Re: [Dime] Eric Rescorla's No Objection on draft-ietf-dime-rfc4006bis-08: (with COMMENT)

Yuval Lifshitz <yuvalif@yahoo.com> Thu, 24 May 2018 14:03 UTC

Date: Thu, 24 May 2018 13:53:07 +0000 (UTC)
From: Yuval Lifshitz <yuvalif@yahoo.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: The IESG <iesg@ietf.org>, dime-chairs@ietf.org, dime@ietf.org, draft-ietf-dime-rfc4006bis@ietf.org
Message-ID: <1842664888.4936240.1527169987125@mail.yahoo.com>
In-Reply-To: <CABcZeBPC8ZUOpVEGwYoM=rgsBCngJs=wGtxt2UFwT_tJEzr1Kg@mail.gmail.com>
References: <152713326803.29850.11203075814656303164.idtracker@ietfa.amsl.com> <2012436261.4832236.1527143593730@mail.yahoo.com> <CABcZeBPC8ZUOpVEGwYoM=rgsBCngJs=wGtxt2UFwT_tJEzr1Kg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dime/YJk4VBFU7qnkpIenjSm_QZz_Rnk>

 more inline
    On Thursday, May 24, 2018, 4:18:06 p.m. GMT+3, Eric Rescorla <ekr@rtfm.com> wrote:  
 
 

On Wed, May 23, 2018 at 11:33 PM, Yuval Lifshitz <yuvalif@yahoo.com> wrote:

 inline
    On Thursday, May 24, 2018, 6:41:17 a.m. GMT+3, Eric Rescorla <ekr@rtfm.com> wrote:  
 
 Eric Rescorla has entered the following ballot position for
draft-ietf-dime-rfc4006bis-08: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-dime-rfc4006bis/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Rich version of this review at:
https://mozphab-ietf.devsvcdev.mozaws.net/D3353


I only gave this a light read. Some minor comments below.

COMMENTS
S 1.2.
>        deduction of credit from the end user account when service is
>        completed and refunding of reserved credit that is not used.
>  
>      Diameter Credit-control Server  A Diameter credit-control server acts
>        as a prepaid server, performing real-time rating and credit-
>        control.  It is located in the home domain and is accessed by

a definition of "home domain" would be useful

[yuval] The base spec defines "home realm"; we should probably change to that.

S 2.
>      credit-control application.
>  
>      When an end user requests services such as SIP or messaging, the
>      request is typically forwarded to a service element (e.g., SIP Proxy)
>      in the user's home domain.  In some cases it might be possible that
>      the service element in the visited domain can offer services to the

also define visited domain, or at least point to a reference.

[yuval] The base spec defined "local realm" for that. Will fix.

S 3.1.
>                                  [ CC-Correlation-Id ]
>                                  [ User-Equipment-Info ]
>                                  [ User-Equipment-Info-Extension ]
>                                  *[ Proxy-Info ]
>                                  *[ Route-Record ]
>                                  *[ AVP ]

Please expand AVP on first use.

[yuval] it is in the base spec

I'm sure it is, but you should still expand it. 
[yuval] Sure, we can (it would be a bit awkward though; in the world of "Diameter" it will be like explaining what TCP stands for...)



S 4.
>      control client requests credit authorization from the credit-control
>      server prior to allowing any service to be delivered to the end user.
>  
>      In the first model, the credit-control server rates the request,
>      reserves a suitable amount of money from the user's account, and
>      returns the corresponding amount of credit resources.  Note that

Sorry, reserves the balance or the amount reserved?

[yuval] not sure what is not clear?

As I said above, do you return the balance or do you return the amount of credit that has been reserved?
[yuval] return the reserved amount




S 14.
>  
>      Even without any modification to the messages, an adversary can
>      eavesdrop on transactions that contain privacy-sensitive information
>      about the user.  Also, by monitoring the credit-control messages one
>      can collect information about the credit-control server's billing
>      models and business relationships.

I'm having trouble reading these two paragraphs. Are they about what
happens if TLS isn't used?

[yuval] will clarify. see here: https://github.com/lbertz02/rfc4006bis/issues/51

This doesn't seem dramatically clearer. What sort of an adversary can do that?
[yuval] In some cases e2e security is not possible; this is what this section is addressing. The GitHub issue is to clarify that.

-Ekr
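The reserve/deduct/refund cycle the thread is discussing (section 4's first model, where the answer carries the reserved credit rather than the account balance), as an added illustration that is not part of the draft or of this exchange. The in-memory account store, the flat per-unit rate and the scenario values are constructed for the example; the Granted-Service-Unit AVP name and the Result-Code values are taken from RFC 4006 / RFC 6733, not from this thread.

```python
from dataclasses import dataclass, field

DIAMETER_SUCCESS = 2001                # base-protocol result code (RFC 6733)
DIAMETER_CREDIT_LIMIT_REACHED = 4012   # credit-control result code (RFC 4006)


@dataclass
class Account:
    balance: int                                   # unreserved credit, in cents
    reserved: dict = field(default_factory=dict)   # session id -> reserved cents


class CreditControlServer:
    """First model: rate the request, reserve from the account, and return
    the reserved credit as granted units (never the remaining balance)."""

    def __init__(self, accounts, price_per_unit):
        self.accounts = accounts          # hypothetical in-memory account store
        self.price = price_per_unit       # constructed flat rate, cents per unit

    def initial_request(self, user, session, requested_units):
        acct = self.accounts[user]
        # Rate the request, then reserve only what the balance can cover.
        granted = min(requested_units, acct.balance // self.price)
        if granted == 0:
            return {"Result-Code": DIAMETER_CREDIT_LIMIT_REACHED,
                    "Granted-Service-Unit": 0}
        amount = granted * self.price
        acct.balance -= amount
        acct.reserved[session] = amount
        # The answer reports the reserved amount as units, not the balance.
        return {"Result-Code": DIAMETER_SUCCESS, "Granted-Service-Unit": granted}

    def termination_request(self, user, session, used_units):
        acct = self.accounts[user]
        reserved = acct.reserved.pop(session)
        # Deduct what was consumed (capped by the reservation), refund the rest.
        deducted = min(used_units * self.price, reserved)
        refund = reserved - deducted
        acct.balance += refund
        return {"Result-Code": DIAMETER_SUCCESS,
                "deducted": deducted, "refunded": refund}


def demo():
    """Constructed scenario: 500 cents of balance, 10 cents per unit."""
    server = CreditControlServer({"alice": Account(balance=500)}, price_per_unit=10)
    first = server.initial_request("alice", "s1", requested_units=100)
    second = server.initial_request("alice", "s2", requested_units=1)  # balance exhausted
    final = server.termination_request("alice", "s1", used_units=30)
    return first, second, final, server.accounts["alice"].balance
```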





