review of draft-ietf-dhc-secure-dhcpv6-04.txt

Removing A6 remo= ves a potential source of inconsistency and thus improves consistency.=A0

One possible consequence of this particular change = is that information that was previously expressible via the A6 mechanism wi= ll no longer be visible. While this is not necessarily good or bad from a s= ecurity standpoint it is an issue that should be mentioned in the Security = Considerations.

Another possible security impact is that it will not be= possible to divide up administrative duties in the manner originally envis= aged in the A6 proposal. While it is far from clear that this division is u= seful (or achievable) it should probably be noted. In particular it will no= t be possible to achieve renumbering of whole domains by changing one recor= d.

It is quite possible that some domains will continue to= employ A6 domains as an administrative convenience, generating the corresp= onding AAAA records as required. This case needs more consideration from a = security point of view. It would be useful to require that such records be = ignored by applications and preferably be blocked from external view.

--
Website: http://hallamba= ker.com/

--f46d0447a08f51b27e04b654954e-- From weiler+secdir@watson.org Thu Jan 12 08:29:50 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F38F921F84DF for ; Thu, 12 Jan 2012 08:29:49 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.887 X-Spam-Level: X-Spam-Status: No, score=-1.887 tagged_above=-999 required=5 tests=[AWL=0.712, BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HG9h3mhPNBo8 for ; Thu, 12 Jan 2012 08:29:49 -0800 (PST) Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by ietfa.amsl.com (Postfix) with ESMTP id 6854C21F846A for ; Thu, 12 Jan 2012 08:29:48 -0800 (PST) Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.4/8.14.4) with ESMTP id q0CGTl3L097332 for ; Thu, 12 Jan 2012 11:29:47 -0500 (EST) (envelope-from weiler+secdir@watson.org) Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.4/8.14.4/Submit) with ESMTP id q0CGTlcb097325 for ; Thu, 12 Jan 2012 11:29:47 -0500 (EST) (envelope-from weiler+secdir@watson.org) X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs Date: Thu, 12 Jan 2012 11:29:47 -0500 (EST) From: Samuel Weiler X-X-Sender: weiler@fledge.watson.org To: secdir@ietf.org Message-ID: User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Thu, 12 Jan 2012 11:29:47 -0500 (EST) Subject: [secdir] Assignments X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: secdir-secretary@mit.edu List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Jan 2012 16:29:50 -0000 Review instructions and related resources are at: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview Alexey Melnikov is next in the rotation. For telechat 2012-01-19 Reviewer LC end Draft Rob Austein T 2012-01-11 draft-ash-gcac-algorithm-spec-03 Alan DeKok T 2012-01-06 draft-yevstifeyev-disclosure-relation-02 Sam Hartman T 2012-01-05 draft-ietf-kitten-sasl-saml-08 Jeffrey Hutzelman T 2012-01-18 draft-ietf-marf-authfailure-report-09 Leif Johansson T 2012-01-16 draft-ietf-mile-rfc6045-bis-05 Leif Johansson T 2012-01-17 draft-ietf-mile-rfc6046-bis-05 Charlie Kaufman T 2012-01-18 draft-ietf-netext-radius-pmip6-06 Scott Kelly T 2012-01-17 draft-ietf-netext-bulk-re-registration-10 Julien Laganier T 2012-01-18 draft-ietf-marf-redaction-04 Julien Laganier T - draft-ietf-lisp-map-versioning-06 David McGrew T - draft-kompella-l2vpn-l2vpn-08 For telechat 2012-02-02 Reviewer LC end Draft Tero Kivinen T 2012-01-24 draft-ietf-6man-3627-historic-01 Chris Lonvick T 2012-01-23 draft-ietf-v6ops-ipv6-discard-prefix-02 Last calls and special requests: Reviewer LC end Draft Dave Cridland 2012-01-03 draft-os-ietf-sshfp-ecdsa-sha2-04 Steve Hanna 2012-01-13 draft-nottingham-http-new-status-03 Paul Hoffman 2012-01-12 draft-ietf-alto-reqs-12 Stephen Kent - draft-ietf-dhc-secure-dhcpv6-03-04 Warren Kumari 2012-01-24 draft-ietf-dime-pmip6-lr-06 Barry Leiba 2012-01-13 draft-ietf-pcn-signaling-requirements-07 Matt Lepinski 2012-01-26 draft-ietf-radext-radsec-10 Catherine Meadows 2012-02-03 draft-kucherawy-authres-spf-erratum-01 Tina TSOU 2011-04-23 draft-shin-augmented-pake-10 From meadows@itd.nrl.navy.mil Thu Jan 12 09:14:36 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41DDC21F84D8; Thu, 12 Jan 2012 09:14:36 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yLgt-JJG7TPc; Thu, 12 Jan 2012 09:14:35 -0800 (PST) Received: from fw5540.nrl.navy.mil (fw5540.nrl.navy.mil [132.250.196.100]) by ietfa.amsl.com (Postfix) with ESMTP id 6D13C21F846A; Thu, 12 Jan 2012 09:14:34 -0800 (PST) Received: from chacs.nrl.navy.mil (sun1.fw5540.net [10.0.0.11]) by fw5540.nrl.navy.mil (8.13.8/8.13.6) with ESMTP id q0CHEWCG008200; Thu, 12 Jan 2012 12:14:32 -0500 (EST) Received: from chacs.nrl.navy.mil (sun1 [10.0.0.11]) by chacs.nrl.navy.mil (8.13.8/8.13.6) with SMTP id q0CHEVod021227; Thu, 12 Jan 2012 12:14:31 -0500 (EST) Received: from siduri.fw5540.net ([10.0.3.73]) by chacs.nrl.navy.mil (SMSSMTP 4.1.16.48) with SMTP id M2012011212143129193 ; Thu, 12 Jan 2012 12:14:31 -0500 From: Catherine Meadows Content-Type: multipart/alternative; boundary=Apple-Mail-9-189556564 Date: Thu, 12 Jan 2012 12:25:07 -0500 Message-Id: <8991BA91-8252-4DCF-8FCA-DEF5C04632D6@itd.nrl.navy.mil> To: iesg@ietf.org, secdir@ietf.org, draft-kucherawy-authres-spf-erratum.all@tools.ietf.org Mime-Version: 1.0 (Apple Message framework v1084) X-Mailer: Apple Mail (2.1084) Cc: Catherine Meadows Subject: [secdir] Secdir review of draft-kucherawy-authres-spf-erratum-01 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Jan 2012 17:14:36 -0000 --Apple-Mail-9-189556564 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii I have reviewed this document as part of the security directorate's=20 ongoing effort to review all IETF documents being processed by the=20 IESG. These comments were written primarily for the benefit of the=20 security area directors. Document editors and WG chairs should treat=20 these comments just like any other last call comments. The purpose of this ID is summed up in the introduction as follows: [RFC 5451] defined a new header field for electronic mail messages that presents the results of a message authentication effort in a machine-readable format. That Request For Comments created a registry of results for a few message authentication mechanisms, one of which was the Sender Policy Framework [SPF]. The registry contains one entry that is inconsistent with the latter specification, which was noted in an erratum filed with the RFC Editor. This memo updates the IANA registries accordingly. The inconsistent header entry identifies the case in which an evaluation according to RFC 4408 fails. The result of failing such an evaluation = is that the client is explicitly not authorized to inject or relay mail using = the sender's DNS domain. RFC 5451 gave "hardfail" as the result to be listed here, while = RFC 4408 used "fail" to mean the same thing. The purpose of this ID is to recommend that = IANA mark "hardfail" as deprecated and amend the "fail" entry appropriately. This ID is definitely security relevant, as use of the wrong header = could cause a failure to recognize a failed authorization. Thus in the = Security Considerations section the authors say that "cautious implementers may wish to support = both result strings for some period of time." One quibble: I believe that the above is good advice, but it seems a = little hesitant. Why the use of the words "cautious" and "may"? Why not say that "we recommend = that"? Even if failure to recognize a failed authorization doesn't lead to any immediate = security problem, it could prevent recognition of a potential attack, or more benignly, of = a possible misconfiguration. =20 Catherine Meadows Naval Research Laboratory Code 5543 4555 Overlook Ave., S.W. Washington DC, 20375 phone: 202-767-3490 fax: 202-404-7942 email: catherine.meadows@nrl.navy.mil --Apple-Mail-9-189556564 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii

to mean the same thing. The purpose of this ID is = to recommend that IANA mark

"hardfail" as deprecated and amend = the "fail" entry appropriately.

This ID is = definitely security relevant, as use of the wrong header = could

cause a failure to recognize a failed authorization. = Thus in the Security Considerations

section the authors = say that "cautious implementers may wish to support = both

result strings for some period of = time."

One quibble: I believe that the above is = good advice, but it seems a little hesitant. Why the = use

of the words "cautious" and "may"? Why not say that = "we recommend that"? Even if failure

to recognize a = failed authorization doesn't lead to any immediate security = problem,

it could prevent recognition of a potential attack, = or more benignly, of a possible

misconfiguration. =

Catherine Meadows
Naval Research = Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, = 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.= mil

= --Apple-Mail-9-189556564-- From meadows@itd.nrl.navy.mil Thu Jan 12 09:36:00 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F027221F85B6; Thu, 12 Jan 2012 09:36:00 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.598 X-Spam-Level: X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rj4ivSmx6tTh; Thu, 12 Jan 2012 09:36:00 -0800 (PST) Received: from fw5540.nrl.navy.mil (fw5540.nrl.navy.mil [132.250.196.100]) by ietfa.amsl.com (Postfix) with ESMTP id 32A8021F859B; Thu, 12 Jan 2012 09:35:59 -0800 (PST) Received: from chacs.nrl.navy.mil (sun1.fw5540.net [10.0.0.11]) by fw5540.nrl.navy.mil (8.13.8/8.13.6) with ESMTP id q0CHZwmW010515; Thu, 12 Jan 2012 12:35:58 -0500 (EST) Received: from chacs.nrl.navy.mil (sun1 [10.0.0.11]) by chacs.nrl.navy.mil (8.13.8/8.13.6) with SMTP id q0CHZwgW022675; Thu, 12 Jan 2012 12:35:58 -0500 (EST) Received: from siduri.fw5540.net ([10.0.3.73]) by chacs.nrl.navy.mil (SMSSMTP 4.1.16.48) with SMTP id M2012011212355729234 ; Thu, 12 Jan 2012 12:35:57 -0500 Mime-Version: 1.0 (Apple Message framework v1084) Content-Type: multipart/alternative; boundary=Apple-Mail-10-190842733 From: Catherine Meadows In-Reply-To: Date: Thu, 12 Jan 2012 12:46:33 -0500 Message-Id: References: <8991BA91-8252-4DCF-8FCA-DEF5C04632D6@itd.nrl.navy.mil> To: "Murray S. Kucherawy" X-Mailer: Apple Mail (2.1084) Cc: "draft-kucherawy-authres-spf-erratum.all@tools.ietf.org" , "secdir@ietf.org" , Catherine Meadows , "iesg@ietf.org" Subject: Re: [secdir] Secdir review of draft-kucherawy-authres-spf-erratum-01 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Jan 2012 17:36:01 -0000 --Apple-Mail-10-190842733 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=windows-1252 OK, sounds good! Cathy Catherine Meadows Naval Research Laboratory Code 5543 4555 Overlook Ave., S.W. Washington DC, 20375 phone: 202-767-3490 fax: 202-404-7942 email: catherine.meadows@nrl.navy.mil On Jan 12, 2012, at 12:24 PM, Murray S. Kucherawy wrote: > --> > Hi Catherine, thanks for your comments. >=20 > =20 >=20 > The language chosen is basically acknowledgement that few if any = implementations ever actually used =93hardfail=94. The error was = pointed out not long after RFC5451 was published and all of the = implementations I know of did it properly from the beginning. So the = posture is really one of =93In case anyone ever did do it the wrong way, = =85.=94 >=20 > =20 >=20 > Also, the word =93recommended=94 has specific meaning under RFC2119 = and it=92s my understanding that use of such normative language in = Security Considerations ought to be avoided. >=20 > =20 >=20 > Given all that, I=92d be fine with saying =93implementers are advised=94= versus =93cautious implementers may wish=94. I=92ll add that to the = -02 version. >=20 > =20 >=20 > -MSK >=20 > =20 >=20 > From: Catherine Meadows [mailto:meadows@itd.nrl.navy.mil]=20 > Sent: Thursday, January 12, 2012 9:25 AM > To: iesg@ietf.org; secdir@ietf.org; = draft-kucherawy-authres-spf-erratum.all@tools.ietf.org > Cc: Catherine Meadows > Subject: Secdir review of draft-kucherawy-authres-spf-erratum-01 >=20 > =20 >=20 > This ID is definitely security relevant, as use of the wrong header = could >=20 > cause a failure to recognize a failed authorization. Thus in the = Security Considerations >=20 > section the authors say that "cautious implementers may wish to = support both >=20 > result strings for some period of time." >=20 > =20 >=20 > One quibble: I believe that the above is good advice, but it seems a = little hesitant. Why the use >=20 > of the words "cautious" and "may"? Why not say that "we recommend = that"? Even if failure >=20 > to recognize a failed authorization doesn't lead to any immediate = security problem, >=20 > it could prevent recognition of a potential attack, or more benignly, = of a possible >=20 > misconfiguration. =20 >=20 > =20 >=20 > =20 >=20 > Catherine Meadows > Naval Research Laboratory > Code 5543 > 4555 Overlook Ave., S.W. > Washington DC, 20375 > phone: 202-767-3490 > fax: 202-404-7942 > email: catherine.meadows@nrl.navy.mil >=20 > =20 >=20 --Apple-Mail-10-190842733 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=windows-1252 OK, = sounds good!

Cathy

Catherine Meadows
Naval = Research Laboratory
Code 5543
4555 Overlook Ave., = S.W.
Washington DC, 20375
phone: 202-767-3490
fax: = 202-404-7942
email: catherine.meadows@nrl.navy.= mil

On Jan 12, 2012, at 12:24 PM, Murray S. Kucherawy = wrote:

-->
Hi Catherine, thanks for your = comments.

The language chosen is basically = acknowledgement that few if any implementations ever actually used = =93hardfail=94. The error was pointed out not long after RFC5451 = was published and all of the implementations I know of did it properly = from the beginning. So the posture is really one of =93In case = anyone ever did do it the wrong way, =85.=94

Also, the word =93recommended=94 has = specific meaning under RFC2119 and it=92s my understanding that use of = such normative language in Security Considerations ought to be = avoided.

Given all that, I=92d be fine with saying = =93implementers are advised=94 versus =93cautious implementers may = wish=94. I=92ll add that to the -02 = version.

-MSK

From: Catherine Meadows [mailto:meadows@itd.nrl.navy.mil] =
Sent: Thursday, January 12, 2012 9:25 AM
To: iesg@ietf.org; secdir@ietf.org; dra= ft-kucherawy-authres-spf-erratum.all@tools.ietf.org
Cc: = Catherine Meadows
Subject: Secdir review of = draft-kucherawy-authres-spf-erratum-01

This= ID is definitely security relevant, as use of the wrong header = could
cause a failure to = recognize a failed authorization. Thus in the Security = Considerations
section = the authors say that "cautious implementers may wish to support = both
result strings for = some period of time."

One quibble: I believe that the above is good = advice, but it seems a little hesitant. Why the = use
of the words = "cautious" and "may"? Why not say that "we recommend that"? = Even if failure
to = recognize a failed authorization doesn't lead to any immediate security = problem,
it could = prevent recognition of a potential attack, or more benignly, of a = possible
misconfiguration.=

Catherine = Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., = S.W.
Washington DC, 20375
phone: 202-767-3490
fax: = 202-404-7942
email: catherine.meadows@nrl.navy.= mil

= --Apple-Mail-10-190842733-- From msk@cloudmark.com Thu Jan 12 09:24:55 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B59E921F85BE; Thu, 12 Jan 2012 09:24:55 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.579 X-Spam-Level: X-Spam-Status: No, score=-102.579 tagged_above=-999 required=5 tests=[AWL=0.019, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gd3Miz3S1a3Z; Thu, 12 Jan 2012 09:24:54 -0800 (PST) Received: from ht1-outbound.cloudmark.com (ht1-outbound.cloudmark.com [72.5.239.25]) by ietfa.amsl.com (Postfix) with ESMTP id 4AD7521F859A; Thu, 12 Jan 2012 09:24:54 -0800 (PST) Received: from malice.corp.cloudmark.com (172.22.10.71) by EXCH-HTCAS901.corp.cloudmark.com (172.22.10.73) with Microsoft SMTP Server (TLS) id 14.1.355.2; Thu, 12 Jan 2012 09:24:46 -0800 Received: from EXCH-C2.corp.cloudmark.com ([172.22.1.74]) by malice.corp.cloudmark.com ([172.22.10.71]) with mapi; Thu, 12 Jan 2012 09:24:53 -0800 From: "Murray S. Kucherawy" To: Catherine Meadows , "iesg@ietf.org" , "secdir@ietf.org" , "draft-kucherawy-authres-spf-erratum.all@tools.ietf.org" Date: Thu, 12 Jan 2012 09:24:53 -0800 Thread-Topic: Secdir review of draft-kucherawy-authres-spf-erratum-01 Thread-Index: AczRTbJverHZqFKRSHS5fILx6J8F7AAADXvg Message-ID: References: <8991BA91-8252-4DCF-8FCA-DEF5C04632D6@itd.nrl.navy.mil> In-Reply-To: <8991BA91-8252-4DCF-8FCA-DEF5C04632D6@itd.nrl.navy.mil> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: multipart/alternative; boundary="_000_F5833273385BB34F99288B3648C4F06F19C6C15848EXCHC2corpclo_" MIME-Version: 1.0 X-Mailman-Approved-At: Thu, 12 Jan 2012 10:19:55 -0800 Subject: Re: [secdir] Secdir review of draft-kucherawy-authres-spf-erratum-01 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 12 Jan 2012 17:24:55 -0000 --_000_F5833273385BB34F99288B3648C4F06F19C6C15848EXCHC2corpclo_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Hi Catherine, thanks for your comments. The language chosen is basically acknowledgement that few if any implementa= tions ever actually used "hardfail". The error was pointed out not long af= ter RFC5451 was published and all of the implementations I know of did it p= roperly from the beginning. So the posture is really one of "In case anyon= e ever did do it the wrong way, ...." Also, the word "recommended" has specific meaning under RFC2119 and it's my= understanding that use of such normative language in Security Consideratio= ns ought to be avoided. Given all that, I'd be fine with saying "implementers are advised" versus "= cautious implementers may wish". I'll add that to the -02 version. -MSK From: Catherine Meadows [mailto:meadows@itd.nrl.navy.mil] Sent: Thursday, January 12, 2012 9:25 AM To: iesg@ietf.org; secdir@ietf.org; draft-kucherawy-authres-spf-erratum.all= @tools.ietf.org Cc: Catherine Meadows Subject: Secdir review of draft-kucherawy-authres-spf-erratum-01 This ID is definitely security relevant, as use of the wrong header could cause a failure to recognize a failed authorization. Thus in the Security = Considerations section the authors say that "cautious implementers may wish to support bot= h result strings for some period of time." One quibble: I believe that the above is good advice, but it seems a little= hesitant. Why the use of the words "cautious" and "may"? Why not say that "we recommend that"? = Even if failure to recognize a failed authorization doesn't lead to any immediate security = problem, it could prevent recognition of a potential attack, or more benignly, of a = possible misconfiguration. Catherine Meadows Naval Research Laboratory Code 5543 4555 Overlook Ave., S.W. Washington DC, 20375 phone: 202-767-3490 fax: 202-404-7942 email: catherine.meadows@nrl.navy.mil --_000_F5833273385BB34F99288B3648C4F06F19C6C15848EXCHC2corpclo_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

Hi Cather= ine, thanks for your comments.

The language c= hosen is basically acknowledgement that few if any implementations ever act= ually used “hardfail”. The error was pointed out not long= after RFC5451 was published and all of the implementations I know of did i= t properly from the beginning. So the posture is really one of “= ;In case anyone ever did do it the wrong way, ….”

Also, the word “recommended” has specific mean= ing under RFC2119 and it’s my understanding that use of such normativ= e language in Security Considerations ought to be avoided.

Given all that, I’d be fine with saying “implemen= ters are advised” versus “cautious implementers may wish”= . I’ll add that to the -02 version.

-MSK

<= /span>

From: Catherine Meadows = [mailto:meadows@itd.nrl.navy.mil]
Sent: Thursday, January 12, 20= 12 9:25 AM
To: iesg@ietf.org; secdir@ietf.org; draft-kucherawy-au= thres-spf-erratum.all@tools.ietf.org
Cc: Catherine Meadows
= Subject: Secdir review of draft-kucherawy-authres-spf-erratum-01

<= p class=3DMsoNormal>This ID is definitely security relevant, as use of the = wrong header could

cause a fa= ilure to recognize a failed authorization. Thus in the Security Consi= derations

section the authors= say that "cautious implementers may wish to support both

result strings for some period of time.&q= uot;

One quibble: I believe that the above is good = advice, but it seems a little hesitant. Why the use

of the words "cautious" and "ma= y"? Why not say that "we recommend that"? Even i= f failure

to recognize a fail= ed authorization doesn't lead to any immediate security problem,=

it could prevent recognition of a poten= tial attack, or more benignly, of a possible

misconfiguration.

