Russ:

Just checking to see that all = the issues you raised in for draft-hares-i2rs-auth-trans on the SEC-DIR = list:

To: "'Russ Housley'" References: <00e901d14435$0d92b950$28b82bf0$@ndzh.com> In-Reply-To: Date: Sat, 2 Jan 2016 19:45:00 -0500 Message-ID: <006801d145bf$fd4df5f0$f7e9e1d0$@ndzh.com> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0069_01D14596.147AFB30" X-Mailer: Microsoft Outlook 14.0 Thread-Index: AQKUFkxonBTXeDmpyINqGwK33R98eAFpup72nVgFS8A= Content-Language: en-us X-Authenticated-User: skh@ndzh.com Archived-At: Cc: 'Kathleen Moriarty' , secdir@ietf.org Subject: Re: [secdir] Early SecDir Reviews X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 03 Jan 2016 00:45:06 -0000 This is a multipart message in MIME format. ------=_NextPart_000_0069_01D14596.147AFB30 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Russ: Thank you for letting me know your comments have been addressed. I will review the section 2.4 and SEC-REQ-09 to address the overlap. Sue Hares From: Russ Housley [mailto:housley@vigilsec.com] Sent: Saturday, January 02, 2016 4:33 PM To: Susan Hares Cc: 'Kathleen Moriarty'; 'Stephen Farrell'; secdir@ietf.org Subject: Re: [secdir] Early SecDir Reviews Sue: I believe that my comments have been addresses. I still see a great deal of overlap between Section 2.4 and requirements SEC-REQ-09. Russ On Dec 31, 2015, at 8:37 PM, Susan Hares wrote: Russ: Just checking to see that all the issues you raised in for draft-hares-i2rs-auth-trans on the SEC-DIR list: http://www.ietf.org/mail-archive/web/secdir/current/msg05964.html are answered in WG version of this draft: draft-ietf-i2rs-protocol-security-requirements-01 https://datatracker.ietf.org/doc/draft-ietf-i2rs-protocol-security-requireme nts/ I'm ready to send this to the IESG for publication, but in checking on the SEC-DIR list, I did not see an OK. Thank you for all your help to improve this draft on I2RS protocol security. Sue Hares ------=_NextPart_000_0069_01D14596.147AFB30 Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Russ:

Thank you for letting me know your comments have been = addressed. I will review the section 2.4 and SEC-REQ-09 to address = the overlap.

Sue Hares

From:= = Russ Housley [mailto:housley@vigilsec.com]
Sent: Saturday, = January 02, 2016 4:33 PM
To: Susan Hares
Cc: = 'Kathleen Moriarty'; 'Stephen Farrell'; = secdir@ietf.org
Subject: Re: [secdir] Early SecDir = Reviews

Sue:

I = believe that my comments have been = addresses.

I = still see a great deal of overlap between Section 2.4 and requirements = SEC-REQ-09.

Russ

On = Dec 31, 2015, at 8:37 PM, Susan Hares wrote:

Russ:<= /o:p>

Just = checking to see that all the issues you raised in for = draft-hares-i2rs-auth-trans on the SEC-DIR = list:

http://www.ietf.org/mail-archive/web/secdir/current/msg05964.html

are = answered in WG version of this draft: = draft-ietf-i2rs-protocol-security-requirements-01

https://datatracker.ietf.org/doc/draft-ietf-i2rs-protoco= l-security-requirements/

I’m = ready to send this to the IESG for publication, but in checking on the = SEC-DIR list,

I did not = see an OK.

Thank you = for all your help to improve this draft on I2RS protocol = security.

Sue Hares =

------=_NextPart_000_0069_01D14596.147AFB30-- From nobody Mon Jan 4 05:25:29 2016 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2743F1A88B2; Mon, 4 Jan 2016 05:25:26 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -14.511 X-Spam-Level: X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bjsskQCwnTfa; Mon, 4 Jan 2016 05:25:24 -0800 (PST) Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A3C831A88B1; Mon, 4 Jan 2016 05:25:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2424; q=dns/txt; s=iport; t=1451913924; x=1453123524; h=from:to:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=xGLiWQlTsAKZ/JUsv80fwK3q2I40G6DeZ7AMbOSSiJ4=; b=MbbVQqw+7cSIt+qSOE53b6yqiVc+GvBC98fwmE4d7s7q9YZM4Sxk/2ow 43M0c5tGQb7oyA6JvT8K/jBVvW09rvfNmH82EUfF3pUeVRILEAd/j7G/M ZCdhxDYliMrXR5VIhU1/VLSpFn+9nMKCZa5omUIs76GrSJ4uH1K9oZDVv A=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0D9AQAEcopW/5hdJa1egzqBRYhTs3UBD?= =?us-ascii?q?YFkhi19OBQBAQEBAQEBgQqEOyMRVwEaCAImAgQwFQIQBAGIQa9EkRkBAQEBAQE?= =?us-ascii?q?BAwEBAQEBAR2BAYVVgg8IgmiHcy6BGwWXBgGIMIUggVyERohZjjkBIAEBQoQKh?= =?us-ascii?q?HqBCAEBAQ?= X-IronPort-AV: E=Sophos;i="5.20,520,1444694400"; d="scan'208";a="223873651" Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 04 Jan 2016 13:25:23 +0000 Received: from XCH-RCD-001.cisco.com (xch-rcd-001.cisco.com [173.37.102.11]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id u04DPNTk014858 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 4 Jan 2016 13:25:23 GMT Received: from xch-aln-004.cisco.com (173.36.7.14) by XCH-RCD-001.cisco.com (173.37.102.11) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Mon, 4 Jan 2016 07:25:22 -0600 Received: from xch-aln-004.cisco.com ([173.36.7.14]) by XCH-ALN-004.cisco.com ([173.36.7.14]) with mapi id 15.00.1104.009; Mon, 4 Jan 2016 07:25:23 -0600 From: "Klaas Wierenga (kwiereng)" To: "iesg@ietf.org" , "secdir@ietf.org" , "draft-ietf-spring-problem-statement.all@tools.ietf.org" Thread-Topic: review of draft-ietf-spring-problem-statement-06 Thread-Index: AQHRRvNdX54wnez3UU6k7dgZ7LgM5g== Date: Mon, 4 Jan 2016 13:25:23 +0000 Message-ID: <98C9C83C-68AF-4593-A441-48C6EE7A9DA7@cisco.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-messagesentrepresentingtype: 1 x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [10.61.195.236] Content-Type: text/plain; charset="utf-8" Content-ID: <0168C46CBB4ED8439E498AF5B5ED4321@emea.cisco.com> Content-Transfer-Encoding: base64 MIME-Version: 1.0 Archived-At: Subject: [secdir] review of draft-ietf-spring-problem-statement-06 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Jan 2016 13:25:26 -0000 SGksDQoNCkkgaGF2ZSByZXZpZXdlZCB0aGlzIGRvY3VtZW50IGFzIHBhcnQgb2YgdGhlIHNlY3Vy aXR5IGRpcmVjdG9yYXRlJ3Mgb25nb2luZyBlZmZvcnQgdG8gcmV2aWV3IGFsbCBJRVRGIGRvY3Vt ZW50cyBiZWluZyBwcm9jZXNzZWQgYnkgdGhlIElFU0cuIFRoZXNlIGNvbW1lbnRzIHdlcmUgd3Jp dHRlbiBwcmltYXJpbHkgZm9yIHRoZSBiZW5lZml0IG9mIHRoZSBzZWN1cml0eSBhcmVhIGRpcmVj dG9ycy4gRG9jdW1lbnQgZWRpdG9ycyBhbmQgV0cgY2hhaXJzIHNob3VsZCB0cmVhdCB0aGVzZSBj b21tZW50cyBqdXN0IGxpa2UgYW55IG90aGVyIGxhc3QgY2FsbCBjb21tZW50cy4NCg0KVGhpcyBk b2N1bWVudCBwcm92aWRlcyBhIHByb2JsZW0gc3RhdGVtZW50IGZvciBzb3VyY2UgYmFzZWQgdW5p Y2FzdCByb3V0aW5nIGFyY2hpdGVjdHVyZS4gVGhlIGRvY3VtZW50IGV4YW1pbmVzIGEgbnVtYmVy IG9mIHR5cGljYWwgdXNlIGNhc2VzIGluIG9yZGVyIHRvIGNvbWUgdXAgd2l0aCB0aGUgcmVxdWly ZW1lbnRzIGZvciB0aGUgdGFyZ2V0IGFyY2hpdGVjdHVyZS4NCg0KSSBiZWxpZXZlIHRoZSBkb2N1 bWVudCBpcyBjbGVhciBhbmQgd2VsbC13cml0dGVuIGFuZCByZWFkeSBmb3IgcHVibGljYXRpb24s IHdpdGggb25lIHNtYWxsIG5pdCwgc2VlIGJlbG93Lg0KDQpUaGUgU2VjdXJpdHkgQ29uc2lkZXJh dGlvbnMgc2VjdGlvbiBpcyBhIGxpdHRsZSBiaXQgbGlnaHQsIGJ1dCBpbiBsaW5lIHdpdGggdGhl IHJlc3Qgb2YgdGhlIGRvY3VtZW50LCBzbyBJIGJlbGlldmUgc3VmZmljaWVudCwgcHJvdmlkZWQg dGhhdCBhIG1vcmUgZGV0YWlsZWQgYW5hbHlzaXMgaXMgZG9uZSBpbiBmb3J0aGNvbWluZyBkb2N1 bWVudHMuIEkgaGF2ZSBvbmUgc21hbGwgbml0LCBpbiB0aGUgZG9jdW1lbnQgaXQgc2F5czoNCg0K 4oCUDQpUaGVyZSBpcyBhbiBhc3N1bWVkIHRydXN0IG1vZGVsIHN1Y2ggdGhhdCB0aGUgc291cmNl IGltcG9zaW5nIGFuDQogICBleHBsaWNpdCByb3V0ZSBvbiBhIHBhY2tldCBpcyBhc3N1bWVkIHRv IGJlIGFsbG93ZWQgdG8gZG8gc28uICBJdCBpcw0KICAgYXNzdW1lZCB0aGF0IHRoZSBkZWZhdWx0 IGJlaGF2aW9yIGlzIHRvIHN0cmlwIGFueSBpbnRlcm5hbCByb3V0aW5nDQogICBpbmZvcm1hdGlv biBmcm9tIHRoZSBwYWNrZXQgYmVmb3JlIHRoZSBwYWNrZXQgaXMgZm9yd2FyZGVkIG91dHNpZGUN CiAgIHRoZSBkb21haW4uICBJbiBzdWNoIGNvbnRleHQgdHJ1c3QgYm91bmRhcmllcyBTSE9VTEQg c3RyaXAgZXhwbGljaXQNCiAgIHJvdXRlcyBmcm9tIGEgcGFja2V0Lg0K4oCUDQoNCkl0IGlzIHVu Y2xlYXIgdG8gbWUgd2hldGhlciB0aGUgaWRlYSBpcyB0aGF0IGlmIHRoYXQgKm9ubHkgaW50ZXJu YWwqIGluZm8gaXMgc3RyaXBwZWQsIG9yICphbGwqLCBpLmUuIGlmIHRoZSBwcm92aWRlZCByb3V0 ZSBpcyB7aW50ZXJuYWwgaG9zdCAxLCBpbnRlcm5hbCBob3N0IDIsIGludGVybmFsIGhvc3QgMywg ZXh0ZXJuYWwgaG9zdCAxLCBleHRlcm5hbCBob3N0IDJ9LCBpcyB0aGUgaWRlYSB0aGF0IGF0IGVn cmVzcyB0aGUgd2hvbGUgc3BlY2lmaWMgcm91dGUgaXMgdHJpcHBlZCBvciB0aGF0IHdoYXQgcmVt YWlucyBpcyB7ZXh0ZXJuYWwgaG9zdCAxLCBleHRlcm5hbCBob3N0IDIpLCB3aXRoIGxlYXZpbmcg dXAgdG8gdGhlIHRyYW5zaXQgb3IgZGVzdGluYXRpb24gbmV0d29yayB0byBhcHBseSDigJxzdHJp cHBpbmcgcG9saWN54oCdIG9uIHRoZSByZW1haW5kZXIuIFBsZWFzZSBjbGFyaWZ5Lg0KDQpLbGFh cw== From nobody Mon Jan 4 08:27:44 2016 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 001D01A8A08; Mon, 4 Jan 2016 08:27:40 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.859 X-Spam-Level: X-Spam-Status: No, score=-3.859 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8Q_ifgYBCrqu; Mon, 4 Jan 2016 08:27:35 -0800 (PST) Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8593F1A89AE; Mon, 4 Jan 2016 08:27:34 -0800 (PST) X-IronPort-AV: E=Sophos;i="5.20,521,1444687200"; d="asc'?scan'208,217";a="195528516" Received: from geve.inrialpes.fr ([194.199.24.116]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-SHA; 04 Jan 2016 17:27:32 +0100 From: Vincent Roca X-Pgp-Agent: GPGMail 2.5.2 Content-Type: multipart/signed; boundary="Apple-Mail=_779C5F10-1796-48F0-BBF2-428B089AB52F"; protocol="application/pgp-signature"; micalg=pgp-sha512 Date: Mon, 4 Jan 2016 17:27:31 +0100 Message-Id: To: IESG , secdir@ietf.org, draft-ietf-cdni-control-triggers@tools.ietf.org Mime-Version: 1.0 (Mac OS X Mail 8.2 $2104$) X-Mailer: Apple Mail (2.2104) Archived-At: Subject: [secdir] Secdir review of draft-ietf-cdni-control-triggers-11 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Jan 2016 16:27:41 -0000 --Apple-Mail=_779C5F10-1796-48F0-BBF2-428B089AB52F Content-Type: multipart/alternative; boundary="Apple-Mail=_57CC3254-247B-4FBF-B89D-4131EF64E1E9" --Apple-Mail=_57CC3254-247B-4FBF-B89D-4131EF64E1E9 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Hello, I have reviewed this document as part of the security directorate=E2=80=99= s ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments = just like any other last call comments. Summary: not totally ready There are several topics I=E2=80=99d like to discuss: 1- Concerning the use of TLS to carry CI/T traffic, I see it is = mandatory to implement, but still optional to use (1st sentence of = Section 8.1). Is it still reasonable in current Internet? At a minimum I = would expect a =C2=AB MUST support =C2=BB / =C2=AB SHOULD use =C2=BB. 2- Section 8.1, please check the paragraph =C2=AB Note that in a =C2=AB = diamond =C2=BB configuration [=E2=80=A6] =C2=BB. This paragraph is = rather confusing to me. Confusion comes from: - the lack of description of the =C2=AB diamond configuration =C2=BB. = I understand there is one dCDN on top and multiple uCDN directly = connected below, am I right? - the notion of =C2=AB content acquired from a uCDN =C2=BB. If I = understand correctly, it means =C2=AB content that has been acquired = after a uCDN request to do so =C2=BB. I initially thought there were = some mistakes in the use of uCDN / dCDN=E2=80=A6 3- With this =C2=AB diamond configuration =C2=BB, since several uCDN can = act upon the same content, what happens if they behave in a non = coordinated manner (i.e., in the general case)? For instance let=E2=80=99s= imagine one of them asks the dCDN to delete the content or cancel the = initial command. What happens if another uCDN then asks the dCDN to = invalidate this content, providing the URL of the Trigger Status = Resource which (if I understand correctly) is no longer valid? This =C2=AB= diamond configuration =C2=BB can be a little bit tricky and no clear = guideline is provided in the document. 4- Concerning privacy aspects, I would be much more cautious than the = authors. For instance, I wouldn't claim "there are no privacy concerns = for End Users" because the CI/T protocol does not carry information = about individual End Users (section 8.3). The dCDN knows that there are = users interested (or at the opposite no user interested) by a certain = content in the region served by a uCDN. Therefore, the protocol only = provides k-anonymity, where k is the number of End Users in the region. = Depending on the content sensitivity and k value, this k-anonymity may = still raise privacy issues, even if the individual End User activity = logs are not available to the dCDN (I assume TLS is used to prevent = eavesdropping=E2=80=A6). Typo: ** Section 8.3: =C2=AB ... prevents parties other party..." Cheers, Vincent --Apple-Mail=_57CC3254-247B-4FBF-B89D-4131EF64E1E9 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8 Hello,

