[Dots] SEC-001: draft-ietf-dots-requirements

<mohamed.boucadair@orange.com> Tue, 02 May 2017 07:49 UTC

Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A280F13012B for <dots@ietfa.amsl.com>; Tue, 2 May 2017 00:49:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.999
X-Spam-Level:
X-Spam-Status: No, score=-3.999 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-2.8, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DttTE1r14UvW for <dots@ietfa.amsl.com>; Tue, 2 May 2017 00:49:27 -0700 (PDT)
Received: from relais-inet.orange.com (mta135.mail.business.static.orange.com [80.12.70.35]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7ABFF12EC81 for <dots@ietf.org>; Tue, 2 May 2017 00:44:22 -0700 (PDT)
Received: from opfednr00.francetelecom.fr (unknown [xx.xx.xx.64]) by opfednr26.francetelecom.fr (ESMTP service) with ESMTP id 25B3F20214; Tue, 2 May 2017 09:44:21 +0200 (CEST)
Received: from Exchangemail-eme3.itn.ftgroup (unknown [xx.xx.50.83]) by opfednr00.francetelecom.fr (ESMTP service) with ESMTP id E85601A0078; Tue, 2 May 2017 09:44:20 +0200 (CEST)
Received: from OPEXCNORMAD.corporate.adroot.infra.ftgroup ([fe80::f1a0:3c6b:bc7b:3aaf]) by OPEXCNORMAF.corporate.adroot.infra.ftgroup ([fe80::e1dd:62fe:d378:e3f8%21]) with mapi id 14.03.0339.000; Tue, 2 May 2017 09:44:20 +0200
From: mohamed.boucadair@orange.com
To: "Mortensen, Andrew" <amortensen@arbor.net>
CC: "dots@ietf.org" <dots@ietf.org>
Thread-Topic: SEC-001: draft-ietf-dots-requirements
Thread-Index: AdLDF+enKpBDbqwnQrGmOMdIQdKVGg==
Date: Tue, 02 May 2017 07:44:20 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B933009E5F447@OPEXCNORMAD.corporate.adroot.infra.ftgroup>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.168.234.5]
Content-Type: multipart/alternative; boundary="_000_787AE7BB302AE849A7480A190F8B933009E5F447OPEXCNORMADcorp_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/BRmLPCbeBNDPXjCqJO0CbJX02Oc>
Subject: [Dots] SEC-001: draft-ietf-dots-requirements
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 May 2017 07:49:29 -0000

Re-,

   SEC-001  Peer Mutual Authentication: DOTS agents MUST authenticate
      each other before a DOTS session is considered valid.  The method
      of authentication is not specified, but should follow current
      industry best practices with respect to any cryptographic
      mechanisms to authenticate the remote peer.

Shouldn't that mutual authentication be relaxed to not only mention cryptographic mechanisms, but to cover the case of trusted domains that may leverage existing tools to authenticate/authorize DOTS clients?

Leveraging existing tools is motivated by various reasons:

* minimize provisioning data on the CPE, because that data may be lost due to a system crash (and therefore lead to calls to the hotline).

* If credentials to authenticate the DOTS server are provisioned anyway by the provider on the CPE, this biases the DOTS server authentication. Trusting the DOTS server provisioned by the provider + authenticating the DOTS client provides the same protection level.

Cheers,
Med
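The following is an added illustration of the principle in SEC-001, not code from Med's message or from any DOTS draft or implementation: a toy mutual challenge-response between a DOTS client and a DOTS server that share one pre-provisioned key, where the session is only marked valid once each side has verified the other's proof. The roles, the `Peer` class and the message flow are assumptions made for this example; the point it demonstrates is that "mutual" means two independent checks, and that a single provisioned secret on the CPE is enough to drive both of them (the provisioning-data concern in the first bullet above).

```python
import hashlib
import hmac
import secrets

# Constructed example (not DOTS protocol code): two peers share a key
# provisioned out of band. Each side proves knowledge of the key over the
# pair of session nonces, and the session is valid only if BOTH proofs check.


def prove(key: bytes, role: bytes, own_nonce: bytes, peer_nonce: bytes) -> bytes:
    """HMAC proof bound to the prover's role and both nonces.

    Binding the role prevents a proof from being reflected back to the
    peer that produced it; binding both nonces prevents replay."""
    return hmac.new(key, role + own_nonce + peer_nonce, hashlib.sha256).digest()


class Peer:
    """One DOTS agent (client or server) in the toy handshake."""

    def __init__(self, role: str, key: bytes):
        self.role = role.encode()
        self.key = key
        self.nonce = secrets.token_bytes(16)   # fresh per session
        self.peer_nonce = None
        self.peer_authenticated = False

    def hello(self) -> bytes:
        # Step 1: announce our nonce.
        return self.nonce

    def receive_hello(self, peer_nonce: bytes) -> bytes:
        # Step 2: record the peer's nonce and answer with our own proof.
        self.peer_nonce = peer_nonce
        return prove(self.key, self.role, self.nonce, peer_nonce)

    def verify(self, peer_role: str, proof: bytes) -> bool:
        # Step 3: recompute what a genuine peer with the same key must send.
        expected = prove(self.key, peer_role.encode(), self.peer_nonce, self.nonce)
        self.peer_authenticated = hmac.compare_digest(expected, proof)
        return self.peer_authenticated


def run_session(client_key: bytes, server_key: bytes) -> dict:
    """Run the handshake and report each direction of authentication.

    In a healthy deployment client_key == server_key; passing different
    keys models a peer that does not hold the provisioned secret."""
    client = Peer("client", client_key)
    server = Peer("server", server_key)

    c_nonce = client.hello()
    s_nonce = server.hello()

    c_proof = client.receive_hello(s_nonce)
    s_proof = server.receive_hello(c_nonce)

    server_ok = server.verify("client", c_proof)
    client_ok = client.verify("server", s_proof)
    return {
        "server_authenticated_client": server_ok,
        "client_authenticated_server": client_ok,
        # SEC-001: the session is valid only after mutual authentication.
        "session_valid": server_ok and client_ok,
    }


def reflection_rejected(key: bytes) -> bool:
    """Show that a client's own proof replayed as the server's proof fails."""
    client = Peer("client", key)
    server = Peer("server", key)
    c_nonce, s_nonce = client.hello(), server.hello()
    c_proof = client.receive_hello(s_nonce)
    server.receive_hello(c_nonce)
    return not client.verify("server", c_proof)


if __name__ == "__main__":
    shared = secrets.token_bytes(32)   # constructed provisioned secret
    print(run_session(shared, shared))
    print(run_session(shared, secrets.token_bytes(32)))
```

Running it prints a fully valid session for the shared key and a session that fails in both directions when one side holds a different key; a proof can never be verified by the peer that produced it, because the role is part of the MAC input.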