Re: [HOKEY] AD review of draft-ietf-hokey-rfc5296bis

Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 09 February 2012 10:01 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: hokey@ietfa.amsl.com
Delivered-To: hokey@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F90121F86D0 for <hokey@ietfa.amsl.com>; Thu, 9 Feb 2012 02:01:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.149
X-Spam-Level:
X-Spam-Status: No, score=-101.149 tagged_above=-999 required=5 tests=[AWL=-1.450, BAYES_00=-2.599, J_CHICKENPOX_73=0.6, MANGLED_LIST=2.3, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9dG2SFce+h2L for <hokey@ietfa.amsl.com>; Thu, 9 Feb 2012 02:01:14 -0800 (PST)
Received: from scss.tcd.ie (hermes.cs.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id 5814021F86C4 for <hokey@ietf.org>; Thu, 9 Feb 2012 02:01:14 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id BD7B9171D0B; Thu, 9 Feb 2012 10:01:13 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1328781673; bh=pNiNmKm+4EgqpQ DxIRqHHJzgikZ20XpBc9GuJ9zlCek=; b=WAXzxECOAH/wIB/UiY72EYPb3isF3+ PrtZ17ofPP0f3usdQaGl/jgfYvz0rq5DHRNkpg9xWaEfJHTWaSBcQ2lbwz9mUKXE 4swB3Dqf8I1GTKqcoV6SQ6Js+l7U//yVPQWfV3hw60gmZltnIQqAroVAcet4noig pDScnegs3lkCLhi9xC0kA94Fdk8RAyU/qBj30zF6Wo4E3TJEMGIUVoasIeDJHIE0 Z/uYZ5s//Er/aGwyBFDh/D2cJ+cc7duS+kmrpJ4ue6VSGVhzFnBQnXjN348O158/ fr00BYg1t5ANeifwEOJzjzZwmstnoPI/T3M/pWB2j2ZHRu07h8AcYYzQ==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id N+oyJvJPiNFU; Thu, 9 Feb 2012 10:01:13 +0000 (GMT)
Received: from [IPv6:2001:770:10:203:a288:b4ff:fe9c:bc5c] (unknown [IPv6:2001:770:10:203:a288:b4ff:fe9c:bc5c]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 26463171C71; Thu, 9 Feb 2012 10:01:13 +0000 (GMT)
Message-ID: <4F33995F.10106@cs.tcd.ie>
Date: Thu, 09 Feb 2012 10:01:03 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:9.0) Gecko/20111222 Thunderbird/9.0.1
MIME-Version: 1.0
To: Glen Zorn <glenzorn@gmail.com>
References: <4F32C244.3020202@cs.tcd.ie> <4F3395DD.4070300@gmail.com>
In-Reply-To: <4F3395DD.4070300@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: "hokey@ietf.org" <hokey@ietf.org>
Subject: Re: [HOKEY] AD review of draft-ietf-hokey-rfc5296bis
X-BeenThere: hokey@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: HOKEY WG Mailing List <hokey.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/hokey>, <mailto:hokey-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hokey>
List-Post: <mailto:hokey@ietf.org>
List-Help: <mailto:hokey-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hokey>, <mailto:hokey-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Feb 2012 10:01:15 -0000

Hi Glen,

On 02/09/2012 09:46 AM, Glen Zorn wrote:
> On 2/9/2012 1:43 AM, Stephen Farrell wrote:
>>
>> Hi all,
>>
>> My review on this is below. All of those comments
>> can be handled along with any other IETF LC comments
>> received and none is a big deal. However there is one
>> thing to sort out before we go ahead.
>>
>> There is an IPR declaration for 5296 but none for this
>> document, which is very similar.
>>
>> We should get that sorted out before IETF LC one way or
>> another. Best is to get a new declaration from the folks
>> who declared about 5296.
>>
>> It may be that an additional short WGLC just to check
>> this would be useful for the record once the chairs
>> find out if a new IPR declaration will be forthcoming
>> in the near future. (I've asked Tina as shepherd to
>> handle this.)
>>
>> Thanks,
>> S.
>>
>> - Some references need updating, check ID-nits.
>
> OK.
>
>>
>> http://tools.ietf.org/idnits?url=http://tools.ietf.org/id/draft-ietf-hokey-rfc5296bis-06.txt
>>
>>
>> The next three comments are about stuff that didn't really
>> change since 5296, so consider them suggestions (i.e.
>> I won't insist on any changes being made).
>>
>> - 3.2, 1st para: "The peer uses the domain name..." is that
>> the home or visited domain name?  Same thing in the 3rd last
>> para of 3.2 and various other places. Which domain name
>> is used when could be clearer throughout I think.
>
> Just looking at 3.2, it really seems that the domain name in question is
> quite clear from the context(and the fact that the name is used in the
> computation of a DSRK, which only used in a roaming situation).

If you say so, I believe you. Maybe I needed to read it again
(or better:-) but I found it a bit confusing. I guess if I were
paying enough attention to write code it might be fine. I could
also buy an argument that specifying home/visited appropriately
every time you say "domain name" might end up worse as well.

>> - p18, last bullet is not quite clear on when a message is
>> considered fresh. I think it means that any sequence number
>> greater than the last one used is ok, and any less is
>> considered a replay but I'm not 100% sure from this text, but
>> 5.4 does seem to say that. Be good to be as clear here too.
>
> Sorry, but again I'm just not getting it :(.  The start of the bullet in
> question reads:
>
>        Upon receipt of an EAP-Initiate/Re-auth message, the home ER
>        server verifies whether the message is fresh or is a replay by
>        evaluating whether the received sequence number is equal to or
>        greater than the expected sequence number for that rIK.
>
> Whats not clear?

On p18, the expected sequence number is not (yet) explained.
It is later though, in 5.4, so this is just me being v. picky.

>> - 8, "confidentiality of identity" - does the use of some of
>> the channel bindings not expose identity? If so, noting that
>> here would be good.
>
> Excellent point!  How's this?
>
>        Confidentiality of identity
>
>           Deployments where privacy is a concern may find the use of
>           rIKname-NAI to route ERP messages serves their privacy
>           requirements.  Note that it is plausible to associate multiple
>           runs of ERP messages since the rIKname is not changed as part
>           of the ERP protocol.  There was no consensus for that
>           requirement at the time of development of this specification.
>           If the rIKname is not used and the Peer-ID is used instead, the
>           ERP exchange will reveal the Peer-ID over the wire.  The use of
>           channel bindings may compromise identity confidentiality, as
>           well, for example, if the Calling-Station-ID AVP is used and
>           contains a value that can be linked to a user (e.g., a
>           telephone number).

Lovely.

>> nits:
>>
>> - DSRK is not expanded before 1st use in section 2.
>
> True; neither is 'EMSK'.  That is because the acronyms are defined in
> RFC 5295 and RFC 3748, respectively, which are normative references
> cited before the first usage of either term.

Fair enough.

Cheers,
S.

>> - DS-rIK and DS-rRK are used with out expansion or
>> explanation. (last para before 3.1)
>
> OK.
>
>>
>> - 3.2, 1st para: s/out of home domain/out of the home domain/
>
> OK.
>
>>
>> - 5.1, 1st para: s/If ER capable.../If an ER capable.../
>
> OK, probably needs a hyphen, too.
>
>>
>> - 3.2 s/Figure 5shows/Figure 5 shows/
>
> OK.
>
>>
>> _______________________________________________
>> HOKEY mailing list
>> HOKEY@ietf.org
>> https://www.ietf.org/mailman/listinfo/hokey
>
>