Re: APPSDIR review of draft-ietf-nea-pt-tls-04
Alexey Melnikov <alexey.melnikov@isode.com> Thu, 14 June 2012 21:01 UTC
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 99B0921F85AD; Thu, 14 Jun 2012 14:01:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.203
X-Spam-Level:
X-Spam-Status: No, score=-101.203 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cZfqMLYjE+Mu; Thu, 14 Jun 2012 14:01:12 -0700 (PDT)
Received: from statler.isode.com (statler.isode.com [62.3.217.254]) by ietfa.amsl.com (Postfix) with ESMTP id 725DB21F85A5; Thu, 14 Jun 2012 14:01:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1339707671; d=isode.com; s=selector; i=@isode.com; bh=Ih7jSg2aiSNcRKQWzAQPbbzQ5PN8yA8mUSNR074eHes=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=RlZqrq596aepScf9cAUNvnZ7xakXoSXYLzTry9gKS4eMrKI+sWSl0m1H3HMtqpI7MmcaDt X1Mo7sQe5175nkK+U0r2U4bIR3AgLemO4ww6gtXl2B5DxdN/XOMDH1k9l0dEiAR/vwEfQ0 +4gsUBoAbsyMCWlnIAs4um3A8dBZr6w=;
Received: from [188.29.2.53] (188.29.2.53.threembb.co.uk [188.29.2.53]) by statler.isode.com (submission channel) via TCP with ESMTPSA id <T9pRFgBjLKYP@statler.isode.com>; Thu, 14 Jun 2012 22:01:11 +0100
References: <4FCD0614.5050902@isode.com> <6E79D623502C70419A9EAB18E4D274252B8B061618@TUS1XCHEVSPIN35.SYMC.SYMANTEC.COM>
In-Reply-To: <6E79D623502C70419A9EAB18E4D274252B8B061618@TUS1XCHEVSPIN35.SYMC.SYMANTEC.COM>
Message-Id: <BBFCA866-ECF1-4F2F-9CE4-4BD3EB081B42@isode.com>
X-Mailer: iPad Mail (9B206)
From: Alexey Melnikov <alexey.melnikov@isode.com>
Subject: Re: APPSDIR review of draft-ietf-nea-pt-tls-04
Date: Thu, 14 Jun 2012 22:01:05 +0100
To: Paul Sangster <Paul_Sangster@symantec.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="us-ascii"
Cc: "draft-ietf-nea-pt-tls.all@tools.ietf.org" <draft-ietf-nea-pt-tls.all@tools.ietf.org>, "nea@ietf.org" <nea@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jun 2012 21:01:13 -0000
Hi Paul, On 14 Jun 2012, at 05:02, Paul Sangster <Paul_Sangster@symantec.com> wrote: >> -----Original Message----- >> From: Alexey Melnikov [mailto:alexey.melnikov@isode.com] >> Sent: Monday, June 04, 2012 12:02 PM >> To: apps-discuss@ietf.org; draft-ietf-nea-pt-tls.all@tools.ietf.org >> Cc: ietf@ietf.org >> Subject: APPSDIR review of draft-ietf-nea-pt-tls-04 >> >> I have been selected as the Applications Area Directorate reviewer for >> this draft (for background on APPSDIR, please see >> http://trac.tools.ietf.org/area/app/trac/wiki/ApplicationsAreaDirectora >> te ). >> >> Please resolve these comments along with any other Last Call comments >> you may receive. Please wait for direction from your document shepherd >> or AD before posting a new version of the draft. The review is not >> copied to the IESG as the Last Call has not been announced yet. >> >> Document: draft-ietf-nea-pt-tls-04 >> Title: PT-TLS: A TCP-based Posture Transport (PT) Protocol >> Reviewer: Alexey Melnikov >> Review Date: June 4, 2012 >> >> Summary: This document is almost ready for publication as a Proposed >> Standard, although some [mostly] SASL related issues remain. >> >> This document specifies PT-TLS, a TCP-based Posture Transport (PT) >> protocol. The PT-TLS protocol carries the Network Endpoint >> Assessment (NEA) message exchange under the protection of a Transport >> Layer Security (TLS) secured tunnel. >> >> (Note, I've reviewed -04, but I think all of this still applies to - >> 05.) >> >> >> Major: >> >> In 3.4.2.1: RFC 6125 use details are missing. You need to describe >> whether CN-IDs and SRV-IDs are allowed, whether wildcards are allowed, >> etc. I can suggest some details. > > [PS:] Since you weren't happy with our first attempt to address this comment, we would like to take you up on your kind offer to provide suggestions. Maybe we could do this off-line and included the text in -06? > Yes. >> Minor: >> >> In Section 3.2: This document is not yet Internet Standard, it will be >> Proposed Standard. Suggest saying "Publication on Standards Track" >> instead instead of "Internet Standard". The same issue in the IANA >> consideration section. > > [PS:] This sentence will be re-written to address the gen-art comment so the new text won't have this issue. > >> >> In 3.8.1: I think one instance of "SASL authentication messages" --> >> "SASL