I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.
This document presented an interesting challenge for a security review
in that it is building on several other referenced RFCs [1], each of
which has its own set of references and security considerations
section. Also, the .10 version of the ID was posted on 19 Apr and
the security ADs recently posted some comments for discussion.
I have not previously had the opportunity (or need) to examine the
fairly large set of documents that this ID builds upon and could be
missing (or misunderstanding) some important aspects. I tried to do
the review as someone who wanted to "do the right security thing" when
implementing or deploying this capability. Given these caveats,
the following are my comments on the document:
- Resolution of Tim's 'Discuss (2010-04-19)' comment should provide
additional information in this document. However, it's not clear to
me that the security considerations section of this document and
RFC5440 and RFC5671 (individually or jointly) provide what the PCE
Architecture document [RFC4655] says will be expected for each PCE
solution.
-- Although the need for Applicability statements to detail security
related issues and techniques is stated in 4655, the word
'Applicability' is not in 5440 and is only in the title and
abstract of 5671. The 5671 applicability examination is related to
"the applicability of PCE to path computation for P2MP TE LSPs in
MPLS and GMPLS networks." but does not provide security related
applicability specifics as expected in 4655.
--- Although this may seem like "spec legalism", I think this lack of
specification will likely have direct impacts on implementations
and will result in a lack of interoperability between
implementations (except for TCP-AO (or TCP-MD5)).
--- This may be my lack of background in this area, but 4655 has a
number of statements that there are different security concerns
when the PCE architecture is used in an intra-domain case vs.
inter-domain (or multi-domain) cases. I was not able to find
enough guidance in this document (or 5440 or 5671) that would
identify what information elements would be more (or less?)
sensitive in inter-domain or multi-domain use cases. Neither was
there any useful guidance on what different security techniques
should be applied in these different cases/environments.
---- This is further complicated in that RFC5440 enumerates several
security vulnerabilities but only identifies TCP-MD5 as a MUST be
implemented. Other security techniques are described but it's
unclear when (or if) these should be used. Without any other
MUST implement requirements or use case recommendations, it's
unclear whether or not any of the other mechanisms will be
implemented.
--- RFC4875 Security Considerations requires that the ingress LSR of a
P2MP TE LSP the leaves for the P2MP LSP for use in multi-vendor
deployments. Although it's not clear that this document needs to
provide this requirement, I wanted to flag the requirement in case
it had been overlooked.
Russ
[1] nice technology list by Sandy Murphy in an earlier email to the
secdir & iesg lists