IETF Logo Mail Archive

Re: [Dime] AD Evaluation of draft-ietf-dime-rfc4006bis-06

Yuval Lifshitz <yuvalif@yahoo.com> Wed, 14 February 2018 17:06 UTC

Return-Path: <yuvalif@yahoo.com>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D601512D77E for <dime@ietfa.amsl.com>; Wed, 14 Feb 2018 09:06:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.01
X-Spam-Level:
X-Spam-Status: No, score=-2.01 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yahoo.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tuur44ZvGNrD for <dime@ietfa.amsl.com>; Wed, 14 Feb 2018 09:06:48 -0800 (PST)
Received: from sonic312-21.consmr.mail.bf2.yahoo.com (sonic312-21.consmr.mail.bf2.yahoo.com [74.6.128.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 56C0D12D77A for <dime@ietf.org>; Wed, 14 Feb 2018 09:06:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1518628007; bh=yOANwa+UVFhW6Tc0RuFAXSMrZ8C8EEphQjpVa+Jkd8Q=; h=Date:From:To:Cc:In-Reply-To:References:Subject:From:Subject; b=uHfhu438JMXgNAF3QvaIqXWKtfGVHM0s2VHKygsq4qMywpJkHDBt3dAv8ETMJRSq6zqmUyK3YLk2LO1Zl4+PFlp1wUYFLuLQ/OBkVzWNLLnwapZ2K68crLBpg+uXPVpaY/poFyQqLH+nQhBsJ/dINRSZ5iC2CqH5NUpa2kmsO1Uot80pWZJL5J7rFrLpmHnt/iDB9x95iItpP7O5xG47h6hzehIhEp5SIv/ZkUyZlPjUqJJ1yl3wFF3HkDuszjnwv9cvLQjM+tW2Tn6r4H2QWBcQzZl1Q0QbxN5dETyZGuLxtcJlO9MuglPxs9LoY5qG7KIKNujkBYvwvbgcBHxp7A==
X-YMail-OSG: 32zpmpEVM1n6UUErZj0Q2q3NdVj.yf5PExxm8IhMjq_C09EaJ7uXjFBhURRfai_ MnLqMD.yeGic5QP.m_6RXG8vX8TbwCsMCiqgY7kdcXjZwXbyOGTYKy86wPZHgE7NX78BghOLdtgd pgKoTefYHNUGmCJY5W_LL2Xn93EfKeb5zDt.txAQY.IiDCaCmM91S3PdLnEu8XPLSchu7Lu.kmf1 RFceXH82o.i3FstgFricWX6VxKszlJ2Zc9oRi_HOeaDVvdr0a64c3y5hNqggGqIYC40AeH.n7_e7 gPpMAEXKx3y7IFiRkqkB3Gu.M1y_Tu6SFaHC3K_tLnJJ7TsaNeSB7.Zf4oK4RRehjyu6tRDctvey fNWS1whslI3UZL3aZQmwcPWGZx4JFYTbukJG7YUueLyp0Oe1Lawj9moMTFnAxhJ6tipDaO4dk2jV plmxpnf1Yy0kHyEb2ISLF3xuHCEXz2jmcUjd3yTAZ4Qa28oTczKqiMHOkKmGW_Q0oFA--
Received: from sonic.gate.mail.ne1.yahoo.com by sonic312.consmr.mail.bf2.yahoo.com with HTTP; Wed, 14 Feb 2018 17:06:47 +0000
Date: Wed, 14 Feb 2018 17:06:44 +0000
From: Yuval Lifshitz <yuvalif@yahoo.com>
To: draft-ietf-dime-rfc4006bis.all@ietf.org, Ben Campbell <ben@nostrum.com>
Cc: ops-ads@ietf.org, dime@ietf.org
Message-ID: <868034109.936629.1518628004592@mail.yahoo.com>
In-Reply-To: <608352900.888044.1518623812177@mail.yahoo.com>
References: <3C03A895-53C5-44D9-905F-9DD5248D3675@nostrum.com> <608352900.888044.1518623812177@mail.yahoo.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_936628_1602665855.1518628004589"
X-Mailer: WebService/1.1.11419 YMailNorrin Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dime/UviT277fEfinNX3ZMMdHU0w8Kmw>
Subject: Re: [Dime] AD Evaluation of draft-ietf-dime-rfc4006bis-06
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dime/>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Feb 2018 17:06:52 -0000

Regarding "privacy considerations". Note that the base protocol RFC does not have that.Ideally, this is added to base Diameter first, as many of the sensitive AVPs come from there.Should we try to tackle that first (though this would delay the RFC4006bis process)?Should we cover only 4006 AVPs and issues?

