Re: [Gen-art] Gen-ART LC Review of draft-moriarty-post-inch-rid-11
<moriarty_kathleen@emc.com> Mon, 14 June 2010 19:34 UTC
Return-Path: <moriarty_kathleen@emc.com>
X-Original-To: gen-art@core3.amsl.com
Delivered-To: gen-art@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 802433A696E for <gen-art@core3.amsl.com>; Mon, 14 Jun 2010 12:34:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.274
X-Spam-Level:
X-Spam-Status: No, score=-5.274 tagged_above=-999 required=5 tests=[AWL=-1.274, BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WX7EoDKe-bQC for <gen-art@core3.amsl.com>; Mon, 14 Jun 2010 12:34:46 -0700 (PDT)
Received: from mexforward.lss.emc.com (mexforward.lss.emc.com [128.222.32.20]) by core3.amsl.com (Postfix) with ESMTP id 5CECA3A68CC for <gen-art@ietf.org>; Mon, 14 Jun 2010 12:34:45 -0700 (PDT)
Received: from hop04-l1d11-si02.isus.emc.com (HOP04-L1D11-SI02.isus.emc.com [10.254.111.55]) by mexforward.lss.emc.com (Switch-3.3.2/Switch-3.1.7) with ESMTP id o5EJYmbs030455 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 14 Jun 2010 15:34:48 -0400
Received: from mailhub.lss.emc.com (nagas.lss.emc.com [10.254.144.15]) by hop04-l1d11-si02.isus.emc.com (RSA Interceptor); Mon, 14 Jun 2010 15:34:42 -0400
Received: from corpussmtp3.corp.emc.com (corpussmtp3.corp.emc.com [10.254.169.196]) by mailhub.lss.emc.com (Switch-3.4.2/Switch-3.3.2mp) with ESMTP id o5EJYGsP023811; Mon, 14 Jun 2010 15:34:39 -0400
Received: from CORPUSMX50A.corp.emc.com ([128.221.62.39]) by corpussmtp3.corp.emc.com with Microsoft SMTPSVC(6.0.3790.4675); Mon, 14 Jun 2010 15:34:29 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Mon, 14 Jun 2010 15:34:28 -0400
Message-ID: <CC9B9AB3DE5792409076BB097B280FE6044FAC72@CORPUSMX50A.corp.emc.com>
In-Reply-To: <274D46DDEB9F2244B2F1EA66B3FF54BC06890497@de01exm70.ds.mot.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Gen-ART LC Review of draft-moriarty-post-inch-rid-11
Thread-Index: Acrf78G22SVoV2IfQA6xe+EQZOgmKwsBYtVQ
References: <274D46DDEB9F2244B2F1EA66B3FF54BC06890497@de01exm70.ds.mot.com>
From: moriarty_kathleen@emc.com
To: pete.mccann@motorola.com, gen-art@ietf.org, draft-moriarty-post-inch-rid.all@tools.ietf.org
X-OriginalArrivalTime: 14 Jun 2010 19:34:29.0368 (UTC) FILETIME=[9B313780:01CB0BF8]
X-EMM-EM: Active
X-Mailman-Approved-At: Mon, 14 Jun 2010 12:48:14 -0700
Subject: Re: [Gen-art] Gen-ART LC Review of draft-moriarty-post-inch-rid-11
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/gen-art>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Jun 2010 19:34:50 -0000
Peter, Thank you for your detailed review. I will provide answers inline and will adjust the editorial comments in the draft. Best regards, Kathleen -----Original Message----- From: McCann Peter-A001034 [mailto:pete.mccann@motorola.com] Sent: Monday, April 19, 2010 2:40 PM To: gen-art@ietf.org; draft-moriarty-post-inch-rid.all@tools.ietf.org Subject: Gen-ART LC Review of draft-moriarty-post-inch-rid-11 I have been selected as the General Area Review Team (Gen-ART) reviewer for this draft (for background on Gen-ART, please see http://www.alvestrand.no/ietf/gen/art/gen-art-FAQ.html). Please resolve these comments along with any other Last Call comments you may receive. Document: draft-moriarty-post-inch-rid-11 Reviewer: Pete McCann Review Date: 19 April 2010 IETF LC End Date: 21 April 2010 IESG Telechat date: unknown Summary: Needs work Major issues: To be effective, this protocol would need to be universally deployed and there would need to be a common global policy about which traffic is abusive and deserving of tracing. Otherwise, attackers could just hide on uncooperative networks. Unless we are willing to disconnect these networks from the Internet (i.e., a consortium of the willing) attack traffic will continue. The present document discusses the possibility of multiple regional or national consortia with different policies. This could quickly become unworkable or lead to balkanization. Anyway, this concern is probably not enough to stop the protocol itself from being published as Informational, but see numerous minor and editorial comments below. ------ Response: Attack traffic will continue, but at least this will enable a way to send definitions of know bad traffic types to participants who can then decide how to use that information. It can also provide a record of the new types of attacks along with new signatures that are emerging. The ability to communicate this type of information is important. It may start with groups that are willing to set up agreements, so the consortium approach may take time and may not be global at first. If it becomes harder to go undetected, it is harder for attackers to be successful. The protocol may have an incremental effect. Let's say governments start to adopt this first, even if that was just in one country, the coordination of information could