Re: [Dime] SecDir review of draft-ietf-dime-rfc4005bis-11

Glen Zorn <glenzorn@gmail.com> Mon, 24 September 2012 08:10 UTC

To: "Moriarty, Kathleen" <kathleen.moriarty@emc.com>
Cc: dime mailing list <dime@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-dime-rfc4005bis.all@tools.ietf.org" <draft-ietf-dime-rfc4005bis.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>

On 09/22/2012 05:25 AM, Moriarty, Kathleen wrote:

> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> Summary: This document describes the extension of Diameter for the
> NAS application.
>
> As such, should the abstract be updated to ensure the reader is aware
> of the scope limitation in the first sentence?

I don't understand: the first sentence of the introduction is virtually 
identical to the first sentence of Section 1.  What do you want me to do?

>
> In reading through the draft, I agree with the summary in the
> Security considerations section. This document is limited in scope,
> it extends the definition and doesn't go into the details of the
> protocol and the associated security considerations. The base
> protocol is defined in RFC3588bis along with the security
> requirements.
>
> I think a reference to the authentication security
> requirements/considerations defined in ietf-dime-rfc3588bis would be
> very helpful so that the reader knows the extent of possible security
> issues and solutions since they go beyond what is described in this
> document. Having the reference either in Sections 4.3.1 and 4.5.6 or
> the Security Considerations section would ensure the reader is aware
> this is addressed elsewhere.

Since the reader must have read & understood RFC 3588bis to expect to be 
able to read & understand this doc (draft-ietf-dime-rfc3588bis is cited 
as a normative reference), presumably the reader is already aware of this.

> Some issues are addressed in these
> sections, but they do not go as far as the base protocol and there
> could be issues as this document just relies on session encryption to
> protect plaintext passwords, etc.

??

> The base protocol describes other
> mechanisms and risks.
>
> Editorial nit: Section 1.1, first sentence of last paragraph Change
> from: "There are many other many miscellaneous" To: "There are many
> other miscellaneous"

Fixed, thanks!