Last Call Review of draft-ietf-bess-mvpn-global-table-mcast-02
review-ietf-bess-mvpn-global-table-mcast-02-secdir-lc-meadows-2015-08-13-00

Request Review of draft-ietf-bess-mvpn-global-table-mcast
Requested rev. no specific revision (document currently at 03)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2015-08-18
Requested 2015-08-06
Draft last updated 2015-08-13
Completed reviews Genart Telechat review of -02 by Christer Holmberg (diff)
Secdir Last Call review of -02 by Catherine Meadows (diff)
Assignment Reviewer Catherine Meadows
State Completed
Review review-ietf-bess-mvpn-global-table-mcast-02-secdir-lc-meadows-2015-08-13
Reviewed rev. 02 (document currently at 03)
Review result Has Issues
Review completed: 2015-08-13

Review
review-ietf-bess-mvpn-global-table-mcast-02-secdir-lc-meadows-2015-08-13

I have reviewed this document as part of the security directorate's 

ongoing effort to review all IETF documents being processed by the 

IESG.  These comments were written primarily for the benefit of the 

security area directors.  Document editors and WG chairs should treat 

these comments just like any other last call comments.

This ID describes adapts Multicast Virtual Private Network (MVPN) procedures and protocols described in

RFC’s 6513, 6514 to non-VPN specific multicast, referred to as Global Table Multicast (GTM)  in this document.

MVPN is typically used by a service provider that provides VPN service to its customers.  In this architecture

one or more customer routers attach to a single Provider Edge (PE) router, that may support one or more

VPNs.  Each PE contains a separate Virtual Routing and Forwarding Table (VRF) for each VPN to which it is attached.

The main difference between MVPN and the new GTM procedures described in this document is that in GTM the routing

information is stored in a global table.  The document describes changes in procedures that need to be made when using

a GTM instead of an MVPN.

I have some issues with the Security Considerations section of this documents.  It describes security issues

that the authors have identified, but it is hard to figure out exactly what features of the proposed GTM procedure give rise to them and what

can be done to address them.  

In particular:

This document makes use of a BGP SAFI (MCAST-VPN routes) that was
   originally designed for use in VPN contexts only.  It also makes use
   of various BGP path attributes and extended communities (VRF Route
   Import Extended Community, Source AS Extended Community, Route Target
   Extended Community) that were originally intended for use in VPN
   contexts.  If these routes and/or attributes leak out into "the
   wild", multicast data flows may be distributed in an unintended and/
   or unauthorized manner.

What is not clear here is what is additional risk of information leaking out into the wild  the use of the GTM procedures proposed

in this document would incur.  Does the use in a wider context mean that the information is more widely distributed and thus has

more chance of leaking?  Or does it mean that an incorrectly implemented GTM procedure might confuse sensitive routes with nonsensitive ones,

and distribute them inappropriately?  Or both?  A sample scenario would be useful here.    It would also be helpful to see suggestions for mitigation.

Internet providers often make extensive use of BGP communities (ie,
   adding, deleting, modifying communities throughout a network).  As
   such, care should be taken to avoid deleting or modifying the VRF
   Route Import Extended Community and Source AS Extended Community.
   Incorrect manipulation of these ECs may result in multicast streams
   being lost or misrouted.

I’m not sure how this is related to the document.  Could you show how this becomes more of a risk as a result of using the new GTM procedures?

The procedures of this document require certain BGP routes to carry
   IP multicast group addresses.  Generally such group addresses are
   only valid within a certain scope.  If a BGP route containing a group
   address is distributed outside the boundaries where the group address
   is meaningful, unauthorized distribution of multicast data flows may
   occur.

Is this a new requirement or is this one that is incurred by other types of procedures as well?  Again, can you suggest any mitigations?

Also a few nits:

First line, second paragraph of Security Considerations Section Section:

This document makes use of a BGP SAFI (MCAST-VPN routes) that was
   originally designed for use in VPN contexts only.

I assume you mean to say:  “The protocols and procedures described in this document make use …”

First line, second paragraph, Section 2.3.4

The SFS procedure works in VPN context as along the following
   assumption holds

That should be “as long as”, not “as along”.

I consider this ready with issues, in that the Security Considerations section needs to give a much clearer

account of the security risks that may be incurred, and mitigations need to be suggested whenever possible.

Cathy Meadows

 




Catherine Meadows

Naval Research Laboratory

Code 5543

4555 Overlook Ave., S.W.

Washington DC, 20375

phone: 202-767-3490

fax: 202-404-7942

email: 

catherine.meadows at nrl.navy.mil