Last Call Review of draft-ietf-mpls-return-path-specified-lsp-ping-12
review-ietf-mpls-return-path-specified-lsp-ping-12-secdir-lc-hoffman-2013-08-29-00

Request Review of draft-ietf-mpls-return-path-specified-lsp-ping
Requested rev. no specific revision (document currently at 15)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2013-09-04
Requested 2013-08-22
Authors Mach Chen, Wei Cao, Ning So, Frederic JOUNAY, Simon DeLord
Draft last updated 2013-08-29
Completed reviews Genart Last Call review of -12 by Roni Even (diff)
Genart Telechat review of -13 by Roni Even (diff)
Secdir Last Call review of -12 by Paul Hoffman (diff)
Assignment Reviewer Paul Hoffman
State Completed
Review review-ietf-mpls-return-path-specified-lsp-ping-12-secdir-lc-hoffman-2013-08-29
Reviewed rev. 12 (document currently at 15)
Review result Ready
Review completed: 2013-08-29

Review
review-ietf-mpls-return-path-specified-lsp-ping-12-secdir-lc-hoffman-2013-08-29

This document defines a set of extensions to MPLS to allow the failure detection mode (basically, a ping) to know which path to use in the reply. Given that MPLS is a protocol that is only run between gateways that fully trust each other, there are not many security considerations for such an extensions. The entire Security Considerations section reads:

   Security considerations discussed in [RFC4379] apply to this
   document.  In addition to that, in order to prevent using the
   extension defined in this document for "proxying" any possible
   attacks, the return path LSP MUST have destination to the same node
   where the forward path is from.

That actually seems sufficient, given that the underlying protocol is not meant to have any non-administrative security features.

--Paul Hoffman