Best Regards,
Yuval
 

    On Wednesday, February 14, 2018, 5:56:52 PM GMT+2, Yuval Lifshitz <yuvalif@yahoo.com> wrote:  
 
 Ben,First, thanks for the comments!
 Regarding the major comment, agree this should be added, it was already agreed in the meeting we had in IETF96, but somehow slipped :-(

Sections 12: all the AVPs mentioned in this section exists in RFC4006, and has values that are already registered. As part of RFC4006bis we did not add any AVP that requires values enumeration (this was actually one of the issue we tried to tackle). What would you like to see different in this section?What is the process for updating IANA with the references to the new doc? Can this happen before RFC4006bis is officially accepted?

Appendix B: the new AVPs do not impact the flows, therefore not added to the sample flows

8.34 agree, this is pretty bad. How about:If the Final-Unit-Action AVP is set to RESTRICT_ACCESS or REDIRECT
   and the classification of the restricted traffic cannot be expressed
   using IPFilterRule, or different actions (e.g., QoS) than just
   allowing traffic needs to be enforced, then the QoS-Final-Unit-
   Indication AVP SHOULD be used instead of the Final-Unit-Indication
   AVP.
14. agree we should simplify as you suggested
 
Best Regards,
Yuval
    On Tuesday, February 13, 2018, 1:33:22 AM GMT+2, Ben Campbell <ben@nostrum.com> wrote:  
 
 Hi,

This is my AD Evaluation of draft-ietf-dime-rfc4006bis-06. Thanks for the work on this; it’s overall a good update. However, I have one major comment and a few minor or editorial comments. I’d like to discuss the major comment prior IETF last call. The rest can be handled along with any last call feedback.

Note that for all but the major comment, I mostly reviewed the diff from RFC 4006.

Thanks!

Ben.

—————————————

Major Comment:

I strongly suggest that you add more privacy considerations. I realize that it inherits its existing privacy considerations from RFC 4006, but that was published in 2005. The IETF’s focus on privacy has evolved considerably since then, and I think this draft will get objections during IESG review without adding some more.

I suggest the following:
— Create a “Privacy Considerations” section separate from the security considerations.
— Enumerate the AVPs that you think contain user identifiable information, persistent identifiers, or other privacy sensitive data.
— Make some non-normative recommendations concerning data minimization. That is, add a few sentences recommending that clients and servers avoid capturing and/or log personal information beyond that needed for the application's purpose.

Minor Comments:

-Section 12 and subsections: Please clarify that many of these elements were already registered by RF 4006, and are not being “re-registered” here. ( It’s perfectly okay to pull the registration information forward into the bis draft; it just needs clarification.) Also, please consider wether existing registrations should be updated to point to this document rather than 4006.

Appendices: Would any of the example flows benefit from including one or more of the new AVPs?

Editorial and Nits:

-Section 8.34: “ If the Final-Unit-Action AVP is set to RESTRICT_ACCESS or REDIRECT
and the classification of the restricted traffic cannot be expressed
using IPFilterRule, or different actions (e.g., QoS) than just
allowing QoS needs to be enforced traffic, … “

I have trouble parsing the sentence.

-14: "Even without any modification to the messages, an adversary can
  invite a security threat by eavesdropping, as the transactions contain private information about the user.
”
I suggest “ … an adversary can eavesdrop on transactions that contain privacy-sensitive imformation”








_______________________________________________
DiME mailing list
DiME@ietf.org
https://www.ietf.org/mailman/listinfo/dime

v2.23.0 | Report a Bug | By Email