
Re: draft-dasilva-l2tp-relaysvc-07.txt



In message <200310300147.h9U1lBH05340@cichlid.raleigh.ibm.com>, Thomas Narten writes:
>"Steven M. Bellovin" <smb@research.att.com> writes:
>
>> I'm very unhappy with it, but I apparently didn't object the first time 
>> it came around, so I don't feel I should change my mind now. 
>
>Please clarify. Are you unhappy with the L2TP aspects, or with the
>underlying PPPoE aspects (which are kind of hard to fix at this point
>in time).

That's what I get for being lazy -- I was about to supply what I would 
write as a DISCUSS, but decided not to bother...

My problem is the Security Considerations section.  There's no 
discussion of the danger, if any, of an attacker modifying messages.
For example, there's text saying

   ... the LAC MUST send a
   PPPoE Active Discovery Terminate packet (PADT) to the host to
   indicate that the connection has been terminated

A fraudulent PADT message is presumably a denial of service attack.

Since I wasn't going to vote again, I didn't go back and reread the 
base l2tp specs to understand if there might be information that needs 
to be confidential; when I review MIB documents, I insist that the 
authors do that analysis.  2661 notes some sensitive values; I'm not 
sure if they're applicable here.

Beyond that, it doesn't say what to do about security threats.
What is the mandatory-to-implement security mechanism?  It speaks of 
two, but doesn't mandate either.  That's a sure recipe for 
non-interoperability.  


		--Steve Bellovin, http://www.research.att.com/~smb