I have reviewed this document as part of the = security directorate=E2=80=99s ongoing
effort to review = all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the = security area
directors. Document editors and WG = chairs should treat these comments just
like any other = last call comments.

Summary: not totally ready

There are several topics I=E2=80=99d like to = discuss:

1- Concerning the use of TLS to carry CI/T traffic, I see it = is mandatory to implement, but still optional to use (1st sentence of = Section 8.1). Is it still reasonable in current Internet? At a minimum I = would expect a =C2=AB MUST support =C2=BB / =C2=AB SHOULD = use =C2=BB.

2- Section 8.1, please = check the paragraph =C2=AB Note that in a =C2=AB diamond =C2= =BB configuration [=E2=80=A6] =C2=BB. This paragraph is rather = confusing to me. Confusion comes from:

- the = lack of description of the =C2=AB diamond configuration =C2=BB. = I understand there is one dCDN on top and multiple uCDN directly = connected below, am I right?

- the notion of = =C2=AB content acquired from a uCDN =C2=BB. If I understand = correctly, it means =C2=AB content that has been acquired after a = uCDN request to do so =C2=BB. I initially thought there were some = mistakes in the use of uCDN / dCDN=E2=80=A6

3- = With this =C2=AB diamond configuration =C2=BB, since several = uCDN can act upon the same content, what happens if they behave in a non = coordinated manner (i.e., in the general case)? For instance let=E2=80=99s= imagine one of them asks the dCDN to delete the content or cancel the = initial command. What happens if another uCDN then asks the dCDN to = invalidate this content, providing the URL of the Trigger Status = Resource which (if I understand correctly) is no longer valid? This = =C2=AB diamond configuration =C2=BB can be a little bit tricky = and no clear guideline is provided in the document.

4- Concerning privacy aspects, I would be much more cautious = than the authors. For instance, I wouldn't claim "there are no privacy = concerns for End Users" because the CI/T protocol does not carry = information about individual End Users (section 8.3). The dCDN knows = that there are users interested (or at the opposite no user interested) = by a certain content in the region served by a uCDN. Therefore, the = protocol only provides k-anonymity, where k is the number of End Users = in the region. Depending on the content sensitivity and k value, this = k-anonymity may still raise privacy issues, even if the individual End = User activity logs are not available to the dCDN (I assume TLS is used = to prevent eavesdropping=E2=80=A6).

Typo:

** Section 8.3: =C2=AB ... prevents parties other = party..."

Cheers,

Vincent

= --Apple-Mail=_57CC3254-247B-4FBF-B89D-4131EF64E1E9-- --Apple-Mail=_779C5F10-1796-48F0-BBF2-428B089AB52F Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJWip10AAoJEHBYw8t72N4rL10QALUfmfUPxZdOEXd/JfB/qPIV /qdsQXggyveaTFOUEqMEsnYLzkenmndmt7b4MUjRgCqeLvRX5kub+Fk/DiZ+snbK w2n9hGzxgUJ8l1rC8FFv60VEOFiRJ6aKyycCPNjlzKf2YRJz9u60UWY4DQurr0BT Mxp4g6Ynd6p66aG2IeVMjAMixCO2XRn/4TI/iGydZTml0BcB7lw+iexQwWbII79/ DTfqQ6UOlncjcKvbBgwxr6Zyq59UNKe6+Sd4pHCAjTal/gl/xtzFBpGeHszhD/93 i8hcUxW9nQxgXvmsQ15TbviUixS8dgTqmMJbk0NxjZLdpZ7FnuQGOXCPPIFJaJvW /dyFtdGTcGcztKD5Ig+pynB2su+3UECSATYjaxtHbYJcQ5QNhx+9QFRhxTfha/QF yn4aRPv+oy5GsYi0GDNLkKdGpw5h5WrAL3r87yGy1ZH3EK6RWyBXmjwuc5MYeO5Z ewQoZkf9qyuvYuWC3rHMJldEF++QHA/KvhRViC4w4cm8Qm7RBpHx3T1/X2mwd60Y 1OsWYSZjwKoRj5rFq9qqqA9O67+ivr5vs14/n6xWo5gCmiP04Qw8u3l4Gi0liWlM eQdG2LxuUm69E582Nzek2Nt23d/6FwivYBOLwC69pBnwNfG6xTkZzXzGsnkzcrVZ fE9VjqMJ2wKYmTejfQIM =bKMi -----END PGP SIGNATURE----- --Apple-Mail=_779C5F10-1796-48F0-BBF2-428B089AB52F-- From nobody Mon Jan 4 10:30:15 2016 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF38C1A0302; Mon, 4 Jan 2016 10:30:12 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.211 X-Spam-Level: X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ffn2FzUd3_p8; Mon, 4 Jan 2016 10:30:11 -0800 (PST) Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 563BC1A02F1; Mon, 4 Jan 2016 10:30:10 -0800 (PST) Received: from 172.18.7.190 (EHLO lhreml403-hub.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CGI48577; Mon, 04 Jan 2016 18:30:07 +0000 (GMT) Received: from LHREML708-CAH.china.huawei.com (10.201.5.202) by lhreml403-hub.china.huawei.com (10.201.5.217) with Microsoft SMTP Server (TLS) id 14.3.235.1; Mon, 4 Jan 2016 18:30:06 +0000 Received: from SZXEML427-HUB.china.huawei.com (10.82.67.182) by lhreml708-cah.china.huawei.com (10.201.5.202) with Microsoft SMTP Server (TLS) id 14.3.235.1; Mon, 4 Jan 2016 18:30:06 +0000 Received: from szxeml557-mbs.china.huawei.com ([169.254.6.252]) by szxeml427-hub.china.huawei.com ([10.82.67.182]) with mapi id 14.03.0235.001; Tue, 5 Jan 2016 02:30:00 +0800 From: Tina TSOU To: "Org Secdir@Ietf." , "draft-ietf-hip-rfc5205-bis.all@ietf.org" , "Org Iesg@Ietf." Thread-Topic: Secdir Review of draft-ietf-hip-rfc5205-bis-08 Thread-Index: AQHRRx3rdmz2/NeS50O5q3NB4825KA== Date: Mon, 4 Jan 2016 18:29:59 +0000 Message-ID: References: <568A94BF.4000004@si6networks.com> In-Reply-To: <568A94BF.4000004@si6networks.com> Accept-Language: en-US Content-Language: zh-CN X-MS-Has-Attach: X-MS-TNEF-Correlator: Content-Type: text/plain; charset="gb2312" Content-Transfer-Encoding: base64 MIME-Version: 1.0 X-CFilter-Loop: Reflected X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020205.568ABA30.010D, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.6.252, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32 X-Mirapoint-Loop-Id: 0d68602873392bc2c3feb5a5c235de25 Archived-At: Subject: [secdir] Secdir Review of draft-ietf-hip-rfc5205-bis-08 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 04 Jan 2016 18:30:13 -0000 RGVhciBhbGwsDQoNCkhhcHB5IE5ldyBZZWFyIDIwMTYhDQoNCkkgaGF2ZSByZXZpZXdlZCB0aGlz IGRvY3VtZW50IGFzIHBhcnQgb2YgdGhlIHNlY3VyaXR5IGRpcmVjdG9yYXRloa9zIG9uZ29pbmcg ZWZmb3J0IHRvIHJldmlldyBhbGwgSUVURiBkb2N1bWVudHMgYmVpbmcgcHJvY2Vzc2VkIGJ5IHRo ZSBJRVNHLiBUaGVzZSBjb21tZW50cyB3ZXJlIHdyaXR0ZW4gcHJpbWFyaWx5IGZvciB0aGUgYmVu ZWZpdCBvZiB0aGUgc2VjdXJpdHkgYXJlYQ0KZGlyZWN0b3JzLiBEb2N1bWVudCBlZGl0b3JzIGFu ZCBXRyBjaGFpcnMgc2hvdWxkIHRyZWF0IHRoZXNlIGNvbW1lbnRzIGp1c3QgbGlrZSBhbnkgb3Ro ZXIgbGFzdCBjYWxsIGNvbW1lbnRzLg0KDQoqKiBUZWNobmljYWwgKioNCg0KKiBTZWN0aW9uIDg6 DQoNCllvdSByZWZlciB0byBJUFNFQ0tFWSBSUiBbUkZDNDAyNV0gdG8gbm90ZSBzb21lIG9mIHRo ZSBwb3NzaWJsZSB0aHJlYXRzDQpmb3IgSElQIFJScy4gSSB0aGluayB5b3Ugc2hvdWxkIHNwZWxs IHRoZXNlIG91dCwgYW5kIGRpc2N1c3MgdGhlbQ0KZXhwbGljaXRseS4NCg0KDQoNCioqIEVkaXRv cmlhbCAqKg0KDQoqIFNlY3Rpb24gMywgcGFnZSA0Og0KPiAgSW4gdGhlIGZvbGxvd2luZywgd2Ug YXNzdW1lIHRoYXQgdGhlIEluaXRpYXRvciBmaXJzdCBxdWVyaWVzIGZvciBISVANCj4gIHJlc291 cmNlIHJlY29yZHMgYXQgdGhlIFJlc3BvbmRlciBGUUROLg0KDQpzL2F0L2Zvci8NCg0KDQoqIFNl Y3Rpb24gMywgcGFnZSA0Og0KPiBhbmQgZnVydGhlciBxdWVyaWVzIGZvciB0aGUgc2FtZSBvd25l ciBuYW1lIFNIT1VMRCBOT1QgYmUNCj4gIG1hZGUuDQoNCldoYXQncyBhbiAib3duZXIgbmFtZSI/ IE1heWJlIHRoaXMgc2hvdWxkIGJlICJkb21haW4gbmFtZSIsIGluc3RlYWQ/DQoNCg0KKiBTZWN0 aW9uIDMsIHBhZ2UgNToNCj4gIE5vdGUgdGhhdCBzdG9yaW5nIEhJUCBSUiBpbmZvcm1hdGlvbiBp biB0aGUgRE5TIGF0IGFuIEZRRE4gdGhhdCBpcw0KPiAgYXNzaWduZWQgdG8gYSBub24tSElQIG5v ZGUgbWlnaHQgaGF2ZSBpbGwgZWZmZWN0cyBvbiBpdHMgcmVhY2hhYmlsaXR5DQo+ICBieSBISVAg bm9kZXMuDQoNCnMvYS9hbi8NCg0KDQoqIFNlY3Rpb24gNC4yLCBwYWdlIDk6DQo+IFRoZSBSVlMN Cj4gIGluZm9ybWF0aW9uIG1heSBiZSBjb3BpZWQgYW5kIGFsaWduZWQgYWNyb3NzIG11bHRpcGxl IFJScywgb3IgbWF5IGJlDQo+ICBkaWZmZXJlbnQgZm9yIGVhY2ggb25lOyBhIGhvc3QgTVVTVCBj aGVjayB0aGF0IHRoZSBSVlMgdXNlZCBpcw0KPiAgYXNzb2NpYXRlZCB3aXRoIHRoZSBISSBiZWlu ZyB1c2VkLCB3aGVuIG11bHRpcGxlIGNob2ljZXMgYXJlDQo+ICBwcmVzZW50LiINCg0KVGhlcmUn cyBubyBtYXRjaGluZyBxdW90ZSBzaWduIGZvciB0aGlzIG9uZS4NCg0KDQpUaGFuayB5b3UsDQpU aW5hDQoNCg0K From nobody Tue Jan 5 08:36:39 2016 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5A7BB1A8862; Tue, 5 Jan 2016 08:23:14 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.911 X-Spam-Level: X-Spam-Status: No, score=-6.911 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8nHegz0G2Xeb; Tue, 5 Jan 2016 08:23:12 -0800 (PST) Received: from smtp-fr.alcatel-lucent.com (fr-hpgre-esg-01.alcatel-lucent.com [135.245.210.22]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C10151A8861; Tue, 5 Jan 2016 08:23:11 -0800 (PST) Received: from fr711usmtp1.zeu.alcatel-lucent.com (unknown [135.239.2.122]) by Websense Email Security Gateway with ESMTPS id 268CE6694081; Tue, 5 Jan 2016 16:23:07 +0000 (GMT) Received: from FR712WXCHHUB03.zeu.alcatel-lucent.com (fr712wxchhub03.zeu.alcatel-lucent.com [135.239.2.74]) by fr711usmtp1.zeu.alcatel-lucent.com (GMO) with ESMTP id u05GN9nw031584 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 5 Jan 2016 17:23:09 +0100 Received: from FR711WXCHMBA02.zeu.alcatel-lucent.com ([169.254.2.107]) by FR712WXCHHUB03.zeu.alcatel-lucent.com ([135.239.2.74]) with mapi id 14.03.0195.001; Tue, 5 Jan 2016 17:23:09 +0100 From: "Murray, Rob (Rob)" To: Vincent Roca Thread-Topic: Secdir review of draft-ietf-cdni-control-triggers-11 Thread-Index: AQHRRwzfQRQykiwnh0mW9gDUEP6L557tC9uA Date: Tue, 5 Jan 2016 16:23:08 +0000 Message-ID: References: In-Reply-To: Accept-Language: en-GB, en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: user-agent: Microsoft-MacOutlook/0.0.0.151217 x-originating-ip: [135.239.27.41] Content-Type: text/plain; charset="utf-8" Content-ID: <3CE4C68AF250A2439BE81ABD8DAEA03C@exchange.lucent.com> Content-Transfer-Encoding: base64 MIME-Version: 1.0 Archived-At: X-Mailman-Approved-At: Tue, 05 Jan 2016 08:36:34 -0800 Cc: "draft-ietf-cdni-control-triggers@tools.ietf.org" , IESG , "secdir@ietf.org" Subject: Re: [secdir] Secdir review of draft-ietf-cdni-control-triggers-11 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Jan 2016 16:23:14 -0000 SGkgVmluY2VudCAtIG1hbnkgdGhhbmtzIGZvciB0aGUgcmV2aWV3LCByZXNwb25zZXMgaW5saW5l IGJlbG93Li4uDQoNCkNoZWVycywNClJvYi4NCg0KPiBGcm9tOiBWaW5jZW50IFJvY2EgPHZpbmNl bnQucm9jYUBpbnJpYS5mcj5EYXRlOiBNb25kYXksIDQgSmFudWFyeSAyMDE2IGF0IDE2OjI3DQo+ IFRvOiBJRVNHIDxpZXNnQGlldGYub3JnPiwgPHNlY2RpckBpZXRmLm9yZz4sIDxkcmFmdC1pZXRm LWNkbmktY29udHJvbC10cmlnZ2Vyc0B0b29scy5pZXRmLm9yZz4NCj4gQ2M6IFZpbmNlbnQgUm9j YSA8dmluY2VudC5yb2NhQGlucmlhLmZyPg0KPiBTdWJqZWN0OiBTZWNkaXIgcmV2aWV3IG9mIGRy YWZ0LWlldGYtY2RuaS1jb250cm9sLXRyaWdnZXJzLTExDQo+DQo+IEhlbGxvLA0KPg0KPiBJIGhh dmUgcmV2aWV3ZWQgdGhpcyBkb2N1bWVudCBhcyBwYXJ0IG9mIHRoZSBzZWN1cml0eSBkaXJlY3Rv cmF0ZeKAmXMgb25nb2luZw0KPiBlZmZvcnQgdG8gcmV2aWV3IGFsbCBJRVRGIGRvY3VtZW50cyBi ZWluZyBwcm9jZXNzZWQgYnkgdGhlIElFU0cuIFRoZXNlDQo+IGNvbW1lbnRzIHdlcmUgd3JpdHRl biBwcmltYXJpbHkgZm9yIHRoZSBiZW5lZml0IG9mIHRoZSBzZWN1cml0eSBhcmVhDQo+IGRpcmVj dG9ycy4gRG9jdW1lbnQgZWRpdG9ycyBhbmQgV0cgY2hhaXJzIHNob3VsZCB0cmVhdCB0aGVzZSBj b21tZW50cyBqdXN0DQo+IGxpa2UgYW55IG90aGVyIGxhc3QgY2FsbCBjb21tZW50cy4NCj4NCj4g U3VtbWFyeTogbm90IHRvdGFsbHkgcmVhZHkNCj4NCj4NCj4gVGhlcmUgYXJlIHNldmVyYWwgdG9w aWNzIEnigJlkIGxpa2UgdG8gZGlzY3VzczoNCj4NCj4gMS0gQ29uY2VybmluZyB0aGUgdXNlIG9m IFRMUyB0byBjYXJyeSBDSS9UIHRyYWZmaWMsIEkgc2VlIGl0IGlzIG1hbmRhdG9yeQ0KPiB0byBp bXBsZW1lbnQsIGJ1dCBzdGlsbCBvcHRpb25hbCB0byB1c2UgKDFzdCBzZW50ZW5jZSBvZiBTZWN0 aW9uIDguMSkuIElzDQo+IGl0IHN0aWxsIHJlYXNvbmFibGUgaW4gY3VycmVudCBJbnRlcm5ldD8g QXQgYSBtaW5pbXVtIEkgd291bGQgZXhwZWN0IGENCj4gwqsgTVVTVCBzdXBwb3J0IMK7IC8gwqsg U0hPVUxEIHVzZSDCuy4NCg0KU2VjdGlvbiA4LjEgZ29lcyBvbiB0byBzYXkgLi4uDQoNCiAgIFsg Li4uIGRlc2NyaXB0aW9uIG9mIGJlbmVmaXRzIG9mIEhUVFBTIC4uLiBdDQoNCiAgIEluIGFuIGVu dmlyb25tZW50IHdoZXJlIGFueSBzdWNoIHByb3RlY3Rpb24gaXMgcmVxdWlyZWQsIG11dHVhbGx5 DQogICBhdXRoZW50aWNhdGVkIGVuY3J5cHRlZCB0cmFuc3BvcnQgTVVTVCBiZSB1c2VkIHRvIGVu c3VyZQ0KICAgY29uZmlkZW50aWFsaXR5IG9mIHRoZSBDSS9UIGluZm9ybWF0aW9uLiBUbyB0aGF0 