&nbs= p;

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 O= verlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 2= 02-404-7942
email: catherine.meadows@nrl.navy.mil

= --_000_F5833273385BB34F99288B3648C4F06F19C6C15848EXCHC2corpclo_-- From kivinen@iki.fi Fri Jan 13 05:25:02 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDC9121F8433; Fri, 13 Jan 2012 05:25:02 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.574 X-Spam-Level: X-Spam-Status: No, score=-102.574 tagged_above=-999 required=5 tests=[AWL=0.025, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7wk8QtFx1ez5; Fri, 13 Jan 2012 05:25:02 -0800 (PST) Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) by ietfa.amsl.com (Postfix) with ESMTP id F22CA21F844C; Fri, 13 Jan 2012 05:25:01 -0800 (PST) Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.3/8.14.3) with ESMTP id q0DDOspb005379 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 13 Jan 2012 15:24:54 +0200 (EET) Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.3/8.12.11) id q0DDOoCS028575; Fri, 13 Jan 2012 15:24:50 +0200 (EET) X-Authentication-Warning: fireball.kivinen.iki.fi: kivinen set sender to kivinen@iki.fi using -f MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <20240.12450.545737.582209@fireball.kivinen.iki.fi> Date: Fri, 13 Jan 2012 15:24:50 +0200 From: Tero Kivinen To: iesg@ietf.org, secdir@ietf.org X-Mailer: VM 7.19 under Emacs 21.4.1 X-Edit-Time: 4 min X-Total-Time: 4 min Cc: draft-ietf-6man-3627-historic.all@tools.ietf.org Subject: [secdir] Review of draft-ietf-6man-3627-historic-01 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Jan 2012 13:25:02 -0000 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document moves RFC3627 (Use of /127 Prefix Length Between Routers Considered Harmful) to historic as it has already been superseded by standard track document RFC6164 (Using 127-Bit IPv6 Prefixes on Inter-Router Links). The security considerations section says there are no new security considerations, and I think thisi is accurate. I have no comments for this document. -- kivinen@iki.fi From shanna@juniper.net Fri Jan 13 12:01:14 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12B3221F8448; Fri, 13 Jan 2012 12:01:14 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -106.599 X-Spam-Level: X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H8DSbSPTIox0; Fri, 13 Jan 2012 12:01:13 -0800 (PST) Received: from exprod7og127.obsmtp.com (exprod7og127.obsmtp.com [64.18.2.210]) by ietfa.amsl.com (Postfix) with ESMTP id AD57711E80AD; Fri, 13 Jan 2012 12:00:52 -0800 (PST) Received: from P-EMHUB03-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob127.postini.com ([64.18.6.12]) with SMTP ID DSNKTxCNdI2mv9psM928MBHXSxY+WsabjS/h@postini.com; Fri, 13 Jan 2012 12:00:59 PST Received: from p-emfe01-wf.jnpr.net (172.28.145.24) by P-EMHUB03-HQ.jnpr.net (172.24.192.37) with Microsoft SMTP Server (TLS) id 8.3.213.0; Fri, 13 Jan 2012 11:59:55 -0800 Received: from EMBX01-WF.jnpr.net ([fe80::1914:3299:33d9:e43b]) by p-emfe01-wf.jnpr.net ([fe80::d0d1:653d:5b91:a123%11]) with mapi; Fri, 13 Jan 2012 14:59:54 -0500 From: Stephen Hanna To: "draft-nottingham-http-new-status@tools.ietf.org" , "secdir@ietf.org" , "ietf@ietf.org" Date: Fri, 13 Jan 2012 14:59:53 -0500 Thread-Topic: secdir review of draft-nottingham-http-new-status-03 Thread-Index: AczSLeo7PTPAq42hRwirXy24basViA== Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Subject: [secdir] secdir review of draft-nottingham-http-new-status-03 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Jan 2012 20:01:14 -0000 I have reviewed this document as part of the security directorate's=20 ongoing effort to review all IETF documents being processed by the=20 IESG. These comments were written primarily for the benefit of the=20 security area directors. Document editors and WG chairs should treat=20 these comments just like any other last call comments. This document specifies new HTTP status codes for a variety of common situations. Although I am not an HTTP expert, it seems to me that this document is clear, well-written, and reasonable. >From a security perspective, this document seems to have little impact either positive or negative. However, the Security Considerations section does not meet our usual standards. While the authors include a subsection on each new status code, they do not explain clearly what the security implications are for each status code and how any possible negative impacts could be reduced. Riccardo Bernardini already commented on this issue during IETF LC. However, I do not agree with Mr. Bernardini that sections 7.1 and 7.2 are not security related. Rather, the security implications are just not clearly stated. For example, section 7.2 points out that servers may not want to always use the 429 status code when receiving too many requests from one client. This has security implications in that a server under attack with excessive requests from one client may compound the problem by queuing 429 status codes for every request from that client. However, this is not stated explicitly in section 7.2. Fleshing out the subsections of section 7 (Security Considerations) should help solve the problem by providing a clear description of security problems related to these result codes and recommended mitigations. Section 7.4 does a decent job of describing the problems but fails to describe mitigations. I think that having the client use HTTPS instead of HTTP for important requests and limiting the effects of HTTP (not HTTPS) responses is an obvious mitigation. I do have a question about the issues raised in Appendix B. These are all legitimate issues. However, it seems to me that having status code 511 should help with these. A browser or non-browser application could recognize status code 511 as an indication that a captive portal is in use and avoid capturing favicons, looking for P3P files, and doing other things that should wait until after the captive portal is blocking access. When the original website stops returning 511, such activities could resume. I may be wrong in suggesting these ideas but if not it would be good to note them here. From shanna@juniper.net Fri Jan 13 13:38:01 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FE2711E8072; Fri, 13 Jan 2012 13:38:01 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -106.599 X-Spam-Level: X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jmLJwx5rmiPG; Fri, 13 Jan 2012 13:38:00 -0800 (PST) Received: from exprod7og104.obsmtp.com (exprod7og104.obsmtp.com [64.18.2.161]) by ietfa.amsl.com (Postfix) with ESMTP id E33431F0C38; Fri, 13 Jan 2012 13:37:45 -0800 (PST) Received: from P-EMHUB02-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob104.postini.com ([64.18.6.12]) with SMTP ID DSNKTxCkKbHP00G72Ri3Abpj4eTMkCEanwp7@postini.com; Fri, 13 Jan 2012 13:37:51 PST Received: from p-emfe01-wf.jnpr.net (172.28.145.24) by P-EMHUB02-HQ.jnpr.net (172.24.192.36) with Microsoft SMTP Server (TLS) id 8.3.213.0; Fri, 13 Jan 2012 13:26:30 -0800 Received: from EMBX01-WF.jnpr.net ([fe80::1914:3299:33d9:e43b]) by p-emfe01-wf.jnpr.net ([fe80::d0d1:653d:5b91:a123%11]) with mapi; Fri, 13 Jan 2012 16:26:29 -0500 From: Stephen Hanna To: Julian Reschke Date: Fri, 13 Jan 2012 16:26:28 -0500 Thread-Topic: secdir review of draft-nottingham-http-new-status-03 Thread-Index: AczSMbESPXFYh7cpTSiWb/c10V+TNAABO4tQ Message-ID: References: <4F109383.1090505@gmx.de> In-Reply-To: <4F109383.1090505@gmx.de> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Cc: "draft-nottingham-http-new-status@tools.ietf.org" , "ietf@ietf.org" , "secdir@ietf.org" Subject: Re: [secdir] secdir review of draft-nottingham-http-new-status-03 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Jan 2012 21:38:01 -0000 Julian, I'm sure that in your view one sentence is adequate to explain all the security implications of each status code. However, you may want to consider that some readers may not have quite the same deep grasp of the matter that you do. Therefore, I think it would be wise to provide more explanation. Here's an example for section 7.2 on status code 429 (Too Many Requests): Section 7.2 429 Too Many Requests While status code 429 can be helpful in figuring out why a server is not responding to requests, it can also be harmful. When a server is under attack or simply receiving a very large number of requests from a single party, responding to each of these requests with a 429 status code will consume resources that could be better used in other ways. Therefore, a server in such circumstances may choose to send a 429 status code only the first time a client exceeds its limit and ignore subsequent requests from this client until its limit is no longer exceeded. Other approaches may also be employed. As you can see, I described security problems that could occur with this status code and explained how those problems can be avoided or mitigated. While it's true that these problems could occur when a more generic status code is used to handle the case of "too many requests", that does not mean that they are not relevant to this document. On the contrary, the fact that this document is providing more detailed status codes gives us the opportunity and one can argue the obligation to provide more detailed security analysis relevant to these more detailed status codes. And I'm glad that you saw the value in my comment about Appendix B! Thanks, Steve > -----Original Message----- > From: Julian Reschke [mailto:julian.reschke@gmx.de] > Sent: Friday, January 13, 2012 3:27 PM > To: Stephen Hanna > Cc: draft-nottingham-http-new-status@tools.ietf.org; secdir@ietf.org; > ietf@ietf.org > Subject: Re: secdir review of draft-nottingham-http-new-status-03 >=20 > On 2012-01-13 20:59, Stephen Hanna wrote: > > I have reviewed this document as part of the security directorate's > > ongoing effort to review all IETF documents being processed by the > > IESG. These comments were written primarily for the benefit of the > > security area directors. Document editors and WG chairs should treat > > these comments just like any other last call comments. > > > > This document specifies new HTTP status codes for a variety of > > common situations. Although I am not an HTTP expert, it seems > > to me that this document is clear, well-written, and reasonable. >=20 > +1 >=20 > >> From a security perspective, this document seems to have little > > impact either positive or negative. However, the Security > > Considerations section does not meet our usual standards. > > While the authors include a subsection on each new status code, > > they do not explain clearly what the security implications are > > for each status code and how any possible negative impacts > > could be reduced. >=20 > In general, the proposed new codes just allow to describe a problem > more > clearly; previously, a more generic status code would have to be used. >=20 > As such, they do not change security at all. >=20 > > Riccardo Bernardini already commented on this issue during > > IETF LC. However, I do not agree with Mr. Bernardini that > > sections 7.1 and 7.2 are not security related. Rather, the > > security implications are just not clearly stated. For example, > > section 7.2 points out that servers may not want to always > > use the 429 status code when receiving too many requests > > from one client. This has security implications in that > > a server under attack with excessive requests from one > > client may compound the problem by queuing 429 status codes > > for every request from that client. However, this is not > > stated explicitly in section 7.2. Fleshing out the subsections >=20 > "Servers are not required to use the 429 status code; when limiting > resource usage, it may be more appropriate to just drop connections, or > take other steps." >=20 > > of section 7 (Security Considerations) should help solve the > > problem by providing a clear description of security problems > > related to these result codes and recommended mitigations. > > Section 7.4 does a decent job of describing the problems > > but fails to describe mitigations. I think that having the > > client use HTTPS instead of HTTP for important requests > > and limiting the effects of HTTP (not HTTPS) responses > > is an obvious mitigation. >=20 > It's not the job of this spec to completely describe security > considerations with respect to captive portals. >=20 > All the spec does is defining a new status code that, when used, makes > captive portals a bit better to work with. >=20 > > I do have a question about the issues raised in Appendix B. > > These are all legitimate issues. However, it seems to me > > that having status code 511 should help with these. A >=20 > Indeed; that's why 511 is there in the first place. The introduction to > Appendix B should state that. >=20 > > ... >=20 > Best regards, Julian From paul.hoffman@vpnc.org Sat Jan 14 15:46:28 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4751B21F84CE for ; Sat, 14 Jan 2012 15:46:28 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.456 X-Spam-Level: X-Spam-Status: No, score=-102.456 tagged_above=-999 required=5 tests=[AWL=-0.084, BAYES_00=-2.599, SARE_SUB_OBFU_Q1=0.227, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o3OI5nLOvuJu for ; Sat, 14 Jan 2012 15:46:28 -0800 (PST) Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id D8FB321F84C4 for ; Sat, 14 Jan 2012 15:46:27 -0800 (PST) Received: from [10.20.30.103] (50-0-66-4.dsl.dynamic.fusionbroadband.com [50.0.66.4]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.3) with ESMTP id q0ENkNMF094256 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Sat, 14 Jan 2012 16:46:25 -0700 (MST) (envelope-from paul.hoffman@vpnc.org) From: Paul Hoffman Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Date: Sat, 14 Jan 2012 15:46:23 -0800 Message-Id: To: secdir Mime-Version: 1.0 (Apple Message framework v1251.1) X-Mailer: Apple Mail (2.1251.1) Cc: draft-ietf-alto-reqs-all@tools.ietf.org Subject: [secdir] Secdir review of draft-ietf-alto-reqs X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 14 Jan 2012 23:46:28 -0000 Greetings again. This is a security review of draft-ietf-alto-reqs, = "Application-Layer Traffic Optimization (ALTO) Requirements". An ALTO = protocol would allow optimization of network resources when information = is in multiple places; a client can ask a server where to get the = information, and the server can give hopefully-intelligent answers based = on what the server knows of the network load, server load, network = topology, and so on. This document does quite a good job of covering the many security issues = with such a protocol. It lays out many of the competing security = considerations, particularly the privacy of each party and, being a = requirements document, doesn't answer any of the hard questions that = will need to come in the upcoming protocol document. --Paul Hoffman From brian.e.carpenter@gmail.com Sat Jan 14 18:52:09 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 866F021F84AF; Sat, 14 Jan 2012 18:52:09 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -103.568 X-Spam-Level: X-Spam-Status: No, score=-103.568 tagged_above=-999 required=5 tests=[AWL=0.031, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SXWxvtVuAxo6; Sat, 14 Jan 2012 18:52:09 -0800 (PST) Received: from mail-ey0-f172.google.com (mail-ey0-f172.google.com [209.85.215.172]) by ietfa.amsl.com (Postfix) with ESMTP id 956BB21F84AA; Sat, 14 Jan 2012 18:52:08 -0800 (PST) Received: by eaad11 with SMTP id d11so614716eaa.31 for ; Sat, 14 Jan 2012 18:52:07 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=7pa9oy1GahKFJlFML1oAjbVF85gxb8d6jpb7CUlNAYo=; b=wlc+imrm5yRsCe8qWJAOBXgaOmtRkWExZah8SchnVL3X+wqNWi2d1HDZY7FD9ggH5B 3JWJdtZ+PF9m0HkpiPvWgZPiXPhytvkWyDgjI+WoI1mAR0OB5yCJjCHBgaz0S+utkTZK f5mdbvI5cKtMTcQG+cc2wdlpgR3dU9eJ0D1fo= Received: by 10.213.19.139 with SMTP id a11mr2057071ebb.87.1326595926472; Sat, 14 Jan 2012 18:52:06 -0800 (PST) Received: from [10.1.1.4] ([121.98.251.219]) by mx.google.com with ESMTPS id t1sm52096113eeb.3.2012.01.14.18.52.02 (version=SSLv3 cipher=OTHER); Sat, 14 Jan 2012 18:52:06 -0800 (PST) Message-ID: <4F123F4B.3000403@gmail.com> Date: Sun, 15 Jan 2012 15:51:55 +1300 From: Brian E Carpenter Organization: University of Auckland User-Agent: Thunderbird 2.0.0.6 (Windows/20070728) MIME-Version: 1.0 To: Phillip Hallam-Baker References: In-Reply-To: Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Cc: drc@cloudflare.com, jiangsheng@huawei.com, iesg@ietf.org, secdir@ietf.org Subject: Re: [secdir] Secdir review: http://www.ietf.org/id/draft-jiang-a6-to-historic-00.txt X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 15 Jan 2012 02:52:09 -0000 PHB, Thanks for the review. See below. On 2012-01-13 02:18, Phillip Hallam-Baker wrote: > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the IESG. > These comments were written primarily for the benefit of the security area > directors. Document editors and WG chairs should treat these comments > just like any other last call comments. > > Overview > > A6 was a proposed replacement for AAAA records. A6 has not achieved the > anticipated level of support or provided the anticipated benefits in > practice. This draft moves A6 to historic, deprecating use of A6 records. > > > Comments: > > Removing A6 removes a potential source of inconsistency and thus improves > consistency. > > One possible consequence of this particular change is that information that > was previously expressible via the A6 mechanism will no longer be visible. > While this is not necessarily good or bad from a security standpoint it is > an issue that should be mentioned in the Security Considerations. Can do. > > Another possible security impact is that it will not be possible to divide > up administrative duties in the manner originally envisaged in the A6 > proposal. While it is far from clear that this division is useful (or > achievable) it should probably be noted. In particular it will not be > possible to achieve renumbering of whole domains by changing one record. Indeed; that was the hope when A6 was designed, and in fact it's because the 6renum WG is taking a new look at this area that we decided it was time to clear the decks. > > It is quite possible that some domains will continue to employ A6 domains > as an administrative convenience, generating the corresponding AAAA records > as required. This case needs more consideration from a security point of > view. It would be useful to require that such records be ignored by > applications and preferably be blocked from external view. We already recommend "Removing A6 handling from all new or updated host stacks" and we could add a recommendation for apps to ignore them. Blocking visibility of RRs is generally not something the DNS community likes, though. Brian From leifj@sunet.se Mon Jan 16 02:02:31 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3A1821F8584; Mon, 16 Jan 2012 02:02:30 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id t3TSnMptXaem; Mon, 16 Jan 2012 02:02:30 -0800 (PST) Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by ietfa.amsl.com (Postfix) with ESMTP id 1E0DD21F853C; Mon, 16 Jan 2012 02:02:29 -0800 (PST) Received: from [109.105.104.164] (dhcp30.se-tug.nordu.net [109.105.104.164] (may be forged)) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id q0GA2NYP017760 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 16 Jan 2012 11:02:26 +0100 (CET) Message-ID: <4F13F5AE.9060205@sunet.se> Date: Mon, 16 Jan 2012 11:02:22 +0100 From: Leif Johansson User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0 MIME-Version: 1.0 To: secdir@ietf.org, draft-ietf-mile-rfc6045-bis.all@tools.ietf.org, iesg@ietf.org X-Enigmail-Version: 1.3.4 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: [secdir] Secdir review: draft-ietf-mile-rfc6045-bis-05 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Jan 2012 10:02:31 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. These document updates RFC6045 - Real-time Inter-network Defence (RID) The document defines a way to communicate IODEF objects between Service Providers. In general I find the document well written and I especially like the way the XML schema is described in ASCII graphics. A few comments: - - The term "Network Provider" is still used in parts of the document where it might be better to be consistent with the new term "Service Provider" (the name-change is announced in the introduction). - - The introduction states that the document moves RFC6505 to Historic status and also that it updates RFC6505. This is confusing to me. It seems like this is a simple case of an update that changes the document status (Informational -> Standards Track) and I'm not sure Historic needs to enter into it. - - The discussions on PKI issues and trust is quite good but I would have liked to see an explicit mention of the fact that strong name- key binding is the key to establishing a good trust infrastructure. The use of PKI is strongly encouraged but for smaller consortia it would be entirely feasible to establish the required level of trust by manually sharing keys instead of running a PKI. - - The security considerations section re-iterates a dependency on PKI and PKI federations to fulfill the trust requirements of RID consortia. However it is worth noting that very few examples of the type of PKI federations that RID depend on, exist in the wild. Cheers Leif -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk8T9asACgkQ8Jx8FtbMZndm7ACfaMed3PP8yZcLCOAbvfAk6QsN Lx8An1G/mntbsaGHJp8OQ88tgjawpx6d =qsnU -----END PGP SIGNATURE----- From kathleen.moriarty@emc.com Mon Jan 16 05:55:05 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56D3021F85DA; Mon, 16 Jan 2012 05:55:05 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.516 X-Spam-Level: X-Spam-Status: No, score=-6.516 tagged_above=-999 required=5 tests=[AWL=0.083, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ueeZ-GhYH92z; Mon, 16 Jan 2012 05:55:04 -0800 (PST) Received: from mexforward.lss.emc.com (mexforward.lss.emc.com [128.222.32.20]) by ietfa.amsl.com (Postfix) with ESMTP id 736CB21F85B8; Mon, 16 Jan 2012 05:55:04 -0800 (PST) Received: from hop04-l1d11-si02.isus.emc.com (HOP04-L1D11-SI02.isus.emc.com [10.254.111.55]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id q0GDsq5p029465 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 16 Jan 2012 08:55:02 -0500 Received: from mailhub.lss.emc.com (mailhubhoprd04.lss.emc.com [10.254.222.226]) by hop04-l1d11-si02.isus.emc.com (RSA Interceptor); Mon, 16 Jan 2012 08:54:47 -0500 Received: from mxhub34.corp.emc.com (mxhub34.corp.emc.com [10.254.93.82]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id q0GDsk4a019601; Mon, 16 Jan 2012 08:54:46 -0500 Received: from mx06a.corp.emc.com ([169.254.1.153]) by mxhub34.corp.emc.com ([::1]) with mapi; Mon, 16 Jan 2012 08:54:46 -0500 From: To: , , , Date: Mon, 16 Jan 2012 08:54:45 -0500 Thread-Topic: Secdir review: draft-ietf-mile-rfc6045-bis-05 Thread-Index: AczUNiTspYAh0W1uQy+8X1SNhyYRqwAH4Qdw Message-ID: References: <4F13F5AE.9060205@sunet.se> In-Reply-To: <4F13F5AE.9060205@sunet.se> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EMM-MHVC: 1 Subject: Re: [secdir] Secdir review: draft-ietf-mile-rfc6045-bis-05 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 16 Jan 2012 13:55:05 -0000 Hello Leif, Thank you very much for the security review! I agree with your comments on PKI and will update the draft accordingly. I= agree that keys could be shared directly or that a consortium may be the p= rovider of keys so that there is only one PKI for the entire sharing group = as an alternative to each participant having a PKI (that would be a barrier= to use if it were required). Sean Turner had provided some specific guidance on the updates RFC6045 that= I have ready to go in the next revision. This included some comments from= David Harrington where they assisted with recommended text on how this sho= uld be handled. I will clean up the use of NP/Network Provider as well. Thank you, Kathleen -----Original Message----- From: Leif Johansson [mailto:leifj@sunet.se]=20 Sent: Monday, January 16, 2012 5:02 AM To: secdir@ietf.org; draft-ietf-mile-rfc6045-bis.all@tools.ietf.org; iesg@i= etf.org Subject: Secdir review: draft-ietf-mile-rfc6045-bis-05 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. These document updates RFC6045 - Real-time Inter-network Defence (RID) The document defines a way to communicate IODEF objects between Service Providers. In general I find the document well written and I especially like the way the XML schema is described in ASCII graphics. A few comments: - - The term "Network Provider" is still used in parts of the document where it might be better to be consistent with the new term "Service Provider" (the name-change is announced in the introduction). - - The introduction states that the document moves RFC6505 to Historic status and also that it updates RFC6505. This is confusing to me. It seems like this is a simple case of an update that changes the document status (Informational -> Standards Track) and I'm not sure Historic needs to enter into it. - - The discussions on PKI issues and trust is quite good but I would have liked to see an explicit mention of the fact that strong name- key binding is the key to establishing a good trust infrastructure. The use of PKI is strongly encouraged but for smaller consortia it would be entirely feasible to establish the required level of trust by manually sharing keys instead of running a PKI. - - The security considerations section re-iterates a dependency on PKI and PKI federations to fulfill the trust requirements of RID consortia. However it is worth noting that very few examples of the type of PKI federations that RID depend on, exist in the wild. Cheers Leif -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk8T9asACgkQ8Jx8FtbMZndm7ACfaMed3PP8yZcLCOAbvfAk6QsN Lx8An1G/mntbsaGHJp8OQ88tgjawpx6d =3DqsnU -----END PGP SIGNATURE----- From leifj@sunet.se Tue Jan 17 04:39:43 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60F1721F85E4; Tue, 17 Jan 2012 04:39:43 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.599 X-Spam-Level: X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g7M0JBkdjrSd; Tue, 17 Jan 2012 04:39:42 -0800 (PST) Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by ietfa.amsl.com (Postfix) with ESMTP id 4881421F85DF; Tue, 17 Jan 2012 04:39:42 -0800 (PST) Received: from [192.36.125.231] (dhcp.pilsnet.sunet.se [192.36.125.231] (may be forged)) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id q0HCdZm8012011 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 17 Jan 2012 13:39:39 +0100 (CET) Message-ID: <4F156C07.5000200@sunet.se> Date: Tue, 17 Jan 2012 13:39:35 +0100 From: Leif Johansson User-Agent: Mozilla/5.0 (X11; Linux i686; rv:8.0) Gecko/20111124 Thunderbird/8.0 MIME-Version: 1.0 To: secdir@ietf.org, draft-ietf-mile-rfc6046-bis.all@tools.ietf.org, iesg@ietf.org X-Enigmail-Version: 1.3.4 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Subject: [secdir] Secdir review of draft-ietf-mile-rfc6046-bis-05 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 17 Jan 2012 12:39:43 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. These document updates RFC6046 - Transport of Real-time Internetwork Defense (RID) Messages over HTTP/TLS This document defines HTTP/TLS as a transport for RID/IODEF messages and is part of a joint update of RFC6046 and RFC6045. In general I find the document clearly written. I have only a few comments - - The text on PKI requirements from RFC6045bis should be more clearly and consistently referenced in RFC6046bis. In particular I found the following somewhat confusing: "At minimum, each RID system MUST trust a set of X.509 Issuer identities ("Certificate Authorities") [RFC5280] to directly authenticate RID system peers with which it is willing to exchange information, and/or a specific white list of X.509 Subject identities of RID system peers." Does the "directly" mean that there should be no intermediary CAs? I would move any discussion on the nature of the PKI beast to RFC6045bis and reference it from here. - - The RID-Callback-Token is underspecified, or I'm missing a reference to where its defined. I would have liked to see ABNF (yes I know its very simple), the semantics for how the peer should act when receiving a callback token (which may have expired, not point to anything useful, etc etc) some advice on how to generate the tokens and a discussion (in the security considerations!) on what can happen if you screw up and introduce collisions. Cheers Leif -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk8VbAcACgkQ8Jx8FtbMZncXtQCdH6EXyJxECGipAYbiSQvXSj8L KxcAoKMQWwNgCubVfHR98jbhzOJPYrgQ =KK6r -----END PGP SIGNATURE----- From julian.reschke@gmx.de Fri Jan 13 12:26:53 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDD2721F8498 for ; Fri, 13 Jan 2012 12:26:53 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -103.604 X-Spam-Level: X-Spam-Status: No, score=-103.604 tagged_above=-999 required=5 tests=[AWL=-1.005, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VGe2x8lyJqVk for ; Fri, 13 Jan 2012 12:26:52 -0800 (PST) Received: from mailout-de.gmx.net (mailout-de.gmx.net [213.165.64.23]) by ietfa.amsl.com (Postfix) with SMTP id 7CF1021F848C for ; Fri, 13 Jan 2012 12:26:52 -0800 (PST) Received: (qmail invoked by alias); 13 Jan 2012 20:26:51 -0000 Received: from p5DCC28C9.dip.t-dialin.net (EHLO [192.168.178.36]) [93.204.40.201] by mail.gmx.net (mp069) with SMTP; 13 Jan 2012 21:26:51 +0100 X-Authenticated: #1915285 X-Provags-ID: V01U2FsdGVkX1/1gFl4Jo31RC5WyQUqS1V15w7h84H03l+atE5rFN Ih+kw4M/O5gn69 Message-ID: <4F109383.1090505@gmx.de> Date: Fri, 13 Jan 2012 21:26:43 +0100 From: Julian Reschke User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1 MIME-Version: 1.0 To: Stephen Hanna References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Y-GMX-Trusted: 0 X-Mailman-Approved-At: Wed, 18 Jan 2012 08:22:31 -0800 Cc: "draft-nottingham-http-new-status@tools.ietf.org" , "ietf@ietf.org" , "secdir@ietf.org" Subject: Re: [secdir] secdir review of draft-nottingham-http-new-status-03 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 13 Jan 2012 20:26:53 -0000 On 2012-01-13 20:59, Stephen Hanna wrote: > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > This document specifies new HTTP status codes for a variety of > common situations. Although I am not an HTTP expert, it seems > to me that this document is clear, well-written, and reasonable. +1 >> From a security perspective, this document seems to have little > impact either positive or negative. However, the Security > Considerations section does not meet our usual standards. > While the authors include a subsection on each new status code, > they do not explain clearly what the security implications are > for each status code and how any possible negative impacts > could be reduced. In general, the proposed new codes just allow to describe a problem more clearly; previously, a more generic status code would have to be used. As such, they do not change security at all. > Riccardo Bernardini already commented on this issue during > IETF LC. However, I do not agree with Mr. Bernardini that > sections 7.1 and 7.2 are not security related. Rather, the > security implications are just not clearly stated. For example, > section 7.2 points out that servers may not want to always > use the 429 status code when receiving too many requests > from one client. This has security implications in that > a server under attack with excessive requests from one > client may compound the problem by queuing 429 status codes > for every request from that client. However, this is not > stated explicitly in section 7.2. Fleshing out the subsections "Servers are not required to use the 429 status code; when limiting resource usage, it may be more appropriate to just drop connections, or take other steps." > of section 7 (Security Considerations) should help solve the > problem by providing a clear description of security problems > related to these result codes and recommended mitigations. > Section 7.4 does a decent job of describing the problems > but fails to describe mitigations. I think that having the > client use HTTPS instead of HTTP for important requests > and limiting the effects of HTTP (not HTTPS) responses > is an obvious mitigation. It's not the job of this spec to completely describe security considerations with respect to captive portals. All the spec does is defining a new status code that, when used, makes captive portals a bit better to work with. > I do have a question about the issues raised in Appendix B. > These are all legitimate issues. However, it seems to me > that having status code 511 should help with these. A Indeed; that's why 511 is there in the first place. The introduction to Appendix B should state that. > ... Best regards, Julian From sra@hactrn.net Wed Jan 18 10:27:29 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5B84221F870A; Wed, 18 Jan 2012 10:27:29 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.6 X-Spam-Level: X-Spam-Status: No, score=-102.