, there where the
new LISP specification documents that were advancing as Proposed
Standard. The security review of these new documents concluded that LISP
public deployments, like in the Internet, MUST implement LISP-SEC.
So the document was sent back in order to put it in the standard track
and make sure that it is consistent with the new specifications. This
work has been done and generated a few revisions due to the security
review. Early this year (2021), publication has been requested for the
main LISP specifications and this document will complete the set of
specifications.
Document Quality:
Are there existing implementations of the protocol? Have a significant
number of vendors indicated their plan to implement the specification?
Are there any reviewers that merit special mention as having done a
thorough review, e.g., one that resulted in important changes or a
conclusion that the document had no substantive issues? If there was a
MIB Doctor, Media Type or other expert review, what was its course
(briefly)? In the case of a Media Type review, on what date was the
request posted?
There is a strong interest in LISP-SEC especially by potential
LISP adopters because protecting the map lookup process is key to
have a robust system where mapping information cannot be tempered.
Even further, LISP-SEC is mandatory to implement in public LISP
deployments.
Personnel:
Who is the Document Shepherd?
Luigi Iannone <ggx@gigix.net>
Who is the Responsible Area Director?
Alvaro Retana <aretana.ietf@gmail.com>
(3) Briefly describe the review of this document that was performed by
the Document Shepherd. If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.
I reviewed carefully revision -23 of the document. I had few editorial
issues that have been fixed in the follow-up revisions by the authors.
The text is sufficiently clear and understandable. Back when LISP-SEC
past WG Last Call, I have checked the mailinglist and meeting minutes
and publication WG consensus has been reached appropriately. During the
revision work up to the latest version fo the document the WG has been
updated regularly on the advances. No discontent or objection to the
modification has been ever shown.
I checked the ID nits (output provided on point 11)
and everything is clear with the exception of a warning due to
the notation used in the document which the idnits tools mistakenly
considers being a citation.
(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?
As the document shepherd I have no concerns.
(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.
I do not think that a additional specific review is needed (other than
the usual ones).
(6) Describe any specific concerns or issues that the Document
Shepherd has with this document that the Responsible Area Director
and/or the IESG should be aware of? For example, perhaps he or she is
uncomfortable with certain parts of the document, or has concerns
whether there really is a need for it. In any event, if the WG has
discussed those issues and has indicated that it still wishes to
advance the document, detail those concerns here.
I have no specific concerns or issues to point out.
(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP
78 and BCP 79 have already been filed. If not, explain why?
All authors have made conforming IPR disclosure.
(8) Has an IPR disclosure been filed that references this document? If
so, summarize any WG discussion and conclusion regarding the IPR
disclosures.
No IPR disclosures have been filed.
(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it?
There has been clear strong consensus behind this document,
showing that the WG as a whole understands and agree with it.
(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarise the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)
Nobody did show discontent nor threatened an appeal.
(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the
Internet-Drafts Checklist). Boilerplate checks are not enough; this
check needs to be thorough.
idnits 2.17.00 (12 Aug 2021)
/tmp/idnits14237/draft-ietf-lisp-sec-25.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
No issues found here.
Miscellaneous warnings:
----------------------------------------------------------------------------
-- The document date (8 December 2021) is 6 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Missing Reference: 'Key ID' is mentioned on line 620, but not defined
Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.
No formal review is required.
(13) Have all references within this document been identified as
either normative or informative?
Only normative references are present. They are clearly
identified as such.
(14) Are there normative references to documents that are not ready
for advancement or are otherwise in an unclear state? If such
normative references exist, what is the plan for their completion?
There are no normative references in unclear state.
(15) Are there downward normative references references (see RFC
3967)? If so, list these downward references to support the Area
Director in the Last Call procedure.
There are no downward normative references.
(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are
not listed in the Abstract and Introduction, explain why, and point to
the part of the document where the relationship of this document to
the other RFCs is discussed. If this information is not in the
document, explain why the WG considers it unnecessary.
No existing RFC's status will change due to the publication
of this document.
(17) Describe the Document Shepherd's review of the IANA
considerations section, especially with regard to its consistency with
the body of the document. Confirm that all protocol extensions that
the document makes are associated with the appropriate reservations in
IANA registries. Confirm that any referenced IANA registries have been
clearly identified. Confirm that newly created IANA registries include
a detailed specification of the initial contents for the registry,
that allocations procedures for future registrations are defined, and
a reasonable name for the new registry has been suggested (see RFC
5226).
This document instruct IANA to create five different registries,
namely:
- ECM AD Type Registry, with values ranging from 0 to 255.
- Map-Reply AD Type Registry, with values ranging from 0 to 255.
- HMAC Functions, with values ranging from 0 to 65535.
- Key Wrap Functions, with values ranging from 0 to 65535.
- Key Derivation Functions, with values ranging from 0 to 65535.
Initial content for all of the above registries is well identified and
future allocations is requested to be assigned according to the
"Specification Required" policy defined in RFC5226.
(18) List any new IANA registries that require Expert Review for
future allocations. Provide any public guidance that the IESG would
find useful in selecting the IANA Experts for these new registries.
No expert review is required.
(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.
The document does not contain anything written in a formal
language, hence, no validation and/or check has been
performed.