Last Call Review of draft-ietf-detnet-mpls-oam-13
review-ietf-detnet-mpls-oam-13-secdir-lc-orman-2023-12-23-00
| Request | Review of draft-ietf-detnet-mpls-oam |
|---|---|
| Requested revision | No specific revision (document currently at 15) |
| Type | Last Call Review |
| Team | Security Area Directorate (secdir) |
| Deadline | 2023-12-19 |
| Requested | 2023-12-05 |
| Authors | Greg Mirsky, Mach Chen, Balazs Varga |
| I-D last updated | 2023-12-23 |
| Completed reviews | Genart Last Call review of -13 by Russ Housley; Secdir Last Call review of -13 by Hilarie Orman; Rtgdir Early review of -09 by Jonathan Hardwick |
| Assignment | Reviewer: Hilarie Orman |
| State | Completed |
| Request | Last Call review on draft-ietf-detnet-mpls-oam by Security Area Directorate Assigned |
| Posted at | https://mailarchive.ietf.org/arch/msg/secdir/1dtc72MP4-uA6aW2_A6IZ5ziQjA |
| Reviewed revision | 13 (document currently at 15) |
| Result | Has nits |
| Completed | 2023-12-19 |
Security review of Operations, Administration and Maintenance (OAM) for Deterministic Networks (DetNet) with MPLS Data Plane, draft-ietf-detnet-mpls-oam-13

Do not be alarmed. I generated this review of this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving security requirements and considerations in IETF drafts. Comments not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments.

Deterministic networks are intended to address the requirements of real-time applications by reducing packet drops. This document defines format and usage principles of the DetNet service "Associated Channel" over a DetNet network with the MPLS data plane.

The security considerations note that RFC 9055 "Deterministic Networking (DetNet) Security Considerations" has a comprehensive discussion of issues. The OAM packets with an MPLS data plane do not seem to introduce any significant new considerations.

RFC 8655 "Deterministic Networking Architecture" notes that all QoS mechanisms have a generic privacy exposure because the markings may help an attacker correlate flows and thus target particular packets more effectively. The OAM packets for MPLS described in the document under consideration do seem to add headers that correlate to the underlying network flows, and these might be an attack surface that is new. This could be mentioned in the security (privacy) section.

Hilarie