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yjT-ofe95sFF; Wed, 18 Jan 2012 10:27:28 -0800 (PST) Received: from cyteen.hactrn.net (cyteen.hactrn.net [IPv6:2002:425c:4242:0:210:5aff:fe86:1f54]) by ietfa.amsl.com (Postfix) with ESMTP id 2B0B921F8714; Wed, 18 Jan 2012 10:27:28 -0800 (PST) Received: from thrintun.hactrn.net (thrintun.hactrn.net [IPv6:2002:425c:4242:0:219:d1ff:fe12:5d30]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client CN "thrintun.hactrn.net", Issuer "Grunchweather Associates" (verified OK)) by cyteen.hactrn.net (Postfix) with ESMTPS id 2A82E2845C; Wed, 18 Jan 2012 18:27:26 +0000 (UTC) Received: from thrintun.hactrn.net (localhost [IPv6:::1]) by thrintun.hactrn.net (Postfix) with ESMTP id F280817C86; Wed, 18 Jan 2012 13:27:25 -0500 (EST) Date: Wed, 18 Jan 2012 13:27:25 -0500 From: Rob Austein To: iesg@ietf.org, secdir@ietf.org, draft-ash-gcac-algorithm-spec.all@tools.ietf.org User-Agent: Wanderlust/2.14.0 (Africa) Emacs/23.3 Mule/6.0 (HANACHIRUSATO) MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=US-ASCII Message-Id: <20120118182725.F280817C86@thrintun.hactrn.net> Subject: [secdir] draft-ash-gcac-algorithm-spec-03 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 18 Jan 2012 18:27:29 -0000 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document describes an experimental "connection admission control" algorithm, that is, an algorithm by which an IP/MPLS service provider's equipment might decide whether or not to allow a new connection such as a new VoIP call, given various constraints such as quality of service issues. The draft is slated for experimental status and cautions against indiscriminate deployment on operational networks. I am sorry to have to say at this late date that I found the Security Considerations of this draft woefully inadequate. The IESG will have to decide to what extent (if any) this matters for document on the experimental track. The algorithm is not a protocol, rather it is layered on top of a barrel full of existing protocols, and appears to be an attempt to provide a uniform and generic decision layer on top of all that. As such, it depends on various parameters carried by the underlying protocols. Nowhere do I see any discussion of the extent to which this makes the algorithm's decisions vulnerable to attacks on any of the underlying protocols (or, more likely, to attacks on whichever happens to be the weakest of the underlying protocols this week). To reader who is not an MPLS expert, it's unclear where one would even begin such an analysis, which is one of the reasons why such things are supposed to be discussed in the Security Considerations. Furthermore, there is very little discussion of threats that might derive from gaming the algorithm itself. The entirety of the Security Considerations section consists of a brief discussion of one threat ("theft-of-service attacks" due to users claiming emergency priority for their flows) with a somewhat opaque claim that RSVP-TE signalling policy can be used to defeat the attack. I see no discussion of other results of gaming the algorithm, such as DoS attacks by allowing new flows when the algorithm should have prevented them, denying resources to legitimate flows by rejecting new flows when the algorithm should have allowed them, tinkering with the bandwidth parameters, etc. In view of the lateness of this review and the experimental status requested, I will understand if the IESG passes this document in spite of these issues. Caveat: As may be obvious from the above, I am not an MPLS expert. From kent@bbn.com Thu Jan 19 15:51:21 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD54621F8471 for ; Thu, 19 Jan 2012 15:51:21 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -105.84 X-Spam-Level: X-Spam-Status: No, score=-105.84 tagged_above=-999 required=5 tests=[AWL=-0.639, BAYES_00=-2.599, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=1.396, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JvftrPlv-3YR for ; Thu, 19 Jan 2012 15:51:19 -0800 (PST) Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id B866921F86F1 for ; Thu, 19 Jan 2012 15:51:18 -0800 (PST) Received: from dhcp89-089-066.bbn.com ([128.89.89.66]:49338) by smtp.bbn.com with esmtp (Exim 4.74 (FreeBSD)) (envelope-from ) id 1Ro1lA-0008yr-0l; Thu, 19 Jan 2012 18:51:12 -0500 Mime-Version: 1.0 Message-Id: Date: Thu, 19 Jan 2012 18:51:09 -0500 To: secdir@ietf.org From: Stephen Kent Content-Type: multipart/alternative; boundary="============_-885105424==_ma============" Cc: rdroms.ietf@gmail.com, john_brzozowski@cable.comcast.com, ted.lemon@nominum.com, shenshuo@cnnic.cn, jiangsheng@huawei.com Subject: [secdir] review of draft-ietf-dhc-secure-dhcpv6-04.txt X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Jan 2012 23:51:21 -0000 --============_-885105424==_ma============ Content-Type: text/plain; charset="iso-8859-1" ; format="flowed" Content-Transfer-Encoding: quoted-printable I reviewed this document=20 (draft-ietf-dhc-secure-dhcpv6-04.txt) as part of=20 the security directorate's ongoing effort to=20 review all IETF documents being processed by the=20 IESG. These comments were written primarily for=20 the benefit of the security area directors.=20 Document editors and WG chairs should treat these=20 comments just like any other last call comments. This document needs significant work because: - numerous English language errors that make it hard to read - inconsistencies between different sections of the document are present - the incomplete description of sender and receiver processing - it contains a questionable technical proposal for flexibility re placement of the new sig option - alg agility is not correctly described for the sig option, and examples are alg specific - some examples are erroneous The comments provided below are keyed to the sections of the document. Abstract "If not secured, DHCPv6 is vulnerable to various=20 attacks, particularly fake attack." Presumably=20 the authors are referring to "spoofing" attacks.=20 The commonly employed terminology should be used=20 here. 1. Introduction Same comment for 1st paragraph here. The 2nd paragraph cites=20 draft-ietf-csi-dhcpv6-cga-ps and says that it=20 introduced "requirements of using CGA to secure=20 DHCPv6." The cited document does not define=20 requirements for using use CGAs to secure DHCP,=20 contrary to what is stated here. The cited=20 document analyzes how one might use DHCPv6 to=20 configure CGA parameters in host clients, and how=20 one might use CGAs to counter spoofing attacks=20 against DHCPv6 servers. At the time this SECDIR=20 review is being written, the cited document has=20 6 DISCUSS votes, suggesting that it requires=20 significant revision, and making it a=20 questionable basis for establishing=20 "requirements" for CGA use in the DHCHv6 context. The following statement "=8Aor where available=20 security mechanisms are not sufficient, =8A" is too=20 vague, e.g., it fails to say what/why available=20 security mechanisms do no suffice. 2. Security Overview It appears that this section is intended to=20 describe the need for security mechanisms that=20 counter DHCPv6 server spoofing attacks. It does=20 so very poorly. It is haphazard and redundant in=20 its organization, and some of the text is=20 confusing, at best. This section begins by stating "DHCPv6 is a=20 client/server protocol that provides managed and=20 stateful configuration of devices." I question=20 the "stateful" part of this assertion. DHCP is=20 designed to avoid the need for hosts to manually=20 configured, which is very "stateful." Since a=20 DHCP server typically assigns an address to a=20 host from a pool, and only for the duration of a=20 "lease" this behavior is not a great example of=20 statefullness. SO, it is not clear what aspects=20 of "state" the authors have in mind here. The text says "In the basic DHCPv6=20 specifications, regular IPv6 addresses are used."=20 I presume the authors mean that the DHCP server=20 uses a "regular" IPv6 address for itself, but=20 since DHCPv6 servers provide IPv6 addresses to=20 their clients, this statement is ambiguous. The last paragraph on page 3 begins with double=20 quotes, but this appears to be a typo. This=20 paragraph provides two examples of possible=20 motivations for attacker that spoofs DHCP=20 responses. Do the authors assert that these the=20 most important motivations, the only ones, or=20 what? The document quotes from RFC 3315. It isn't clear=20 if this is intended to extend the description of=20 adverse outcomes from spoofing a DHCPv6 server,=20 or if it is merely a restatement of the generic=20 concern cited in the prior paragraphs. The next paragraph uses many words to describe a=20 MITM attack, which the document already noted at=20 the bottom of page 3. The paragraph then goes on=20 to say "This becomes important to detect and=20 prevent when encrypted traffic is allowed to pass=20 through firewalls." This is a confusing statement=20 at best. If the traffic is encrypted, a MITM=20 attack does not provide an adversary with a lot=20 of interesting info to collect via a MITM attack.=20 It isn't clear what the authors were trying to=20 communicate here. The document states "Once servers start updating=20 DNS and other directory services, attackers may=20 spoof DHCP servers to register incorrect=20 information in those services." Which "servers"=20 are being cited as the subject here? Who is=20 updating them? This 1-sentence paragraph does not=20 explain the role that DHCPv6 server spoofing=20 plays in the cited concern. The document states "Another possible attack is=20 that attackers may be able to gain unauthorized=20 access to some resources, such as network=20 access." Unauthorized network access is a valid=20 security concern, but the authors fail to explain=20 how DHCP spoofing is related to this generic=20 concern. One usually associates RADIUS, NEA and=20 similar protocols as more relevant to network=20 access control. The authors discuss two key management mechanisms=20 defined for DHCPv6, and conclude by saying "In=20 either way, the security of key itself is in=20 question mark." Even if one deletes the last word=20 to make the sentence readable, the assertion is=20 not supported when discussing the first option,=20 i.e., initial manual distribution of a symmetric=20 key. Kerberos has made use of this approach for=20 many years, with reasonable success. A better=20 criticism is that manual key distribution runs=20 counter to the goal of minimizing the=20 configuration data needed at each host,=20 consistent with the goals of DHCP use. Also,=20 manual key distribution is viewed as less secure=20 than automated key distribution mechanisms. This section ends with a paragraph citing another=20 security option, i.e., use of IPsec, to secure=20 server and relay agent communications. (The=20 document misspells the protocol name.)=20 "Furthermore, the manual configuration and static=20 keys are potential issue makers." IPsec does not=20 require use of manual key management or static=20 keys, so this comment is inappropriate. 3. Secure DHCPv6 Overview The proposed mechanism calls for each DHCPv6=20 server to use a CGA for its own address, and to=20 digitally sign the messages it sends using the=20 private key corresponding to the public key=20 linked to the DHCPv6 server address. This=20 mechanism counters DHCPv6 server spoofing, IF all=20 clients are configured with the CGAs of=20 authorized DHCPv6 servers. This section of the=20 document does not describe this critical=20 configuration requirement. Instead, this document=20 cite draft-ietf-dhc-cga-config-dhcpv6. The cited=20 document talks about how to use DHCPv6 to control=20 CGA generation on clients. It does not describe=20 configuring client with the CGAs of authorized=20 DHCPv6 servers. Thus the cited document does not=20 address this issue. The text includes a curious statement "By using=20 the signature option, the verification of data=20 integrity and replay protections can also be=20 achieved without the authentication option." It=20 is true that if one were to verify a signature on=20 a received message, but not verify that the=20 sending CGA is that of an authorized DHCPv6=20 server, that connectionless message integrity is=20 achieved. However, it is not clear that this=20 security function is useful, in isolation. Also,=20 the text in this section provides no analysis to=20 show why use of the signature, by itself,=20 provides replay protection. (One would need to=20 describe the context established by DHCP message=20 exchanges to make such an argument.) The section ends with a very confusing paragraph.=20 The paragraph appears to be discussing how to=20 make use of the proposed CGA-based security=20 mechanism when a relay agent lies between the=20 server and clients. The text is not clear, and=20 thus does not constitute a solid argument for why=20 this works. 4.1 New Components In discussing how to extend DHCPv6 syntax to make=20 use of the proposed CGA security mechanism, the=20 section includes a statement "The authority of a=20 public key is established through the address=20 ownership proof mechanism, by using CGAs." This=20 is not true, unless clients are configured to=20 know the CGAs of all authorized DHCPv6 servers=20 with which the clients may interact. 4.2 Support for algorithm agility This section begins with a sloppy=20 characterization of hash function requirements,=20 including a quote from RFC 4270 "The recent=20 attacks have demonstrated that one of those=20 security properties is not true." This quote is=20 not useful on this context, since the authors=20 fail to indicate which of the two cited security=20 properties is not true here. The section goes on=20 to say that "=8Aour analysis shows none of these=20 attacks are currently doable." The authors=20 provide no analysis to support this assertion,=20 nor a cite to a document that would do so. Thus,=20 either this statement needs to be removed, or=20 support for it needs to be provided. More importantly, it appears that algorithm=20 agility support for Secure DHCPv6 is based (in=20 large part) on carrying the hash and signature=20 algorithm IDs in the Signature Option. That is=20 different from the RFC 4270 analysis of how to=20 enable algorithm agility for the CGA itself.=20 Moreover, a credible algorithm agility solution=20 requires a system-level discussion of how=20 communicating servers, relays, and clients know=20 which algorithms can be used in dealing with each=20 other. This document does not include such a=20 discussion, nor does it describe how to=20 transition from one algorithm to another, within=20 the context of a network. For example, do all=20 servers have to be upgraded to offer a new=20 algorithm simultaneously? How about relays and=20 clients? 5 Extensions for Secure DHCPv6 Since this section introduces a new DHCPv6=20 option, the document needs to state that it=20 updates RFC 3315. 5.1 CGA Parameters Option The description of this new option includes the=20 following text: "Note that a future extension MAY=20 provide a mechanism allowing the owner of an=20 address and the signer to be different parties."=20 =46irst, this is a misuse of "MAY." Second, this=20 text is not appropriate for a syntax=20 specification at this time, i.e., what should an=20 implementer do based on this statement? 5.2 Signature Option I question the soundness of the proposed design.=20 The fact that the signature option can be placed=20 anywhere in the DHCPv6 message strikes me as=20 dangerous. It imposes a requirement on a receiver=20 to treat the protected and unprotected portions=20 of the message differently, for any possible=20 placement of the signature option. This adds=20 complexity to implementations, since the security=20 checking would have to indicate to the rest of=20 message processing which parts of a message were=20 checked and which were not verified. Unless there=20 are DHCHv6 options that may be modified (or=20 added) legitimately when a message traverses a=20 relay, it is not clear why there needs to be a=20 provision to exclude any portions of a DHCPv6=20 message from the integrity/authentication check.=20 "COULD" is not an RFC 2119-defined term. The option carries an explicit hash algorithm ID,=20 which is good, but the text says: "RSA signature=20 [RSA] with SHA-1 [sha-1] is adopted. In order to=20 provide hash algorithm agility, SHA-1 is assigned=20 an initial value 0x0000 in this document." Why is=20 a signature algorithm part of this definition=20 (vs. just a hash algorithm), when there is a=20 separate signature algorithm ID field? The text=20 here is inconsistent with the latter IANA=20 considerations. It appears that the mention of=20 RSA is an error, but it would be better to just=20 remove any mention of an initial algorithm value=20 here. The description of initial values for the=20 signature algorithm ID, and the second hash=20 algorithm ID also should be removed from this=20 text, and appear only in the IANA considerations=20 section. The discussion of the key hash field runs counter=20 to the goal of algorithm agility. The reference=20 to SHA-1 should be removed, if the intent is to=20 define the key hash algorithm via the=20 previously-mentioned parameter. The key hash, if=20 it is to be a fixed length, merely needs to be=20 defined as the leftmost 128 bits of the hash=20 value of the public key of the sender. The description of how to compute the signature=20 field is wrong. The text describes the fields=20 over which the hash is to be computed. Instead=20 the text says "The signature constructed by using=20 the sender's private key over the following=20 sequence of octets." The first value is a message type tag value,=20 which is said to have been computed as a random=20 value by the editor of the specification. The=20 document needs to explain why this value needs to=20 be part of the input to the hash function, and=20 how is was generated. The current text is=20 inadequate. 6.1 Processing rules of sender The discussion of processing provided here is=20 piecemeal. The text should provide comprehensive,=20 step-by-step processing instructions. As noted in my comments above, authentication of=20 an address, as provided by CGA use, does not=20 prevent spoofing attacks related to higher layer=20 functionality. Thus, for example, unless a client=20 knows the CGA of a server or relay agent,=20 authenticating the address of the purported=20 server or relay agent does not prevent spoofing,=20 the type of attack cited at the beginning of this=20 document as the primary rationale for the=20 mechanisms proposed here. The text at the end of the introductory sentence=20 says: "can be configured to send Secure DHCPv6=20 messages only if CGAs have been configured on=20 it." It is not clear whether this is saying that=20 the sender has to have a "configured" CGA (e.g.,=20 vs. a dynamically-generated CGA), or if the=20 sender needs to have a configured list of=20 recipient CGAs, or something else. It probably is=20 feasible to configure clients with the CGAs of=20 servers or relay agents, but this document did=20 not address that issue. If the authors envision=20 client use of CGAs for DHCPv6 security, they need=20 to explain how this will be managed. The=20 management ought not undermine the anonymity=20 features that are a hallmark of client use of=20 CGAs, and it must not include a circular=20 dependency. (For example, one of the documents=20 cited in this document calls for using DHCPv6 to=20 supply CGA configuration parameters to client.=20 That would not seem to be compatible with a=20 client using DHCPv6 and CGAs to communicate with=20 a server, initially.) This section ends with the statement: "The CGA of=20 DHCPv6 server will not lose during relaying so=20 that the client can verify CGA address and=20 signature." I presume this means that the CGA or=20 the server will not be lost when it passes=20 through the relay, but the English is awkward, at=20 best. 6.2 Receiver processing Here too the discussion of processing is=20 piecemeal. The text should provide comprehensive,=20 step-by-step processing instructions. The "Minbits" discussion is NOT supportive of=20 algorithm agility. It seems to refer to a minimum=20 RSA key size, without mentioning RSA. This key=20 size recommendation would be inappropriate for=20 DSA, ECDSA, etc. Also, the phrase "SHOULD be=20 1024 bits" is inappropriate. If this were the=20 default length, then it ought to be a MUST. Also,=20 the text says: "Any implementation SHOULD follow=20 prudent cryptographic practice in determining the=20 appropriate key lengths." This might be=20 reasonable (though ambiguous) advice for a site,=20 but not for an implementation. Protocol standards=20 establish requirements for default or mandatory=20 to implement algorithms and key sizes, and ALL=20 compliant implementations support the cited=20 algorithms. The guidance provided re messages that fail to=20 include the CGA or Signature options is not=20 helpful, as it fails to say what behavior is=20 required when a receiver treats a message as=20 unsecured? Saying that a receiver MAY discard the=20 message is too vague, i.e., if the receiver=20 processes it, what SHOULD/MUST the receiver do=20 differently, in the absence of either or both of=20 these options? This ambiguity seems to contradict=20 the later statement that "Only the messages that=20 get through both CGA and signature verifications=20 are accepted as secured DHCPv6 messages and=20 continue to be handled for their contained DHCPv6=20 options." It is also runs counter to the later=20 statement "Messages that do not pass all the=20 above tests MUST be silently discarded if the=20 host has been configured to accept only secured=20 DHCPv6 messages." This discrepancy needs to be=20 resolved. The text mandates verification of the Signature=20 option using a public key that is either acquired=20 from the CGA option, or "one known by other=20 means." The latter phrase is too vague to be=20 useful. It also contradicts the statement in=20 section 5.1: "This specification requires that=20 the public key found from the CGA Parameters=20 field in the CGA option MUST be that referred by=20 the Key Hash field in the Signature option." Later in this section there is a discussion of=20 how to handle messages that fail the requisite=20 checks. The texts states "Messages that do not=20 pass all the above tests MUST be silently=20 discarded if the host has been configured to=20 accept only secured DHCPv6 messages. The messages=20 MAY be accepted if the host has been configured=20 to accept both secured and unsecured messages but=20 MUST be treated as an unsecured message. The=20 receiver MAY also otherwise silently discard=20 packets." This last sentence is confusing, given=20 the previous two sentences. Also, what are the=20 security semantics of a receiver that is=20 configured to accept both secured and unsecured=20 DHCPv6 messages? Does this makes sense for=20 servers, clients, and relays? The document seems=20 to be lacking a system-level discussion of the=20 issue of how Secure DHCPv6 can be deployed,=20 incrementally, and whether a mixed mode of=20 operation makes sense on a long term or only a=20 transient basis. The text later in Section 6.1 states that the=20 Signature option is the last one in the message,=20 hence all the prior options are covered by the=20 signature. That seems appropriate, but the text=20 there does not restrict what options MAY be=20 present (as opposed to the two options that MUST=20 be present). Thus this might create ambiguity for=20 a receiver, e.g., how SHOULD/MUST a receiver deal=20 with a secured messages that also contains=20 unsigned options? Is this something that needs to=20 be configured for each server/relay/client? What=20 are the right configuration capabilities to deal=20 with this, e.g., does the configuration need to=20 enumerate what unsigned options are allowed to be=20 processed, etc? 6.3 Processing rules of Relay Agent Two more instances of "will not lose" in this section, that need to be fixed= =2E 7. Security Considerations At the top of page 13 the discussion is=20 confusing, at best. The authors seem to suggest=20 that the proposed mechanisms do not require use=20 of a "pre-notified DHCPv6 server address." But,=20 absent such configuration info, the use of the=20 proposed mechanisms do NOT prevent server=20 spoofing. Then the text suggests that such=20 configuration info may be needed, but that this=20 creates potential DoS vulnerabilities. The=20 authors then punt on this question. This is not=20 acceptable. The authors cannot have it both ways.=20 Either they are mandating use of fixed CGAs for=20 servers, or not. The security properties of the=20 proposed mechanisms are greatly affected by this=20 choice. There are several examples here of incorrect use=20 of MAY, when referring to future options that=20 might be defined to deal with a mix of secured=20 and unsecured messages. As noted above, the=20 current specification allows a node to accept=20 both secured and unsecured message, without=20 discussing what behavior is required, and without=20 a specification of how such a node might be=20 configured to limit possible damage. There is=20 also no system-level discussion of whether it is=20 necessary to configure some nodes, e.g., servers,=20 to operate in this mode because of an anticipated=20 deployment model. The text here provides vague security advice=20 "=8Awhen link-local CGAs are used by the DHCPv6=20 clients, it is recommended to use a slightly=20 higher Sec value." The text then asserts that=20 "When higher Sec values are used, the relative=20 advantage of attacking link-local addresses=20 becomes insignificant." Since no specific Sec=20 values are recommended, this latter statement is=20 unsupported, at best. There is a typo in the ultimate paragraph for=20 this section: "=8Aused in the RSA signature in=20 Secure." Should be "=8Aused in the RSA signature in=20 Secure DHCPv6." Since algorithm agility is=20 emphasized here, why are only RSA-based=20 signatures cited? --============_-885105424==_ma============ Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable review of draft-ietf-dhc-secure-dhcpv6-04.txt