IGVuZCwgVExTIE1VU1QgYmUNCiAgIHVzZWQgYnkgQ0kvVCwgaW5jbHVkaW5nIGF1dGhlbnRpY2F0 aW9uIG9mIHRoZSByZW1vdGUgZW5kLg0KDQouLi4gdGhlIEludGVybmV0IGlzIGNsZWFybHkgYW4g ZW52aXJvbm1lbnQgd2hlcmUgc3VjaCBwcm90ZWN0aW9uIGlzDQpyZXF1aXJlZCwgYW5kIGl0J2xs IG9mdGVuIGJlIHVzZWQgZm9yIHRoZXNlIGludGVyZmFjZXMgLSB3ZSBjb3VsZCBzdGF0ZQ0KdGhh dCBleHBsaWNpdGx5LCB3b3VsZCB0aGF0IGFkZHJlc3MgdGhlIGNvbmNlcm4/DQoNCkJ1dCwgQ0kv VCBjb3VsZCBhbHNvIGJlIGRlcGxveWVkIHRvIHJ1biBvdmVyIGEgVlBOIG9yIHByaXZhdGUgbmV0 d29yaw0KYmV0d2VlbiB0d28gaW50ZXJjb25uZWN0ZWQgQ0ROcywgaW4gc3VjaCBhbiBlbnZpcm9u bWVudCBIVFRQUyB0cmFuc3BvcnQNCndvdWxkIG5vdCBoYXZlIHRoZSBzYW1lIGJlbmVmaXRzLg0K DQoNCj4gMi0gU2VjdGlvbiA4LjEsIHBsZWFzZSBjaGVjayB0aGUgcGFyYWdyYXBoIMKrIE5vdGUg dGhhdCBpbiBhIMKrIGRpYW1vbmQgwrsNCj4gY29uZmlndXJhdGlvbiBb4oCmXSDCuy4gVGhpcyBw YXJhZ3JhcGggaXMgcmF0aGVyIGNvbmZ1c2luZyB0byBtZS4gQ29uZnVzaW9uDQo+IGNvbWVzIGZy b206DQo+IC0gdGhlIGxhY2sgb2YgZGVzY3JpcHRpb24gb2YgdGhlIMKrIGRpYW1vbmQgY29uZmln dXJhdGlvbiDCuy4gSSB1bmRlcnN0YW5kDQo+IHRoZXJlIGlzIG9uZSBkQ0ROIG9uIHRvcCBhbmQg bXVsdGlwbGUgdUNETiBkaXJlY3RseSBjb25uZWN0ZWQgYmVsb3csIGFtIEkNCj4gcmlnaHQ/DQoN ClllcywgdGhhdCdzIHJpZ2h0LiBUaGUgZHJhZnQgc2F5czoNCg0KICAgTm90ZSB0aGF0IGluIGEg ImRpYW1vbmQiIGNvbmZpZ3VyYXRpb24sIHdoZXJlIG9uZSB1Q0ROJ3MgY29udGVudCBjYW4NCiAg IGJlIGFjcXVpcmVkIHZpYSBtb3JlIHRoYW4gb25lIGRpcmVjdGx5LWNvbm5lY3RlZCB1Q0ROLA0K DQpXb3VsZCB0aGUgZm9sbG93aW5nIHJlYXJyYW5nZW1lbnQgaGVscD8gLi4uDQoNCiAgIEEgImRp YW1vbmQiIGNvbmZpZ3VyYXRpb24gaXMgb25lIHdoZXJlIGEgZENETiBjYW4gYWNxdWlyZSBhIHVD RE4ncw0KICAgY29udGVudCB2aWEgbW9yZSB0aGFuIG9uZSBkaXJlY3RseS1jb25uZWN0ZWQgdUNE Ti4gTm90ZSB0aGF0DQogICBpbiBhIGRpYW1vbmQgY29uZmlndXJhdGlvbiBbLi4uXQ0KDQoNCj4g LSB0aGUgbm90aW9uIG9mIMKrIGNvbnRlbnQgYWNxdWlyZWQgZnJvbSBhIHVDRE4gwrsuIElmIEkg dW5kZXJzdGFuZCBjb3JyZWN0bHksDQo+IGl0IG1lYW5zIMKrIGNvbnRlbnQgdGhhdCBoYXMgYmVl biBhY3F1aXJlZCBhZnRlciBhIHVDRE4gcmVxdWVzdCB0byBkbyBzbyDCuy4NCj4gSSBpbml0aWFs bHkgdGhvdWdodCB0aGVyZSB3ZXJlIHNvbWUgbWlzdGFrZXMgaW4gdGhlIHVzZSBvZiB1Q0ROIC8g ZENETuKApg0KDQpBIGRDRE4gd2lsbCBhbHdheXMgYWNxdWlyZSBjb250ZW50IGZyb20gYSB1Q0RO IGJlY2F1c2UgaXQncyBiZWVuIHJlcXVlc3RlZA0KdG8gZG8gc28gKHdpdGhvdXQgYSByZXF1ZXN0 IGl0IHdvbid0IGtub3cgdGhlIFVSTCBpbiB0aGUgdUNETikuDQoNClRoZSByZXF1ZXN0IGNhbiBi ZSBmcm9tIGFuIGVuZC1jbGllbnQgb3IgYSBmdXJ0aGVyLWRvd25zdHJlYW0gQ0ROLCBpbiB3aGlj aA0KY2FzZSB0aGUgY29udGVudCB3aWxsIGJlIGFjcXVpcmVkIG9uLWRlbWFuZCwgb3IgaXQgY2Fu IGJlIGEgQ0kvVA0KcHJlLXBvc2l0aW9uaW5nIHJlcXVlc3QgZnJvbSBhIHVDRE4uDQoNCkRvZXMg dGhhdCBoZWxwPyBJJ20gbm90IHN1cmUgd2hhdCBjaGFuZ2Ugb3IgY2xhcmlmaWNhdGlvbiB5b3Un cmUgYXNraW5nIGZvci4NCg0KDQo+IDMtIFdpdGggdGhpcyDCqyBkaWFtb25kIGNvbmZpZ3VyYXRp b24gwrssIHNpbmNlIHNldmVyYWwgdUNETiBjYW4gYWN0IHVwb24gdGhlDQo+IHNhbWUgY29udGVu dCwgd2hhdCBoYXBwZW5zIGlmIHRoZXkgYmVoYXZlIGluIGEgbm9uIGNvb3JkaW5hdGVkIG1hbm5l ciAoaS5lLiwNCj4gaW4gdGhlIGdlbmVyYWwgY2FzZSk/IEZvciBpbnN0YW5jZSBsZXTigJlzIGlt YWdpbmUgb25lIG9mIHRoZW0gYXNrcyB0aGUgZENETg0KPiB0byBkZWxldGUgdGhlIGNvbnRlbnQg b3IgY2FuY2VsIHRoZSBpbml0aWFsIGNvbW1hbmQuIFdoYXQgaGFwcGVucyBpZiBhbm90aGVyDQo+ IHVDRE4gdGhlbiBhc2tzIHRoZSBkQ0ROIHRvIGludmFsaWRhdGUgdGhpcyBjb250ZW50LCBwcm92 aWRpbmcgdGhlIFVSTCBvZiB0aGUNCj4gVHJpZ2dlciBTdGF0dXMgUmVzb3VyY2Ugd2hpY2ggKGlm IEkgdW5kZXJzdGFuZCBjb3JyZWN0bHkpIGlzIG5vIGxvbmdlciB2YWxpZD8NCj4gVGhpcyDCqyBk aWFtb25kIGNvbmZpZ3VyYXRpb24gwrsgY2FuIGJlIGEgbGl0dGxlIGJpdCB0cmlja3kgYW5kIG5v IGNsZWFyDQo+IGd1aWRlbGluZSBpcyBwcm92aWRlZCBpbiB0aGUgZG9jdW1lbnQuDQoNCkEgdHJp Z2dlciBzdGF0dXMgcmVzb3VyY2UgYmVsb25ncyB0byBvbmUgdUNETiBhbmQgY2Fubm90IGJlIGFj Y2Vzc2VkIG9yDQptYW5pcHVsYXRlZCBieSBhbnkgb3RoZXIgQ0ROLCBzZWN0aW9uIDMgcGFyYSAz IHNheXM6DQoNCiAgIFRyaWdnZXIgU3RhdHVzIFJlc291cmNlcyBiZWxvbmdpbmcgdG8gYSB1Q0RO IE1VU1QgTk9UDQogICBiZSB2aXNpYmxlIHRvIGFueSBvdGhlciBDRE4uIFRoZSBkQ0ROIGNvdWxk LCBmb3IgZXhhbXBsZSwgYWNoaWV2ZQ0KICAgdGhpcyBieSBvZmZlcmluZyBkaWZmZXJlbnQgY29s bGVjdGlvbiBVUkxzIHRvIGVhY2ggdUNETiwgYW5kL29yIGJ5DQogICBmaWx0ZXJpbmcgdGhlIHJl c3BvbnNlIGJhc2VkIG9uIHRoZSB1Q0ROIHdpdGggd2hpY2ggdGhlIEhUVFAgY2xpZW50DQogICBp cyBhc3NvY2lhdGVkLg0KDQpDb250ZW50IGFsd2F5cyBvcmlnaW5hdGVzIGZyb20gb25lIHVDRE4s IGJ1dCBpbiBhIGRpYW1vbmQgY29uZmlncmF0aW9uIHRoZXJlDQptYXkgYmUgbXVsdGlwbGUgcm91 dGVzICh2aWEgb3RoZXIgQ0ROcykgdG8gYSBnaXZlbiBkQ0ROLg0KDQpUaGUgbW9zdCBjb21tb24g c2NlbmFyaW8gbWF5IHdlbGwgYmUgdGhhdCB0aGUgdUNETiB3aWxsIGluaXRpYXRlIGFsbCBvZiB0 aGUNCkNJL1QgY29tbWFuZHMgcmVsYXRlZCB0byBpdHMgY29udGVudCwgYW5kIHRob3NlIGNvbW1h bmRzIHdpbGwgc2ltcGx5IGJlDQpmb3J3YXJkZWQgYnkgaW50ZXJtZWRpYXRlIENETnMuDQoNCkJ1 dCwgdGhlcmUncyBub3RoaW5nIHRvIHN0b3AgYW4gaW50ZXJtZWRpYXRlIENETiBpbml0aWF0aW5n IG9yIG1vZGlmeWluZw0KQ0kvVCBjb21tYW5kcyAtIGFuZCBzb21lIG1vZGlmaWNhdGlvbnMgb2Yg dGhlIGNvbW1hbmQgd2lsbCBiZSBuZWNlc3NhcnkNCihmb3IgZXhhbXBsZSwgbWV0YWRhdGEgVVJM cyB3aWxsIG5lZWQgdG8gYmUgY2hhbmdlZCkuDQoNCkJ5IGFuYWx5c2lzIG9mIGxvZyBmaWxlcyBp dCB3aWxsIHByb2JhYmx5IGJlIHBvc3NpYmxlIHRvIHdvcmsgb3V0IHdoaWNoDQp1Q0ROIGFuIGlu ZGl2aWR1YWwgY2FjaGUgaW4gdGhlIGRDRE4gYWNxdWlyZWQgZWFjaCBjYWNoZWQgcmVzb3VyY2Ug ZnJvbS4NCkJ1dCB0aGUgY2FjaGUgaXMgbm90IHJlcXVpcmVkIHRvIGtlZXAgYSBsaXZlIHJlY29y ZCBvZiB0aGF0LCBhbmQgaXQNCnByb2JhYmx5IHdvbid0LiBJbiB0aGF0IGNhc2UsIHdoZW4gaXQg cmVjZWl2ZXMgYSBDSS9UIGNvbW1hbmQgdG8gaW52YWxpZGF0ZQ0Kb3IgcHVyZ2UgY29udGVudCwg dGhlIGRDRE4gc2hvdWxkIGFwcGx5IHRoYXQgY29tbWFuZCB0byBhbnkgY29udGVudCBpdA0KbWF5 IGhhdmUgYWNxdWlyZWQgZnJvbSB0aGUgdUNETiBpdCBnb3QgdGhlIENJL1QgY29tbWFuZCBmcm9t Lg0KDQpTbyB0aGVyZSBpcyBzY29wZSBmb3IgYSBtYWxpY2lvdXMgaW50ZXJtZWRpYXRlIENETiB0 byBjYXVzZSBleHRyYSBwcm9jZXNzaW5nDQphbmQgYWNxdWlzaXRpb24gYnkgYSBkQ0ROIChhbmQg dGhhdCdzIG1lbnRpb25lZCBpbiBzZWN0aW9uIDgpLiBCdXQgYQ0KbWFsaWNpb3VzIENETiBpcyBs aWtlbHkgdG8gZmluZCBpdHNlbGYgcmVtb3ZlZCBmcm9tIHRoZSBDRE4gZmVkZXJhdGlvbiBmYWly bHkNCnF1aWNrbHkgLSB0aGVyZSB3aWxsIG5lY2Vzc2FyaWx5IGJlIGEgbGV2ZWwgb2YgdHJ1c3Qg YmV0d2VlbiBpbnRlcmNvbm5lY3RlZA0KQ0ROcy4NCg0KV291bGQgaXQgaGVscCB0byBzcGVsbCBv dXQgc29tZSBvZiB0aGF0IGluIHRoZSBkcmFmdD8gKFRoZSBzYW1lIG9yIHZlcnkNCnNpbWlsYXIg dGV4dCBoYXMgYmVlbiB1c2VkIGluIHNldmVyYWwgb2YgdGhlIENETkkgZHJhZnRzLikNCg0KDQo+ IDQtIENvbmNlcm5pbmcgcHJpdmFjeSBhc3BlY3RzLCBJIHdvdWxkIGJlIG11Y2ggbW9yZSBjYXV0 aW91cyB0aGFuIHRoZSBhdXRob3JzLg0KPiBGb3IgaW5zdGFuY2UsIEkgd291bGRuJ3QgY2xhaW0g InRoZXJlIGFyZSBubyBwcml2YWN5IGNvbmNlcm5zIGZvciBFbmQgVXNlcnMiDQo+IGJlY2F1c2Ug dGhlIENJL1QgcHJvdG9jb2wgZG9lcyBub3QgY2FycnkgaW5mb3JtYXRpb24gYWJvdXQgaW5kaXZp ZHVhbCBFbmQNCj4gVXNlcnMgKHNlY3Rpb24gOC4zKS4gVGhlIGRDRE4ga25vd3MgdGhhdCB0aGVy ZSBhcmUgdXNlcnMgaW50ZXJlc3RlZCAob3IgYXQNCj4gdGhlIG9wcG9zaXRlIG5vIHVzZXIgaW50 ZXJlc3RlZCkgYnkgYSBjZXJ0YWluIGNvbnRlbnQgaW4gdGhlIHJlZ2lvbiBzZXJ2ZWQNCj4gYnkg YSB1Q0ROLiBUaGVyZWZvcmUsIHRoZSBwcm90b2NvbCBvbmx5IHByb3ZpZGVzIGstYW5vbnltaXR5 LCB3aGVyZSBrIGlzIHRoZQ0KPiBudW1iZXIgb2YgRW5kIFVzZXJzIGluIHRoZSByZWdpb24uIERl cGVuZGluZyBvbiB0aGUgY29udGVudCBzZW5zaXRpdml0eSBhbmQNCj4gayB2YWx1ZSwgdGhpcyBr LWFub255bWl0eSBtYXkgc3RpbGwgcmFpc2UgcHJpdmFjeSBpc3N1ZXMsIGV2ZW4gaWYgdGhlDQo+ IGluZGl2aWR1YWwgRW5kIFVzZXIgYWN0aXZpdHkgbG9ncyBhcmUgbm90IGF2YWlsYWJsZSB0byB0 aGUgZENETiAoSSBhc3N1bWUNCj4gVExTIGlzIHVzZWQgdG8gcHJldmVudCBlYXZlc2Ryb3BwaW5n 4oCmKS4NCg0KSSBkb24ndCB0aGluayB0aGF0IGFuYWx5c2lzIGlzIGNvcnJlY3QuLi4NCg0KSXJy ZXNwZWN0aXZlIG9mIENJL1QsIHRoZSBkQ0ROIHdpbGwgYWx3YXlzIGtub3cgd2hvJ3MgYWNjZXNz aW5nIHRoZSBjb250ZW50LA0KY2xpZW50cyBhcmUgbWFraW5nIHRoZWlyIHJlcXVlc3RzIGRpcmVj dGx5IHRvIGl0Lg0KDQpUaGUgQ0kvVCBpbnRlcmZhY2UgaXMgb25seSBhIHNtYWxsIHBhcnQgb2Yg Q0ROIEludGVyY29ubmVjdGlvbi4gVGhlcmUgYXJlDQpvdGhlciBpbnRlcmZhY2VzIGZvciBkaXN0 cmlidXRpb24gb2YgbWV0YWRhdGEsIHJlcXVlc3Qgcm91dGluZywgYW5kIHJldHJpZXZhbA0Kb2Yg ZENETiBsb2cgZmlsZXMgYnkgdGhlIHVDRE4uDQoNClNpZ25pZmljYW50IHdvcmsgd2VudCBpbiB0 byB0aGUgQ0ROSSBsb2dnaW5nIGludGVyZmFjZSB0byBtYWtlIGl0IHBvc3NpYmxlDQp0byBhbm9u eW1pc2UvYWdncmVnYXRlIGVuZC1jbGllbnQgaW5mb3JtYXRpb24gYmVmb3JlIHNoYXJpbmcgaXQg d2l0aCBhDQp1Q0ROIC0gYnV0IHRoYXQncyBub3QgcmVsZXZhbnQgdG8gdGhlIENJL1QgaW50ZXJm YWNlLCB3aGljaCBkb2VzIG5vdCBjYXJyeQ0KYW55IGVuZC11c2VyIHNwZWNpZmljIGluZm9ybWF0 aW9uLg0KDQpUaGUgQ0kvVCBpbnRlcmZhY2UgZG9lcyBub3QgZXhwb3NlIGFueSBkQ0ROIGluZm9y bWF0aW9uIGFib3V0IGVuZC1jbGllbnRzIHRvDQp0aGUgdUNETi4NCg0KDQo+IFR5cG86DQo+DQo+ ICoqIFNlY3Rpb24gOC4zOiDCqyAuLi4gcHJldmVudHMgcGFydGllcyBvdGhlciBwYXJ0eS4uLiIN Cg0KV2lsbCBmaXgsIHRoYW5rcy4NCg0KDQo+IENoZWVycywNCj4NCj4gIFZpbmNlbnQNCg0K From nobody Wed Jan 6 00:27:45 2016 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B15231A89A0; Wed, 6 Jan 2016 00:27:43 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.56 X-Spam-Level: X-Spam-Status: No, score=-6.56 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oeqXJ_44L3Ln; Wed, 6 Jan 2016 00:27:40 -0800 (PST) Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 195781A8997; Wed, 6 Jan 2016 00:27:39 -0800 (PST) X-IronPort-AV: E=Sophos;i="5.20,528,1444687200"; d="asc'?scan'208";a="195815698" Received: from geve.inrialpes.fr ([194.199.24.116]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-SHA; 06 Jan 2016 09:27:38 +0100 Mime-Version: 1.0 (Mac OS X Mail 8.2 $2104$) Content-Type: multipart/signed; boundary="Apple-Mail=_CB7C5BBA-397B-4033-B4B8-357BB548950F"; protocol="application/pgp-signature"; micalg=pgp-sha512 X-Pgp-Agent: GPGMail 2.5.2 From: Vincent Roca In-Reply-To: Date: Wed, 6 Jan 2016 09:27:37 +0100 Message-Id: References:

To: "Murray, Rob (Rob)" X-Mailer: Apple Mail (2.2104) Archived-At: Cc: "draft-ietf-cdni-control-triggers@tools.ietf.org" , IESG , "secdir@ietf.org" Subject: Re: [secdir] Secdir review of draft-ietf-cdni-control-triggers-11 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Jan 2016 08:27:43 -0000 --Apple-Mail=_CB7C5BBA-397B-4033-B4B8-357BB548950F Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Hello Rob, > Hi Vincent - many thanks for the review, responses inline below=E2=80=A6= You=E2=80=99re welcome. >> There are several topics I=E2=80=99d like to discuss: >>=20 >> 1- Concerning the use of TLS to carry CI/T traffic, I see it is = mandatory >> to implement, but still optional to use (1st sentence of Section = 8.1). Is >> it still reasonable in current Internet? At a minimum I would expect = a >> =C2=AB MUST support =C2=BB / =C2=AB SHOULD use =C2=BB. >=20 > Section 8.1 goes on to say ... >=20 > [ ... description of benefits of HTTPS ... ] >=20 > In an environment where any such protection is required, mutually > authenticated encrypted transport MUST be used to ensure > confidentiality of the CI/T information. To that end, TLS MUST be > used by CI/T, including authentication of the remote end. >=20 > ... the Internet is clearly an environment where such protection is > required, and it'll often be used for these interfaces - we could = state > that explicitly, would that address the concern? >=20 > But, CI/T could also be deployed to run over a VPN or private network > between two interconnected CDNs, in such an environment HTTPS = transport > would not have the same benefits. Yes, that=E2=80=99s my point. Say explicitly that Internet is an example = of environment where such a protection is mandatory. >> 2- Section 8.1, please check the paragraph =C2=AB Note that in a =C2=AB= diamond =C2=BB >> configuration [=E2=80=A6] =C2=BB. This paragraph is rather confusing = to me. Confusion >> comes from: >> - the lack of description of the =C2=AB diamond configuration =C2=BB. = I understand >> there is one dCDN on top and multiple uCDN directly connected below, = am I >> right? >=20 > Yes, that's right. The draft says: >=20 > Note that in a "diamond" configuration, where one uCDN's content can > be acquired via more than one directly-connected uCDN, >=20 > Would the following rearrangement help? ... >=20 > A "diamond" configuration is one where a dCDN can acquire a uCDN's > content via more than one directly-connected uCDN. Note that > in a diamond configuration [=E2=80=A6] Yes, I prefer this version. However, can the same =C2=AB uCDN=E2=80=99s = content =C2=BB be available at several uCDNs in this diamond configuration? Said = differently, what about the following text: A =C2=AB diamond =C2=BB configuration is one where a dCDN can = acquire a given content via more than one directly-connected uCDN. Note that = [=E2=80=A6] >> - the notion of =C2=AB content acquired from a uCDN =C2=BB. If I = understand correctly, >> it means =C2=AB content that has been acquired after a uCDN request = to do so =C2=BB. >> I initially thought there were some mistakes in the use of uCDN / = dCDN=E2=80=A6 >=20 > A dCDN will always acquire content from a uCDN because it's been = requested > to do so (without a request it won't know the URL in the uCDN). >=20 > The request can be from an end-client or a further-downstream CDN, in = which > case the content will be acquired on-demand, or it can be a CI/T > pre-positioning request from a uCDN. >=20 > Does that help? I=E2=80=99m not sure what change or clarification = you're asking for. Forget my comment, I misunderstood the notion of uCDN=E2=80=A6 I should = have read RFC 6707 before! >> 3- With this =C2=AB diamond configuration =C2=BB, since several uCDN = can act upon the >> same content, what happens if they behave in a non coordinated manner = (i.e., >> in the general case)? For instance let=E2=80=99s imagine one of them = asks the dCDN >> to delete the content or cancel the initial command. What happens if = another >> uCDN then asks the dCDN to invalidate this content, providing the URL = of the >> Trigger Status Resource which (if I understand correctly) is no = longer valid? >> This =C2=AB diamond configuration =C2=BB can be a little bit tricky = and no clear >> guideline is provided in the document. >=20 > A trigger status resource belongs to one uCDN and cannot be accessed = or > manipulated by any other CDN, section 3 para 3 says: >=20 > Trigger Status Resources belonging to a uCDN MUST NOT > be visible to any other CDN. The dCDN could, for example, achieve > this by offering different collection URLs to each uCDN, and/or by > filtering the response based on the uCDN with which the HTTP client > is associated. I see=E2=80=A6 However, if multiple uCDNs can act on the same content = (what is said), even if each uCDN uses a different URL, will simultaneous CI/T commands = for the same content be managed correctly? This is not said in section 3 paragraph 3 either and this is a key point. > Content always originates from one uCDN, but in a diamond configration = there > may be multiple routes (via other CDNs) to a given dCDN. >=20 > The most common scenario may well be that the uCDN will initiate all = of the > CI/T commands related to its content, and those commands will simply = be > forwarded by intermediate CDNs. >=20 > But, there's nothing to stop an intermediate CDN initiating or = modifying > CI/T commands - and some modifications of the command will be = necessary > (for example, metadata URLs will need to be changed). >=20 > By analysis of log files it will probably be possible to work out = which > uCDN an individual cache in the dCDN acquired each cached resource = from. > But the cache is not required to keep a live record of that, and it > probably won't. In that case, when it receives a CI/T command to = invalidate > or purge content, the dCDN should apply that command to any content it > may have acquired from the uCDN it got the CI/T command from. >=20 > So there is scope for a malicious intermediate CDN to cause extra = processing > and acquisition by a dCDN (and that's mentioned in section 8). But a > malicious CDN is likely to find itself removed from the CDN federation = fairly > quickly - there will necessarily be a level of trust between = interconnected > CDNs. >=20 > Would it help to spell out some of that in the draft? (The same or = very > similar text has been used in several of the CDNI drafts.) Yes, this paragraph is worth being detailed a little bit. In your explanations you mention intermediate CDNs while original text = only mentions directly connected uCDNs. The notion of =C2=AB intermediate CDN = =C2=BB is only discussed in sections 2.3 and 4.8. Since malicious intermediate = CDNs are part of a valid attack model, it is worth to explain it (or give a = reference to another document). >> 4- Concerning privacy aspects, I would be much more cautious than the = authors. >> For instance, I wouldn't claim "there are no privacy concerns for End = Users" >> because the CI/T protocol does not carry information about individual = End >> Users (section 8.3). The dCDN knows that there are users interested = (or at >> the opposite no user interested) by a certain content in the region = served >> by a uCDN. Therefore, the protocol only provides k-anonymity, where k = is the >> number of End Users in the region. Depending on the content = sensitivity and >> k value, this k-anonymity may still raise privacy issues, even if the >> individual End User activity logs are not available to the dCDN (I = assume >> TLS is used to prevent eavesdropping=E2=80=A6). >=20 > I don't think that analysis is correct... >=20 > Irrespective of CI/T, the dCDN will always know who's accessing the = content, > clients are making their requests directly to it. >=20 > The CI/T interface is only a small part of CDN Interconnection. There = are > other interfaces for distribution of metadata, request routing, and = retrieval > of dCDN log files by the uCDN. >=20 > Significant work went in to the CDNI logging interface to make it = possible > to anonymise/aggregate end-client information before sharing it with a > uCDN - but that's not relevant to the CI/T interface, which does not = carry > any end-user specific information. >=20 > The CI/T interface does not expose any dCDN information about = end-clients to > the uCDN. My comment is also caused by my misunderstanding of uCDN in the = architecture. So yes, I agree with you that there=E2=80=99s no privacy issue here. In any case, thanks for your detailed answer. And sorry for my = misunderstanding of the architecture. Cheers, Vincent --Apple-Mail=_CB7C5BBA-397B-4033-B4B8-357BB548950F Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJWjM/5AAoJEHBYw8t72N4rlB8P/3nG188/R0gAlDtK+oELM82P yBk+gfHDdzBKoEW8LTeW/6WD4/TnkN/LY3aWEDHB5Q++l7l14xfLhcQeGEsz7qes 4UBs828xjCHvougxIa5Uja6UB+ilQ+9H8kkqcRUccWdafvXNTgDLwYd7LGrCwLJG yLgblqWJcQ7Ot/bCq/koYqScG6SGGbwZBRi9FeBAtoJb4Xlq7vKXiV+zslWOyglP I1HS2ZUlKysYzMKv8eBXLM2enWveIWLvjYSBRSxa5pFL81fLomQPGL8NU/T0NHl2 zq4dw7i7BGTwdewz04WaSQ4MXIarlDCbTJtU0BHO1AHPoKLd2xfTOov0oweALWqk 6deUHMUccjasw1bsH2013QQRkMkfzyFhTDnkxFk3zIWgD8PI1g+HCfHXtBn+2JCF /mCHnIjGcW7vFR99Q4y3NXdiAOWdKIAgkLQXYE5+NtFp8XFXfFcW9dIIWbqllNwO H9Ymi5z0vUFPAnZW/SSBJQXgtRRG0UIU94O0ioJrnu3+R/jyBlORHA32bDx1HR3x AaJ9vqhegsRzaeNGEY48v59/6v8TgrNFEmo54e45AodNdoQJzI7G2kYJl57ic4qw wLIQtw38ZVYlCRRkmVkBtMr2sY5HgbrXC0qW34a0epM6MACihy5E9nmJYEOegCMW jFXn5wlYALetRZOHO3Ho =QW4a -----END PGP SIGNATURE----- --Apple-Mail=_CB7C5BBA-397B-4033-B4B8-357BB548950F-- From nobody Wed Jan 6 04:10:27 2016 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 260421ACD45 for ; Wed, 6 Jan 2016 00:31:05 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.379 X-Spam-Level: X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OtCUWrH3XyjX for ; Wed, 6 Jan 2016 00:31:03 -0800 (PST) Received: from mail-ig0-x235.google.com (mail-ig0-x235.google.com [IPv6:2607:f8b0:4001:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 019A21ACCEC for ; Wed, 6 Jan 2016 00:31:02 -0800 (PST) Received: by mail-ig0-x235.google.com with SMTP id ik10so27869759igb.1 for ; Wed, 06 Jan 2016 00:31:02 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tieto.com; s=google; h=from:references:in-reply-to:mime-version:thread-index:date :message-id:subject:to:content-type:content-transfer-encoding; bh=ghaVLOM4qseeuAytHfJVO/qm3cP/H8kAmkakq6mcmPA=; b=acNNCR7c1dkM9eWr/GyvLTAsgnNkd0cnHyLqPdXSL56PZUEl1wnBFUoNfyEdm4h1kM 5BsuAr8guqzaCzuGuyPbuaJjNw2lfJGpQdGTACcKtdMFkqwomF7eyyKmu0eAmUFniQIt 7Vi1JUNm+WgInQQby2cQ6o/OYvInzVsjbvYWk= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:references:in-reply-to:mime-version :thread-index:date:message-id:subject:to:content-type :content-transfer-encoding; bh=ghaVLOM4qseeuAytHfJVO/qm3cP/H8kAmkakq6mcmPA=; b=g0icQbSPv+SszQF9tGN6jAg3bl+684VaTnC60UTCsIaa0xBEBNFbhsCJN4ayL5kDZx iHSOAT5Dxv5XbJJ9FLeJgCJE7dj/tQQWTnPMzo5xyBnxowB66bmAUsMVfWc2VG7IaJ/v alVBdnJRAQjH3wLqyn2in1rHpYcYXmNh8ru8sydji9EVovo5d1Br/6qeHe9AGulKRRg5 yT8tJSvQyWk4s70Y2yWnlIPbh6O7Jj9Bv9p+x4A4QCLXMpUqyj3sfFyA7xdTiNN8nj3c kKOi9BydeQxa9j9rh4b060AB7qh5p3xWx5SKBx9N+G8mTZTze4LVMzwonL7UybHX2mUy zqDA== X-Gm-Message-State: ALoCoQlEw2bLxR8mIMTnqLvE9tG+uNLAIua2o8qjXtNsLmgTa/DSjluNNBes/AdXNKVhqrM60gOMVB0tg4iBwtbOY3vBlMq+yvLE/OzacCA8Xqt4N3ekyX0l2GHcQj54sGdHWtc1Zjm4FAk5rHCxNCV9w1gMLVIPsg== X-Received: by 10.50.128.198 with SMTP id nq6mr7992984igb.96.1452069061676; Wed, 06 Jan 2016 00:31:01 -0800 (PST) From: Karen Elisabeth Egede Nielsen References: <5674683F.30308@nostrum.com> In-Reply-To: <5674683F.30308@nostrum.com> MIME-Version: 1.0 X-Mailer: Microsoft Outlook 15.0 Thread-Index: AQIPY17I5aUwGrMMl8p8hgIOJvXwg55x7j4A Date: Wed, 6 Jan 2016 09:31:00 +0100 Message-ID: <4abd43f956e62870df92d15cb8662b36@mail.gmail.com> To: Robert Sparks , secdir@ietf.org, iesg@ietf.org, draft-ietf-tsvwg-sctp-failover.all@ietf.