Re: [bfcpbis] Kathleen Moriarty's Discuss on draft-ietf-bfcpbis-rfc4582bis-13: (with DISCUSS and COMMENT)
Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Thu, 05 March 2015 16:24 UTC
Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: bfcpbis@ietfa.amsl.com
Delivered-To: bfcpbis@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2193A1A1BF6; Thu, 5 Mar 2015 08:24:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w4jlJRoUL4bs; Thu, 5 Mar 2015 08:24:10 -0800 (PST)
Received: from mail-lb0-x22c.google.com (mail-lb0-x22c.google.com [IPv6:2a00:1450:4010:c04::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32B4C1A1A7B; Thu, 5 Mar 2015 08:14:14 -0800 (PST)
Received: by lbvp9 with SMTP id p9so29415099lbv.8; Thu, 05 Mar 2015 08:14:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=SNEcgs1mjOUA+cHaSHoaOBxaaMBxjyuGAdBRwjPBSos=; b=i/P1VTMUBj4XoOnkOZBvB8+NPUfzEuN2/aPEnfvWJen5gx6Mm3ZFD4UU46g6Yf8va2 2C3RpHwxA8dKT/U/5QmK8lMbUZ0ufYROMiI0RMD3cdPV/wHWH0TWi5ldcmEGfIbm1dTt yvremkLDhEitURcCLP3n2u64ChrdonIE9KqImLce+4bIOyoiXKgSmo2DZQiB6webGKPU 4Rfmc9UcJlhfvmdbt2ZYv5RTAIUYRUJ7Eh4SjRXTr3+3Qjo9zNyaiGAkCdw0g/5KNSt5 Kiy8qe3pn7UCMA5TlNTxtCOGzpRu1LFquLzjDf8ikOA8wKfu1d3u8Otebj0+xBj/DvHa XktQ==
MIME-Version: 1.0
X-Received: by 10.152.45.1 with SMTP id i1mr8625097lam.61.1425572052639; Thu, 05 Mar 2015 08:14:12 -0800 (PST)
Received: by 10.152.22.100 with HTTP; Thu, 5 Mar 2015 08:14:12 -0800 (PST)
In-Reply-To: <20150305152202.28872.54032.idtracker@ietfa.amsl.com>
References: <20150305152202.28872.54032.idtracker@ietfa.amsl.com>
Date: Thu, 05 Mar 2015 10:14:12 -0600
Message-ID: <CAKKJt-eFwhiwa0qdAHVc7G=Q8rbqOV_kz2CLYynbJausi9OG2w@mail.gmail.com>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="001a11c27c84cca35f05108cdb53"
Archived-At: <http://mailarchive.ietf.org/arch/msg/bfcpbis/BTHZk8xcYBryi7vas-dFjEKCY5I>
Cc: bfcpbis@ietf.org, draft-ietf-bfcpbis-rfc4582bis.all@ietf.org, Mary Barnes <mary.ietf.barnes@gmail.com>, The IESG <iesg@ietf.org>, bfcpbis-chairs@ietf.org
Subject: Re: [bfcpbis] Kathleen Moriarty's Discuss on draft-ietf-bfcpbis-rfc4582bis-13: (with DISCUSS and COMMENT)
X-BeenThere: bfcpbis@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: BFCPBIS working group discussion list <bfcpbis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/bfcpbis/>
List-Post: <mailto:bfcpbis@ietf.org>
List-Help: <mailto:bfcpbis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/bfcpbis>, <mailto:bfcpbis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2015 16:24:13 -0000
Just continuing the trend of ADs talking to each other in ballot threads :-) On Thu, Mar 5, 2015 at 9:22 AM, Kathleen Moriarty < Kathleen.Moriarty.ietf@gmail.com> wrote: > Kathleen Moriarty has entered the following ballot position for > draft-ietf-bfcpbis-rfc4582bis-13: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to http://www.ietf.org/iesg/statement/discuss-criteria.html > for more information about IESG DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > http://datatracker.ietf.org/doc/draft-ietf-bfcpbis-rfc4582bis/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > Thanks for your work on this draft, it was very well written which is > much appreciated. > > I just have one item I'd like to discuss that should be very easy to > resolve. > This should be considered with Spencer's question on what happens when > the fragments are larger or smaller than the path MTU. It's important to > state this to prevent fragmentation overlap attacks (unless you can > explain why we don't need to worry about that). > > In the second sentence on page 42, adding the ending clause may be > helpful: > The size of each of these N messages MUST be > smaller than the path MTU to help prevent fragmentation overlap > attacks. > > > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > > Spencer asked what happens when TLS/DTLS is not used, so perhaps > rewording of the intro to the security considerations section would help > to clear up his point. TLS/DTLS is the MTI with flexibility left in to > support some other undefined mechanism to secure the channel. Since no > MTU is set, but recommended, the first few sentences are a bit confusing. > The rest of the paragraph is clear in terms of MTI and recommendations > when TLD/DTLS is used as well as alternates options supporting the listed > desired security properties. I think what I was wondering, was whether it's obvious that it's easier to off-path attack UDP protocols than TCP protocols in general, since an attacker has to splice attack packets into the TCP sequence numbering, while UDP doesn't have the same ... I don't want to say "protection", but maybe "obstacle". So, DTLS is in some sense more helpful than TLS, in resisting off-path attacks. Kathleen being the security type that I'll never be, please pay more attention to her thoughts about this than mine! Spencer > Security Considerations > > BFCP uses TLS/DTLS to provide mutual authentication between clients > and servers. TLS/DTLS also provides replay and integrity protection > and confidentiality. > > >
- [bfcpbis] Kathleen Moriarty's Discuss on draft-ie… Kathleen Moriarty
- Re: [bfcpbis] Kathleen Moriarty's Discuss on draf… Spencer Dawkins at IETF
- Re: [bfcpbis] Kathleen Moriarty's Discuss on draf… Kathleen Moriarty
- Re: [bfcpbis] Kathleen Moriarty's Discuss on draf… Alissa Cooper
- Re: [bfcpbis] Kathleen Moriarty's Discuss on draf… Paul E. Jones
- Re: [bfcpbis] Kathleen Moriarty's Discuss on draf… Kathleen Moriarty
- Re: [bfcpbis] Kathleen Moriarty's Discuss on draf… Paul E. Jones
- Re: [bfcpbis] Kathleen Moriarty's Discuss on draf… Kathleen Moriarty