I reviewed this document (draft-ietf-dhc-secure-dhcpv6-04.txt) as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This document needs significant work because:

- numerous English language errors that make it hard to read

- inconsistencies between different sections of the document are present

- the incomplete description of sender and receiver processing

- it contains a questionable technical proposal for flexibility re

placement of the new sig option

- alg agility is not correctly described for the sig option, and

examples are alg specific

- some examples are erroneous

The comments provided below are keyed to the sections of the document.

Abstract

"If not secured, DHCPv6 is vulnerable to various attacks, particularly fake attack." Presumably the authors are referring to "spoofing" attacks. The commonly employed terminology should be used here.

1. Introduction

Same comment for 1st paragraph here.

The 2nd paragraph cites draft-ietf-csi-dhcpv6-cga-ps and says that it introduced "requirements of using CGA to secure DHCPv6." The cited document does not define requirements for using use CGAs to secure DHCP, contrary to what is stated here. The cited document analyzes how one might use DHCPv6 to configure CGA parameters in host clients, and how one might use CGAs to counter spoofing attacks against DHCPv6 servers. At the time this SECDIR review is being written, the cited document has 6 DISCUSS votes, suggesting that it requires significant revision, and making it a questionable basis for establishing "requirements" for CGA use in the DHCHv6 context.

The following statement "=8Aor where available security mechanisms are not sufficient, =8A" is too vague, e.g., it fails to say what/why available security mechanisms do no suffice.

2. Security Overview

It appears that this section is intended to describe the need for security mechanisms that counter DHCPv6 server spoofing attacks. It does so very poorly. It is haphazard and redundant in its organization, and some of the text is confusing, at best.

This section begins by stating "DHCPv6 is a client/server protocol that provides managed and stateful configuration of devices." I question the "stateful" part of this assertion. DHCP is designed to avoid the need for hosts to manually configured, which is very "stateful." Since a DHCP server typically assigns an address to a host from a pool, and only for the duration of a "lease" this behavior is not a great example of statefullness. SO, it is not clear what aspects of "state" the authors have in mind here.

The text says "In the basic DHCPv6 specifications, regular IPv6 addresses are used." I presume the authors mean that the DHCP server uses a "regular" IPv6 address for itself, but since DHCPv6 servers provide IPv6 addresses to their clients, this statement is ambiguous.

The last paragraph on page 3 begins with double quotes, but this appears to be a typo. This paragraph provides two examples of possible motivations for attacker that spoofs DHCP responses. Do the authors assert that these the most important motivations, the only ones, or what?

The document quotes from RFC 3315. It isn't clear if this is intended to extend the description of adverse outcomes from spoofing a DHCPv6 server, or if it is merely a restatement of the generic concern cited in the prior paragraphs.

The next paragraph uses many words to describe a MITM attack, which the document already noted at the bottom of page 3. The paragraph then goes on to say "This becomes important to detect and prevent when encrypted traffic is allowed to pass through firewalls." This is a confusing statement at best. If the traffic is encrypted, a MITM attack does not provide an adversary with a lot of interesting info to collect via a MITM attack. It isn't clear what the authors were trying to communicate here.

The document states "Once servers start updating DNS and other directory services, attackers may spoof DHCP servers to register incorrect information in those services." Which "servers" are being cited as the subject here? Who is updating them? This 1-sentence paragraph does not explain the role that DHCPv6 server spoofing plays in the cited concern.

The document states "Another possible attack is that attackers may be able to gain unauthorized access to some resources, such as network access." Unauthorized network access is a valid security concern, but the authors fail to explain how DHCP spoofing is related to this generic concern. One usually associates RADIUS, NEA and similar protocols as more relevant to network access control.

The authors discuss two key management mechanisms defined for DHCPv6, and conclude by saying "In either way, the security of key itself is in question mark." Even if one deletes the last word to make the sentence readable, the assertion is not supported when discussing the first option, i.e., initial manual distribution of a symmetric key. Kerberos has made use of this approach for many years, with reasonable success. A better criticism is that manual key distribution runs counter to the goal of minimizing the configuration data needed at each host, consistent with the goals of DHCP use. Also, manual key distribution is viewed as less secure than automated key distribution mechanisms.

This section ends with a paragraph citing another security option, i.e., use of IPsec, to secure server and relay agent communications. (The document misspells the protocol name.) "Furthermore, the manual configuration and static keys are potential issue makers." IPsec does not require use of manual key management or static keys, so this comment is inappropriate.

3. Secure DHCPv6 Overview

The proposed mechanism calls for each DHCPv6 server to use a CGA for its own address, and to digitally sign the messages it sends using the private key corresponding to the public key linked to the DHCPv6 server address. This mechanism counters DHCPv6 server spoofing, IF all clients are configured with the CGAs of authorized DHCPv6 servers. This section of the document does not describe this critical configuration requirement. Instead, this document cite draft-ietf-dhc-cga-config-dhcpv6. The cited document talks about how to use DHCPv6 to control CGA generation on clients. It does not describe configuring client with the CGAs of authorized DHCPv6 servers. Thus the cited document does not address this issue.

The text includes a curious statement "By using the signature option, the verification of data integrity and replay protections can also be achieved without the authentication option." It is true that if one were to verify a signature on a received message, but not verify that the sending CGA is that of an authorized DHCPv6 server, that connectionless message integrity is achieved. However, it is not clear that this security function is useful, in isolation. Also, the text in this section provides no analysis to show why use of the signature, by itself, provides replay protection. (One would need to describe the context established by DHCP message exchanges to make such an argument.)

The section ends with a very confusing paragraph. The paragraph appears to be discussing how to make use of the proposed CGA-based security mechanism when a relay agent lies between the server and clients. The text is not clear, and thus does not constitute a solid argument for why this works.

4.1 New Components

In discussing how to extend DHCPv6 syntax to make use of the proposed CGA security mechanism, the section includes a statement "The authority of a public key is established through the address ownership proof mechanism, by using CGAs." This is not true, unless clients are configured to know the CGAs of all authorized DHCPv6 servers with which the clients may interact.

4.2 Support for algorithm agility

This section begins with a sloppy characterization of hash function requirements, including a quote from RFC 4270 "The recent attacks have demonstrated that one of those security properties is not true." This quote is not useful on this context, since the authors fail to indicate which of the two cited security properties is not true here. The section goes on to say that "=8Aour analysis shows none of these attacks are currently doable." The authors provide no analysis to support this assertion, nor a cite to a document that would do so. Thus, either this statement needs to be removed, or support for it needs to be provided.

More importantly, it appears that algorithm agility support for Secure DHCPv6 is based (in large part) on carrying the hash and signature algorithm IDs in the Signature Option. That is different from the RFC 4270 analysis of how to enable algorithm agility for the CGA itself. Moreover, a credible algorithm agility solution requires a system-level discussion of how communicating servers, relays, and clients know which algorithms can be used in dealing with each other. This document does not include such a discussion, nor does it describe how to transition from one algorithm to another, within the context of a network. For example, do all servers have to be upgraded to offer a new algorithm simultaneously? How about relays and clients?

5 Extensions for Secure DHCPv6

Since this section introduces a new DHCPv6 option, the document needs to state that it updates RFC 3315.

5.1 CGA Parameters Option

The description of this new option includes the following text: "Note that a future extension MAY provide a mechanism allowing the owner of an address and the signer to be different parties." First, this is a misuse of "MAY." Second, this text is not appropriate for a syntax specification at this time, i.e., what should an implementer do based on this statement?

5.2 Signature Option

I question the soundness of the proposed design. The fact that the signature option can be placed anywhere in the DHCPv6 message strikes me as dangerous. It imposes a requirement on a receiver to treat the protected and unprotected portions of the message differently, for any possible placement of the signature option. This adds complexity to implementations, since the security checking would have to indicate to the rest of message processing which parts of a message were checked and which were not verified. Unless there are DHCHv6 options that may be modified (or added) legitimately when a message traverses a relay, it is not clear why there needs to be a provision to exclude any portions of a DHCPv6 message from the integrity/authentication check. "COULD" is not an RFC 2119-defined term.

The option carries an explicit hash algorithm ID, which is good, but the text says: "RSA signature [RSA] with SHA-1 [sha-1] is adopted. In order to provide hash algorithm agility, SHA-1 is assigned an initial value 0x0000 in this document." Why is a signature algorithm part of this definition (vs. just a hash algorithm), when there is a separate signature algorithm ID field? The text here is inconsistent with the latter IANA considerations. It appears that the mention of RSA is an error, but it would be better to just remove any mention of an initial algorithm value here. The description of initial values for the signature algorithm ID, and the second hash algorithm ID also should be removed from this text, and appear only in the IANA considerations section.

The discussion of the key hash field runs counter to the goal of algorithm agility. The reference to SHA-1 should be removed, if the intent is to define the key hash algorithm via the previously-mentioned parameter. The key hash, if it is to be a fixed length, merely needs to be defined as the leftmost 128 bits of the hash value of the public key of the sender.

The description of how to compute the signature field is wrong. The text describes the fields over which the hash is to be computed. Instead the text says "The signature constructed by using the sender's private key over the following sequence of octets."

The first value is a message type tag value, which is said to have been computed as a random value by the editor of the specification. The document needs to explain why this value needs to be part of the input to the hash function, and how is was generated. The current text is inadequate.

6.1 Processing rules of sender

The discussion of processing provided here is piecemeal. The text should provide comprehensive, step-by-step processing instructions.
As noted in my comments above, authentication of an address, as provided by CGA use, does not prevent spoofing attacks related to higher layer functionality. Thus, for example, unless a client knows the CGA of a server or relay agent, authenticating the address of the purported server or relay agent does not prevent spoofing, the type of attack cited at the beginning of this document as the primary rationale for the mechanisms proposed here.

