If the security considerations are addressed in a different document, this should be stated in the security considerations section.
On Mon, Jan 7, 2019 at 12:05 PM Stewart Bryant <[email protected]> wrote:

>
> On 07/01/2019 16:11, Phillip Hallam-Baker wrote:
>
> Reviewer: Phillip Hallam-Baker
> Review result: Has Issues
>
> The document describes the problem and solution pretty clearly. Unfortunately,
> there is no discussion of the security considerations which is not appropriate
> for a document addressing an availability which is a security issue.
>
> While microloops can form by chance, some consideration should be given to the
> possibility that an attacker could induce a loop to perform a DoS attack.
>
> In section 1 the text says:
>
> [RFC8405] defines a solution that satisfies this problem statement
> and this document captures the reasoning of the provided solution.
>
> It is safe to assume that the reader of this text would have read
> normative reference RFC8405 and thus would be fully aware of the security
> issues related to the solution being analysed.
>
> An attacker that had access to a network such that they could induce
> microloops would have the ability to do many worse things to the network.
>
> If they were able to attack in-band they could poison the routing system
> to take it down in far more interesting ways. Operators use security at the
> physical and network layer to prevent this.
>
> If they were operating at the physical layer then they could take circuits
> down at will and cause microloops in the base protocol, traffic overloads
> and application malfunction.
>
> Thus if the attacker could deploy either of those attacks in a network to
> induce micro-loops, then any security considerations in this draft would
> count for nothing.
>
> The draft is an analysis, and thus I think that it correctly states that
> it introduces no additional matters for security consideration.
>
> - Stewart
>

--
Website: http://hallambaker.com/
_______________________________________________
rtgwg mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/rtgwg
