Last Call Review of draft-ietf-pals-p2mp-pw-03
review-ietf-pals-p2mp-pw-03-secdir-lc-kivinen-2017-08-24-00

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes the mechanims to signal point-to-multipoint
pseudowires using LDP. The security considerations section simply
points to the RFC4447bis (i.e., RFC8077) saying that security
mechanisms described there are adequate.

On the other hand RFC8077, says that LDP MD5 authentication key option
as described in the section 2.9 of RFC5036 MUST be implemented. The
section 2.9 of RFC5036 describes TCP MD5 signature option for LDP.
This might have been adequate security for some protocol in 2007 (when
RFC5036 was published, altought MD5 was already then known to be
broken), but it IS NOT adequate security in 2017.

I understand that this document is not really the one supposed to
update the security option for the LDP, but there is
draft-ijln-mpls-rfc5036bis which is moving LDP to internet standard
still trying to keep the same broken MD5 based security in it. I think
this document should include note saying, that security of the RFC5036
is no longer adequate for any use because it uses broken security
protocol, but there is nothing better out there yet (or is there, I do
not know enough of the LDP to know that), and perhaps point to the
rfc5036bis also in hopes that it might some day fix the security of
the LDP.

I think this document (or whole PW and LDP system) has issues that
needs to be fixed before it can be published.
-- 
kivinen@iki.fi