Re: [Dime] unexpected consequence of deprecating E2E security in RFC 3588 bis
Glen Zorn <glenzorn@gmail.com> Sat, 29 September 2012 12:33 UTC
Message-ID: <5066EA99.3020801@gmail.com>
Date: Sat, 29 Sep 2012 19:33:29 +0700
From: Glen Zorn <glenzorn@gmail.com>
To: lionel.morand@orange.com
References: <5062DD0C.2080300@gmail.com> <27169_1348684002_506348E2_27169_14408_1_6B7134B31289DC4FAF731D844122B36E074A1A@PEXCVZYM13.corporate.adroot.infra.ftgroup> <5063CEC3.9080305@gmail.com> <1836CE1BA4F81F46921CA0334F7E4274583123AEA0@HE113456.emea1.cds.t-internal.com> <5064329D.40203@gmail.com> <20096_1348913297_5066C891_20096_2169_1_6B7134B31289DC4FAF731D844122B36E0758C4@PEXCVZYM13.corporate.adroot.infra.ftgroup> <5066CB47.1070807@gmail.com> <19603_1348915144_5066CFC8_19603_1305_1_6B7134B31289DC4FAF731D844122B36E0758E2@PEXCVZYM13.corporate.adroot.infra.ftgroup>
In-Reply-To: <19603_1348915144_5066CFC8_19603_1305_1_6B7134B31289DC4FAF731D844122B36E0758E2@PEXCVZYM13.corporate.adroot.infra.ftgroup>
Cc: "draft-ietf-dime-rfc3588bis@tools.ietf.org" <draft-ietf-dime-rfc3588bis@tools.ietf.org>, "Stefan.Schroeder06@telekom.de" <Stefan.Schroeder06@telekom.de>, "dime@ietf.org" <dime@ietf.org>, "turners@ieca.com" <turners@ieca.com>, "stephen.farrell@cs.tcd.ie" <stephen.farrell@cs.tcd.ie>
Subject: Re: [Dime] unexpected consequence of deprecating E2E security in RFC 3588 bis
On 09/29/2012 05:39 PM, lionel.morand@orange.com wrote:
> It is actually needed if we don't want to lose info. These AVPs
> should be listed in a table in these sections with an indication that
> is a list of AVPs that can be considered as security-sensitive, in
> order to not start a discussion on which AVP is really sensitive and
> which not. Anyway, designers will have to decide what they want to do
> and this list is mainly for information.
>

OK, this is what I've got now:

13.3.  AVP Considerations

   Diameter AVPs often contain security-sensitive data; for example,
   user passwords and location data, network addresses and
   cryptographic keys.  The following AVPs defined in this document are
   considered to be security-sensitive:

   o  Acct-Interim-Interval
   o  Accounting-Realtime-Required
   o  Acct-Multi-Session-Id
   o  Accounting-Record-Number
   o  Accounting-Record-Type
   o  Accounting-Session-Id
   o  Accounting-Sub-Session-Id
   o  Class
   o  Session-Id
   o  Session-Binding
   o  Session-Server-Failover
   o  User-Name

   Diameter messages containing these AVPs MUST only be sent protected
   via mutually authenticated TLS or IPsec.  In addition, those messages
   MUST NOT be sent via intermediate nodes unless there is end-to-end
   security between the originator and recipient or the originator has
   locally trusted configuration that indicates that end-to-end security
   is not needed.  For example, end-to-end security may not be required
   in the case where an intermediary node is known to be operated as
   part of the same administrative domain as the endpoints so that an
   ability to successfully compromise the intermediary would imply a
   high probability of being able to compromise the endpoints as well.
   Note that no end-to-end security mechanism is specified in this
   document.
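The quoted section 13.3 text amounts to a sending policy: a message carrying any of the listed AVPs needs mutually authenticated TLS or IPsec on the hop, and may only cross an intermediary if end-to-end security exists or local configuration waives it. The following is an added example that encodes that policy as a pre-send check; it is not code from the thread, the draft, or any Diameter implementation. The `HopSecurity` enum, the `Path` dataclass, the function names and the sample messages are all this example's own constructions, and only AVP names (not codes) are used so that nothing beyond the quoted list is assumed.

```python
"""Pre-send policy check mirroring the rule quoted from section 13.3 of
draft-ietf-dime-rfc3588bis. Illustrative example; all names are hypothetical."""
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Iterable, Tuple

# The AVP names the quoted section lists as security-sensitive.
SECURITY_SENSITIVE_AVPS: FrozenSet[str] = frozenset({
    "Acct-Interim-Interval",
    "Accounting-Realtime-Required",
    "Acct-Multi-Session-Id",
    "Accounting-Record-Number",
    "Accounting-Record-Type",
    "Accounting-Session-Id",
    "Accounting-Sub-Session-Id",
    "Class",
    "Session-Id",
    "Session-Binding",
    "Session-Server-Failover",
    "User-Name",
})


class HopSecurity(Enum):
    """Protection on the next hop (hypothetical enum for this example)."""
    NONE = "none"                    # cleartext
    TLS_SERVER_AUTH = "tls-server"   # TLS where only the server authenticated
    TLS_MUTUAL = "tls-mutual"        # mutually authenticated TLS
    IPSEC = "ipsec"


@dataclass(frozen=True)
class Path:
    """How the message reaches the recipient (hypothetical structure)."""
    via_intermediary: bool
    # The draft specifies no end-to-end mechanism, so this is normally False.
    end_to_end_security: bool = False
    # Operator-configured trust, e.g. intermediary in the same admin domain.
    local_trust_waives_e2e: bool = False


def sensitive_avps(avp_names: Iterable[str]) -> FrozenSet[str]:
    """Return the subset of the message's AVP names that section 13.3 lists."""
    return frozenset(avp_names) & SECURITY_SENSITIVE_AVPS


def may_send(avp_names: Iterable[str], hop: HopSecurity, path: Path) -> Tuple[bool, str]:
    """Apply the section 13.3 rule; returns (allowed, reason)."""
    found = sorted(sensitive_avps(avp_names))
    if not found:
        return True, "no security-sensitive AVPs; section 13.3 does not apply"
    # First clause: hop MUST be mutually authenticated TLS or IPsec.
    if hop not in (HopSecurity.TLS_MUTUAL, HopSecurity.IPSEC):
        return False, f"{found} require mutually authenticated TLS or IPsec, hop is {hop.value}"
    # Second clause: MUST NOT traverse an intermediary without e2e security or local trust.
    if path.via_intermediary and not (path.end_to_end_security or path.local_trust_waives_e2e):
        return False, f"{found} must not cross an intermediary without end-to-end security or local trust"
    return True, "permitted"


if __name__ == "__main__":
    # Constructed sample messages, given as lists of AVP names.
    cases = [
        (["Origin-Host", "Result-Code"], HopSecurity.NONE, Path(via_intermediary=True)),
        (["User-Name", "Origin-Host"], HopSecurity.TLS_SERVER_AUTH, Path(via_intermediary=False)),
        (["User-Name", "Origin-Host"], HopSecurity.TLS_MUTUAL, Path(via_intermediary=False)),
        (["Session-Id"], HopSecurity.IPSEC, Path(via_intermediary=True)),
        (["Session-Id"], HopSecurity.IPSEC, Path(via_intermediary=True, local_trust_waives_e2e=True)),
    ]
    for avps, hop, path in cases:
        allowed, reason = may_send(avps, hop, path)
        print(f"{'ALLOW' if allowed else 'DENY '} {avps} over {hop.value}: {reason}")
```

The check is deliberately fail-closed: a message with a listed AVP is refused unless both clauses are satisfied, and the reason string names the AVPs involved so a deployment can log which rule blocked a send.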