Last Call Review of draft-ietf-roll-admin-local-policy-02
review-ietf-roll-admin-local-policy-02-secdir-lc-hanna-2015-01-02-00
| Request | Review of | draft-ietf-roll-admin-local-policy |
|---|---|---|
| Requested revision | No specific revision (document currently at 03) | |
| Type | Last Call Review | |
| Team | Security Area Directorate (secdir) | |
| Deadline | 2014-12-24 | |
| Requested | 2014-12-11 | |
| Authors | Peter Van der Stok , Robert Cragie | |
| I-D last updated | 2015-01-02 | |
| Completed reviews |
Secdir Last Call review of -02
by Steve Hanna
(diff)
Opsdir Last Call review of -02 by Scott O. Bradner (diff) |
|
| Assignment | Reviewer | Steve Hanna |
| State | Completed | |
| Request | Last Call review on draft-ietf-roll-admin-local-policy by Security Area Directorate Assigned | |
| Reviewed revision | 02 (document currently at 03) | |
| Result | Not ready | |
| Completed | 2015-01-02 |
review-ietf-roll-admin-local-policy-02-secdir-lc-hanna-2015-01-02-00
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document describes a technique for automatically managing the boundaries of the admin-local multicast scope in a border router, using MPL (Multicast Protocol for Low power and Lossy Networks). In my view, this document is Not Ready. The document is hard to understand. For example, the acronyms MPL and MPL4 are used throughout the document but they are not defined. After reading the document several times, I have concluded that section 3.2 contains the most important part of the document: an algorithm for automatically defining the boundaries of the admin-local multicast scope using MPL. This section basically says that a border router should periodically send an MPL message on all interfaces to the ALL_MPL_FORWARDERS multicast address with admin-local scope. It should also listen for such messages on all interfaces. If it receives such a message, that interface should be marked as part of the admin-local scope. This algorithm seems problematic from a security standpoint. Because any device on a network can send an MPL message to the ALL_MPL_FORWARDERS multicast address with admin-local scope, the boundaries of the admin-local multicast scope can be expanded by attackers fairly easily. Such manipulation may permit nodes that should be outside a particular administrative domain to join that domain and participate in receiving and sending multicast traffic within that domain. The implications of such an attack are not clear to me because I am not familiar with the protocols and devices that use admin-local multicast scope. However, it seems likely that expanding the admin-local multicast scope will permit external attackers to more easily monitor multicast traffic that should be private and to inject multicast messages into a relatively trusted domain. In addition to this fundamental concern, I have a few minor concerns about the readability of the document. However, I seem to have mislaid my notes during the holidays. Because this review is already late and I’m on vacation, I will send the review now and follow up with the minor concerns at a later date if I can find them when I return to the office. Thanks, Steve Attachment: smime.p7s Description: S/MIME cryptographic signature