The text at the end of the introductory sentence says: "can be configured to send Secure DHCPv6 messages only if CGAs have been configured on it." It is not clear whether this is saying that the sender has to have a "configured" CGA (e.g., vs. a dynamically-generated CGA), or if the sender needs to have a configured list of recipient CGAs, or something else. It probably is feasible to configure clients with the CGAs of servers or relay agents, but this document did not address that issue. If the authors envision client use of CGAs for DHCPv6 security, they need to explain how this will be managed. The management ought not undermine the anonymity features that are a hallmark of client use of CGAs, and it must not include a circular dependency. (For example, one of the documents cited in this document calls for using DHCPv6 to supply CGA configuration parameters to client. That would not seem to be compatible with a client using DHCPv6 and CGAs to communicate with a server, initially.)

This section ends with the statement: "The CGA of DHCPv6 server will not lose during relaying so that the client can verify CGA address and signature." I presume this means that the CGA or the server will not be lost when it passes through the relay, but the English is awkward, at best.

6.2 Receiver processing

Here too the discussion of processing is piecemeal. The text should provide comprehensive, step-by-step processing instructions.

The "Minbits" discussion is NOT supportive of algorithm agility. It seems to refer to a minimum RSA key size, without mentioning RSA. This key size recommendation would be inappropriate for DSA, ECDSA, etc. Also, the phrase "SHOULD be 1024 bits" is inappropriate. If this were the default length, then it ought to be a MUST. Also, the text says: "Any implementation SHOULD follow prudent cryptographic practice in determining the appropriate key lengths." This might be reasonable (though ambiguous) advice for a site, but not for an implementation. Protocol standards establish requirements for default or mandatory to implement algorithms and key sizes, and ALL compliant implementations support the cited algorithms.

The guidance provided re messages that fail to include the CGA or Signature options is not helpful, as it fails to say what behavior is required when a receiver treats a message as unsecured? Saying that a receiver MAY discard the message is too vague, i.e., if the receiver processes it, what SHOULD/MUST the receiver do differently, in the absence of either or both of these options? This ambiguity seems to contradict the later statement that "Only the messages that get through both CGA and signature verifications are accepted as secured DHCPv6 messages and continue to be handled for their contained DHCPv6 options." It is also runs counter to the later statement "Messages that do not pass all the above tests MUST be silently discarded if the host has been configured to accept only secured DHCPv6 messages." This discrepancy needs to be resolved.

The text mandates verification of the Signature option using a public key that is either acquired from the CGA option, or "one known by other means." The latter phrase is too vague to be useful. It also contradicts the statement in section 5.1: "This specification requires that the public key found from the CGA Parameters field in the CGA option MUST be that referred by the Key Hash field in the Signature option."

Later in this section there is a discussion of how to handle messages that fail the requisite checks. The texts states "Messages that do not pass all the above tests MUST be silently discarded if the host has been configured to accept only secured DHCPv6 messages. The messages MAY be accepted if the host has been configured to accept both secured and unsecured messages but MUST be treated as an unsecured message. The receiver MAY also otherwise silently discard packets." This last sentence is confusing, given the previous two sentences. Also, what are the security semantics of a receiver that is configured to accept both secured and unsecured DHCPv6 messages? Does this makes sense for servers, clients, and relays? The document seems to be lacking a system-level discussion of the issue of how Secure DHCPv6 can be deployed, incrementally, and whether a mixed mode of operation makes sense on a long term or only a transient basis.

The text later in Section 6.1 states that the Signature option is the last one in the message, hence all the prior options are covered by the signature. That seems appropriate, but the text there does not restrict what options MAY be present (as opposed to the two options that MUST be present). Thus this might create ambiguity for a receiver, e.g., how SHOULD/MUST a receiver deal with a secured messages that also contains unsigned options? Is this something that needs to be configured for each server/relay/client? What are the right configuration capabilities to deal with this, e.g., does the configuration need to enumerate what unsigned options are allowed to be processed, etc?

6.3 Processing rules of Relay Agent

Two more instances of "will not lose" in this section, that need to be fixed.

7. Security Considerations

At the top of page 13 the discussion is confusing, at best. The authors seem to suggest that the proposed mechanisms do not require use of a "pre-notified DHCPv6 server address." But, absent such configuration info, the use of the proposed mechanisms do NOT prevent server spoofing. Then the text suggests that such configuration info may be needed, but that this creates potential DoS vulnerabilities. The authors then punt on this question. This is not acceptable. The authors cannot have it both ways. Either they are mandating use of fixed CGAs for servers, or not. The security properties of the proposed mechanisms are greatly affected by this choice.

There are several examples here of incorrect use of MAY, when referring to future options that might be defined to deal with a mix of secured and unsecured messages. As noted above, the current specification allows a node to accept both secured and unsecured message, without discussing what behavior is required, and without a specification of how such a node might be configured to limit possible damage. There is also no system-level discussion of whether it is necessary to configure some nodes, e.g., servers, to operate in this mode because of an anticipated deployment model.

The text here provides vague security advice "=8Awhen link-local CGAs are used by the DHCPv6 clients, it is recommended to use a slightly higher Sec value." The text then asserts that "When higher Sec values are used, the relative advantage of attacking link-local addresses becomes insignificant." Since no specific Sec values are recommended, this latter statement is unsupported, at best.

There is a typo in the ultimate paragraph for this section: "=8Aused in the RSA signature in Secure." Should be "=8Aused in the RSA signature in Secure DHCPv6." Since algorithm agility is emphasized here, why are only RSA-based signatures cited?

--============_-885105424==_ma============-- From new-work-bounces@ietf.org Thu Jan 19 13:39:15 2012 Return-Path: X-Original-To: secdir@ietf.org Delivered-To: secdir@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E138521F86D7; Thu, 19 Jan 2012 13:39:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1327009155; bh=j+ePg8OGFsLixDSWtTvCWVrdQ8fd3b+3F3skcvNPRmE=; h=From:To:Mime-Version:Message-Id:Date:Subject:Reply-To:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Content-Type:Content-Transfer-Encoding:Sender; b=H6jOYLDfGiUuNgf+CXtoOWuv5pqKo2mpY1yT9TSPgdc6b9e18HJiyOYElHCeKuYGZ ciaO9OGNLKbYYxrSzqG+6bTlZSjtzR0BS950BrgQ37A9XR2GbRuL9LJm+jNBjkPF6c Q1QG0oq6Xy8bTnyVhhZTyUJ3RO2WAdA/uUnMVkPU= X-Original-To: new-work@ietf.org Delivered-To: new-work@ietfa.amsl.com Received: by ietfa.amsl.com (Postfix, from userid 30) id CA48521F86D7; Thu, 19 Jan 2012 13:39:14 -0800 (PST) From: IESG Secretary To: new-work@ietf.org Mime-Version: 1.0 Message-Id: <20120119213914.CA48521F86D7@ietfa.amsl.com> Date: Thu, 19 Jan 2012 13:39:14 -0800 (PST) X-BeenThere: new-work@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: new-work-bounces@ietf.org Errors-To: new-work-bounces@ietf.org X-Mailman-Approved-At: Fri, 20 Jan 2012 05:21:40 -0800 Subject: [secdir] [new-work] WG Review: Recharter of Locator/ID Separation Protocol (lisp) X-BeenThere: secdir@ietf.org Reply-To: iesg@ietf.org List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 19 Jan 2012 21:39:16 -0000 A modified charter has been submitted for the Locator/ID Separation Protocol (lisp) working group in the Internet Area of the IETF. The IESG has not made any determination as yet. The modified charter is provided below for informational purposes only. Please send your comments to the IESG mailing list (iesg@ietf.org) by Thursday, January 26, 2012 Locator/ID Separation Protocol (lisp) ------------------------------------- Current Status: Active Last updated: 2012-01-19 Chairs: Joel Halpern Terry Manderson Internet Area Directors: Ralph Droms Jari Arkko Internet Area Advisor: Jari Arkko Secretaries: Wassim Haddad Luigi Iannone Mailing Lists: General Discussion: lisp@ietf.org To Subscribe: https://www.ietf.org/mailman/listinfo/lisp Archive: http://www.ietf.org/mail-archive/web/lisp/current/maillist.html Description of Working Group: The IAB's October 2006 Routing and Addressing Workshop (RFC 4984) rekindled interest in scalable routing and addressing architectures for the Internet. Among the many issues driving this renewed interest are concerns about the scalability of the routing system. Since the IAB workshop, several proposals have emerged which attempt to address the concerns expressed there and elsewhere. In general, these proposals are based on the "locator/identifier separation". The basic idea behind the separation is that the Internet architecture combines two functions, routing locators, (where you are attached to the network) and identifiers (who you are) in one number space: The IP address. Proponents of the separation architecture postulate that splitting these functions apart will yield several advantages, including improved scalability for the routing system. The separation aims to decouple locators and identifiers, thus allowing for efficient aggregation of the routing locator space and providing persistent identifiers in the identifier space. LISP requires no changes to end-systems or to most routers. LISP aims for an incrementally deployable protocol. A number of approaches are being looked at in parallel in other contexts. The IRTF RRG examined several proposals, some of which were published as IRTF-track Experimental RFCs. The LISP WG is chartered to work on the LISP base protocol, completing the ongoing work, and any items which directly impact LISP protocol structures and are related to using LISP for improving Internet routing scalability. Specifically, the group will work on: - LISP security threats and solutions - MIBs - deployment models - allocation of EID space - alternate mapping system designs In addition, if work chartered in some other IETF WG requires changes in the LISP base protocol or any items which directly impact LISP protocol structures, then the LISP WG is chartered to work on such changes. The working group will encourage and support interoperable LISP implementations as well as defining requirements for alternate mapping systems. The Working Group will also develop security profiles for LISP and the various LISP mapping systems. It is expected that the results of specifying, implementing, and testing LISP will be fed to the general efforts at the IETF and IRTF to understand which type of a solution is optimal. The LISP WG is not chartered to develop a standard solution for solving the routing scalability problem at this time. The specifications developed by the WG are Experimental and labeled with accurate disclaimers about their limitations and not fully understood implications for Internet traffic. In addition, as these issues are understood, the working group will analyze and document the implications of LISP on Internet traffic, applications, routers, and security. This analysis will explain what role LISP can play in scalable routing. The analysis should also look at scalability and levels of state required for encapsulation, decapsulation, liveness, and so on as well as the manageability and operability of LISP. Specifically, the group will work on: - documenting areas that need experimentation - summarizing the results of implementation, experiments, and deployment experience - describing the implications of employing LISP - operational guidance for using LISP Goals and Milestones Jun 2012 Forward draft-ietf-lisp-mib to the IESG Jun 2012 Forward draft-ietf-lisp-sec to the IESG Jun 2012 Forward to the IESG an operational document which should include cache management and ETR synchronization techniques (draft-ietf-lisp-deployment). Oct 2012 Forward to the IESG a document providing a solution to replay issues with Map-Register/Map-Notify Dec 2013 Publish an example cache management specification. Dec 2013 Forward to the IESG an evaluation of the security threat to cache maintenance (draft-ietf-lisp-threats) Dec 2013 Forward to the IESG a document addressing the areas which require further experimentation. Jun 2014 Evaluate the applicability and coverage for LISP from a reuse of SIDR technology. Jun 2014 Summarize results of specifying, implementing, and testing LISP and forward to IESG and/or IRTF. Jun 2014 Analyze and document the implications of LISP deployments in Internet topologies and forward to IESG for publication. Dec 2014 Re-charter or close _______________________________________________ new-work mailing list new-work@ietf.org https://www.ietf.org/mailman/listinfo/new-work From jiangsheng@huawei.com Thu Jan 19 17:09:35 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88B1121F8597 for ; Thu, 19 Jan 2012 17:09:34 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.498 X-Spam-Level: X-Spam-Status: No, score=-6.498 tagged_above=-999 required=5 tests=[AWL=0.100, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LASAacVeysIZ for ; Thu, 19 Jan 2012 17:09:31 -0800 (PST) Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [119.145.14.66]) by ietfa.amsl.com (Postfix) with ESMTP id C16A721F858F for ; Thu, 19 Jan 2012 17:09:30 -0800 (PST) Received: from huawei.com (szxga03-in [172.24.2.9]) by szxga03-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LY200JTPOJNIM@szxga03-in.huawei.com> for secdir@ietf.org; Fri, 20 Jan 2012 09:09:23 +0800 (CST) Received: from szxrg02-dlp.huawei.com ([172.24.2.119]) by szxga03-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LY200LB8OJN4O@szxga03-in.huawei.com> for secdir@ietf.org; Fri, 20 Jan 2012 09:09:23 +0800 (CST) Received: from szxeml214-edg.china.huawei.com ([172.24.2.119]) by szxrg02-dlp.huawei.com (MOS 4.1.9-GA) with ESMTP id AGL16044; Fri, 20 Jan 2012 09:09:20 +0800 Received: from SZXEML417-HUB.china.huawei.com (10.82.67.156) by szxeml214-edg.china.huawei.com (172.24.2.29) with Microsoft SMTP Server (TLS) id 14.1.323.3; Fri, 20 Jan 2012 09:09:09 +0800 Received: from SZXEML506-MBS.china.huawei.com ([169.254.3.236]) by szxeml417-hub.china.huawei.com ([10.82.67.156]) with mapi id 14.01.0323.003; Fri, 20 Jan 2012 09:09:13 +0800 Date: Fri, 20 Jan 2012 01:09:11 +0000 From: Sheng Jiang In-reply-to: X-Originating-IP: [10.108.4.99] To: Stephen Kent , "secdir@ietf.org" Message-id: <5D36713D8A4E7348A7E10DF7437A4B92185A715D@SZXEML506-MBS.china.huawei.com> MIME-version: 1.0 Content-type: multipart/alternative; boundary="Boundary_(ID_1qSLGszScnzXsRNcb8ymdw)" Content-language: zh-CN Accept-Language: en-GB, zh-CN, en-US Thread-topic: review of draft-ietf-dhc-secure-dhcpv6-04.txt Thread-index: AQHM1wVGR+IsEftM3kywUBVOpvWIcZYUcUbw X-MS-Has-Attach: X-MS-TNEF-Correlator: x-cr-hashedpuzzle: DvzT EhS3 SU5P XyDZ Y1hP gyNm iDC5 sMI9 u8SB v2PZ xdVk 1k7+ 4Npp 4XRJ 81OG /JQ5; 6; agBvAGgAbgBfAGIAcgB6AG8AegBvAHcAcwBrAGkAQABjAGEAYgBsAGUALgBjAG8AbQBjAGEAcwB0AC4AYwBvAG0AOwBrAGUAbgB0AEAAYgBiAG4ALgBjAG8AbQA7AHIAZAByAG8AbQBzAC4AaQBlAHQAZgBAAGcAbQBhAGkAbAAuAGMAbwBtADsAcwBlAGMAZABpAHIAQABpAGUAdABmAC4AbwByAGcAOwBzAGgAZQBuAHMAaAB1AG8AQABjAG4AbgBpAGMALgBjAG4AOwB0AGUAZAAuAGwAZQBtAG8AbgBAAG4AbwBtAGkAbgB1AG0ALgBjAG8AbQA=; Sosha1_v1; 7; {A454111C-2104-497E-98FF-F61E3CC09FC8}; agBpAGEAbgBnAHMAaABlAG4AZwBAAGgAdQBhAHcAZQBpAC4AYwBvAG0A; Fri, 20 Jan 2012 01:09:01 GMT; UgBFADoAIAByAGUAdgBpAGUAdwAgAG8AZgAgAGQAcgBhAGYAdAAtAGkAZQB0AGYALQBkAGgAYwAtAHMAZQBjAHUAcgBlAC0AZABoAGMAcAB2ADYALQAwADQALgB0AHgAdAA= x-cr-puzzleid: {A454111C-2104-497E-98FF-F61E3CC09FC8} X-CFilter-Loop: Reflected References: X-Mailman-Approved-At: Fri, 20 Jan 2012 05:21:40 -0800 Cc: "rdroms.ietf@gmail.com" , "ted.lemon@nominum.com" , "shenshuo@cnnic.cn" , "john_brzozowski@cable.comcast.com" Subject: Re: [secdir] review of draft-ietf-dhc-secure-dhcpv6-04.txt X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Jan 2012 01:09:35 -0000 --Boundary_(ID_1qSLGszScnzXsRNcb8ymdw) Content-type: text/plain; charset=iso-8859-2 Content-transfer-encoding: quoted-printable Hi, Stephen, Thanks so much for your carefully reviewing. It is very helpful for us to i= mprove this draft. I will integrate your comments in next version and come = back to you before submission (it will be early Feb, giving that we will st= art the Chinese New Year holiday soon) . Best regards, Sheng From: Stephen Kent [mailto:kent@bbn.com] Sent: Friday, January 20, 2012 7:51 AM To: secdir@ietf.org Cc: shenshuo@cnnic.cn; Sheng Jiang; ted.lemon@nominum.com; john_brzozowski@= cable.comcast.com; rdroms.ietf@gmail.com Subject: review of draft-ietf-dhc-secure-dhcpv6-04.txt I reviewed this document (draft-ietf-dhc-secure-dhcpv6-04.txt) as part of t= he security directorate's ongoing effort to review all IETF documents being= processed by the IESG. These comments were written primarily for the bene= fit of the security area directors. Document editors and WG chairs should = treat these comments just like any other last call comments. This document needs significant work because: - numerous English language errors that make it hard to read - inconsistencies between different sections of the document are present - the incomplete description of sender and receiver processing - it contains a questionable technical proposal for flexibility re placement of the new sig option - alg agility is not correctly described for the sig option, and examples are alg specific - some examples are erroneous The comments provided below are keyed to the sections of the document. Abstract "If not secured, DHCPv6 is vulnerable to various attacks, particularly fake= attack." Presumably the authors are referring to "spoofing" attacks. The c= ommonly employed terminology should be used here. 1. Introduction Same comment for 1st paragraph here. The 2nd paragraph cites draft-ietf-csi-dhcpv6-cga-ps and says that it intro= duced "requirements of using CGA to secure DHCPv6." The cited document does= not define requirements for using use CGAs to secure DHCP, contrary to wha= t is stated here. The cited document analyzes how one might use DHCPv6 to c= onfigure CGA parameters in host clients, and how one might use CGAs to coun= ter spoofing attacks against DHCPv6 servers. At the time this SECDIR review= is being written, the cited document has 6 DISCUSS votes, suggesting that= it requires significant revision, and making it a questionable basis for e= stablishing "requirements" for CGA use in the DHCHv6 context. The following statement "=A9or where available security mechanisms are not = sufficient, =A9" is too vague, e.g., it fails to say what/why available sec= urity mechanisms do no suffice. 2. Security Overview It appears that this section is intended to describe the need for security = mechanisms that counter DHCPv6 server spoofing attacks. It does so very poo= rly. It is haphazard and redundant in its organization, and some of the tex= t is confusing, at best. This section begins by stating "DHCPv6 is a client/server protocol that pro= vides managed and stateful configuration of devices." I question the "state= ful" part of this assertion. DHCP is designed to avoid the need for hosts t= o manually configured, which is very "stateful." Since a DHCP server typica= lly assigns an address to a host from a pool, and only for the duration of = a "lease" this behavior is not a great example of statefullness. SO, it is = not clear what aspects of "state" the authors have in mind here. The text says "In the basic DHCPv6 specifications, regular IPv6 addresses a= re used." I presume the authors mean that the DHCP server uses a "regular" = IPv6 address for itself, but since DHCPv6 servers provide IPv6 addresses to= their clients, this statement is ambiguous. The last paragraph on page 3 begins with double quotes, but this appears to= be a typo. This paragraph provides two examples of possible motivations fo= r attacker that spoofs DHCP responses. Do the authors assert that these the= most important motivations, the only ones, or what? The document quotes from RFC 3315. It isn't clear if this is intended to ex= tend the description of adverse outcomes from spoofing a DHCPv6 server, or = if it is merely a restatement of the generic concern cited in the prior par= agraphs. The next paragraph uses many words to describe a MITM attack, which the doc= ument already noted at the bottom of page 3. The paragraph then goes on to = say "This becomes important to detect and prevent when encrypted traffic is= allowed to pass through firewalls." This is a confusing statement at best.= If the traffic is encrypted, a MITM attack does not provide an adversary w= ith a lot of interesting info to collect via a MITM attack. It isn't clear = what the authors were trying to communicate here. The document states "Once servers start updating DNS and other directory se= rvices, attackers may spoof DHCP servers to register incorrect information = in those services." Which "servers" are being cited as the subject here? Wh= o is updating them? This 1-sentence paragraph does not explain the role tha= t DHCPv6 server spoofing plays in the cited concern. The document states "Another possible attack is that attackers may be able = to gain unauthorized access to some resources, such as network access." Una= uthorized network access is a valid security concern, but the authors fail = to explain how DHCP spoofing is related to this generic concern. One usuall= y associates RADIUS, NEA and similar protocols as more relevant to network = access control. The authors discuss two key management mechanisms defined for DHCPv6, and c= onclude by saying "In either way, the security of key itself is in question= mark." Even if one deletes the last word to make the sentence readable, th= e assertion is not supported when discussing the first option, i.e., initia= l manual distribution of a symmetric key. Kerberos has made use of this app= roach for many years, with reasonable success. A better criticism is that m= anual key distribution runs counter to the goal of minimizing the configura= tion data needed at each host, consistent with the goals of DHCP use. Also,= manual key distribution is viewed as less secure than automated key distri= bution mechanisms. This section ends with a paragraph citing another security option, i.e., us= e of IPsec, to secure server and relay agent communications. (The document = misspells the protocol name.) "Furthermore, the manual configuration and st= atic keys are potential issue makers." IPsec does not require use of manual= key management or static keys, so this comment is inappropriate. 3. Secure DHCPv6 Overview The proposed mechanism calls for each DHCPv6 server to use a CGA for its ow= n address, and to digitally sign the messages it sends using the private ke= y corresponding to the public key linked to the DHCPv6 server address. This= mechanism counters DHCPv6 server spoofing, IF all clients are configured w= ith the CGAs of authorized DHCPv6 servers. This section of the document doe= s not describe this critical configuration requirement. Instead, this docum= ent cite draft-ietf-dhc-cga-config-dhcpv6. The cited document talks about h= ow to use DHCPv6 to control CGA generation on clients. It does not describe= configuring client with the CGAs of authorized DHCPv6 servers. Thus the ci= ted document does not address this issue. The text includes a curious statement "By using the signature option, the v= erification of data integrity and replay protections can also be achieved w= ithout the authentication option." It is true that if one were to verify a = signature on a received message, but not verify that the sending CGA is tha= t of an authorized DHCPv6 server, that connectionless message integrity is = achieved. However, it is not clear that this security function is useful, i= n isolation. Also, the text in this section provides no analysis to show wh= y use of the signature, by itself, provides replay protection. (One would n= eed to describe the context established by DHCP message exchanges to make s= uch an argument.) The section ends with a very confusing paragraph. The paragraph appears to = be discussing how to make use of the proposed CGA-based security mechanism = when a relay agent lies between the server and clients. The text is not cle= ar, and thus does not constitute a solid argument for why this works. 4.1 New Components In discussing how to extend DHCPv6 syntax to make use of the proposed CGA s= ecurity mechanism, the section includes a statement "The authority of a pub= lic key is established through the address ownership proof mechanism, by us= ing CGAs." This is not true, unless clients are configured to know the CGAs= of all authorized DHCPv6 servers with which the clients may interact. 4.2 Support for algorithm agility This section begins with a sloppy characterization of hash function require= ments, including a quote from RFC 4270 "The recent attacks have demonstrate= d that one of those security properties is not true." This quote is not use= ful on this context, since the authors fail to indicate which of the two ci= ted security properties is not true here. The section goes on to say that "= =A9our analysis shows none of these attacks are currently doable." The auth= ors provide no analysis to support this assertion, nor a cite to a document= that would do so. Thus, either this statement needs to be removed, or supp= ort for it needs to be provided. More importantly, it appears that algorithm agility support for Secure DHCP= v6 is based (in large part) on carrying the hash and signature algorithm ID= s in the Signature Option. That is different from the RFC 4270 analysis of = how to enable algorithm agility for the CGA itself. Moreover, a credible al= gorithm agility solution requires a system-level discussion of how communic= ating servers, relays, and clients know which algorithms can be used in dea= ling with each other. This document does not include such a discussion, nor= does it describe how to transition from one algorithm to another, within t= he context of a network. For example, do all servers have to be upgraded to= offer a new algorithm simultaneously? How about relays and clients? 5 Extensions for Secure DHCPv6 Since this section introduces a new DHCPv6 option, the document needs to st= ate that it updates RFC 3315. 5.1 CGA Parameters Option The description of this new option includes the following text: "Note that = a future extension MAY provide a mechanism allowing the owner of an address= and the signer to be different parties." First, this is a misuse of "MAY."= Second, this text is not appropriate for a syntax specification at this ti= me, i.e., what should an implementer do based on this statement? 5.2 Signature Option I question the soundness of the proposed design. The fact that the signatur= e option can be placed anywhere in the DHCPv6 message strikes me as dangero= us. It imposes a requirement on a receiver to treat the protected and unpro= tected portions of the message differently, for any possible placement of t= he signature option. This adds complexity to implementations, since the sec= urity checking would have to indicate to the rest of message processing whi= ch parts of a message were checked and which were not verified. Unless ther= e are DHCHv6 options that may be modified (or added) legitimately when a me= ssage traverses a relay, it is not clear why there needs to be a provision = to exclude any portions of a DHCPv6 message from the integrity/authenticat= ion check. "COULD" is not an RFC 2119-defined term. The option carries an explicit hash algorithm ID, which is good, but the te= xt says: "RSA signature [RSA] with SHA-1 [sha-1] is adopted. In order to pr= ovide hash algorithm agility, SHA-1 is assigned an initial value 0x0000 in = this document." Why is a signature algorithm part of this definition (vs. j= ust a hash algorithm), when there is a separate signature algorithm ID fiel= d? The text here is inconsistent with the latter IANA considerations. It a= ppears that the mention of RSA is an error, but it would be better to just = remove any mention of an initial algorithm value here. The description of i= nitial values for the signature algorithm ID, and the second hash algorithm= ID also should be removed from this text, and appear only in the IANA cons= iderations section. The discussion of the key hash field runs counter to the goal of algorithm = agility. The reference to SHA-1 should be removed, if the intent is to defi= ne the key hash algorithm via the previously-mentioned parameter. The key h= ash, if it is to be a fixed length, merely needs to be defined as the leftm= ost 128 bits of the hash value of the public key of the sender. The description of how to compute the signature field is wrong. The text de= scribes the fields over which the hash is to be computed. Instead the text = says "The signature constructed by using the sender's private key over the = following sequence of octets." The first value is a message type tag value, which is said to have been com= puted as a random value by the editor of the specification. The document ne= eds to explain why this value needs to be part of the input to the hash fun= ction, and how is was generated. The current text is inadequate. 6.1 Processing rules of sender The discussion of processing provided here is piecemeal. The text should pr= ovide comprehensive, step-by-step processing instructions. As noted in my comments above, authentication of an address, as provided by= CGA use, does not prevent spoofing attacks related to higher layer functio= nality. Thus, for example, unless a client knows the CGA of a server or rel= ay agent, authenticating the address of the purported server or relay agent= does not prevent spoofing, the type of attack cited at the beginning of th= is document as the primary rationale for the mechanisms proposed here. The text at the end of the introductory sentence says: "can be configured t= o send Secure DHCPv6 messages only if CGAs have been configured on it." It = is not clear whether this is saying that the sender has to have a "configur= ed" CGA (e.g., vs. a dynamically-generated CGA), or if the sender needs to = have a configured list of recipient CGAs, or something else. It probably is= feasible to configure clients with the CGAs of servers or relay agents, bu= t this document did not address that issue. If the authors envision client = use of CGAs for DHCPv6 security, they need to explain how this will be mana= ged. The management ought not undermine the anonymity features that are a h= allmark of client use of CGAs, and it must not include a circular dependenc= y. (For example, one of the documents cited in this document calls for usin= g DHCPv6 to supply CGA configuration parameters to client. That would not s= eem to be compatible with a client using DHCPv6 and CGAs to communicate wit= h a server, initially.) This section ends with the statement: "The CGA of DHCPv6 server will not lo= se during relaying so that the client can verify CGA address and signature.= " I presume this means that the CGA or the server will not be lost when it = passes through the relay, but the English is awkward, at best. 6.2 Receiver processing Here too the discussion of processing is piecemeal. The text should provide= comprehensive, step-by-step processing instructions. The "Minbits" discussion is NOT supportive of algorithm agility. It seems t= o refer to a minimum RSA key size, without mentioning RSA. This key size re= commendation would be inappropriate for DSA, ECDSA, etc. Also, the phrase = "SHOULD be 1024 bits" is inappropriate. If this were the default length, th= en it ought to be a MUST. Also, the text says: "Any implementation SHOULD f= ollow prudent cryptographic practice in determining the appropriate key len= gths." This might be reasonable (though ambiguous) advice for a site, but n= ot for an implementation. Protocol standards establish requirements for def= ault or mandatory to implement algorithms and key sizes, and ALL compliant = implementations support the cited algorithms. The guidance provided re messages that fail to include the CGA or Signature= options is not helpful, as it fails to say what behavior is required when = a receiver treats a message as unsecured? Saying that a receiver MAY discar= d the message is too vague, i.e., if the receiver processes it, what SHOULD= /MUST the receiver do differently, in the absence of either or both of thes= e options? This ambiguity seems to contradict the later statement that "Onl= y the messages that get through both CGA and signature verifications are ac= cepted as secured DHCPv6 messages and continue to be handled for their cont= ained DHCPv6 options." It is also runs counter to the later statement "Mess= ages that do not pass all the above tests MUST be silently discarded if the= host has been configured to accept only secured DHCPv6 messages." This dis= crepancy needs to be resolved. The text mandates verification of the Signature option using a public key t= hat is either acquired from the CGA option, or "one known by other means." = The latter phrase is too vague to be useful. It also contradicts the statem= ent in section 5.1: "This specification requires that the public key found = from the CGA Parameters field in the CGA option MUST be that referred by th= e Key Hash field in the Signature option." Later in this section there is a discussion of how to handle messages that = fail the requisite checks. The texts states "Messages that do not pass all = the above tests MUST be silently discarded if the host has been configured = to accept only secured DHCPv6 messages. The messages MAY be accepted if the= host has been configured to accept both secured and unsecured messages but= MUST be treated as an unsecured message. The receiver MAY also otherwise s= ilently discard packets." This last sentence is confusing, given the previo= us two sentences. Also, what are the security semantics of a receiver that = is configured to accept both secured and unsecured DHCPv6 messages? Does th= is makes sense for servers, clients, and relays? The document seems to be l= acking a system-level discussion of the issue of how Secure DHCPv6 can be d= eployed, incrementally, and whether a mixed mode of operation makes sense o= n a long term or only a transient basis. The text later in Section 6.1 states that the Signature option is the last = one in the message, hence all the prior options are covered by the signatur= e. That seems appropriate, but the text there does not restrict what option= s MAY be present (as opposed to the two options that MUST be present). Thus= this might create ambiguity for a receiver, e.g., how SHOULD/MUST a receiv= er deal with a secured messages that also contains unsigned options? Is thi= s something that needs to be configured for each server/relay/client? What = are the right configuration capabilities to deal with this, e.g., does the = configuration need to enumerate what unsigned options are allowed to be pro= cessed, etc? 6.3 Processing rules of Relay Agent Two more instances of "will not lose" in this section, that need to be fixe= d. 7. Security Considerations At the top of page 13 the discussion is confusing, at best. The authors see= m to suggest that the proposed mechanisms do not require use of a "pre-noti= fied DHCPv6 server address." But, absent such configuration info, the use o= f the proposed mechanisms do NOT prevent server spoofing. Then the text sug= gests that such configuration info may be needed, but that this creates pot= ential DoS vulnerabilities. The authors then punt on this question. This is= not acceptable. The authors cannot have it both ways. Either they are mand= ating use of fixed CGAs for servers, or not. The security properties of the= proposed mechanisms are greatly affected by this choice. There are several examples here of incorrect use of MAY, when referring to = future options that might be defined to deal with a mix of secured and unse= cured messages. As noted above, the current specification allows a node to = accept both secured and unsecured message, without discussing what behavior= is required, and without a specification of how such a node might be confi= gured to limit possible damage. There is also no system-level discussion of= whether it is necessary to configure some nodes, e.g., servers, to operate= in this mode because of an anticipated deployment model. The text here provides vague security advice "=A9when link-local CGAs are u= sed by the DHCPv6 clients, it is recommended to use a slightly higher Sec v= alue." The text then asserts that "When higher Sec values are used, the rel= ative advantage of attacking link-local addresses becomes insignificant." S= ince no specific Sec values are recommended, this latter statement is unsup= ported, at best. There is a typo in the ultimate paragraph for this section: "=A9used in th= e RSA signature in Secure." Should be "=A9used in the RSA signature in Secu= re DHCPv6." Since algorithm agility is emphasized here, why are only RSA-ba= sed signatures cited? --Boundary_(ID_1qSLGszScnzXsRNcb8ymdw) Content-type: text/html; charset=iso-8859-2 Content-transfer-encoding: quoted-printable review of draft-ietf-dhc-secure-dhcpv6-04.txt

