[Dots] Secdir telechat review of draft-ietf-dots-signal-channel-31
Stephen Farrell via Datatracker <noreply@ietf.org> Mon, 15 April 2019 12:21 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: dots@ietf.org
Delivered-To: dots@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 19865120170; Mon, 15 Apr 2019 05:21:22 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Stephen Farrell via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: draft-ietf-dots-signal-channel.all@ietf.org, ietf@ietf.org, dots@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.95.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <155533088202.10777.9128855796755282458@ietfa.amsl.com>
Date: Mon, 15 Apr 2019 05:21:22 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/cJWWV2lwCxDkSxD3MRtRGGLagoQ>
Subject: [Dots] Secdir telechat review of draft-ietf-dots-signal-channel-31
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2019 12:21:22 -0000
Reviewer: Stephen Farrell Review result: Has Issues I took a look at the changes between -30 and -31 and at the mail following my earlier review of -30. To explain the "has issues" status for this review: Generally, I think this is probably ok, but I (still) have the concerns listed below that the ADs might wanna think about. The authors already responded on each of these points, and made some corresponding changes, so I guess they reckon these are non-issues. (Which is of course fine - even if I don't quite agree, I'm often wrong:-) - p13: The cuid still seems to me to be too static (there's a SHOULD saying to tie it to the client certificate public key or an equivalent). I still think recommending a way to generate an identifier that isn't tied to a key pair would be better, esp if this could be used in a CPE. (Creating a new long-lived identifier for a CPE seems like a bad plan if it's not really needed.) For example, one could use both the SPKI and a timestamp as input for a recommended way to generate a cuid and that should be as unique, but without mapping 1:1 to possibly long-lived key pairs. (-31 does say some more about how to change cuid, but still has the same SHOULD/RECOMMENDED way to generate cuid values.) - I wondered if a bad actor in control of an authorised DOTS client colluding with the controller of a DDoS attack could use this protocol to probe the network to see how their attack is going and change the attack to be more effective. In mail, the authors stated that this isn't possible, and added text saying that to -31. That may be true, but I'm not sure (given the complexity of the protocol). A nit: - p91: The mention of TCP-AO seems to require suspension of disbelief (given the lack of deployment of TCP-AO). If we don't think it'll be used, it'd be better to not pretend it might get used.
- [Dots] Secdir telechat review of draft-ietf-dots-… Stephen Farrell via Datatracker
- Re: [Dots] Secdir telechat review of draft-ietf-d… mohamed.boucadair
- Re: [Dots] Secdir telechat review of draft-ietf-d… Stephen Farrell
- Re: [Dots] Secdir telechat review of draft-ietf-d… Konda, Tirumaleswar Reddy
- Re: [Dots] Secdir telechat review of draft-ietf-d… Stephen Farrell
- Re: [Dots] Secdir telechat review of draft-ietf-d… Konda, Tirumaleswar Reddy
- Re: [Dots] Secdir telechat review of draft-ietf-d… Benjamin Kaduk
- Re: [Dots] Secdir telechat review of draft-ietf-d… Konda, Tirumaleswar Reddy
- Re: [Dots] Secdir telechat review of draft-ietf-d… Benjamin Kaduk
- Re: [Dots] Secdir telechat review of draft-ietf-d… Konda, Tirumaleswar Reddy
- Re: [Dots] Secdir telechat review of draft-ietf-d… Benjamin Kaduk
- Re: [Dots] Secdir telechat review of draft-ietf-d… Konda, Tirumaleswar Reddy