Re: [Last-Call] secdir review of draft-ietf-6man-spring-srv6-oam

Hi Dan,

Many thanks for your comments. Greatly appreciated!

As part of additional comments received during the LC, we were in the process of updating the draft, including the security section.

We just posted rev 10, https://datatracker.ietf.org/doc/html/draft-ietf-6man-spring-srv6-oam-10

The security section has been updated.

Can you please review the updated security section and advise of your comments?

Thanks

Regards … Zafar

 

From: Dan Harkins <dharkins@xxxxxxxxxx>
Date: Thursday, April 8, 2021 at 5:53 PM
To: "last-call@xxxxxxxx" <last-call@xxxxxxxx>
Cc: "secdir@xxxxxxxx" <secdir@xxxxxxxx>, "draft-ietf-6man-spring-srv6-oam.all@xxxxxxxx" <draft-ietf-6man-spring-srv6-oam.all@xxxxxxxx>
Subject: secdir review of draft-ietf-6man-spring-srv6-oam
Resent-From: <alias-bounces@xxxxxxxx>
Resent-To: <zali@xxxxxxxxx>, <cfilsfil@xxxxxxxxx>, <satoru.matsushima@xxxxxxxxxxxxxxxx>, <daniel.voyer@xxxxxxx>, <mach.chen@xxxxxxxxxx>, <otroan@xxxxxxxxxxxxx>, <bob.hinden@xxxxxxxxx>, <ek.ietf@xxxxxxxxx>, <evyncke@xxxxxxxxx>, "ot@xxxxxxxxx" <ot@xxxxxxxxx>, "ot@xxxxxxxxx" <ot@xxxxxxxxx>
Resent-Date: Thursday, April 8, 2021 at 5:53 PM


  Hello,

  First of all, my apologies for the tardiness of this review....

  I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is (almost) Ready With Issues.

  This draft defines a flag in the Segment Routing Header that when
set will result in a copy of the packet being made and forwarded for
"telemetry data collection and export." That has tremendous security
and privacy implications that are not mentioned at all in the Security
Considerations. The Security Considerations just say that there's
nothing here beyond those described in <list of other RFCs>. I don't
think that's the case.

  Maybe I'm completely missing something but this sounds to me like
it enables what we used to call "service spy mode" on a router-- take
a flow and fork a copy off to someone else. I think there needs to be
a lot more discussion of the implications of this.

  Again, sorry for the tardiness of this review.

  regards,

  Dan.

--
"The object of life is not to be on the side of the majority, but to
escape finding oneself in the ranks of the insane." -- Marcus Aurelius
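As an added illustration of the mechanism discussed in the review (example code, not from the draft or its authors): a small Python parser that walks an IPv6 packet to its Segment Routing Header (RFC 8754 layout) and reports whether the OAM copy-for-telemetry flag is set, plus a boundary-side helper that clears it on packets arriving from outside the SR domain. Assumed: the flag sits at bit position 2 of the 8-bit SRH Flags field (mask 0x20); the sample packet and its addresses are constructed.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40
NH_ROUTING = 43          # IPv6 Routing extension header
SRH_ROUTING_TYPE = 4     # Segment Routing Header (RFC 8754)
O_FLAG_MASK = 0x20       # assumed: OAM flag at bit position 2 of the SRH Flags field

def parse_srh(pkt: bytes):
    """Locate the SRH in an IPv6 packet; return (offset, flags, segments_left, segments) or None."""
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return None
    nh, off = pkt[6], IPV6_HDR_LEN
    # Walk Hop-by-Hop (0) and Destination Options (60) headers until the Routing header.
    while nh != NH_ROUTING:
        if nh not in (0, 60) or off + 8 > len(pkt):
            return None
        nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if off + 8 > len(pkt) or pkt[off + 2] != SRH_ROUTING_TYPE:
        return None
    hdr_ext_len, segments_left, last_entry, flags = pkt[off + 1], pkt[off + 3], pkt[off + 4], pkt[off + 5]
    if off + (hdr_ext_len + 1) * 8 > len(pkt) or (last_entry + 1) * 16 > hdr_ext_len * 8:
        return None  # truncated or inconsistent header: treat as unparseable
    seg_list = pkt[off + 8:off + 8 + (last_entry + 1) * 16]
    segments = [ipaddress.IPv6Address(seg_list[i:i + 16]) for i in range(0, len(seg_list), 16)]
    return off, flags, segments_left, segments

def oam_flag_set(pkt: bytes) -> bool:
    """True when the packet carries an SRH with the OAM (copy-for-telemetry) flag set."""
    srh = parse_srh(pkt)
    return srh is not None and bool(srh[1] & O_FLAG_MASK)

def clear_oam_flag(pkt: bytes) -> bytes:
    """Boundary mitigation (assumed policy): strip the flag from packets entering the SR domain."""
    srh = parse_srh(pkt)
    if srh is None:
        return pkt
    out = bytearray(pkt)
    out[srh[0] + 5] &= 0xFF & ~O_FLAG_MASK
    return bytes(out)

def build_sample(flags: int) -> bytes:
    """Constructed sample: IPv6 + SRH with two segments and no payload (documentation addresses)."""
    segs = [ipaddress.IPv6Address("2001:db8::a1").packed, ipaddress.IPv6Address("2001:db8::a2").packed]
    # Segment list is stored in reverse order; Hdr Ext Len counts 8-octet units after the first 8 octets.
    srh = bytes([59, len(segs) * 2, SRH_ROUTING_TYPE, 1, len(segs) - 1, flags, 0, 0]) + b"".join(reversed(segs))
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(srh), NH_ROUTING, 64,
                      ipaddress.IPv6Address("2001:db8::1").packed, segs[0])
    return ip6 + srh
```

Run over mirrored or captured traffic at an ingress interface, `oam_flag_set` gives a count of how often the copy flag arrives from outside the domain, which is the signal a defender would want before deciding whether to clear it.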

 

 

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
