Telechat Review of draft-ietf-bier-mpls-encapsulation-09
review-ietf-bier-mpls-encapsulation-09-secdir-telechat-atkins-2017-10-19-00

Request Review of draft-ietf-bier-mpls-encapsulation
Requested rev. no specific revision (document currently at 12)
Type Telechat Review
Team Security Area Directorate (secdir)
Deadline 2017-10-24
Requested 2017-09-26
Other Reviews Genart Telechat review of -09 by Peter Yee (diff)
Opsdir Last Call review of -10 by Al Morton (diff)
Genart Telechat review of -10 by Peter Yee (diff)
Review State Completed
Reviewer Derek Atkins
Review review-ietf-bier-mpls-encapsulation-09-secdir-telechat-atkins-2017-10-19
Posted at https://mailarchive.ietf.org/arch/msg/secdir/w8qqQtzlEi00uToUGT0N8XVuHkI
Reviewed rev. 09 (document currently at 12)
Review result Ready
Draft last updated 2017-10-19
Review completed: 2017-10-19

Review
review-ietf-bier-mpls-encapsulation-09-secdir-telechat-atkins-2017-10-19

Hi,

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written with the intent of improving
security requirements and considerations in IETF drafts.  Comments
not addressed in last call may be included in AD reviews during the
IESG review.  Document editors and WG chairs should treat these
comments just like any other last call comments.

Summary:

Ready to publish.

Details:

Obviously the security of this solution is based on the full trust of
the complete end-to-end BIER network.  There is no cryptography to
ensure that a packet is not manipulated enroute which would change the
bit-fields.  The good news is that it's probably hard to inject a
BIER-headed packet into the network from the outside (once it hits an
external router it would be re-encapsulated).  On the other hand there
is nothing to stop a bad-actor internal router from creating a bogus
BIER header or modifying an existing BIER header.  I suspect this is
already handled in the MPLS and IGP Security Considerations, but I
wanted to ensure that the IESG was aware of this restriction (which is
not explicitly stated here).

-derek
-- 
       Derek Atkins                 617-623-3745
       derek@ihtfp.com             www.ihtfp.com
       Computer and Internet Security Consultant