Re: Secdir last call review of draft-ietf-lisp-sec-13

Hi Takeshi,
thanks for taking the time to review the document.

Please see below for comments. Unless you have objections we plan to publish an updated rev by Monday.

On 10/10/17 7:58 AM, Takeshi Takahashi wrote:
Reviewer: Takeshi Takahashi
Review result: Ready

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These comments
were written primarily for the benefit of the security area directors. Document
editors and WG chairs should treat these comments just like any other last call
comments.

I would say this document is ready with nits, but the nits are very minor.

[comments that require changes to the current draft]
1. I guess the authors mix up "reply" and "replay" in Section 6.6. "Reply
attacks" could be "Replay attacks".

fixed, thanks!

[comments that do not necessarily require changes to the current draft]
2. The security aspect of LISP is addressed not only in this draft but also in
RFC6830 and in RFC7835. If I understood correctly, LISP-SEC addressed a part of
the threats mentioned in RFC7835. Then, it would be nice if the authors could
clarify what types of further threats that are not mentioned in LISP-SEC still
exist by referring to RFC6830 and RFC7835.

Section 3 of LISP-SEC provides the cross references with the threat model of RFC 7835. LISP-SEC focuses particularly on the threats described in Sections 3.7 and 3.8 of RFC 7835, which describe attacks that "target EID-to-RLOC mappings, including manipulations of Map-Request and Map-Reply messages, and malicious ETR EID prefix overclaiming."

We should change the first sentence of section 3 to read:
"LISP-SEC addresses the control plane threats, described in *Section 3.7 and 3.8 of* [RFC7835], that target EID-to-RLOC mappings, including manipulations of Map-Request and Map-Reply messages, and malicious ETR EID prefix overclaiming."


3. DOS/DDoS was mentioned in the introduction section, but it was not discussed
in the later sections. It would be nice if the authors could address DoS/DDoS
issues as well.



Good point. We should add a Section 6.7 that reads:

"6.7 Denial of Service and Distributed Denial of Service Attacks

LISP-SEC mitigates the risks of Denial of Service and Distributed Denial of Service attacks by protecting the integrity and authenticating the origin of the Map-Request/Map-Reply messages, and by preventing malicious ETRs from overclaiming EID prefixes that could re-direct traffic directed to a potentially large number of hosts."


Thanks,

Fabio
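Added example (not part of the thread, the draft, or any LISP implementation): a small Python model of the properties the proposed Section 6.7 text and the Section 6.6 replay discussion rely on. It assumes a per-request one-time key (OTK) generated by the ITR, from which a Map-Server key and an ETR key are derived; the derivation labels, the message encoding, the registered-prefix table, and the sample EIDs/RLOCs are all constructed for illustration and are not the draft's actual key derivation or packet format. It shows an honest Map-Reply being accepted, an ETR overclaiming a larger EID prefix than the Map-Server authorized being rejected, a tampered RLOC set being rejected, and a captured reply replayed against a later Map-Request (fresh OTK) being rejected.

```python
"""Toy model of LISP-SEC style Map-Reply verification at the ITR.
Constructed example; key derivation and encodings are assumptions."""
import hashlib
import hmac
import ipaddress
import os


def derive_key(otk: bytes, label: bytes) -> bytes:
    """Hypothetical KDF standing in for the draft's key derivation."""
    return hmac.new(otk, label, hashlib.sha256).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def reply_body(eid_prefix: str, rlocs: list) -> bytes:
    # Assumed serialization of the authenticated part of a Map-Reply.
    return f"{eid_prefix}|{','.join(rlocs)}".encode()


def map_server_authorize(otk: bytes, requested_eid: str, registered: list):
    """Map-Server side: find the registered prefix covering the requested
    EID, bind it to this request under MS-OTK, and hand ETR-OTK to the ETR."""
    ms_otk = derive_key(otk, b"MS-OTK")
    etr_otk = derive_key(otk, b"ETR-OTK")
    eid = ipaddress.ip_address(requested_eid)
    authorized = next(p for p in registered if eid in p)
    ms_auth = {"eid_prefix": str(authorized)}
    ms_auth["mac"] = mac(ms_otk, ms_auth["eid_prefix"].encode())
    return ms_auth, etr_otk


def etr_map_reply(etr_otk: bytes, claimed_prefix: str, rlocs: list) -> dict:
    """ETR side: answer with the prefix it claims and the RLOCs for it."""
    return {"eid_prefix": claimed_prefix, "rlocs": rlocs,
            "mac": mac(etr_otk, reply_body(claimed_prefix, rlocs))}


def itr_verify(otk: bytes, ms_auth: dict, reply: dict):
    """ITR side: check Map-Server authorization, ETR authentication, and
    that the ETR did not claim more than the Map-Server authorized."""
    ms_otk = derive_key(otk, b"MS-OTK")
    etr_otk = derive_key(otk, b"ETR-OTK")
    expected_ms = mac(ms_otk, ms_auth["eid_prefix"].encode())
    if not hmac.compare_digest(ms_auth["mac"], expected_ms):
        return False, "map-server authorization failed"
    expected_etr = mac(etr_otk, reply_body(reply["eid_prefix"], reply["rlocs"]))
    if not hmac.compare_digest(reply["mac"], expected_etr):
        return False, "etr authentication failed"
    authorized = ipaddress.ip_network(ms_auth["eid_prefix"])
    claimed = ipaddress.ip_network(reply["eid_prefix"])
    # Overclaiming: the ETR's prefix must be equal to or more specific than
    # the prefix the Map-Server vouched for.
    if claimed.version != authorized.version or not claimed.subnet_of(authorized):
        return False, "eid prefix overclaim"
    return True, "ok"


def demo() -> dict:
    registered = [ipaddress.ip_network("10.1.0.0/16")]  # constructed registration
    rlocs = ["192.0.2.1"]                                # constructed RLOC
    otk = os.urandom(16)                                 # fresh per Map-Request
    ms_auth, etr_otk = map_server_authorize(otk, "10.1.2.3", registered)
    results = {}
    good = etr_map_reply(etr_otk, "10.1.0.0/16", rlocs)
    results["honest"] = itr_verify(otk, ms_auth, good)
    # ETR tries to claim a /8 it is not registered for.
    results["overclaim"] = itr_verify(
        otk, ms_auth, etr_map_reply(etr_otk, "10.0.0.0/8", rlocs))
    # On-path attacker swaps the RLOC set but cannot recompute the MAC.
    results["tampered"] = itr_verify(otk, ms_auth, dict(good, rlocs=["203.0.113.9"]))
    # Replay: the captured good reply is presented for a later Map-Request.
    otk2 = os.urandom(16)
    ms_auth2, _ = map_server_authorize(otk2, "10.1.2.3", registered)
    results["replayed"] = itr_verify(otk2, ms_auth2, good)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s} -> {outcome}")
```

The replay case is what ties this to Section 6.6: because the OTK is fresh for every Map-Request, a Map-Reply captured from one exchange carries a MAC under a key the ITR will never reuse, so it fails the ETR authentication step without any timestamp or nonce window.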