Hi, Stephen,

<= /p>

Thanks so much for your c= arefully reviewing. It is very helpful for us to improve this draft. I will= integrate your comments in next version and come back to you before submission (it will be early Feb, giving that we will start the= Chinese New Year holiday soon) .

<= /p>

Best regards,<= /span>

<= /p>

Sheng

<= /p>

From: Stephen = Kent [mailto:kent@bbn.com]
Sent: Friday, January 20, 2012 7:51 AM
To: secdir@ietf.org
Cc: shenshuo@cnnic.cn; Sheng Jiang; ted.lemon@nominum.com; john_brzo= zowski@cable.comcast.com; rdroms.ietf@gmail.com
Subject: review of draft-ietf-dhc-secure-dhcpv6-04.txt

I reviewed this document= (draft-ietf-dhc-secure-dhcpv6-04.txt) as part of the security directorate'= s ongoing effort to review all IETF documents being processed by the IESG.&= nbsp; These comments were written primarily for the benefit of the security area directors. Document editors and= WG chairs should treat these comments just like any other last call commen= ts.

This document needs sign= ificant work because:

-&nb= sp; numerous English language errors tha= t make it hard to read

- inconsistencies= between different sections of the document are present

- the incomplete = description of sender and receiver processing

- it contains a q= uestionable technical proposal for flexibility re

place= ment of the new sig option

- alg agility is = not correctly described for the sig option, and

examp= les are alg specific

- some examples a= re erroneous

The comments provided below are keyed to the sections of the document.

Abstract

"If not secured, DHCPv6 is vulnerable to various attacks, particularly= fake attack." Presumably the authors are referring to "spoofing&= quot; attacks. The commonly employed terminology should be used here.

1. Introduction

Same comment for 1st paragraph here.

The 2nd paragraph cites draft-ietf-csi-dhcpv6-cga-ps and says that it intro= duced "requirements of using CGA to secure DHCPv6." The cited doc= ument does not define requirements for using use CGAs to secure DHCP, contr= ary to what is stated here. The cited document analyzes how one might use DHCPv6 to configure CGA parameters in ho= st clients, and how one might use CGAs to counter spoofing attacks against = DHCPv6 servers. At the time this SECDIR review is being written, the = cited document has 6 DISCUSS votes, suggesting that it requires significant revision, and making it a questionable basis = for establishing "requirements" for CGA use in the DHCHv6 context= .

The following statement "=A9or where available security mechanisms are= not sufficient, =A9" is too vague, e.g., it fails to say what/why ava= ilable security mechanisms do no suffice.

2. Security Overview

It appears that this section is intended to describe the need for security = mechanisms that counter DHCPv6 server spoofing attacks. It does so very poo= rly. It is haphazard and redundant in its organization, and some of the tex= t is confusing, at best.

This section begins by stating "DHCPv6 is a client/server protocol tha= t provides managed and stateful configuration of devices." I question = the "stateful" part of this assertion. DHCP is designed to avoid = the need for hosts to manually configured, which is very "stateful." Since a DHCP server typically assigns an addres= s to a host from a pool, and only for the duration of a "lease" t= his behavior is not a great example of statefullness. SO, it is not clear w= hat aspects of "state" the authors have in mind here.

The text says "In the basic DHCPv6 specifications, regular IPv6 addres= ses are used." I presume the authors mean that the DHCP server uses a = "regular" IPv6 address for itself, but since DHCPv6 servers provi= de IPv6 addresses to their clients, this statement is ambiguous.

The last paragraph on page 3 begins with double quotes, but this appears to= be a typo. This paragraph provides two examples of possible motivations fo= r attacker that spoofs DHCP responses. Do the authors assert that these the= most important motivations, the only ones, or what?

The document quotes from RFC 3315. It isn't clear if this is intended to ex= tend the description of adverse outcomes from spoofing a DHCPv6 server, or = if it is merely a restatement of the generic concern cited in the prior par= agraphs.

The next paragraph uses many words to describe a MITM attack, which the doc= ument already noted at the bottom of page 3. The paragraph then goes on to = say "This becomes important to detect and prevent when encrypted traff= ic is allowed to pass through firewalls." This is a confusing statement at best. If the traffic is encrypted, a MITM= attack does not provide an adversary with a lot of interesting info to col= lect via a MITM attack. It isn't clear what the authors were trying to comm= unicate here.

The document states "Once servers start updating DNS and other directo= ry services, attackers may spoof DHCP servers to register incorrect informa= tion in those services." Which "servers" are being cited as = the subject here? Who is updating them? This 1-sentence paragraph does not explain the role that DHCPv6 server spoofing plays in t= he cited concern.

The document states "Another possible attack is that attackers may be = able to gain unauthorized access to some resources, such as network access.= " Unauthorized network access is a valid security concern, but the aut= hors fail to explain how DHCP spoofing is related to this generic concern. One usually associates RADIUS, NEA and si= milar protocols as more relevant to network access control.

The authors discuss two key management mechanisms defined for DHCPv6, and c= onclude by saying "In either way, the security of key itself is in que= stion mark." Even if one deletes the last word to make the sentence re= adable, the assertion is not supported when discussing the first option, i.e., initial manual distribution of a symmet= ric key. Kerberos has made use of this approach for many years, with reason= able success. A better criticism is that manual key distribution runs count= er to the goal of minimizing the configuration data needed at each host, consistent with the goals of DHCP = use. Also, manual key distribution is viewed as less secure than automated = key distribution mechanisms.

This section ends with a paragraph citing another security option, i.e., us= e of IPsec, to secure server and relay agent communications. (The document = misspells the protocol name.) "Furthermore, the manual configuration a= nd static keys are potential issue makers." IPsec does not require use of manual key management or static keys, so thi= s comment is inappropriate.

3. Secure DHCPv6 Overview

The proposed mechanism calls for each DHCPv6 server to use a CGA for its ow= n address, and to digitally sign the messages it sends using the private ke= y corresponding to the public key linked to the DHCPv6 server address. This= mechanism counters DHCPv6 server spoofing, IF all clients are configured with the CGAs of authorized DHCPv6= servers. This section of the document does not describe this critical conf= iguration requirement. Instead, this document cite draft-ietf-dhc-cga-confi= g-dhcpv6. The cited document talks about how to use DHCPv6 to control CGA generation on clients. It does not = describe configuring client with the CGAs of authorized DHCPv6 servers. Thu= s the cited document does not address this issue.

The text includes a curious statement "By using the signature option, = the verification of data integrity and replay protections can also be achie= ved without the authentication option." It is true that if one were to= verify a signature on a received message, but not verify that the sending CGA is that of an authorized DHCPv6 server= , that connectionless message integrity is achieved. However, it is not cle= ar that this security function is useful, in isolation. Also, the text in t= his section provides no analysis to show why use of the signature, by itself, provides replay protection. (= One would need to describe the context established by DHCP message exchange= s to make such an argument.)

The section ends with a very confusing paragraph. The paragraph appears to = be discussing how to make use of the proposed CGA-based security mechanism = when a relay agent lies between the server and clients. The text is not cle= ar, and thus does not constitute a solid argument for why this works.

4.1 New Components

In discussing how to extend DHCPv6 syntax to make use of the proposed CGA s= ecurity mechanism, the section includes a statement "The authority of = a public key is established through the address ownership proof mechanism, = by using CGAs." This is not true, unless clients are configured to know the CGAs of all authorized DHCPv6 servers w= ith which the clients may interact.

4.2 Support for algorithm agility

This section begins with a sloppy characterization of hash function require= ments, including a quote from RFC 4270 "The recent attacks have demons= trated that one of those security properties is not true." This quote = is not useful on this context, since the authors fail to indicate which of the two cited security properties is not true he= re. The section goes on to say that "=A9our analysis shows none of the= se attacks are currently doable." The authors provide no analysis to s= upport this assertion, nor a cite to a document that would do so. Thus, either this statement needs to be removed, or supp= ort for it needs to be provided.

More importantly, it appears that algorithm agility support for Secure DHCP= v6 is based (in large part) on carrying the hash and signature algorithm ID= s in the Signature Option. That is different from the RFC 4270 analysis of = how to enable algorithm agility for the CGA itself. Moreover, a credible algorithm agility solution requir= es a system-level discussion of how communicating servers, relays, and clie= nts know which algorithms can be used in dealing with each other. This docu= ment does not include such a discussion, nor does it describe how to transition from one algorithm to another, with= in the context of a network. For example, do all servers have to be upgrade= d to offer a new algorithm simultaneously? How about relays and clients?