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-DomainID: tieto.com Archived-At: X-Mailman-Approved-At: Wed, 06 Jan 2016 04:10:26 -0800 Subject: Re: [secdir] Secdir review: draft-ietf-tsvwg-sctp-failover-14 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Jan 2016 08:31:05 -0000 Hi Robert, Thanks a lot for your comments. Please find feedback inline below. BR, Karen > -----Original Message----- > From: Robert Sparks [mailto:rjsparks@nostrum.com] > Sent: 18. december 2015 21:11 > To: secdir@ietf.org; iesg@ietf.org; > draft-ietf-tsvwg-sctp-failover.all@ietf.org > Subject: Secdir review: draft-ietf-tsvwg-sctp-failover-14 > > I have reviewed this document as part of the security directorate's > ongoing > effort to review all IETF documents being processed by the IESG. These > comments were written primarily for the benefit of the security area > directors. Document editors and WG chairs should treat these comments > just like any other last call comments. > > Summary: Ready for publication as Proposed Standard but with nits that > should be considered > > This document defines a set of new SCTP sender behaviors that lead to > quicker failover. The behaviors have an obvious security consideration (i= t > is > much easier for an attacker trigger failover, and potentially steer > traffic to the > most favorable of the available paths for the attacker's purposes). The > document makes this very clear, and has a reasonable discussion in the > Security Considerations section. > > The shepherd writeup notes that what is here is widely (if partially in > some > cases) implemented and deployed. > > There are a few places I suggest would benefit from more attention: > > There are several places in the text that allow (MAY) the sender to choos= e > not to behave in the manner this document is trying to standardize. See > item > B in section 3.2, and item C in section 4 for example. These seem out of > place > - if something is doing those things, you might as well say they're > implementing some other unstandardized extension for failover. Why do > you need to include these statements? [Karen Elisabeth Egede Nielsen] The motivation for including the statements is to motivate the SHOULD statements (and to qualify the usage of SHOULD opposed to MUST). We have understood that such clarification was desirable (?). However for clarity in the specification we would be very happy to follow your guidance and remove the MAY paragraphs in section 3.2 and in section 4. We would however not like to use MUSTs. Would this action address your concerns ? > They don't standardize whatever private "because I know better" behavior > the endpoints they are discussing are engaging in. Consider deleting them= , > or > restructuring the text to make this look less like protocol definition. > (It's > particularly odd that B in 3.2 uses MAY, but A does not use SHOULD). > [Karen Elisabeth Egede Nielsen] The reason A does not use a SHOULD is because the RFC4960 text does not use a capital SHOULD. But perhaps we coul= d use a capital SHOULD in SCTP-PF even if we are referring to text that uses a non-capital should in RC4960 ? > The third paragraph of section 4 has a "does not compromise the fault > tolerance" condition, leaving what would be considered a compromise very > vague. Again, an endpoint choosing a different dormant state operation > than > the one you're standardizing here isn't behaving in a standard way. > Why do you need this paragraph? If you're going to keep it, consider > pointing > to or providing more discussion on what you mean by the condition. > > There are many unusual phrases used in the text. These are harder to read > than they need to be, and will be even harder to translate. Please > consider > an editorial pass _before_ this is in the RFC Editor's hands. > Search for "compromisation", "at exceed of which", "failover to deploy", > and > "unequivocally information" to get a feel for what I'm pointing to. > > [Karen Elisabeth Egede Nielsen] Thanks. #1: Compromisation/compromise: We could use =E2=80=9Clower/lowering off/decrease=E2=80=9D to be more preci= se. Would you think this would resolve your concern ? #2: Exceed of which: The PFMR defines the new intermediate PF threshold on the destination address error counter at exceed of which the destination address is classified as PF. We can reformulate to: The PFMR defines the new intermediate PF threshold on the destination address error counter. When this threshold is exceeded, the destination address is classified as PF. Would you think this would resolve your concern ? #3: Failover to deploy: i When there is outbound data to send and the destination address presently used for data transmission is in PF state, the sender SHOULD choose a destination address in active state, if one exists, and failover to deploy this destination address for data transmission. We can reformulate: i When there is outbound data to send and the destination address presently used for data transmission is in PF state, the sender SHOULD choose a destination address in active state, if one exists and deploy this destination address for data transmission. Would you think this would resolve your concern ? #4: unequivocally information: This would go away if we removed the MAY statement as suggested above. > > > > From nobody Wed Jan 6 07:33:43 2016 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 712501A8776; Wed, 6 Jan 2016 07:33:41 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.91 X-Spam-Level: X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L3E_gS9yT9KK; Wed, 6 Jan 2016 07:33:39 -0800 (PST) Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 645631A8768; Wed, 6 Jan 2016 07:33:33 -0800 (PST) Received: from unnumerable.local (pool-96-226-213-187.dllstx.fios.verizon.net [96.226.213.187]) (authenticated bits=0) by nostrum.com (8.15.2/8.14.9) with ESMTPSA id u06FXV5m024634 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=OK); Wed, 6 Jan 2016 09:33:32 -0600 (CST) (envelope-from rjsparks@nostrum.com) X-Authentication-Warning: raven.nostrum.com: Host pool-96-226-213-187.dllstx.fios.verizon.net [96.226.213.187] claimed to be unnumerable.local To: Karen Elisabeth Egede Nielsen , secdir@ietf.org, iesg@ietf.org, draft-ietf-tsvwg-sctp-failover.all@ietf.org References: <5674683F.30308@nostrum.com> <4abd43f956e62870df92d15cb8662b36@mail.gmail.com> From: Robert Sparks Message-ID: <568D33CC.1010804@nostrum.com> Date: Wed, 6 Jan 2016 09:33:32 -0600 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.5.0 MIME-Version: 1.0 In-Reply-To: <4abd43f956e62870df92d15cb8662b36@mail.gmail.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit Archived-At: Subject: Re: [secdir] Secdir review: draft-ietf-tsvwg-sctp-failover-14 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Jan 2016 15:33:41 -0000 On 1/6/16 2:31 AM, Karen Elisabeth Egede Nielsen wrote: > Hi Robert, > > Thanks a lot for your comments. > Please find feedback inline below. > > BR, Karen > >> -----Original Message----- >> From: Robert Sparks [mailto:rjsparks@nostrum.com] >> Sent: 18. december 2015 21:11 >> To: secdir@ietf.org; iesg@ietf.org; >> draft-ietf-tsvwg-sctp-failover.all@ietf.org >> Subject: Secdir review: draft-ietf-tsvwg-sctp-failover-14 >> >> I have reviewed this document as part of the security directorate's >> ongoing >> effort to review all IETF documents being processed by the IESG. These >> comments were written primarily for the benefit of the security area >> directors. Document editors and WG chairs should treat these comments >> just like any other last call comments. >> >> Summary: Ready for publication as Proposed Standard but with nits that >> should be considered >> >> This document defines a set of new SCTP sender behaviors that lead to >> quicker failover. The behaviors have an obvious security consideration (it >> is >> much easier for an attacker trigger failover, and potentially steer >> traffic to the >> most favorable of the available paths for the attacker's purposes). The >> document makes this very clear, and has a reasonable discussion in the >> Security Considerations section. >> >> The shepherd writeup notes that what is here is widely (if partially in >> some >> cases) implemented and deployed. >> >> There are a few places I suggest would benefit from more attention: >> >> There are several places in the text that allow (MAY) the sender to choose >> not to behave in the manner this document is trying to standardize. See >> item >> B in section 3.2, and item C in section 4 for example. These seem out of >> place >> - if something is doing those things, you might as well say they're >> implementing some other unstandardized extension for failover. Why do >> you need to include these statements? > [Karen Elisabeth Egede Nielsen] The motivation for including the statements > is to motivate the SHOULD statements (and to qualify the usage of SHOULD > opposed to MUST). > We have understood that such clarification was desirable (?). > > However for clarity in the specification we would be > very happy to follow your guidance and remove the MAY paragraphs in section > 3.2 and in section 4. > We would however not like to use MUSTs. > > Would this action address your concerns ? The document should provide explanation when using a SHOULD to let implementers know what circumstances warrant not following the SHOULD. What are the risks? In this particular case, you're saying "The implementation SHOULD do this standard thing, but it MAY go do some nonstandard thing". That does not make sense. _WHY_ do you not want to use MUSTs? If its only so that someone can go do non-standard things, say MUST. Some implementations do proprietary things all the time - they're just not working in a standardized way. If its because you think some other document will come along later and define a different, but still standardized behavior, use MUST and have that document update this one when the time comes. > > > >> They don't standardize whatever private "because I know better" behavior >> the endpoints they are discussing are engaging in. Consider deleting them, >> or >> restructuring the text to make this look less like protocol definition. >> (It's >> particularly odd that B in 3.2 uses MAY, but A does not use SHOULD). >> > [Karen Elisabeth Egede Nielsen] The reason A does not use a SHOULD is > because the RFC4960 text does not use a capital SHOULD. Because 4960 is (implicitly) saying MUST. If you implement 4960, you do what 6.4.1 says. I think you're pointing to the "should try to send" inside 6.4.1 - you are not making the same statement in this document. As this sentence is written, this extension to SCTP says the implementation SHOULD follow the SCTP spec, which does not make sense. My preference would be that you remove B (as argued above), and simply say "When choosing amng multiple destination addresses in active state an SCTP sender will follow the guiding principles in section 6.4.1 of [RFC4960] of choosing most divergent source-destination pairs..." > But perhaps we could > use > a capital SHOULD in SCTP-PF even if we are referring to text that uses a > non-capital should in RC4960 ? > >> The third paragraph of section 4 has a "does not compromise the fault >> tolerance" condition, leaving what would be considered a compromise very >> vague. Again, an endpoint choosing a different dormant state operation >> than >> the one you're standardizing here isn't behaving in a standard way. >> Why do you need this paragraph? If you're going to keep it, consider >> pointing >> to or providing more discussion on what you mean by the condition. >> >> There are many unusual phrases used in the text. These are harder to read >> than they need to be, and will be even harder to translate. Please >> consider >> an editorial pass _before_ this is in the RFC Editor's hands. >> Search for "compromisation", "at exceed of which", "failover to deploy", >> and >> "unequivocally information" to get a feel for what I'm pointing to. >> >> > [Karen Elisabeth Egede Nielsen] > Thanks. I've responded to the instances below inline, but please note that I did not provide an exhaustive list - these were examples. Please look through the rest of the document for other opportunities to simplify the text. > > #1: Compromisation/compromise: > > We could use “lower/lowering off/decrease” to be more precise. > > Would you think this would resolve your concern ? Yes, you're on the right track. > > #2: Exceed of which: > > The PFMR defines > the new intermediate PF threshold on the destination address > error counter at exceed of which the destination address is > classified as PF. > > We can reformulate to: > > The PFMR defines > the new intermediate PF threshold on the destination address > error counter. When this threshold is exceeded, the destination > address is > classified as PF. > > Would you