Re: [dhcwg] Ben Campbell's Yes on draft-ietf-dhc-relay-server-security-04: (with COMMENT)

"Bernie Volz (volz)" <volz@cisco.com> Wed, 12 April 2017 22:31 UTC

From: "Bernie Volz (volz)" <volz@cisco.com>
To: Ben Campbell <ben@nostrum.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-dhc-relay-server-security@ietf.org" <draft-ietf-dhc-relay-server-security@ietf.org>, Tomek Mrugalski <tomasz.mrugalski@gmail.com>, "dhc-chairs@ietf.org" <dhc-chairs@ietf.org>, "dhcwg@ietf.org" <dhcwg@ietf.org>
Date: Wed, 12 Apr 2017 22:31:16 +0000

Hi:

For:

    -3, third paragraph: "MUST exchange messages securely"
    "Securely" is too ambiguous for a MUST. What specific protections are
    required?

I believe this also was the 4th paragraph?
I guess there are two choices here:
1. Drop “securely” as we are just specifying to use IPsec.
2. Replace “securely” with “encrypted and authenticated”.
It seems #1 might be better (as it should be unnecessary, given that this is what this document is about).


    -3, paragraph 4:
    The list starts with no context. A sentence or paragraph describing the
    purpose of the list would be helpful.

RFC 3315 had before this list:
   Relay agents and servers that support secure relay agent to server or
   relay agent to relay agent communication use IPsec under the
   following conditions:

But I’m not sure “conditions” is the best word? Not sure if there is a better word to use to describe these items?

Perhaps replacing the first sentence in that 4th paragraph with:

  Relay agents and servers MUST exchange messages using the
  IPsec mechanisms described in [RFC4301] with the conditions
  as follows:

And, move the remaining text in that 4th paragraph to the end of section 4 as a separate paragraph.

- Bernie

On 4/12/17, 4:39 PM, "Ben Campbell" <ben@nostrum.com> wrote:

    Ben Campbell has entered the following ballot position for
    draft-ietf-dhc-relay-server-security-04: Yes
    
    When responding, please keep the subject line intact and reply to all
    email addresses included in the To and CC lines. (Feel free to cut this
    introductory paragraph, however.)
    
    
    Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
    for more information about IESG DISCUSS and COMMENT positions.
    
    
    The document, along with other ballot positions, can be found here:
    https://datatracker.ietf.org/doc/draft-ietf-dhc-relay-server-security/
    
    
    
    ----------------------------------------------------------------------
    COMMENT:
    ----------------------------------------------------------------------
    
    I am balloting "Yes", but I share the curiosity about whether people will
    really do this.
    
    -3, third paragraph: "MUST exchange messages securely"
    "Securely" is too ambiguous for a MUST. What specific protections are
    required?
    
    -3, paragraph 4:
    The list starts with no context. A sentence or paragraph describing the
    purpose of the list would be helpful.