Re: [DNSOP] Working Group Last Call - draft-ietf-dnsop-rfc5011-security-considerations

Warren Kumari <warren@kumari.net> Thu, 26 October 2017 15:12 UTC

In-Reply-To: <04C3E53E-985F-49DD-A731-A2DE0911538B@vpnc.org>
References: <CADyWQ+FUOwrK5Qr0DRGopyqxu1ivsJqs3a0KVfrb8yf4-B_OBg@mail.gmail.com> <04C3E53E-985F-49DD-A731-A2DE0911538B@vpnc.org>
From: Warren Kumari <warren@kumari.net>
Date: Thu, 26 Oct 2017 11:11:35 -0400
Message-ID: <CAHw9_iLkLUWDVC_M6Not+Z4AqaEbTNreX4JksaBpYpJa5E+gYg@mail.gmail.com>
To: Paul Hoffman <paul.hoffman@vpnc.org>
Cc: dnsop <dnsop@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/a2ZSDqAnnF6JK3boP3a3eXQcGas>
Subject: Re: [DNSOP] Working Group Last Call - draft-ietf-dnsop-rfc5011-security-considerations

On Wed, Oct 25, 2017 at 4:16 PM, Paul Hoffman <paul.hoffman@vpnc.org> wrote:
> On 18 Oct 2017, at 4:16, tjw ietf wrote:
>
>> This starts a Working Group Last Call for:
>> draft-ietf-dnsop-rfc5011-security-considerations
>
>
> I support the publication of
> draft-ietf-dnsop-rfc5011-security-considerations either as-is or with an
> additional section on looking at timing from a second perspective (as
> detailed by Mike StJohns).

Thank you, Paul.

Dear WG - I know that this document has a limited audience, is kind of
an annoying read, and is filled with maths (gasp!).
Wes and I do believe that this is an important document - getting
these timers wrong potentially has really bad security implications;
there was intended to be a companion document to RFC5011, but seeing
as that wasn't created, I think it is really important that we
address this.

So, pretty please, review this document and send feedback. We've tried
hard to make it readable, but the topic is unfortunately complex and
can only be simplified so far - it is also really hard to talk about
sliding windows of time.

So, again, please review and comment,
W



>
> --Paul Hoffman
>
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf