[Dime] Fwd: Gen-ART LC review of draft-ietf-dime-ikev2-psk-diameter-07
jouni korhonen <jouni.nospam@gmail.com> Tue, 07 June 2011 17:58 UTC
Return-Path: <jouni.nospam@gmail.com>
X-Original-To: dime@ietfa.amsl.com
Delivered-To: dime@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9EF421F85A3 for <dime@ietfa.amsl.com>; Tue, 7 Jun 2011 10:58:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.299
X-Spam-Level:
X-Spam-Status: No, score=-1.299 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, MANGLED_LIST=2.3, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SHETIG8ug-ue for <dime@ietfa.amsl.com>; Tue, 7 Jun 2011 10:58:16 -0700 (PDT)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 0633F21F85A0 for <dime@ietf.org>; Tue, 7 Jun 2011 10:58:15 -0700 (PDT)
Received: by vws12 with SMTP id 12so4806145vws.31 for <dime@ietf.org>; Tue, 07 Jun 2011 10:58:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:from:content-type:content-transfer-encoding :subject:date:references:to:message-id:mime-version:x-mailer; bh=vNpDQYlDzdw48W5jNKiu5I35mZRWWOc8qhFZ+VV/Lt8=; b=XuMaLtK3IPpaEw0U1r4jU/qavDQUmGsxuD3W2YBZ3WJFMSEkZqPdPiclM1Twu1Yx1b bvblfjwvYh32NR2zYNFYjbZdBc8NxLlnlv0Be1l8dzWhQWEX5nUAVnJ4ALmE2KtptfkI 4vzqG0uOXxp+NPsLxoiWtc7WjCH9ruBCwLXRk=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=from:content-type:content-transfer-encoding:subject:date:references :to:message-id:mime-version:x-mailer; b=O42YFIcK6ueZY+WKx0Ar6t+nKUaBD+kOVhEkRnPAOF7LS9FqqJ0fA1bVOSEprYfA5T wFSOalEyh8UswrxD/jSUDaR2NqVS8NLgh/gDd3doXnxCa0/9VRPFfu1EfqosDLXotAFl ozuINf3Rw0NTr3aGRXCr4y966/PbU2CBtXA2E=
Received: by 10.52.177.70 with SMTP id co6mr79024vdc.92.1307469494951; Tue, 07 Jun 2011 10:58:14 -0700 (PDT)
Received: from [192.168.10.188] (user-12ld0fj.cable.mindspring.com [69.86.129.243]) by mx.google.com with ESMTPS id z5sm1828520vdv.16.2011.06.07.10.58.13 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 07 Jun 2011 10:58:14 -0700 (PDT)
From: jouni korhonen <jouni.nospam@gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 07 Jun 2011 20:58:13 +0300
References: <5E434E92-2EB7-43B3-A29F-8410B1AC23AE@nostrum.com>
To: dime@ietf.org
Message-Id: <2986AAE8-6642-4568-B5A8-0522D6D6CF82@gmail.com>
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Subject: [Dime] Fwd: Gen-ART LC review of draft-ietf-dime-ikev2-psk-diameter-07
X-BeenThere: dime@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Diameter Maintanence and Extentions Working Group <dime.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dime>, <mailto:dime-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dime>
List-Post: <mailto:dime@ietf.org>
List-Help: <mailto:dime-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dime>, <mailto:dime-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Jun 2011 17:58:16 -0000
FYI to the WG as well. Begin forwarded message: > From: Ben Campbell <ben@nostrum.com> > Date: June 3, 2011 11:09:47 PM GMT+03:00 > To: draft-ietf-dime-ikev2-psk-diameter.all@tools.ietf.org, "gen-art@ietf.org Review Team" <gen-art@ietf.org> > Cc: The IETF <ietf@ietf.org> > Subject: Gen-ART LC review of draft-ietf-dime-ikev2-psk-diameter-07 > > I am the assigned Gen-ART reviewer for this draft. For background on Gen-ART, please see the FAQ at <http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>. > > Please resolve these comments along with any other Last Call comments you may receive. > > Document: draft-ietf-dime-ikev2-psk-diameter-07 > Reviewer: Ben Campbell > Review Date: 2011-06-03 > IETF LC End Date: 2011-06-03 > > > Summary: > > This draft is almost ready for publication as a proposed standard. I have a question concerning the procedure for generating PSKs, and a number of minor and editorial comments. > > > Major issues: > > The draft says that the procedure that the HAAA follows to generate the PSK is out of scope. But doesn't the IKE2 initiator need to understand the procedure? If the procedure is not defined somewhere, how you achieve any degree of interoperability? > > > Minor issues: > > -- section 4.1, 1st paragraph:"The IDi payload extracted from the IKE_AUTH message MUST contain an identity that is meaningful for the Diameter infrastructure, such as a Network Access Identifier (NAI), since it is used by the IKEv2 Server to populate the User-Name AVP in the Diameter message. " > > Do you mean that as a normative MUST, or a statement of fact? If normative, isn't that a requirement on the initiator? > > -- section 10: > > The security considerations should describe the threat models. We're talking about requesting an authentication key from a third party, which is tricky from a security perspective. Does the PSK have greater security concerns than for Diameter AVPs in general? In particular, what are the consequences if the PSK is disclosed or tampered with? > > -- section 10, 1st paragraph: "Furthermore, any agents that process IKEv2-PSK-Answer messages can see the contents of the Key AVP. For this reason, this specification strongly recommends avoiding Diameter agents when they cannot be trusted to keep the keys secret." > > Should that be normative? Is there no way to protect the PSK AVP from diameter agents? E.g. can it be encrypted? > > -- section 10, 2nd paragraph: "this specification also recommends the use of nonces included in IKEv2-PSK-Request." > > Actually, the spec requires it using a normative SHALL. > > > Nits/editorial comments: > > -- IDNits reports an out-of-date reference > > -- Section 1, general: > > It's probably worth elaborating that we are talking about a PSK used during the IKEv2 authentication process, which is distinct from any shared secrets negotiated by IKE for use in the resulting SA. > > -- Section 1, paragraph 1, 1st sentence: > > The use, and lack of, commas in this sentence is confusing. It's easy to parse as saying IKE2 is a protocol and a set of algorithms, when I think you meant to say that the resulting SA has a set of algorithms along with the shared secret. > > -- section 4.1, 2nd paragraph: "message is routed to the IKEv2 Peer’s HAAA." > > What routes it? ( be careful not to let passive voice obscure responsibilities) > > -- section 4.2, paragraph 1: "The HAAA may maintain state or may be stateless" > > What kind of state? I assume from the following sentences you mean Diameter session state, but it should be explicit. > > -- "indicated by presence or absence of the Auth-Session-State AVP." > > In what message(s)? > > -- section 4.2, paragraph 2: > > This sentence is long and hard to parse. Can it be broken up? > > -- section 5.1, last paragraph: "SHALL be used to identify the appropriate PSK." > > Shall be used by what? (passive voice obscures responsibility) > > -- 5.2, last paragraph: "associated key SHALL NOT be used if the lifetime has expired." > > SHALL NOT be used by what? > > -- section 8, first paragraph: "whether the AVP MAY be encrypted." > > I don't see anything about encryption in the table. > > -- section 8, AVP table: > > Are all the Key* AVPs intended to have the same code? I assume not, but mixing in TBD with the various TBD* placeholders is confusing. > > -- section 9: > > Consider a note to the RFC editor to change all occurances of TBD(x) with the IANA assignment throughout the entire document. Since these are scattered throughout the doc, the intent may not be obvious to them. > > > _______________________________________________ > Ietf mailing list > Ietf@ietf.org > https://www.ietf.org/mailman/listinfo/ietf
- [Dime] Fwd: Gen-ART LC review of draft-ietf-dime-… jouni korhonen