5 Extensions for Secure DHCPv6

Since this section introduces a new DHCPv6 option, the document needs to st= ate that it updates RFC 3315.

5.1 CGA Parameters Option

The description of this new option includes the following text: "Note = that a future extension MAY provide a mechanism allowing the owner of an ad= dress and the signer to be different parties." First, this is a misuse= of "MAY." Second, this text is not appropriate for a syntax specification at this time, i.e., what should an implementer = do based on this statement?

5.2 Signature Option

I question the soundness of the proposed design. The fact that the signatur= e option can be placed anywhere in the DHCPv6 message strikes me as dangero= us. It imposes a requirement on a receiver to treat the protected and unpro= tected portions of the message differently, for any possible placement of the signature option. This adds complexity t= o implementations, since the security checking would have to indicate to th= e rest of message processing which parts of a message were checked and whic= h were not verified. Unless there are DHCHv6 options that may be modified (or added) legitimately when a mes= sage traverses a relay, it is not clear why there needs to be a provision t= o exclude any portions of a DHCPv6 message from the integrity/authent= ication check. "COULD" is not an RFC 2119-defined term.

The option carries an explicit hash algorithm ID, which is good, but the te= xt says: "RSA signature [RSA] with SHA-1 [sha-1] is adopted. In order = to provide hash algorithm agility, SHA-1 is assigned an initial value 0x000= 0 in this document." Why is a signature algorithm part of this definition (vs. just a hash algorithm), when there = is a separate signature algorithm ID field? The text here is inconsis= tent with the latter IANA considerations. It appears that the mention of RS= A is an error, but it would be better to just remove any mention of an initial algorithm value here. The descrip= tion of initial values for the signature algorithm ID, and the second hash = algorithm ID also should be removed from this text, and appear only in the = IANA considerations section.

The discussion of the key hash field runs counter to the goal of algorithm = agility. The reference to SHA-1 should be removed, if the intent is to defi= ne the key hash algorithm via the previously-mentioned parameter. The key h= ash, if it is to be a fixed length, merely needs to be defined as the leftmost 128 bits of the hash value of t= he public key of the sender.

The description of how to compute the signature field is wrong. The text de= scribes the fields over which the hash is to be computed. Instead the text = says "The signature constructed by using the sender's private key over= the following sequence of octets."

The first value is a message type tag value, which is said to have been com= puted as a random value by the editor of the specification. The document ne= eds to explain why this value needs to be part of the input to the hash fun= ction, and how is was generated. The current text is inadequate.

6.1 Processing rules of sender

The discussion of processing provided here is piecemeal. The text should pr= ovide comprehensive, step-by-step processing instructions.
As noted in my comments above, authentication of an address, as provided by= CGA use, does not prevent spoofing attacks related to higher layer functio= nality. Thus, for example, unless a client knows the CGA of a server or rel= ay agent, authenticating the address of the purported server or relay agent does not prevent spoofing, the type= of attack cited at the beginning of this document as the primary rationale= for the mechanisms proposed here.

The text at the end of the introductory sentence says: "can be configu= red to send Secure DHCPv6 messages only if CGAs have been configured on it.= " It is not clear whether this is saying that the sender has to have a= "configured" CGA (e.g., vs. a dynamically-generated CGA), or if the sender needs to have a configured list of recipient CGAs, = or something else. It probably is feasible to configure clients with the CG= As of servers or relay agents, but this document did not address that issue= . If the authors envision client use of CGAs for DHCPv6 security, they need to explain how this will be man= aged. The management ought not undermine the anonymity features that are a = hallmark of client use of CGAs, and it must not include a circular dependen= cy. (For example, one of the documents cited in this document calls for using DHCPv6 to supply CGA configuration = parameters to client. That would not seem to be compatible with a client us= ing DHCPv6 and CGAs to communicate with a server, initially.)

This section ends with the statement: "The CGA of DHCPv6 server will n= ot lose during relaying so that the client can verify CGA address and signa= ture." I presume this means that the CGA or the server will not be los= t when it passes through the relay, but the English is awkward, at best.

6.2 Receiver processing

Here too the discussion of processing is piecemeal. The text should provide= comprehensive, step-by-step processing instructions.

The "Minbits" discussion is NOT supportive of algorithm agility. = It seems to refer to a minimum RSA key size, without mentioning RSA. This k= ey size recommendation would be inappropriate for DSA, ECDSA, etc. Al= so, the phrase "SHOULD be 1024 bits" is inappropriate. If this were the default length, then it ought to be a MUST. Also, the tex= t says: "Any implementation SHOULD follow prudent cryptographic practi= ce in determining the appropriate key lengths." This might be reasonab= le (though ambiguous) advice for a site, but not for an implementation. Protocol standards establish requirements for d= efault or mandatory to implement algorithms and key sizes, and ALL complian= t implementations support the cited algorithms.

The guidance provided re messages that fail to include the CGA or Signature= options is not helpful, as it fails to say what behavior is required when = a receiver treats a message as unsecured? Saying that a receiver MAY discar= d the message is too vague, i.e., if the receiver processes it, what SHOULD/MUST the receiver do differently= , in the absence of either or both of these options? This ambiguity seems t= o contradict the later statement that "Only the messages that get thro= ugh both CGA and signature verifications are accepted as secured DHCPv6 messages and continue to be handled for the= ir contained DHCPv6 options." It is also runs counter to the later sta= tement "Messages that do not pass all the above tests MUST be silently= discarded if the host has been configured to accept only secured DHCPv6 messages." This discrepancy needs to be= resolved.

The text mandates verification of the Signature option using a public key t= hat is either acquired from the CGA option, or "one known by other mea= ns." The latter phrase is too vague to be useful. It also contradicts = the statement in section 5.1: "This specification requires that the public key found from the CGA Parameters field in the CG= A option MUST be that referred by the Key Hash field in the Signature optio= n."

Later in this section there is a discussion of how to handle messages that = fail the requisite checks. The texts states "Messages that do not pass= all the above tests MUST be silently discarded if the host has been config= ured to accept only secured DHCPv6 messages. The messages MAY be accepted if the host has been configured to accept bot= h secured and unsecured messages but MUST be treated as an unsecured messag= e. The receiver MAY also otherwise silently discard packets." This las= t sentence is confusing, given the previous two sentences. Also, what are the security semantics of a receiver that is= configured to accept both secured and unsecured DHCPv6 messages? Does this= makes sense for servers, clients, and relays? The document seems to be lac= king a system-level discussion of the issue of how Secure DHCPv6 can be deployed, incrementally, and whether= a mixed mode of operation makes sense on a long term or only a transient b= asis.

The text later in Section 6.1 states that the Signature option is the last = one in the message, hence all the prior options are covered by the signatur= e. That seems appropriate, but the text there does not restrict what option= s MAY be present (as opposed to the two options that MUST be present). Thus this might create ambiguity fo= r a receiver, e.g., how SHOULD/MUST a receiver deal with a secured messages= that also contains unsigned options? Is this something that needs to be co= nfigured for each server/relay/client? What are the right configuration capabilities to deal with this, e.g., doe= s the configuration need to enumerate what unsigned options are allowed to = be processed, etc?

6.3 Processing rules of Relay Agent

Two more instances of "will not lose" in this section, that need = to be fixed.

7. Security Considerations

At the top of page 13 the discussion is confusing, at best. The authors see= m to suggest that the proposed mechanisms do not require use of a "pre= -notified DHCPv6 server address." But, absent such configuration info,= the use of the proposed mechanisms do NOT prevent server spoofing. Then the text suggests that such configuration in= fo may be needed, but that this creates potential DoS vulnerabilities. The = authors then punt on this question. This is not acceptable. The authors can= not have it both ways. Either they are mandating use of fixed CGAs for servers, or not. The security properti= es of the proposed mechanisms are greatly affected by this choice.

There are several examples here of incorrect use of MAY, when referring to = future options that might be defined to deal with a mix of secured and unse= cured messages. As noted above, the current specification allows a node to = accept both secured and unsecured message, without discussing what behavior is required, and without a speci= fication of how such a node might be configured to limit possible damage. T= here is also no system-level discussion of whether it is necessary to confi= gure some nodes, e.g., servers, to operate in this mode because of an anticipated deployment model.

The text here provides vague security advice "=A9when link-local CGAs = are used by the DHCPv6 clients, it is recommended to use a slightly higher = Sec value." The text then asserts that "When higher Sec values ar= e used, the relative advantage of attacking link-local addresses becomes insignificant." Since no specific Sec values are re= commended, this latter statement is unsupported, at best.

There is a typo in the ultimate paragraph for this section: "=A9= used in the RSA signature in Secure." Should be "=A9used in the R= SA signature in Secure DHCPv6." Since algorithm agility is emphasized = here, why are only RSA-based signatures cited?