think this would resolve your concern ? yes > > #3: Failover to deploy: > > i When there is outbound data to send and the destination > address presently used for data transmission is in PF state, > the sender SHOULD choose a destination address in active > state, if one exists, and failover to deploy this destination > address for data transmission. > > We can reformulate: > > i When there is outbound data to send and the destination > address presently used for data transmission is in PF state, > the sender SHOULD choose a destination address in active > state, if one exists and deploy this destination > address for data transmission. > > Would you think this would resolve your concern ? instead of 'deploy' consider saying 'use'? > > #4: unequivocally information: > > This would go away if we removed the MAY statement as suggested above. ack. > >> >> >> From nobody Thu Jan 7 04:51:46 2016 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B5181A897E for ; Thu, 7 Jan 2016 04:51:44 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.121 X-Spam-Level: X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NbuURqslqLvs for ; Thu, 7 Jan 2016 04:51:42 -0800 (PST) Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E506E1A8966 for ; Thu, 7 Jan 2016 04:51:41 -0800 (PST) Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.14.8) with ESMTPS id u07CpbHm018322 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Thu, 7 Jan 2016 14:51:37 +0200 (EET) Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id u07CpbEx016539; Thu, 7 Jan 2016 14:51:37 +0200 (EET) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <22158.24409.570434.999060@fireball.acr.fi> Date: Thu, 7 Jan 2016 14:51:37 +0200 From: Tero Kivinen To: secdir@ietf.org X-Edit-Time: 0 min X-Total-Time: 0 min Archived-At: Subject: [secdir] Assignments X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: secdir-secretary@mit.edu List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jan 2016 12:51:44 -0000 Review instructions and related resources are at: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview Tobias Gondrom is next in the rotation. For telechat 2016-01-07 Reviewer LC end Draft Steve Hanna T 2015-11-30 draft-ietf-dnsop-edns-tcp-keepalive-05 Chris Inacio T 2015-12-07 draft-ietf-dnsop-5966bis-05 Russ Mundy T 2015-12-21 draft-leiba-netmod-regpolicy-update-02 Joe Salowey TR2015-09-07 draft-josefsson-scrypt-kdf-04 Rich Salz T 2015-12-21 draft-ietf-isis-pcr-04 For telechat 2016-01-21 Alan DeKok T 2016-01-18 draft-ietf-nfsv4-rfc3530-migration-update-07 Shawn Emery T 2016-01-18 draft-ietf-tcpm-undeployed-03 Yoav Nir TR2015-12-14 draft-ietf-dnsop-cookies-08 Joe Salowey T 2015-12-21 draft-ietf-dnsop-edns-client-subnet-06 Carl Wallace T 2015-12-24 draft-ietf-ippm-active-passive-05 For telechat 2016-02-04 Daniel Kahn Gillmor T 2016-02-02 draft-mahesh-mef-urn-01 Last calls and special requests: Derek Atkins 2016-01-18 draft-ietf-dnsop-edns-chain-query-05 Shaun Cooley 2016-01-15 draft-ietf-lisp-threats-14 Donald Eastlake 2016-01-18 draft-ietf-opsawg-hmac-sha-2-usm-snmp-new-01 Daniel Kahn Gillmor E None draft-ietf-rtcweb-security-08 Jeffrey Hutzelman 2015-12-04 draft-ietf-core-block-18 Eric Osterweil 2016-01-05 draft-campbell-art-rfc5727-update-02 Hannes Tschofenig 2015-12-28 draft-ietf-hip-rfc5204-bis-07 Brian Weis E None draft-ietf-cdni-uri-signing-06 Frank Xialiang E None draft-ietf-netconf-restconf-09 Tom Yu E None draft-ietf-netconf-yang-library-03 Dacheng Zhang E None draft-ietf-netconf-yang-patch-07 -- kivinen@iki.fi From nobody Thu Jan 7 06:31:38 2016 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C83BA1A8AB4; Thu, 7 Jan 2016 06:31:36 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.711 X-Spam-Level: X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e4b1xERVeF27; Thu, 7 Jan 2016 06:31:35 -0800 (PST) Received: from prod-mail-xrelay07.akamai.com (prod-mail-xrelay07.akamai.com [23.79.238.175]) by ietfa.amsl.com (Postfix) with ESMTP id BCEAA1A8AB6; Thu, 7 Jan 2016 06:31:35 -0800 (PST) Received: from prod-mail-xrelay07.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id E4DDA433460; Thu, 7 Jan 2016 14:31:34 +0000 (GMT) Received: from prod-mail-relay11.akamai.com (prod-mail-relay11.akamai.com [172.27.118.250]) by prod-mail-xrelay07.akamai.com (Postfix) with ESMTP id CEDB2433436; Thu, 7 Jan 2016 14:31:34 +0000 (GMT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1452177094; bh=U13zLyz4qmXVrFH6aUf4+CNmryKi/GZ4mNvggkbiboA=; l=993; h=From:To:Date:From; b=xY+tXMZb5VtQBcopyQs0FX1afifSl7Z2yKSXZw8Kj7KOJlTw5sHTedtQ/abW13e7w ypOfnwsDg65K6WS2OZ5Expo8+vGowUsa7d1YtjYJKph5lCtteywSjkf1JAFj348lBA tuXFnTDoEpxlQ651GSxZ6/aRPyQSLIZGusJz0dkQ= Received: from email.msg.corp.akamai.com (ecp.msg.corp.akamai.com [172.27.123.34]) by prod-mail-relay11.akamai.com (Postfix) with ESMTP id C35A52026; Thu, 7 Jan 2016 14:31:34 +0000 (GMT) Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb6.msg.corp.akamai.com (172.27.123.65) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Thu, 7 Jan 2016 06:31:34 -0800 Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1076.000; Thu, 7 Jan 2016 09:31:34 -0500 From: "Salz, Rich" To: "iesg@ietf.org" , "secdir@ietf.org" , "draft-ietf-isis-pcr.all@tools.ietf.org" Thread-Topic: Secdir review of draft-ietf-isis-pcr Thread-Index: AdFJV2sZ6YNAx+82Rc2AGiyuIvBJ/g== Date: Thu, 7 Jan 2016 14:31:33 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-ms-exchange-transport-fromentityheader: Hosted x-originating-ip: [172.19.33.93] Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Archived-At: Subject: [secdir] Secdir review of draft-ietf-isis-pcr X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jan 2016 14:31:37 -0000 I have reviewed this document as part of the security directorate's ongoing= effort to review all IETF documents being processed by the IESG. These co= mments were written primarily for the benefit of the security area director= s. Document editors and WG chairs should treat these comments just like an= y other last call comments. My view: Ready with issues, about the security considerations section. I know very little about IS-IS, or even the overall routing discipline. One nit is that this document cannot easily be read stand-alone. That is p= robably okay, but a pointer to background RFC's are a definition of terms (= e.g., sub-TLV) would be helpful. I do not understand how "reserving capacity" or "specifying capacity" canno= t be used as a denial of service attack. Perhaps that is related to the ab= ove paragraph? Is there authentication (perhaps out of band) between IS-IS= systems? Message integrity that prevents spoofing or modification? Thanks. From nobody Thu Jan 7 08:00:59 2016 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 560E21A87BF; Thu, 7 Jan 2016 00:33:43 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: 2.215 X-Spam-Level: ** X-Spam-Status: No, score=2.215 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RELAY_IS_203=0.994, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id snYSjH_Xb_Yc; Thu, 7 Jan 2016 00:33:41 -0800 (PST) Received: from mail.sfc.wide.ad.jp (shonan.sfc.wide.ad.jp [203.178.142.130]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A1851A87AC; Thu, 7 Jan 2016 00:33:40 -0800 (PST) Received: from mail-yk0-f175.google.com (mail-yk0-f175.google.com [209.85.160.175]) by mail.sfc.wide.ad.jp (Postfix) with ESMTPSA id 5BC9227812A; Thu, 7 Jan 2016 17:33:38 +0900 (JST) Received: by mail-yk0-f175.google.com with SMTP id v14so239146979ykd.3; Thu, 07 Jan 2016 00:33:38 -0800 (PST) MIME-Version: 1.0 X-Received: by 10.129.46.208 with SMTP id u199mr74353754ywu.129.1452155616865; Thu, 07 Jan 2016 00:33:36 -0800 (PST) Received: by 10.129.147.5 with HTTP; Thu, 7 Jan 2016 00:33:36 -0800 (PST) In-Reply-To: <568D33CC.1010804@nostrum.com> References: <5674683F.30308@nostrum.com> <4abd43f956e62870df92d15cb8662b36@mail.gmail.com> <568D33CC.1010804@nostrum.com> Date: Thu, 7 Jan 2016 00:33:36 -0800 X-Gmail-Original-Message-ID: Message-ID: From: Yoshifumi Nishida To: Robert Sparks Content-Type: multipart/alternative; boundary=001a11408592b3bdda0528ba5301 Archived-At: X-Mailman-Approved-At: Thu, 07 Jan 2016 08:00:59 -0800 Cc: Karen Elisabeth Egede Nielsen , draft-ietf-tsvwg-sctp-failover.all@ietf.org, The IESG , secdir@ietf.org Subject: Re: [secdir] Secdir review: draft-ietf-tsvwg-sctp-failover-14 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jan 2016 08:33:43 -0000 --001a11408592b3bdda0528ba5301 Content-Type: text/plain; charset=UTF-8 Hi Robert, On Wed, Jan 6, 2016 at 7:33 AM, Robert Sparks wrote: > > > On 1/6/16 2:31 AM, Karen Elisabeth Egede Nielsen wrote: > >> Hi Robert, >> >> Thanks a lot for your comments. >> Please find feedback inline below. >> >> BR, Karen >> >> -----Original Message----- >>> From: Robert Sparks [mailto:rjsparks@nostrum.com] >>> Sent: 18. december 2015 21:11 >>> To: secdir@ietf.org; iesg@ietf.org; >>> draft-ietf-tsvwg-sctp-failover.all@ietf.org >>> Subject: Secdir review: draft-ietf-tsvwg-sctp-failover-14 >>> >>> I have reviewed this document as part of the security directorate's >>> ongoing >>> effort to review all IETF documents being processed by the IESG. These >>> comments were written primarily for the benefit of the security area >>> directors. Document editors and WG chairs should treat these comments >>> just like any other last call comments. >>> >>> Summary: Ready for publication as Proposed Standard but with nits that >>> should be considered >>> >>> This document defines a set of new SCTP sender behaviors that lead to >>> quicker failover. The behaviors have an obvious security consideration >>> (it >>> is >>> much easier for an attacker trigger failover, and potentially steer >>> traffic to the >>> most favorable of the available paths for the attacker's purposes). The >>> document makes this very clear, and has a reasonable discussion in the >>> Security Considerations section. >>> >>> The shepherd writeup notes that what is here is widely (if partially in >>> some >>> cases) implemented and deployed. >>> >>> There are a few places I suggest would benefit from more attention: >>> >>> There are several places in the text that allow (MAY) the sender to >>> choose >>> not to behave in the manner this document is trying to standardize. See >>> item >>> B in section 3.2, and item C in section 4 for example. These seem out of >>> place >>> - if something is doing those things, you might as well say they're >>> implementing some other unstandardized extension for failover. Why do >>> you need to include these statements? >>> >> [Karen Elisabeth Egede Nielsen] The motivation for including the >> statements >> is to motivate the SHOULD statements (and to qualify the usage of SHOULD >> opposed to MUST). >> We have understood that such clarification was desirable (?). >> >> However for clarity in the specification we would be >> very happy to follow your guidance and remove the MAY paragraphs in >> section >> 3.2 and in section 4. >> We would however not like to use MUSTs. >> >> Would this action address your concerns ? >> > The document should provide explanation when using a SHOULD to let > implementers know what circumstances warrant not following the SHOULD. What > are the risks? > > In this particular case, you're saying "The implementation SHOULD do this > standard thing, but it MAY go do some nonstandard thing". That does not > make sense. > > _WHY_ do you not want to use MUSTs? If its only so that someone can go do > non-standard things, say MUST. Some implementations do proprietary things > all the time - they're just not working in a standardized way. If its > because you think some other document will come along later and define a > different, but still standardized behavior, use MUST and have that document > update this one when the time comes. With regard to Section 3.2 and Section 4 case you mentioned, both cases have several possible destinations to send data. We provide rules to pick a destination, but it might not be the best one as the knowledge SCTP stack can have is limited. (so, this might be a risk) So, If users can leverage external knowledge, we tried to allow them to override the rules. But, I think we don't need to standardize this part as you point out. Removing it is fine for me. Thanks, -- Yoshi --001a11408592b3bdda0528ba5301 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable

Hi Robert,

On Wed, Jan 6, 2016 at 7:33 = AM, Robert Sparks <rjsparks@nostrum.com> wrote:

On 1/6/16 2:31 AM, Karen Elisabeth Egede Nielsen wrote:

Hi Robert,

Thanks a lot for your comments.
Please find feedback inline below.

BR, Karen

-----Original Message-----
From: Robert Sparks [mailto:rjsparks@nostrum.com]
Sent: 18. december 2015 21:11
To: secdir@ietf.org; iesg@ietf.org; draft-ietf-tsvwg-sctp-failover.all@ietf.org
Subject: Secdir review: draft-ietf-tsvwg-sctp-failover-14

I have reviewed this document as part of the security directorate's
ongoing
effort to review all IETF documents being processed by the IESG.=C2=A0 Thes= e
comments were written primarily for the benefit of the security area
directors.=C2=A0 Document editors and WG chairs should treat these comments=
just like any other last call comments.

Summary: Ready for publication as Proposed Standard but with nits that
should be considered

This document defines a set of new SCTP sender behaviors that lead to
quicker failover. The behaviors have an obvious security consideration (it<= br> is
much easier for an attacker trigger failover, and potentially steer
traffic to the
most favorable of the available paths for the attacker's purposes). The=
document makes this very clear, and has a reasonable discussion in the
Security Considerations section.

The shepherd writeup notes that what is here is widely (if partially in
some
cases) implemented and deployed.

There are a few places I suggest would benefit from more attention:

There are several places in the text that allow (MAY) the sender to choose<= br> not to behave in the manner this document is trying to standardize. See
item
B in section 3.2, and item C in section 4 for example. These seem out of place
- if something is doing those things, you might as well say they're
implementing some other unstandardized extension for failover. Why do
you need to include these statements?

[Karen Elisabeth Egede Nielsen] The motivation for including the statements=
is to motivate the SHOULD statements (and to qualify the usage of SHOULD opposed to MUST).
We have understood that such clarification was desirable (?).

However for clarity in the specification we would be
very happy to follow your guidance and remove the MAY paragraphs in section=
3.2 and in section 4.
We would however not like to use MUSTs.

Would this action address your concerns ?

The document should provide explanation when using a SHOULD to let implemen= ters know what circumstances warrant not following the SHOULD. What are the= risks?

In this particular case, you're saying "The implementation SHOULD = do this standard thing, but it MAY go do some nonstandard thing". That= does not make sense.

_WHY_ do you not want to use MUSTs? If its only so that someone can go do n= on-standard things, say MUST. Some implementations do proprietary things al= l the time - they're just not working in a standardized way. If its bec= ause you think some other document will come along later and define a diffe= rent, but still standardized behavior, use MUST and have that document upda= te this one when the time comes.

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. My view: Ready with issues, about the security considerations section. I know very little about IS-IS, or even the overall routing discipline. One nit is that this document cannot easily be read stand-alone. That is probably okay, but a pointer to background RFC's are a definition of terms (e.g., sub-TLV) would be helpful.