Hello,

Thanks for the quick response. Inline.

On Wed, Sep 14, 2016 at 1:57 PM, Dhruv Dhody <[email protected]> wrote:
> Hi Kathleen,
>
> Thanks for your review.
> I am posting the updated security consideration text (same as in the reply to
> Stephen), see inline.
>
>> -----Original Message-----
>> From: Pce [mailto:[email protected]] On Behalf Of Kathleen Moriarty
>> Sent: 14 September 2016 22:27
>> To: The IESG <[email protected]>
>> Cc: [email protected]; [email protected]; [email protected]
>> Subject: [Pce] Kathleen Moriarty's No Objection on
>> draft-ietf-pce-pcep-service-aware-12: (with COMMENT)
>>
>> Kathleen Moriarty has entered the following ballot position for
>> draft-ietf-pce-pcep-service-aware-12: No Objection
>>
>> When responding, please keep the subject line intact and reply to all email
>> addresses included in the To and CC lines. (Feel free to cut this introductory
>> paragraph, however.)
>>
>> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>> for more information about IESG DISCUSS and COMMENT positions.
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-pce-pcep-service-aware/
>>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> The security sections of the referenced documents look very good. The one
>> thing I don't see mentioned is use of these metrics to perform network
>> reconnaissance to perform other attacks. I'm also interested to see the
>> responses to Stephen's questions.
>>
>> Thanks.
>
> [Dhruv] Updated security consideration section reads -
>
> OLD
>
> This document defines new METRIC types, a new BU object, and new OF
> codes which does not add any new security concerns beyond those
> discussed in [RFC5440] and [RFC5541] in itself. Some deployments may
> find the service aware information like delay and packet loss to be
> extra sensitive and thus should employ suitable PCEP security
> mechanisms like TCP-AO or [PCEPS].
>
> NEW
>
> This document defines new METRIC types, a new BU object, and new OF
> codes which does not add any new security concerns beyond those
> discussed in [RFC5440] and [RFC5541] in itself. Some deployments may
> find the service aware information like delay and packet loss to be
> extra sensitive and could be used to influence path computation and
> setup with adverse effect. Additionally, snooping of PCEP messages
> with such data may give an attacker sensitive information about the
> operations of the network. Thus, such deployment should employ
> suitable PCEP security mechanisms like TCP Authentication Option
> (TCP-AO) [RFC5925] or [PCEPS]. The Transport Layer Security (TLS)
> based procedure in [PCEPS] is considered as a security enhancement
> and thus much better suited for the sensitive service aware
> information.

This looks good for Stephen's comment, could you add in something about
reconnaissance as well? Maybe:

current new:
Additionally, snooping of PCEP messages with such data may give an attacker
sensitive information about the operations of the network.

proposed new:
Additionally, snooping of PCEP messages with such data, or using PCEP messages
for network reconnaissance, may give an attacker sensitive information about
the operations of the network.

Thanks,
Kathleen

> Let me know if you would like some change in wording.
>
> Thanks!
> Dhruv
>
>> _______________________________________________
>> Pce mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/pce

--
Best regards,
Kathleen