--Boundary_(ID_1qSLGszScnzXsRNcb8ymdw)-- From clonvick@cisco.com Fri Jan 20 10:47:08 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3E3121F8571; Fri, 20 Jan 2012 10:47:08 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -106.599 X-Spam-Level: X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kA0bxMSregRk; Fri, 20 Jan 2012 10:47:08 -0800 (PST) Received: from mtv-iport-4.cisco.com (mtv-iport-4.cisco.com [173.36.130.15]) by ietfa.amsl.com (Postfix) with ESMTP id 4410E21F8522; Fri, 20 Jan 2012 10:47:08 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=clonvick@cisco.com; l=2074; q=dns/txt; s=iport; t=1327085228; x=1328294828; h=date:from:to:subject:message-id:mime-version; bh=r/DsKDed+23qTwCACmmwGb8qF12Ect0nemiRIxSsMno=; b=LJcN6yNVk6g0IEb10YyycZtdlIdfMdaWAHbJPEajQ4ZO9jsW2E5Fi8iV 298HZVJjQrecv0Gaw/4wof4yGatYi1SiZSrvzKVyDqqUQomkMRWRVQTAJ HGBSM8gNerHLggnlwMkPskmzYsQqiRvx/6wh86U1js4M73VD0onQS34h2 Y=; X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AnwHAIq1GU+rRDoH/2dsb2JhbABDnXsBkA2BBYILASUCgX40oXsBnjuMJgSIPJ9J X-IronPort-AV: E=Sophos;i="4.71,544,1320624000"; d="scan'208";a="26228941" Received: from mtv-core-2.cisco.com ([171.68.58.7]) by mtv-iport-4.cisco.com with ESMTP; 20 Jan 2012 18:47:08 +0000 Received: from sjc-cde-021.cisco.com (sjc-cde-021.cisco.com [171.69.20.56]) by mtv-core-2.cisco.com (8.14.3/8.14.3) with ESMTP id q0KIl886001484; Fri, 20 Jan 2012 18:47:08 GMT Date: Fri, 20 Jan 2012 10:47:07 -0800 (PST) From: Chris Lonvick To: iesg@ietf.org, secdir@ietf.org, draft-ietf-v6ops-ipv6-discard-prefix.all@tools.ietf.org Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Subject: [secdir] SECDIR review of draft-ietf-v6ops-ipv6-discard-prefix-02 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 20 Jan 2012 18:47:08 -0000 Hi, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. Overall, the document is very straightforward and the Security Considerations section is appropriate for the content. I do have one nit to pass along. I think that a paragraph break is in the wrong place in the Introduction. Current in Introduction: (end of first paragraph) manner which is efficient, scalable and straightforward to implement. For IPv4, some networks configure RTBH installations using [RFC1918] address space or the address blocks reserved for documentation in [RFC5737]. However RTBH configurations are not documentation, but operationally important features of many public-facing production networks. Furthermore, [RFC3849] specifies that the IPv6 documentation prefix should be filtered in both local and public contexts. On this basis, it is suggested that both private network address blocks and documentation prefixes described in [RFC5737] are inappropriate for the purpose of RTBH configurations. Suggested: manner which is efficient, scalable and straightforward to implement. For IPv4, some networks configure RTBH installations using [RFC1918] address space or the address blocks reserved for documentation in [RFC5737]. However RTBH configurations are not documentation, but operationally important features of many public-facing production networks. Furthermore, [RFC3849] specifies that the IPv6 documentation prefix should be filtered in both local and public contexts. On this basis, it is suggested that both private network address blocks and documentation prefixes described in [RFC5737] are inappropriate for the purpose of RTBH configurations. Regards, Chris From joelja@bogus.com Sat Jan 21 08:14:54 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FFAB21F84A3; Sat, 21 Jan 2012 08:14:54 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8tpfgEI7G1An; Sat, 21 Jan 2012 08:14:53 -0800 (PST) Received: from nagasaki.bogus.com (nagasaki.bogus.com [IPv6:2001:418:1::81]) by ietfa.amsl.com (Postfix) with ESMTP id 8B14B21F84A5; Sat, 21 Jan 2012 08:14:53 -0800 (PST) Received: from Joels-MacBook-Pro.local (user-64-9-235-240.googlewifi.com [64.9.235.240]) (authenticated bits=0) by nagasaki.bogus.com (8.14.4/8.14.4) with ESMTP id q0LGEndp066271 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NOT); Sat, 21 Jan 2012 16:14:49 GMT (envelope-from joelja@bogus.com) Message-ID: <4F1AE479.2010704@bogus.com> Date: Sat, 21 Jan 2012 08:14:49 -0800 From: Joel jaeggli User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: Chris Lonvick References: In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.7 (nagasaki.bogus.com [147.28.0.81]); Sat, 21 Jan 2012 16:14:51 +0000 (UTC) Cc: draft-ietf-v6ops-ipv6-discard-prefix.all@tools.ietf.org, iesg@ietf.org, secdir@ietf.org Subject: Re: [secdir] SECDIR review of draft-ietf-v6ops-ipv6-discard-prefix-02 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Jan 2012 16:14:54 -0000 Not a big fan of the use of "however" I think this can be addressed at minimum by auth48. On 1/20/12 10:47 , Chris Lonvick wrote: > Hi, > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should treat > these comments just like any other last call comments. > > Overall, the document is very straightforward and the Security > Considerations section is appropriate for the content. > > I do have one nit to pass along. I think that a paragraph break is in > the wrong place in the Introduction. > > Current in Introduction: > (end of first paragraph) > manner which is efficient, scalable and straightforward to implement. > For IPv4, some networks configure RTBH installations using [RFC1918] > address space or the address blocks reserved for documentation in > [RFC5737]. > > However RTBH configurations are not documentation, but operationally > important features of many public-facing production networks. > Furthermore, [RFC3849] specifies that the IPv6 documentation prefix > should be filtered in both local and public contexts. On this basis, > it is suggested that both private network address blocks and > documentation prefixes described in [RFC5737] are inappropriate for > the purpose of RTBH configurations. > > Suggested: > manner which is efficient, scalable and straightforward to implement. > > For IPv4, some networks configure RTBH installations using [RFC1918] > address space or the address blocks reserved for documentation in > [RFC5737]. However RTBH configurations are not documentation, but > operationally important features of many public-facing production > networks. Furthermore, [RFC3849] specifies that the IPv6 documentation > prefix should be filtered in both local and public contexts. On this > basis, it is suggested that both private network address blocks and > documentation prefixes described in [RFC5737] are inappropriate for > the purpose of RTBH configurations. > > Regards, > Chris > From weiler+secdir@watson.org Mon Jan 23 06:12:25 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55E6421F86B3 for ; Mon, 23 Jan 2012 06:12:25 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.065 X-Spam-Level: X-Spam-Status: No, score=-2.065 tagged_above=-999 required=5 tests=[AWL=0.534, BAYES_00=-2.599] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r4Lt6+NTJvXl for ; Mon, 23 Jan 2012 06:12:24 -0800 (PST) Received: from fledge.watson.org (fledge.watson.org [65.122.17.41]) by ietfa.amsl.com (Postfix) with ESMTP id 626BD21F86B0 for ; Mon, 23 Jan 2012 06:12:24 -0800 (PST) Received: from fledge.watson.org (localhost.watson.org [127.0.0.1]) by fledge.watson.org (8.14.4/8.14.4) with ESMTP id q0NECMa5058825 for ; Mon, 23 Jan 2012 09:12:22 -0500 (EST) (envelope-from weiler+secdir@watson.org) Received: from localhost (weiler@localhost) by fledge.watson.org (8.14.4/8.14.4/Submit) with ESMTP id q0NECMV3058818 for ; Mon, 23 Jan 2012 09:12:22 -0500 (EST) (envelope-from weiler+secdir@watson.org) X-Authentication-Warning: fledge.watson.org: weiler owned process doing -bs Date: Mon, 23 Jan 2012 09:12:22 -0500 (EST) From: Samuel Weiler X-X-Sender: weiler@fledge.watson.org To: secdir@ietf.org Message-ID: User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.2.3 (fledge.watson.org [127.0.0.1]); Mon, 23 Jan 2012 09:12:22 -0500 (EST) Subject: [secdir] Assignments X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: secdir-secretary@mit.edu List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Jan 2012 14:12:25 -0000 Review instructions and related resources are at: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview Sandy Murphy is next in the rotation. For telechat 2012-02-02 Reviewer LC end Draft Hilarie Orman TR2011-12-13 draft-ietf-sidr-rpki-rtr-24 For telechat 2012-02-16 Russ Mundy T 2012-02-14 draft-ishikawa-yrpunl-ucode-urn-01 For telechat 2012-03-15 Tina TSOU T 2012-02-14 draft-shin-augmented-pake-10 Last calls and special requests: Dave Cridland 2012-01-03 draft-os-ietf-sshfp-ecdsa-sha2-04 Warren Kumari 2012-01-24 draft-ietf-dime-pmip6-lr-06 Barry Leiba 2012-01-13 draft-ietf-pcn-signaling-requirements-07 Matt Lepinski 2012-01-26 draft-ietf-radext-radsec-10 Alexey Melnikov 2012-01-27 draft-ietf-payload-rtp-klv-02 Kathleen Moriarty 2012-02-03 draft-ietf-tsvwg-source-quench-04 From kathleen.moriarty@emc.com Mon Jan 23 07:35:14 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4199E21F8687; Mon, 23 Jan 2012 07:35:14 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -9.5 X-Spam-Level: X-Spam-Status: No, score=-9.5 tagged_above=-999 required=5 tests=[AWL=1.099, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nwC8vmWe42I5; Mon, 23 Jan 2012 07:35:13 -0800 (PST) Received: from mexforward.lss.emc.com (mexforward.lss.emc.com [128.222.32.20]) by ietfa.amsl.com (Postfix) with ESMTP id 441B021F8683; Mon, 23 Jan 2012 07:35:12 -0800 (PST) Received: from hop04-l1d11-si02.isus.emc.com (HOP04-L1D11-SI02.isus.emc.com [10.254.111.55]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id q0NFZ4VV009818 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 23 Jan 2012 10:35:07 -0500 Received: from mailhub.lss.emc.com (mailhubhoprd03.lss.emc.com [10.254.221.145]) by hop04-l1d11-si02.isus.emc.com (RSA Interceptor); Mon, 23 Jan 2012 10:34:44 -0500 Received: from mxhub35.corp.emc.com (mxhub35.corp.emc.com [10.254.93.83]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id q0NFYhji028334; Mon, 23 Jan 2012 10:34:43 -0500 Received: from mx06a.corp.emc.com ([169.254.1.153]) by mxhub35.corp.emc.com ([::1]) with mapi; Mon, 23 Jan 2012 10:34:43 -0500 From: To: , , Date: Mon, 23 Jan 2012 10:34:41 -0500 Thread-Topic: Sec-dir review of draft-ietf-tsvwg-source-quench-04 Thread-Index: AczZ5IYpMliT8QTVT+uEN1JM0Ads+Q== Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: acceptlanguage: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-EMM-MHVC: 1 Cc: fernando@gont.com.ar Subject: [secdir] Sec-dir review of draft-ietf-tsvwg-source-quench-04 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 23 Jan 2012 15:35:14 -0000 Hello, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The document is straightforward and well written. I just have a couple of = nits, but think the document is ready otherwise. Suggest replacing 'must' with 'should' since the discussion is on interpret= ation. Change from: Receipt of an ICMP Source Quench message must not be interpreted as an atte= mpt to attack the receiver. To: Receipt of an ICMP Source Quench message should not be interpreted as an at= tempt to attack the receiver. It is already clear from the rest of the draft and this section, that there= is no risk by ignoring ICMP source quench messages, which is done by 'virt= ually all current implementations of TCP'. Should this say, virtually all= current implementations of 'IP' or 'TCP' and 'ICMP'? The discussion cove= rs source quench being deprecated (RFC1812) by router implementations 20 ye= ars ago and now formally deprecates this within TCP. Thank you, Kathleen From mnot@mnot.net Tue Jan 24 15:36:46 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C9E021F84FC; Tue, 24 Jan 2012 15:36:46 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -105.266 X-Spam-Level: X-Spam-Status: No, score=-105.266 tagged_above=-999 required=5 tests=[AWL=-2.667, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id chVduA0TifiU; Tue, 24 Jan 2012 15:36:45 -0800 (PST) Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) by ietfa.amsl.com (Postfix) with ESMTP id 70EA321F84EA; Tue, 24 Jan 2012 15:36:32 -0800 (PST) Received: from mnot-mini.mnot.net (unknown [118.209.240.235]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id BC94922E1EB; Tue, 24 Jan 2012 18:36:30 -0500 (EST) Mime-Version: 1.0 (Apple Message framework v1251.1) Content-Type: text/plain; charset=us-ascii From: Mark Nottingham In-Reply-To: Date: Wed, 25 Jan 2012 10:36:27 +1100 Content-Transfer-Encoding: 7bit Message-Id: <004F97D3-E825-4BD5-A761-1F047AAFB7AE@mnot.net> References: To: Stephen Hanna X-Mailer: Apple Mail (2.1251.1) Cc: "draft-nottingham-http-new-status@tools.ietf.org" , "ietf@ietf.org" , "secdir@ietf.org" Subject: Re: [secdir] secdir review of draft-nottingham-http-new-status-03 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Jan 2012 23:36:46 -0000 On 14/01/2012, at 6:59 AM, Stephen Hanna wrote: > I do have a question about the issues raised in Appendix B. > These are all legitimate issues. However, it seems to me > that having status code 511 should help with these. A > browser or non-browser application could recognize status > code 511 as an indication that a captive portal is in use > and avoid capturing favicons, looking for P3P files, and > doing other things that should wait until after the captive > portal is blocking access. When the original website stops > returning 511, such activities could resume. I may be wrong > in suggesting these ideas but if not it would be good to > note them here. I've added a note linking the issues to 511 more explicitly. Thanks, -- Mark Nottingham http://www.mnot.net/ From mnot@mnot.net Tue Jan 24 15:36:49 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9F1A11E80A0; Tue, 24 Jan 2012 15:36:49 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -104.885 X-Spam-Level: X-Spam-Status: No, score=-104.885 tagged_above=-999 required=5 tests=[AWL=-2.286, BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SmOL45xjf34N; Tue, 24 Jan 2012 15:36:49 -0800 (PST) Received: from mxout-07.mxes.net (mxout-07.mxes.net [216.86.168.182]) by ietfa.amsl.com (Postfix) with ESMTP id DF17911E809A; Tue, 24 Jan 2012 15:36:48 -0800 (PST) Received: from mnot-mini.mnot.net (unknown [118.209.240.235]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp.mxes.net (Postfix) with ESMTPSA id E2B2322E257; Tue, 24 Jan 2012 18:36:46 -0500 (EST) Mime-Version: 1.0 (Apple Message framework v1251.1) Content-Type: text/plain; charset=us-ascii From: Mark Nottingham In-Reply-To: Date: Wed, 25 Jan 2012 10:36:45 +1100 Content-Transfer-Encoding: quoted-printable Message-Id: References: <4F109383.1090505@gmx.de> To: Stephen Hanna X-Mailer: Apple Mail (2.1251.1) Cc: Julian Reschke , "draft-nottingham-http-new-status@tools.ietf.org" , "ietf@ietf.org" , "secdir@ietf.org" Subject: Re: [secdir] secdir review of draft-nottingham-http-new-status-03 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 24 Jan 2012 23:36:50 -0000 Sorry for the delay in responding; just back from holiday. On 14/01/2012, at 8:26 AM, Stephen Hanna wrote: > Julian, >=20 > I'm sure that in your view one sentence is adequate to explain > all the security implications of each status code. However, > you may want to consider that some readers may not have quite > the same deep grasp of the matter that you do. Therefore, > I think it would be wise to provide more explanation. Here's an > example for section 7.2 on status code 429 (Too Many Requests): >=20 > Section 7.2 429 Too Many Requests >=20 > While status code 429 can be helpful in figuring out why a > server is not responding to requests, it can also be harmful. > When a server is under attack or simply receiving a very > large number of requests from a single party, responding > to each of these requests with a 429 status code will consume > resources that could be better used in other ways. Therefore, > a server in such circumstances may choose to send a 429 status > code only the first time a client exceeds its limit and > ignore subsequent requests from this client until its limit > is no longer exceeded. Other approaches may also be employed. >=20 > As you can see, I described security problems that could occur > with this status code and explained how those problems can be > avoided or mitigated. While it's true that these problems > could occur when a more generic status code is used to handle > the case of "too many requests", that does not mean that they > are not relevant to this document. On the contrary, the fact > that this document is providing more detailed status codes > gives us the opportunity and one can argue the obligation to > provide more detailed security analysis relevant to these more > detailed status codes. I'm really not sure I agree; the original text is: Servers are not required to use the 429 status code; when limiting resource usage, it may be more appropriate to just drop connections, or take other steps. If someone implementing a server doesn't understand that, I don't know = that using more words really helps; it does, however, make it harder to = find the words in the spec that *will* help. -- Mark Nottingham http://www.mnot.net/ From new-work-bounces@ietf.org Wed Jan 25 12:18:01 2012 Return-Path: X-Original-To: secdir@ietf.org Delivered-To: secdir@ietfa.amsl.com Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E262811E8098; Wed, 25 Jan 2012 12:18:01 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1327522681; bh=yd2DTNMv76732ZlxD1xwOncJe6QsKCb7yBJ+yP0tgvc=; h=Mime-Version:From:In-Reply-To:Date:Message-Id:References:To: Subject:List-Id:List-Unsubscribe:List-Archive:List-Post:List-Help: List-Subscribe:Content-Type:Content-Transfer-Encoding:Sender; b=f+aA2sxVP3iACir46RGpD5sFQRxTOS45itPGsOR9YEt3H2XvzO+bwHvtFU+U1GJci iwFnUEBWxVpvWnoh2o+BwO0DOAtPdxwH2gDJvnntTLFaIo9FIHD0eDII2o9Rggbvel C9RSD2y7PNwZl0np/J+cYPM4J6ObkomVux/yhI+I= X-Original-To: new-work@ietfa.amsl.com Delivered-To: new-work@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEE2011E808F for ; Wed, 25 Jan 2012 12:18:00 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.599 X-Spam-Level: X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FOQv5MGHqJwO for ; Wed, 25 Jan 2012 12:18:00 -0800 (PST) Received: from mail.amsl.com (mail.amsl.com [IPv6:2001:1890:123a::1:14]) by ietfa.amsl.com (Postfix) with ESMTP id E537721F8448 for ; Wed, 25 Jan 2012 12:17:59 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by c8a.amsl.com (Postfix) with ESMTP id E244C12BF1D for ; Wed, 25 Jan 2012 12:17:59 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com Received: from c8a.amsl.com ([127.0.0.1]) by localhost (c8a.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j6pLqYDGGpvs for ; Wed, 25 Jan 2012 12:17:59 -0800 (PST) Received: from 149-166-25-70.dhcp-in.iupui.edu (unknown [149.166.24.15]) by c8a.amsl.com (Postfix) with ESMTPSA id 6773112BF15 for ; Wed, 25 Jan 2012 12:17:59 -0800 (PST) Mime-Version: 1.0 (Apple Message framework v1084) From: IETF Chair In-Reply-To: Date: Wed, 25 Jan 2012 15:17:55 -0500 Message-Id: <29EB437A-2329-47BF-A738-BDEABE94D3EA@ietf.org> References: To: new-work@ietf.org X-Mailer: Apple Mail (2.1084) X-BeenThere: new-work@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: new-work-bounces@ietf.org Errors-To: new-work-bounces@ietf.org X-Mailman-Approved-At: Wed, 25 Jan 2012 16:47:06 -0800 Subject: Re: [secdir] [new-work] Considering adding ONF to the new-work mail list X-BeenThere: secdir@ietf.org List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Jan 2012 20:18:02 -0000 ONF has been added to the new-work mail list. Welcome. This is the first message to the new-work mail list that ONF is receiving. Russ On Jan 9, 2012, at 2:38 PM, IETF Chair wrote: > We are considering adding ONF (https://www.opennetworking.org/) to the new-work mail list. Before doing so, we would like to know if any current members of the mail list would have any concerns regarding this action. If you have concerns, please let me know in the next week. > > Thanks, > Russ Housley > IETF Chair _______________________________________________ new-work mailing list new-work@ietf.org https://www.ietf.org/mailman/listinfo/new-work From charliek@microsoft.com Thu Jan 26 10:05:56 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F13D021F86D9; Thu, 26 Jan 2012 10:05:55 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.598 X-Spam-Level: X-Spam-Status: No, score=-6.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ctjDX7UCG4CX; Thu, 26 Jan 2012 10:05:54 -0800 (PST) Received: from TX2EHSOBE004.bigfish.com (tx2ehsobe002.messaging.microsoft.com [65.55.88.12]) by ietfa.amsl.com (Postfix) with ESMTP id 2A9DF21F86D1; Thu, 26 Jan 2012 10:05:54 -0800 (PST) Received: from mail164-tx2-R.bigfish.com (10.9.14.235) by TX2EHSOBE004.bigfish.com (10.9.40.24) with Microsoft SMTP Server id 14.1.225.23; Thu, 26 Jan 2012 18:05:53 +0000 Received: from mail164-tx2 (localhost [127.0.0.1]) by mail164-tx2-R.bigfish.com (Postfix) with ESMTP id 66CC03E0202; Thu, 26 Jan 2012 18:05:53 +0000 (UTC) X-SpamScore: 0 X-BigFish: VS0(zzc85fhzz1202hzz8275bh8275dhz2fhc1bhc31hc1ahc1bhc31hc1ah2a8h668h839h) X-Forefront-Antispam-Report: CIP:131.107.125.8; KIP:(null); UIP:(null); IPV:NLI; H:TK5EX14HUBC101.redmond.corp.microsoft.com; RD:none; EFVD:NLI Received-SPF: pass (mail164-tx2: domain of microsoft.com designates 131.107.125.8 as permitted sender) client-ip=131.107.125.8; envelope-from=charliek@microsoft.com; helo=TK5EX14HUBC101.redmond.corp.microsoft.com ; icrosoft.com ; Received: from mail164-tx2 (localhost.localdomain [127.0.0.1]) by mail164-tx2 (MessageSwitch) id 1327601151763658_11246; Thu, 26 Jan 2012 18:05:51 +0000 (UTC) Received: from TX2EHSMHS022.bigfish.com (unknown [10.9.14.254]) by mail164-tx2.bigfish.com (Postfix) with ESMTP id B6BCC80045; Thu, 26 Jan 2012 18:05:51 +0000 (UTC) Received: from TK5EX14HUBC101.redmond.corp.microsoft.com (131.107.125.8) by TX2EHSMHS022.bigfish.com (10.9.99.122) with Microsoft SMTP Server (TLS) id 14.1.225.23; Thu, 26 Jan 2012 18:05:49 +0000 Received: from TK5EX14MBXC117.redmond.corp.microsoft.com ([169.254.8.7]) by TK5EX14HUBC101.redmond.corp.microsoft.com ([157.54.7.153]) with mapi id 14.02.0247.005; Thu, 26 Jan 2012 10:05:41 -0800 From: Charlie Kaufman To: "secdir@ietf.org" , "iesg@ietf.org" , "draft-ietf-geopriv-deref-protocol.all@tools.ietf.org" Thread-Topic: Secdir review of draft-ietf-geopriv-deref-protocol-04 Thread-Index: AczcUlHhlR2Jyp4+QACa3zENEynQrQ== Date: Thu, 26 Jan 2012 18:05:40 +0000 Message-ID: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [157.54.51.79] Content-Type: multipart/alternative; boundary="_000_D80EDFF2AD83E648BD1164257B9B091241945C0DTK5EX14MBXC117r_" MIME-Version: 1.0 X-OriginatorOrg: microsoft.com Subject: [secdir] Secdir review of draft-ietf-geopriv-deref-protocol-04 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Jan 2012 18:05:56 -0000 --_000_D80EDFF2AD83E648BD1164257B9B091241945C0DTK5EX14MBXC117r_ Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable I have reviewed this document as part of the security directorate's ongoing= effort to review all IETF documents being processed by the IESG. These co= mments were written primarily for the benefit of the security area director= s. Document editors and WG chairs should treat these comments just like an= y other last call comments. This document specifies a relatively trivial extension to the HELD protocol= to allow that protocol to be used to look up someone's (or something's) lo= cation. It's previous use was in connection with a device learning and/or s= etting its own location. It specifies an access control mechanism based on = keeping location URIs secret and leaves open the possibility of alternate a= ccess control mechanisms being added in the future. It recommends use of TL= S, but does not require it. The Security Considerations section addresses t= hese issues well. I see no security issues with this document. I found no typos. I have a few readability suggestions: The document is not very free-standing, in that it would be difficult for s= omeone outside the geopriv community to figure out what's going on in this = document without reading some others first. It would be helpful if the intr= oduction recommended some other RFC where such a context might be learned. Section 3.3 paragraph 1 says: "This document does not describe a specific a= uthentication mechanism. This means that authorization policies are unable = to specifically identify authorized Location Recipients." As is clarified l= ater in the section, what is really meant is that no mechanism for doing so= is specified in this document. It is explicitly intended that such functio= nality be addable later without invalidating this document. In particular, = paragraph 6 says: "Authentication of Location Recipients and use of identit= y-based authorization policy is not precluded." Clarifying that in the firs= t paragraph would avoid confusion. This last one is a real nit, but it bugged me... Section 4.1 paragraph 3 says: "The LS MUST ignore any parameters that it do= es not understand unless it knows the parameters to be invalid". I would cl= aim that you must understand something to know that it is invalid, and so w= ould leave off the "unless" clause. --_000_D80EDFF2AD83E648BD1164257B9B091241945C0DTK5EX14MBXC117r_ Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: quoted-printable

I have reviewed this document as part of the secu= rity directorate's ongoing effort to review all IETF documents being proces= sed by the IESG. These comments were written primarily for the benefi= t of the security area directors. Document editors and WG chairs should treat these comments just like any other last= call comments.

This document specifies a relatively trivial extensi= on to the HELD protocol to allow that protocol to be used to look up someon= e’s (or something’s) location. It’s previous use was in c= onnection with a device learning and/or setting its own location. It specifies an access control mechanism based on keeping lo= cation URIs secret and leaves open the possibility of alternate access cont= rol mechanisms being added in the future. It recommends use of TLS, but doe= s not require it. The Security Considerations section addresses these issues well.

I see no security issues with this document.

I found no typos.

I have a few readability suggestions:

The document is not very free-standing, in that it w= ould be difficult for someone outside the geopriv community to figure out w= hat’s going on in this document without reading some others first. It= would be helpful if the introduction recommended some other RFC where such a context might be learned.

Section 3.3 paragraph 1 says: “This document d= oes not describe a specific authentication mechanism. This means that autho= rization policies are unable to specifically identify authorized Location R= ecipients.” As is clarified later in the section, what is really meant is that no mechanism for doing so is specifi= ed in this document. It is explicitly intended that such functionality be a= ddable later without invalidating this document. In particular, paragraph 6= says: “Authentication of Location Recipients and use of identity-based authorization policy is not precluded= .” Clarifying that in the first paragraph would avoid confusion.=

This last one is a real nit, but it bugged me…=

Section 4.1 paragraph 3 says: “The LS MUST ign= ore any parameters that it does not understand unless it knows the paramete= rs to be invalid”. I would claim that you must understand something t= o know that it is invalid, and so would leave off the “unless” clause.

--_000_D80EDFF2AD83E648BD1164257B9B091241945C0DTK5EX14MBXC117r_-- From Tina.Tsou.Zouting@huawei.com Thu Jan 26 14:39:50 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3255121F8630 for ; Thu, 26 Jan 2012 14:39:50 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.511 X-Spam-Level: X-Spam-Status: No, score=-6.511 tagged_above=-999 required=5 tests=[AWL=0.088, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JLZ9Qkb+y3FR for ; Thu, 26 Jan 2012 14:39:49 -0800 (PST) Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [119.145.14.64]) by ietfa.amsl.com (Postfix) with ESMTP id 951C921F8627 for ; Thu, 26 Jan 2012 14:39:49 -0800 (PST) Received: from huawei.com (szxga05-in [172.24.2.49]) by szxga05-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LYF00NWMGA556@szxga05-in.huawei.com> for secdir@ietf.org; Fri, 27 Jan 2012 06:39:42 +0800 (CST) Received: from szxrg02-dlp.huawei.com ([172.24.2.119]) by szxga05-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0LYF001GRGA5J9@szxga05-in.huawei.com> for secdir@ietf.org; Fri, 27 Jan 2012 06:39:41 +0800 (CST) Received: from szxeml211-edg.china.huawei.com ([172.24.2.119]) by szxrg02-dlp.huawei.com (MOS 4.1.9-GA) with ESMTP id AGO08844; Fri, 27 Jan 2012 06:39:39 +0800 Received: from SZXEML415-HUB.china.huawei.com (10.82.67.154) by szxeml211-edg.china.huawei.com (172.24.2.182) with Microsoft SMTP Server (TLS) id 14.1.323.3; Fri, 27 Jan 2012 06:39:19 +0800 Received: from SZXEML526-MBS.china.huawei.com ([169.254.7.225]) by szxeml415-hub.china.huawei.com ([10.82.67.154]) with mapi id 14.01.0323.003; Fri, 27 Jan 2012 06:39:49 +0800 Date: Thu, 26 Jan 2012 22:39:32 +0000 From: Tina TSOU In-reply-to: <4F20D424.1060901@gmail.com> X-Originating-IP: [10.193.34.128] To: "secdir@ietf.org" Message-id: MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-language: en-US Content-transfer-encoding: 7BIT Accept-Language: en-US, zh-CN Thread-topic: SECDIR review of draft-shin-augmented-pake-10 Thread-index: AQHM3Htfakgv3SEVMEyWW1S7NY+DIA== X-MS-Has-Attach: X-MS-TNEF-Correlator: X-CFilter-Loop: Reflected References: <4F20D424.1060901@gmail.com> Cc: "draft-shin-augmented-pake@tools.ietf.org" Subject: [secdir] SECDIR review of draft-shin-augmented-pake-10 X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Jan 2012 22:39:50 -0000 Hi, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. I found some editorial glitches and the use of "temporal" when "temporary" was intended, but someone else can catch those. Reference K11 is now RFC 6467. That means the Notify message type and the GSPM payload type have now been assigned (16424 and 49 respectively) and can be inserted into the document where it currently says "TBD". The request to IANA names the wrong registry. The correct name is "IKEv2 Secure Password Methods" registry, established by RFC 6467. The relationship between this document and RFC 6467 is odd. In the ordinary course of events this document would have a normative dependency on RFC 6467. It is obvious that the latter was written after the present document, and avoidance of the dependency was deliberate on both sides. Still, the authors of this document might reconsider, even though RFC 6467 would be a down-reference since it is Informational. Tina From ondrej.sury@nic.cz Fri Jan 27 02:25:08 2012 Return-Path: X-Original-To: secdir@ietfa.amsl.com Delivered-To: secdir@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 783A921F850D for ; Fri, 27 Jan 2012 02:25:08 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.7 X-Spam-Level: X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_23=0.6, MIME_8BIT_HEADER=0.3, NO_RELAYS=-0.001] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RVEEh-uLrq9s for ; Fri, 27 Jan 2012 02:25:08 -0800 (PST) Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) by ietfa.amsl.com (Postfix) with ESMTP id C947A21F84CE for ; Fri, 27 Jan 2012 02:25:07 -0800 (PST) Received: from [IPv6:2001:1488:ac14:1400:e0b7:7a23:933c:691b] (unknown [IPv6:2001:1488:ac14:1400:e0b7:7a23:933c:691b]) by mail.nic.cz (Postfix) with ESMTPSA id 0AB322A3017 for ; Fri, 27 Jan 2012 11:25:07 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nic.cz; s=default; t=1327659907; bh=0fW8yppUteWOrAXNE4R7Modt6A1lLPKcR8Eh9aQh3R0=; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date: Content-Transfer-Encoding:Message-Id:References:To; b=Xj9nn/VhFZdnxbgS7rMQyykqsiuy7FmbOtW5y/tQH8lLa9FSkkJznDy8Dj3Erh9xD 5rgQq1AKJncCJ5FSy/5SkwOeW+jGXKpU/Wak6EkNcaqAcnlhaA/7Ihf9JVs3pHALuJ UfDVdaNavSiaGpwxOrEXPcqdOW+WuOtB7p8z5Jeg= Content-Type: text/plain; charset=utf-8 Mime-Version: 1.0 (Apple Message framework v1251.1) From: =?utf-8?Q?Ond=C5=99ej_Sur=C3=BD?= In-Reply-To: Date: Fri, 27 Jan 2012 11:25:06 +0100 Content-Transfer-Encoding: quoted-printable Message-Id: <1610A494-DA56-4749-BAB2-E238C5C0DD2D@nic.cz> References: To: secdir@ietf.org X-Mailer: Apple Mail (2.1251.1) X-Virus-Scanned: clamav-milter 0.96.5 at mail X-Virus-Status: Clean Subject: Re: [secdir] Assignments X-BeenThere: secdir@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Security Area Directorate List-Unsubscribe: , List-Archive: List-Post: List-Help: