[Dime] Fwd: SecDir review of draft-ietf-dime-rfc4005bis-11

Benoit Claise <bclaise@cisco.com> Mon, 24 September 2012 06:55 UTC

Return-Path: <bclaise@cisco.com>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4475D21E803C for <dime@ietfa.amsl.com>; Sun, 23 Sep 2012 23:55:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.604
X-Spam-Level:
X-Spam-Status: No, score=-4.604 tagged_above=-999 required=5 tests=[AWL=-2.006, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3hl9BgNnBLdn for <dime@ietfa.amsl.com>; Sun, 23 Sep 2012 23:54:59 -0700 (PDT)
Received: from av-tac-bru.cisco.com (spooky-brew.cisco.com [144.254.15.113]) by ietfa.amsl.com (Postfix) with ESMTP id 4CE4321E8045 for <dime@ietf.org>; Sun, 23 Sep 2012 23:54:59 -0700 (PDT)
X-TACSUNS: Virus Scanned
Received: from strange-brew.cisco.com (localhost.cisco.com [127.0.0.1]) by av-tac-bru.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id q8O6suHN021568; Mon, 24 Sep 2012 08:54:56 +0200 (CEST)
Received: from [10.60.67.84] (ams-bclaise-8913.cisco.com [10.60.67.84]) by strange-brew.cisco.com (8.13.8+Sun/8.13.8) with ESMTP id q8O6stH3001307; Mon, 24 Sep 2012 08:54:55 +0200 (CEST)
Message-ID: <506003BF.5050501@cisco.com>
Date: Mon, 24 Sep 2012 08:54:55 +0200
From: Benoit Claise <bclaise@cisco.com>
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:15.0) Gecko/20120907 Thunderbird/15.0.1
MIME-Version: 1.0
To: Glen Zorn <glenzorn@gmail.com>
References: <F5063677821E3B4F81ACFB7905573F24092B0179@MX15A.corp.emc.com>
In-Reply-To: <F5063677821E3B4F81ACFB7905573F24092B0179@MX15A.corp.emc.com>
X-Forwarded-Message-Id: <F5063677821E3B4F81ACFB7905573F24092B0179@MX15A.corp.emc.com>
Content-Type: multipart/alternative; boundary="------------030309050602090207000908"
Cc: dime mailing list <dime@ietf.org>
Subject: [Dime] Fwd: SecDir review of draft-ietf-dime-rfc4005bis-11
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Sep 2012 06:55:00 -0000

Hi Glen,

The IETF LC is now finished.
Can you please answer/address Kathleen's points

Regards, Benoit.


-------- Original Message --------
Subject: 	SecDir review of draft-ietf-dime-rfc4005bis-11
Date: 	Fri, 21 Sep 2012 18:25:15 -0400
From: 	Moriarty, Kathleen <kathleen.moriarty@emc.com>;
To: 	secdir@ietf.org <secdir@ietf.org>;, iesg@ietf.org <iesg@ietf.org>;, 
draft-ietf-dime-rfc4005bis.all@tools.ietf.org 
<draft-ietf-dime-rfc4005bis.all@tools.ietf.org>;, glenzorn@gmail.com 
<glenzorn@gmail.com>;



I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

Summary:
This document describes the extension of Diameter for the NAS application.

As such, should the abstract be updated to ensure the reader is aware of the scope limitation in the first sentence?

In reading through the draft, I agree with the summary in the Security considerations section.  This document is limited in scope, it extends the definition and doesn't go into the details of the protocol and the associated security considerations. The base protocol is defined in RFC3588bis along with the security requirements.

I think a reference to the authentication security requirements/considerations defined in ietf-dime-rfc3588bis would be very helpful so that the reader knows the extent of possible security issues and solutions since they go beyond what is described in this document.  Having the reference either in Sections 4.3.1 and 4.5.6 or the Security Considerations section would ensure the reader is aware this is addressed elsewhere.  Some issues are addressed in these sections, but they do not go as far as the base protocol and there could be issues as this document just relies on session encryption to protect plaintext passwords, etc.  The base protocol describes other mechanisms and risks.

Editorial nit:
Section 1.1, first sentence of last paragraph
Change from:
"There are many other many miscellaneous"
To:
"There are many other miscellaneous"