Hi Barry,
thank you for your kind consideration of the proposed update. I've uploaded the new version.
Regards,
Greg
On Wed, Aug 9, 2023 at 7:28 PM Barry Leiba <barryleiba@xxxxxxxxxxxx> wrote:
Thanks, Greg, for considering my comments; the text you propose is useful. I can’t attest to its completeness, as routing and OAM aren’t my expertise. But it makes it clear that thought was put into this.BarryOn Wed, Aug 9, 2023 at 6:50 PM Greg Mirsky <gregimirsky@xxxxxxxxx> wrote:Hi Barry,thank you for your comments and suggestions. I agree that even though this document lists requirements for BIER OAM, the Security Consideration section should be more useful to a reader. Below is the proposed update:OLD TEXT:This document lists the OAM requirement for a BIER-enabled domain anddoes not raise any security concerns or issues in addition to onescommon to networking.NEW TEXT:This document lists the OAM requirement for a BIER-enabled domain andthus inherits security considerations discussed in [RFC8279] and[RFC8296]. Another general security aspect results from using activeOAM protocols, according to the [RFC7799], in a multicast network.Active OAM protocols inject specially constructed test packets, andsome active OAM protocols are based on the echo request/replyprinciple. In the multicast network, test packets are replicated asdata packets, thus creating a possible amplification effect ofmultiple echo responses being transmitted to the sender of the echorequest. Thus, an implementation of BIER OAM MUST protect thecontrol plane from spoofed replies. Also, an implementation of BIEROAM MUST provide control of the number of BIER OAM messages sent tothe control plane.What are your thoughts about the new text? I greatly appreciate your comments, suggestions, and questions.Regards,GregOn Wed, Aug 9, 2023 at 12:09 PM Barry Leiba via Datatracker <noreply@xxxxxxxx> wrote:Reviewer: Barry Leiba
Review result: Has Issues
The only comment I have from a security standpoint is that the Security
Considerations seem basically absent, saying no more than "Nothing to see
here." That's common and easy to say, but I expected some explanation of how
the requirements specified in the document are needed to ensure a robust and
secure BIER system. I wouldn't expect pages of text, but I'm surprised to see
nothing at all. Is it really the case that an OAM system for BIER would do
nothing to enhance security, nothing to alert us to BIER-specific attacks?
-- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call