Re: [Gen-art] Genart last call review of draft-ietf-perc-dtls-tunnel-08

"Paul E. Jones" <> Tue, 08 June 2021 02:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 15A1A3A1D57; Mon, 7 Jun 2021 19:49:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id lZSXtSLXDWLe; Mon, 7 Jun 2021 19:49:45 -0700 (PDT)
Received: from ( [IPv6:2600:1f18:24d6:2e01:e842:9b2b:72a2:d2c6]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id BC1383A1D53; Mon, 7 Jun 2021 19:49:41 -0700 (PDT)
Received: from authuser (localhost [])
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=dublin; t=1623120574; bh=tFmEwqpuy9i6mvK0pScZFUB6tmDlzt7HkNlh7oSOi8Y=; h=From:To:Subject:Cc:Date:In-Reply-To:References:Reply-To; b=F1h3dmQJwVIpNcy0wDUS59BNA4pDwfnlPnPPcgpAscebsEoAlQ7HJSg42O3BCGTbe WrM18r4EB0PVAVPhtx/yCGQHkA0FfgwZ+7xcCGcKJ+44gik+o70Mj9z3Dv8JYhG3BL PDE19MrOos6FSWl/qvFSMEh7YtEbeKKVUKd0vDJw=
From: "Paul E. Jones" <>
To: "Russ Housley" <>,
Date: Tue, 08 Jun 2021 02:49:28 +0000
Message-Id: <em9ea9177b-4d17-4049-bec1-d31b4fa4874f@sydney>
In-Reply-To: <>
References: <>
Reply-To: "Paul E. Jones" <>
User-Agent: eM_Client/8.2.1237.0
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="------=_MB2B5A6E2A-E3C6-49A4-B822-ED1E31EF742E"
Archived-At: <>
Subject: Re: [Gen-art] Genart last call review of draft-ietf-perc-dtls-tunnel-08
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 08 Jun 2021 02:49:50 -0000


Thanks for the review.  I have made changes as you (and Shawn) 
suggested.  Please see this diff which contains a rewritten security 
considerations section.  Please feel free to comment further since it's 
quite possible that I created more confusion.

I also tried to address your question about the mutual authentication in 
the security considerations section.


------ Original Message ------
From: "Russ Housley via Datatracker" <>
Sent: 5/28/2021 11:16:06 AM
Subject: Genart last call review of draft-ietf-perc-dtls-tunnel-08

>Reviewer: Russ Housley
>Review result: Almost Ready
>I am the assigned Gen-ART reviewer for this draft. The General Area
>Review Team (Gen-ART) reviews all IETF documents being processed
>by the IESG for the IETF Chair. Please wait for direction from your
>document shepherd or AD before posting a new version of the draft.
>For more information, please see the FAQ at
>Document: draft-ietf-perc-dtls-tunnel-08
>Reviewer: Russ Housley
>Review Date: 2021-05-28
>IETF LC End Date: unknown
>IESG Telechat date: unknown
>Summary: Almost Ready
>Major Concerns:
>Section 9:  The document has two different types of keying material:
>    (1) keys for hop-by-hop encryption and authentication; and
>    (2) keys for end-to-end encryption and authentication.
>The first two paragraphs of Section 9 talks about these two types of
>keying material.  I think that the discussion should be expanded by a
>sentence or two to explain the security consequences of disclosure of
>each of theses keying material types.
>In addition, a pointer to the very extensive Security Consideration in
>RFC 8871 would he helpful.
>Minor Concerns:
>Section 5.4 says: "Each TLS tunnel established between the media
>distributor and the key distributor MUST be mutually authenticated."
>Is this a requirement to use DTLS client authentication?  If so,
>please be explicit.  If not, what other mechanisms for authentication
>are expected?
>Section 5.1, paragraph 2:   s/[!@RFC4566]/[RFC4566]/
>Section 5.5, paragraph 1:
>   s/MUST utilize the same version/MUST contain the same version/
>Section 8, last paragraph:
>    s/section 4.8 if [!@RFC8126]/Section 4.8 of [RFC8126]/
>Section 9, paragraph 1:
>   s/keying material This does/keying material. This does/