be quite useful. ------ Minor issues: Section 3.2: The last paragraph of this section is confusing. It says "RID requires the first 28 bytes of an IP v4 packet" and justifies this by saying IP is 10 bytes, transport is 10 bytes, and 8 bytes of payload are needed. But, the IP header is 20 bytes, and even if you include just the unchanging fields that still leaves 17. TCP is also 20 bytes, and UDP is just 8. It's not clear what you meant to say here. ------- Response: ------- Section 4: A lot of the non-technical requirements described in Section 4 and 4.1 are un-enforceable. Why do you mention the FBI? What about other national law enforcement bodies? Why do you think there will be one CSIRT for the whole Internet? How will such consortiums be formed and managed? Suggest leaving this material out and focusing on the protocol definition. ------- Response: The FBI is an example of a group that people can reach out to for assistance. Should that be left out? Or should additional resources from other countries be listed as other examples? If you have some you would like added, please let me know and I will add them to the list. In the US, the FBI is very helpful when it comes to incident handling. Maybe this is true of other organizations that should also be listed? I am not sure where you are reading that I think there is one CSIRT? Several international CSIRTs were involved in this document while it was in the INCH working group. I see one reference that might lead you to that, but the others should lead you away from that thought... is it the third paragraph of section 4? The prior ones should have clarified that. I'll add a word or two to fix the sentence. The consortium addition was the request of Steve Bellovin. I think how they will be managed is out of scope and if this evolves to use a consortium, should be defined, but not in this specification. Should the use of a consortium be removed completely now? ------- Section 4.3.2: 4. Investigation. This message type is used when the source of the traffic is believed to be valid. Did you mean to say, "when the source IP address of the traffic is believed not to be spoofed?" That's slightly different. And how exactly would a target network go about determining this? ------- Response: Sure, I can change the phrase, no problem. I'd rather not expand the document to go into any detection techniques as they can evolve and is beyond the scope of the document. ------- A lot of the material in Section 6 looks like it really belongs in the Security Considerations (Section 7). ------- Response: Would you prefer to see section 6 be the security considerations and have section 7 as a sub-section? ------- Nits/editorial comments: ------- Response: Thank you, I will make the suggested updates - I appreciate the detailed review! ------- Abstract: mechanisms across for a complete incident SHOULD BE: mechanisms for a complete incident Section 1 should be titled Introduction. It would be ok to have a sub-section labeled "Normative and Informative Sections" but it should be at the end of the Introduction (and just before the Terminology sub-section). Section 1.2: In cases with SHOULD BE: In cases when Techniques, such SHOULD BE: Techniques such network, have been SHOULD BE: network have been necessary level SHOULD BE: a necessary level Section 1.3: without an action take SHOULD BE: without an action taken The acronym "NP" is used before definition. Section 2: HTTPS or or appropriate SHOULD BE: HTTPS or appropriate Section 3: mitigate the affects SHOULD BE: mitigate the effects leave a difficult SHOULD BE: leave the difficult Section 4: either the authority and expertise or the means SHOULD BE: the authority, expertise, and the means in which RID messaging SHOULD BE: for which RID messaging Routing Arbitor SHOULD BE: Routing Arbiter Also, should include a reference describing what this is. Section 4.1: a Investigation SHOULD BE: an Investigation Section 4.2: of deceasing SHOULD BE: of decreasing Section 4.4.3: listed is the NP, which located SHOULD BE: listed is the NP that located Section 4.4.4: This message type is used when the source of the traffic is believed to be valid. Again, did you mean, "source IP address is not spoofed?" Section 4.5.1: The originator or the request SHOULD BE: The originator of the request Section 4.5.1.3: This message types only SHOULD BE: This message type only Section 6.3: security functions, utilized in RID requires SHOULD BE: security functions utilized in RID require Section 6.5: read the contents The encryption SHOULD BE: read the contents. The encryption
- [Gen-art] Gen-ART LC Review of draft-moriarty-pos… McCann Peter-A001034
- Re: [Gen-art] Gen-ART LC Review of draft-moriarty… moriarty_kathleen
- Re: [Gen-art] Review of draft-moriarty-post-inch-… Peter Saint-Andre
- Re: [Gen-art] Review of draft-moriarty-post-inch-… Sean Turner