Last Call Review of draft-ietf-pals-mpls-tp-pw-over-bidir-lsp-08
review-ietf-pals-mpls-tp-pw-over-bidir-lsp-08-secdir-lc-huitema-2016-06-30-00
| Request | Review of | draft-ietf-pals-mpls-tp-pw-over-bidir-lsp |
|---|---|---|
| Requested revision | No specific revision (document currently at 09) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2016-07-04 | |
| Requested | 2016-06-23 | |
| Authors | Mach Chen , Wei Cao , Attila Takacs , Ping Pan | |
| I-D last updated | 2016-06-30 | |
| Completed reviews |
Genart Telechat review of -08
by Roni Even
(diff)
Secdir Last Call review of -08 by Christian Huitema (diff) Opsdir Last Call review of -06 by Sarah Banks (diff) Rtgdir Early review of -06 by Daniele Ceccarelli (diff) |
|
| Assignment | Reviewer | Christian Huitema |
| State | Completed | |
| Request | Last Call review on draft-ietf-pals-mpls-tp-pw-over-bidir-lsp by Security Area Directorate Assigned | |
| Reviewed revision | 08 (document currently at 09) | |
| Result | Has nits | |
| Completed | 2016-06-30 |
review-ietf-pals-mpls-tp-pw-over-bidir-lsp-08-secdir-lc-huitema-2016-06-30-00
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The document is ready with 2 nits. The document specifies an extension to the Label Distribution Protocol (LDP, RFC 5036) to provide bindings between Pseudo Wires (PW) and Label Switch Paths (LSP) established over MPLS-TP (RFC6773). The goal is to ensure that both directions of the PW are mapped to the same LSP, and thus avoid asymmetric routing. The document specifies additional LDP extensions to carry the required information. The security section acknowledges one concern: that attackers could misuse the option to force a pseudo wire through an unnatural path, either as a denial of service attack, or to facilitate traffic interception. The proposed mitigation to that attack is essentially "careful Implementation", i.e. only accept binding requests where the LSP endpoints match the PW endpoints. Should a mismatch occur, I assume that the endpoint will reject the proposed binding, as specified in section 5, PSN Binding Operation for MS-PW. And here is one nit: I would like to see the verification behavior specified as part of the binding operations, rather than merely mentioned in the security section. Also, is there a specific error case for the security failure, or just the generic error message? The next nit is tied to the general security profile of LDP, which is specified to use TCP(MD5). There is no expectation of privacy for LDP data. I am not sure that the new extensions increase the "privacy surface" of LDP. They do carry global identifiers of source and destination, and inform about the path of packets between these destinations, and it seems that adversaries could use that for monitoring and targeting purposes. But it is possible that the information is already present in LDP. A note to that effect in the security section would have been nice. -- Christian Huitema