RE: secdir review of draft-ietf-dime-priority-avps-04

Stephen Hanna <shanna@juniper.net> Tue, 26 July 2011 10:54 UTC

From: Stephen Hanna <shanna@juniper.net>
To: "carlberg@g11.org.uk" <carlberg@g11.org.uk>
Date: Tue, 26 Jul 2011 06:52:45 -0400
Subject: RE: secdir review of draft-ietf-dime-priority-avps-04
Cc: "lionel.morand@orange-ftgroup.com" <lionel.morand@orange-ftgroup.com>, "draft-ietf-dime-priority-avps.all@tools.ietf.org" <draft-ietf-dime-priority-avps.all@tools.ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>

Thanks for your response, Ken.

Removing the last sentence that you quoted would make things worse.
Readers of this draft should definitely familiarize themselves with
the security considerations related to priority. We should make that
easier, not harder. The fact that those considerations also apply to
other RFCs does not remove the fact that they apply to this one also.

You cannot publish a document whose security considerations section
says (as this one effectively does today), "There are lots of security
considerations related to this document. To understand them, please
dig through all the referenced documents and figure it out yourself."
Doing that digging and analysis is the job of the document editors.

In order to ease the burden on you, I think a reasonable compromise
would be for YOU to review the documents referenced and decide which
have the most relevant security considerations. Then you could list
those explicitly in the last paragraph of the Security Considerations.

Thanks,

steve

> -----Original Message-----
> From: carlberg@g11.org.uk [mailto:carlberg@g11.org.uk]
> Sent: Tuesday, July 26, 2011 6:42 AM
> To: Stephen Hanna
> Cc: ietf@ietf.org; secdir@ietf.org;
> draft-ietf-dime-priority-avps.all@tools.ietf.org; lionel.morand@orange-ftgroup.com
> Subject: re: secdir review of draft-ietf-dime-priority-avps-04
> 
> Hi Steve,
> 
> Thanks for the review.
> 
> <snip>
> 
> > This standards track document defines Diameter AVPs that can be
> > used to convey a variety of priority parameters. While the Security
> > Considerations section of this document properly requires that
> > implementers review the Security Considerations section in the
> > Diameter protocol specification and consider the issues described
> > there, it does not include any analysis of the specific security
> > issues related to priority systems. The authors should review other
> > Security Considerations sections relating to priority systems
> > (e.g. the one in RFC 4412) and add text that describes the
> > special security issues that arise with priority systems and
> > the countermeasures that may be employed.
> 
> You raise an interesting issue and we actually had a discussion about
> this on the DIME list
> <http://www.ietf.org/mail-archive/web/dime/current/msg04773.html>
> 
> And just for the sake of completeness, here is the security
> considerations text of the dime-priority-avps draft in question:
> 
>     This document describes the extension of Diameter for conveying
>     Quality of Service information.  The security considerations of
>     the Diameter protocol itself have been discussed in
>     [I-D.ietf-dime-rfc3588bis].  Use of the AVPs defined in this
>     document MUST take into consideration the security issues and
>     requirements of the Diameter base protocol.
> 
>     The authors also recommend that readers should familiarize
>     themselves with the security considerations of the various
>     protocols listed in the Normative References listed below.
> 
> In a nutshell, the authors and the chair disagreed with the need for
> extending the security considerations to include an analysis with
> other protocols (e.g., RFC 4412) because these protocols operate outside
> of the DIAMETER protocol.  The dime-priority-avps draft is an
> extension of I-D.ietf-dime-rfc3588bis, and thus is subject to the same
> security considerations as the bis draft.  And it's also important to
> keep in mind that the dime-priority-avps draft does not inject
> prioritization into the exchange of DIAMETER messages.  It simply
> defines AVPs that correlate to some priority fields of other protocols.
> 
> If it was the last sentence (above) in the dime-priority-avps security
> considerations that triggered your comment about further analysis,
> then I'd prefer just removing that text.
> 
> cheers,
> 
> -ken
>