Re: [Gen-art] Genart last call review of draft-ietf-perc-dtls-tunnel-08

"Paul E. Jones" <paulej@packetizer.com> Tue, 08 June 2021 02:49 UTC

From: "Paul E. Jones" <paulej@packetizer.com>
To: "Russ Housley" <housley@vigilsec.com>, gen-art@ietf.org
Cc: draft-ietf-perc-dtls-tunnel.all@ietf.org, last-call@ietf.org, perc@ietf.org
Date: Tue, 08 Jun 2021 02:49:28 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/q2LjDDM0xIzVY0PrkZKHen_CQHw>

Russ,

Thanks for the review.  I have made changes as you (and Shawn) 
suggested.  Please see this diff which contains a rewritten security 
considerations section.  Please feel free to comment further since it's 
quite possible that I created more confusion.

I also tried to address your question about the mutual authentication in 
the security considerations section.

https://github.com/percwg/perc-wg/compare/paulej_ietf_lc

Paul

------ Original Message ------
From: "Russ Housley via Datatracker" <noreply@ietf.org>
To: gen-art@ietf.org
Cc: draft-ietf-perc-dtls-tunnel.all@ietf.org; last-call@ietf.org; 
perc@ietf.org
Sent: 5/28/2021 11:16:06 AM
Subject: Genart last call review of draft-ietf-perc-dtls-tunnel-08

>Reviewer: Russ Housley
>Review result: Almost Ready
>
>I am the assigned Gen-ART reviewer for this draft. The General Area
>Review Team (Gen-ART) reviews all IETF documents being processed
>by the IESG for the IETF Chair. Please wait for direction from your
>document shepherd or AD before posting a new version of the draft.
>
>For more information, please see the FAQ at
><http://wiki.tools.ietf.org/area/gen/trac/wiki/GenArtfaq>.
>
>Document: draft-ietf-perc-dtls-tunnel-08
>Reviewer: Russ Housley
>Review Date: 2021-05-28
>IETF LC End Date: unknown
>IESG Telechat date: unknown
>
>Summary: Almost Ready
>
>
>Major Concerns:
>
>Section 9:  The document has two different types of keying material:
>    (1) keys for hop-by-hop encryption and authentication; and
>    (2) keys for end-to-end encryption and authentication.
>The first two paragraphs of Section 9 talk about these two types of
>keying material.  I think that the discussion should be expanded by a
>sentence or two to explain the security consequences of disclosure of
>each of these keying material types.
>
>In addition, a pointer to the very extensive Security Consideration in
>RFC 8871 would be helpful.
>
>
>Minor Concerns:
>
>Section 5.4 says: "Each TLS tunnel established between the media
>distributor and the key distributor MUST be mutually authenticated."
>Is this a requirement to use DTLS client authentication?  If so,
>please be explicit.  If not, what other mechanisms for authentication
>are expected?
>
>
>Nits:
>
>Section 5.1, paragraph 2:   s/[!@RFC4566]/[RFC4566]/
>
>Section 5.5, paragraph 1:
>   s/MUST utilize the same version/MUST contain the same version/
>
>Section 8, last paragraph:
>    s/section 4.8 if [!@RFC8126]/Section 4.8 of [RFC8126]/
>
>Section 9, paragraph 1:
>   s/keying material This does/keying material. This does/
>