Last Call Review of draft-ietf-pals-ple-09
review-ietf-pals-ple-09-secdir-lc-huitema-2024-10-19-00
review-ietf-pals-ple-09-secdir-lc-huitema-2024-10-19-00
Draft 09 addresses many of the issues noted in my review of draft 08, but I am a bit puzzled by some additions in the security section, such as: Misconnection detection using the SSRC of the RTP header can increase the resilience to misconfiguration and some types of denial-of- service (DoS) attacks. Yes, that's probably true, but the description of how this will work in section 5.2.2 is pretty minimal. In the threat model, we may distinguish on path attackers, who can examine the traffic, and off path attackers, who may only try to inject spoofed packets. The offpath attackers will have to guess the value of the 32 bit SSRC, and will be reduced to guessing. The success of failure of this guessing depends a lot on how the SSRC is set. If the sender uses randomly allocated values, the guessing is hard. But if the sender uses a fixed value (e.g., 0), or sequentially allocated values (e.g., 0, 1, 2, ..), then the guessing is not so hard. I would feel better if 5.2.2 explained a bit how the SSRC is generated, and what to do if a received value does not match the previous ones. Another good addition to the security consideration is the paragraph stating that "One of the requirements for protecting the data plane is that the PLE packets be accepted only from valid interfaces." My only doubt is that "interface" is a bit ambiguous in the case of IPv6 routing -- physical interface or source IP address? Are you assuming that all routers in the AS are implementing BCP 38?