Re: [Dime] I-D Action: draft-ietf-dime-e2e-sec-req-02.txt

"Jouni.nosmap" <jouni.nospam@gmail.com> Fri, 27 March 2015 21:40 UTC

From: "Jouni.nosmap" <jouni.nospam@gmail.com>
In-Reply-To: <5515AAF0.8020502@usdonovans.com>
Date: Fri, 27 Mar 2015 16:40:21 -0500
Message-Id: <40F74E87-BC08-4822-A29E-3D2BE026BF6C@gmail.com>
References: <20150126150303.15610.1562.idtracker@ietfa.amsl.com> <5511D1AA.40804@usdonovans.com> <55138C07.2070007@gmail.com> <5515AAF0.8020502@usdonovans.com>
To: Steve Donovan <srdonovan@usdonovans.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dime/TE0eV_erxY4L_j2LPSX8mfFhYAk>
Cc: "dime@ietf.org" <dime@ietf.org>
Subject: Re: [Dime] I-D Action: draft-ietf-dime-e2e-sec-req-02.txt

Hi Steve,

Inline..

Sent from a smart phone.. Mind the typos..

> Steve Donovan <srdonovan@usdonovans.com> wrote on 27.3.2015 at 14.09:
> 
> 
> 
> On 3/25/15 11:33 PM, Jouni Korhonen wrote:
>> Steve,
>> 
>> See inline..
>> 
>> On 3/24/2015, 2:05 PM, Steve Donovan wrote:
>>> A few comments on this document.
>>> 
>>> I would suggest adding the following requirement -- The solution MUST
>>> ensure that routing AVPs are always sent in the clear.
>> 
>> By routing AVPs you refer to Route-Record and Proxy-Info as per RFC6733, right? In that case I do not see a reason for the "are always sent in the clear".
> SRD> No, I mean Destination-Host, Destination-Realm, Origin-Host and Origin-Realm.

Ok. Makes sense. However, integrity protecting the above AVPs should still be fine and allowed. At least the Origin-* AVPs.

>> 
>>> Requirement 5 does indicate that not all AVPs are covered by the "
>>> cryptographic protection".  I think it would be better to be clear that
>>> there is a set of AVPs that MUST NOT be encrypted.
>> 
>> OK.
>> 
>>> In addition, the following requirement might be useful -- The solution
>>> MUST support the ability to identify other non routing AVPs that must
>>> always be sent in the clear.
>> 
>> I would assume the knowledge which AVPs are ciphered is up to a local policy. If the policy is wrong, the receiver or intermediates will reply with an error.
> SRD> That makes sense.  My reason for bringing this up is to make sure that the solution allows for these AVPs being sent in the clear.  It won't work to arbitrarily encrypt all AVPs or even chunks of AVPs.

That was never the intention. We'd better clarify it if the text was not clear about that... Or there was no such text at all.

- jouni


>> 
>> - Jouni
>> 
>>> This would be to cover overload, load, message priority and other AVPs
>>> that need to be accessible by all nodes in the path of a transaction.
>>> 
>>> Regards,
>>> 
>>> Steve
>>> 
>>>> On 1/26/15 9:03 AM, internet-drafts@ietf.org wrote:
>>>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>>>> This draft is a work item of the Diameter Maintenance and Extensions Working Group of the IETF.
>>>> 
>>>>         Title           : Diameter AVP Level Security End-to-End Security: Scenarios and Requirements
>>>>         Authors         : Hannes Tschofenig
>>>>                           Jouni Korhonen
>>>>                           Glen Zorn
>>>>                           Kervin Pillay
>>>>         Filename        : draft-ietf-dime-e2e-sec-req-02.txt
>>>>         Pages           : 9
>>>>         Date            : 2015-01-26
>>>> 
>>>> Abstract:
>>>>    This specification discusses requirements for providing Diameter
>>>>    security at the level of individual Attribute Value Pairs.
>>>> 
>>>> 
>>>> The IETF datatracker status page for this draft is:
>>>> https://datatracker.ietf.org/doc/draft-ietf-dime-e2e-sec-req/
>>>> 
>>>> There's also a htmlized version available at:
>>>> http://tools.ietf.org/html/draft-ietf-dime-e2e-sec-req-02
>>>> 
>>>> A diff from the previous version is available at:
>>>> http://www.ietf.org/rfcdiff?url2=draft-ietf-dime-e2e-sec-req-02
>>>> 
>>>> 
>>>> Please note that it may take a couple of minutes from the time of submission
>>>> until the htmlized version and diff are available at tools.ietf.org.
>>>> 
>>>> Internet-Drafts are also available by anonymous FTP at:
>>>> ftp://ftp.ietf.org/internet-drafts/
>>>> 
>>>> _______________________________________________
>>>> DiME mailing list
>>>> DiME@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/dime
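As an added example (not from the thread or from the draft): a check for the kind of local policy Jouni describes, enforcing Steve's point that the routing AVPs may be integrity-protected but never encrypted, and letting an operator mark further non-routing AVPs (overload, load, priority) as must-be-clear too. The AVP codes are RFC 6733 values; the policy format, the function names and the sample message are assumptions made for this example.

```python
import struct
# AVP codes from RFC 6733 for the routing AVPs named in the thread.
ORIGIN_HOST, ORIGIN_REALM, DEST_HOST, DEST_REALM = 264, 296, 293, 283
ROUTING_AVPS = {ORIGIN_HOST, ORIGIN_REALM, DEST_HOST, DEST_REALM}

def build_avp(code, data, vendor=None):
    """Encode one AVP (RFC 6733 section 4.1, M bit set); builds sample input."""
    flags = 0x40 | (0x80 if vendor is not None else 0)
    length = 8 + (4 if vendor is not None else 0) + len(data)
    hdr = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor is not None:
        hdr += struct.pack("!I", vendor)
    return hdr + data + b"\0" * (-len(data) % 4)  # pad to a 4-octet boundary

def parse_avps(payload):
    """Yield (code, vendor_id, data) for each AVP of a Diameter message body."""
    off = 0
    while off < len(payload):
        code, flags = struct.unpack_from("!IB", payload, off)
        length = int.from_bytes(payload[off + 5:off + 8], "big")
        hdr = 12 if flags & 0x80 else 8  # V bit: a 4-octet Vendor-Id follows
        if length < hdr or off + length > len(payload):
            raise ValueError(f"bad AVP length {length} at offset {off}")
        vendor = struct.unpack_from("!I", payload, off + 8)[0] if hdr == 12 else None
        yield code, vendor, payload[off + hdr:off + length]
        off += (length + 3) & ~3  # next AVP starts on a 4-octet boundary

def check_policy(payload, policy, extra_clear=frozenset()):
    """Return the AVP codes in payload that policy would encrypt although every
    node on the path must read them: routing AVPs plus the locally configured
    extra_clear set. Integrity protection of these AVPs is allowed, not flagged."""
    return [code for code, _v, _d in parse_avps(payload)
            if policy.get(code, "clear") == "encrypt"
            and (code in ROUTING_AVPS or code in extra_clear)]

def apply_policy(payload, policy, extra_clear=frozenset()):
    """Map each AVP code in payload to 'clear' | 'integrity' | 'encrypt'
    (unlisted AVPs default to 'clear'); reject a policy check_policy flags."""
    bad = check_policy(payload, policy, extra_clear)
    if bad:
        raise ValueError(f"policy would encrypt must-be-clear AVPs {bad}")
    return {code: policy.get(code, "clear") for code, _v, _d in parse_avps(payload)}

# Constructed sample body: routing AVPs, User-Name (code 1) and a hypothetical
# code-9999 AVP standing in for an overload or priority AVP.
SAMPLE = b"".join([build_avp(ORIGIN_HOST, b"client.example.net"),
                   build_avp(ORIGIN_REALM, b"example.net"),
                   build_avp(DEST_REALM, b"example.org"),
                   build_avp(1, b"alice"), build_avp(9999, b"\x00\x00\x00\x05")])
```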