Re: [Dime] I-D Action: draft-ietf-dime-e2e-sec-req-02.txt

Steve Donovan <srdonovan@usdonovans.com> Fri, 27 March 2015 19:09 UTC

Message-ID: <5515AAF0.8020502@usdonovans.com>
Date: Fri, 27 Mar 2015 14:09:36 -0500
From: Steve Donovan <srdonovan@usdonovans.com>
To: Jouni Korhonen <jouni.nospam@gmail.com>, dime@ietf.org
References: <20150126150303.15610.1562.idtracker@ietfa.amsl.com> <5511D1AA.40804@usdonovans.com> <55138C07.2070007@gmail.com>
In-Reply-To: <55138C07.2070007@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dime/hF7aS8TBzjmjLUpwFASuUDeT6x4>


On 3/25/15 11:33 PM, Jouni Korhonen wrote:
> Steve,
>
> See inline..
>
> 3/24/2015, 2:05 PM, Steve Donovan wrote:
>> A few comments on this document.
>>
>> I would suggest adding the following requirement -- The solution MUST
>> ensure that routing AVPs are always sent in the clear.
>
> By routing AVPs you refer to Router-Record and Proxy-Info as per 
> RFC6733, right? In that case I do not see a reason for the "are always 
> sent in the clear".
SRD> No, I mean Destination-Host, Destination-Realm, Origin-Host and 
Origin-Realm.
>
>> Requirement 5 does indicate that not all AVPs are covered by the "
>> cryptographic protection".  I think it would be better to be clear that
>> there is a set of AVPs that MUST NOT be encrypted.
>
> OK.
>
>> In addition, the following requirement might be useful -- The solution
>> MUST support the ability to identify other non routing AVPs that must
>> always be sent in the clear.
>
> I would assume the knowledge which AVPs are ciphered is up to a local 
> policy. If the policy is wrong, the receiver or intermediates will 
> reply with an error.
SRD> That makes sense.  My reason for bringing this up is to make sure 
that the solution allows for these AVPs being sent in the clear.  It 
won't work to arbitrarily encrypt all AVPs or even chunks of AVPs.
>
> - Jouni
>
>> This would be to cover overload, load, message priority and other AVPs
>> that need to be accessible by all nodes in the path of a transaction.
>>
>> Regards,
>>
>> Steve
>>
>> On 1/26/15 9:03 AM, internet-drafts@ietf.org wrote:
>>> A New Internet-Draft is available from the on-line Internet-Drafts 
>>> directories.
>>>   This draft is a work item of the Diameter Maintenance and 
>>> Extensions Working Group of the IETF.
>>>
>>>          Title           : Diameter AVP Level Security End-to-End 
>>> Security: Scenarios and Requirements
>>>          Authors         : Hannes Tschofenig
>>>                            Jouni Korhonen
>>>                            Glen Zorn
>>>                            Kervin Pillay
>>>     Filename        : draft-ietf-dime-e2e-sec-req-02.txt
>>>     Pages           : 9
>>>     Date            : 2015-01-26
>>>
>>> Abstract:
>>>     This specification discusses requirements for providing Diameter
>>>     security at the level of individual Attribute Value Pairs.
>>>
>>>
>>> The IETF datatracker status page for this draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-dime-e2e-sec-req/
>>>
>>> There's also a htmlized version available at:
>>> http://tools.ietf.org/html/draft-ietf-dime-e2e-sec-req-02
>>>
>>> A diff from the previous version is available at:
>>> http://www.ietf.org/rfcdiff?url2=draft-ietf-dime-e2e-sec-req-02
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of 
>>> submission
>>> until the htmlized version and diff are available at tools.ietf.org.
>>>
>>> Internet-Drafts are also available by anonymous FTP at:
>>> ftp://ftp.ietf.org/internet-drafts/
>>>
>>> _______________________________________________
>>> DiME mailing list
>>> DiME@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dime
>>>
>