Re: [Last-Call] Secdir last call review of draft-ietf-bier-oam-requirements-12

Hi Barry,
thank you for your comments and suggestions. I agree that even though this document lists requirements for BIER OAM, the Security Considerations section should be more useful to a reader. Below is the proposed update:
OLD TEXT:
   This document lists the OAM requirement for a BIER-enabled domain and
   does not raise any security concerns or issues in addition to ones
   common to networking.
NEW TEXT:
   This document lists the OAM requirement for a BIER-enabled domain and
   thus inherits security considerations discussed in [RFC8279] and
   [RFC8296].  Another general security aspect results from using active
   OAM protocols, according to the [RFC7799], in a multicast network.
   Active OAM protocols inject specially constructed test packets, and
   some active OAM protocols are based on the echo request/reply
   principle.  In the multicast network, test packets are replicated as
   data packets, thus creating a possible amplification effect of
   multiple echo responses being transmitted to the sender of the echo
   request.  Thus, an implementation of BIER OAM MUST protect the
   control plane from spoofed replies.  Also, an implementation of BIER
   OAM MUST provide control of the number of BIER OAM messages sent to
   the control plane.

What are your thoughts about the new text? I greatly appreciate your comments, suggestions, and questions.

Regards,
Greg

On Wed, Aug 9, 2023 at 12:09 PM Barry Leiba via Datatracker <noreply@xxxxxxxx> wrote:
Reviewer: Barry Leiba
Review result: Has Issues

The only comment I have from a security standpoint is that the Security
Considerations seem basically absent, saying no more than "Nothing to see
here."  That's common and easy to say, but I expected some explanation of how
the requirements specified in the document are needed to ensure a robust and
secure BIER system.  I wouldn't expect pages of text, but I'm surprised to see
nothing at all.  Is it really the case that an OAM system for BIER would do
nothing to enhance security, nothing to alert us to BIER-specific attacks?


-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call
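Added example, not part of the draft or of either message above: the two MUSTs in the proposed text (protecting the control plane from spoofed echo replies, and bounding the number of OAM messages that reach the control plane) sketched as a small Python model. The message fields (seq, nonce, bitstring, responder_bfr_id), the 8-byte nonce, the token-bucket parameters and the data-plane stand-in `bfer_replies` are assumptions for illustration; this is not the BIER OAM wire format. The amplification the text describes falls out of the model: one echo request over a BitString with k bits set yields k replies.

```python
"""Illustrative model of the control-plane protections called for in the
proposed Security Considerations text. Fields and parameters are assumed;
nothing here is a BIER OAM wire format."""
import os
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class EchoRequest:
    seq: int
    nonce: bytes      # assumed: 8 random bytes an off-path attacker cannot guess
    bitstring: int    # assumed: bit i set => BFER with BFR-id i+1 is a target


@dataclass(frozen=True)
class EchoReply:
    seq: int
    nonce: bytes
    responder_bfr_id: int


class TokenBucket:
    """Caps the rate of OAM messages handed to the control plane (CoPP-style)."""

    def __init__(self, rate_per_s: float, burst: int, now=time.monotonic):
        self.rate, self.capacity, self.now = rate_per_s, burst, now
        self.tokens, self.last = float(burst), now()

    def allow(self) -> bool:
        t = self.now()
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class OamSender:
    """Originates echo requests and accepts only replies it can correlate."""

    def __init__(self, limiter: TokenBucket):
        self.limiter = limiter
        self.outstanding = {}          # seq -> (nonce, expected BFR-ids, seen BFR-ids)
        self.seq = 0
        self.dropped_spoofed = 0
        self.dropped_rate = 0

    def send(self, bitstring: int) -> EchoRequest:
        self.seq += 1
        nonce = os.urandom(8)
        expected = {i + 1 for i in range(bitstring.bit_length()) if bitstring >> i & 1}
        self.outstanding[self.seq] = (nonce, expected, set())
        return EchoRequest(self.seq, nonce, bitstring)

    def receive(self, reply: EchoReply) -> bool:
        # Rate limit first: the punt path must be bounded before any parsing.
        if not self.limiter.allow():
            self.dropped_rate += 1
            return False
        entry = self.outstanding.get(reply.seq)
        # Unknown seq, wrong nonce, unexpected responder or duplicate => spoofed/stale.
        if (entry is None or reply.nonce != entry[0]
                or reply.responder_bfr_id not in entry[1]
                or reply.responder_bfr_id in entry[2]):
            self.dropped_spoofed += 1
            return False
        entry[2].add(reply.responder_bfr_id)
        return True


def bfer_replies(req: EchoRequest, bfr_ids) -> list:
    """Constructed data-plane behaviour: every BFER whose bit is set answers once."""
    return [EchoReply(req.seq, req.nonce, b) for b in bfr_ids if req.bitstring >> (b - 1) & 1]


def simulate() -> dict:
    """Deterministic run with a fake clock; returns counters for inspection."""
    clock = [0.0]
    sender = OamSender(TokenBucket(rate_per_s=10, burst=5, now=lambda: clock[0]))

    req = sender.send(bitstring=0b1011)            # targets BFR-ids 1, 2 and 4
    replies = bfer_replies(req, range(1, 9))       # one request -> three replies
    accepted = sum(sender.receive(r) for r in replies)

    spoof = EchoReply(req.seq, b"\x00" * 8, 1)     # right seq, guessed nonce
    accepted += sender.receive(spoof)

    flood_req = sender.send(bitstring=0b11111111)  # eight targets, one token left
    accepted += sum(sender.receive(r) for r in bfer_replies(flood_req, range(1, 9)))

    return {
        "replies_per_request": len(replies),
        "accepted": accepted,
        "dropped_spoofed": sender.dropped_spoofed,
        "dropped_rate": sender.dropped_rate,
    }


if __name__ == "__main__":
    print(simulate())
```

The order in `receive` matters: the bucket is charged before the reply is looked at, because the point of the second MUST is that the control plane never sees more than a bounded number of messages, spoofed or not. Correlation on a per-request random nonce (rather than on sequence number alone) is what makes the first MUST hold against an off-path sender.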
