Secdir review comments for draft-ietf-pim-bidir-08
"Joseph Salowey \(jsalowey\)" <jsalowey@cisco.com> Thu, 08 February 2007 05:14 UTC
Date: Wed, 07 Feb 2007 21:14:35 -0800
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: iesg@ietf.org, secdir@mit.edu, M.Handley@cs.ucl.ac.uk, "Isidor Kouvelas (kouvelas)" <kouvelas@cisco.com>, "Tony Speakman (speakman)" <speakman@cisco.com>, lorenzo@cisco.com, pim-chairs@tools.ietf.org, ietf@ietf.org
Subject: Secdir review comments for draft-ietf-pim-bidir-08
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The security considerations section does a reasonable job of describing threats against the protocol. It also seems that RFC 4609 might be relevant; if it is, it should be referenced.

In several cases the security considerations section suggests using source authentication to mitigate problems. The document does list IPSec AH as a way to achieve this; however, this is not a mandatory-to-implement mechanism. In addition, this document points to RFC 4601 for direction on how to use IPSec. RFC 4601 just specifies manual keying without any specific parameters. This leaves the pim-bidir draft (and RFC 4601) without a specified mandatory-to-implement interoperable security mechanism. This issue was discussed previously during the last call of RFC 4601. I would like to understand better why IPSec AH does not have a stronger requirement and why no automated key management is specified.

Thanks,

Joe