authentication mechanisms". Otherwise this sentence is out of >> place, as you are not talking about SASL messages. > > [PS:] Will make it more clear the relationship between SASL messages in PT-TLS and the SASL mechanism exchanges inside the messages. The sentence mentioned is about the PT-TLS client authentication messages. > >> >> In 3.8.4: in SASL the server doesn't return abort as an error code, it >> just fails the authentication exchange. I suggest removing it as a >> choice. > > [PS:] This text was attempting to support the abort as described in RFC4422 which says: > > 3.5. Aborting Authentication Exchanges > > A client or server may desire to abort an authentication exchange if > it is unwilling or unable to continue (or enter into). > > A client may abort the authentication exchange by sending a message, > the particulars of which are protocol specific, to the server, > indicating that the exchange is aborted. The server may be required > by the protocol to return a message in response to the client's abort > message. > > Likewise, a server may abort the authentication exchange by sending a > message, the particulars of which are protocol specific, to the > client, indicating that the exchange is aborted. > > [PS]: Is this an unacceptable way to do this? > Well, Ok, but nobody is sending a special message when a SASL server wants to abort the exchange. Existing open source API don't seem to support this either. I suppose the client can just treat this as an authentication failure, as it can't know what caused the abort. >> >> In 3.8.7: you define the Reserved field which I assume is used for >> padding? If yes, then you will not get proper alignment for the next >> field, as SASL mechanism names are variable length. (If you intended >> that they are always sent as 20 bytes, then this is missing from the >> document.) > > [PS:] Sure, word alignment would have been a good reason for doing this but we thought more about byte alignment. We also thought having these bits available could be useful later (e.g. for indicating preference or some other semantic that could impact the mechanism selection). Since we didn't need an entire byte for the Mech Len we thought it made sense to at least byte align the Mechanism Name and the cost of 3 bits for some future purpose made sense. Ok. Never mind. Just to confirm: SASL mechanism names are not padded with spaces or NULs? > >> >> In 3.8.10: >> >> The Abort choice is really not needed (as per above). >> >> Also, can you give me an example of when the Mechanism Failure will be >> returned instead of just Failure? > > [PS:] The document gives the example of authentication failure (incorrect credential) where mechanism failure is when the mechanism logic detects a failure in processing the authentication request that isn't related to the user's input (e.g. malloc error). > Ok. Having malloc failure as an example would help. >> In 3.9: Failed Authentication error code - how does this differ from >> SASL Authentication result with Failure code? > > [PS:] Hmm, I'm going to have to look into this more. One way they are different is the fact that the NEA Client is not allowed to send the SASL Result TLV so can't use the Failure code but it could send a Failed Authentication error code in the PT-TLS Error Message. Wouldn't the client just send Abort in this case? (Abort makes sense for clients) > >> >> In 4.1.2, second block, the first bullet: I think you meant "client" >> instead of the "server". > > [PS:] Thanks, good catch > >> >> >> Question (might not be an issue): >> >> In 6.2: is it possible to register a vendor specific value without a >> specification? > > [PS:] In order to be placed in the IANA registry a permanent specification is required (as mentioned in section 6.1). Of course vendors are free to use values in their name space without registering them with the IANA. This might be a bit heavyweight and might discourage registrations. But if that is what you want... > >> >> The same question for 6.3. >> >> >> Nits: None >
- APPSDIR review of draft-ietf-nea-pt-tls-04 Alexey Melnikov
- Re: [apps-discuss] APPSDIR review of draft-ietf-n… Alexey Melnikov
- RE: [apps-discuss] APPSDIR review of draft-ietf-n… Paul Sangster
- RE: APPSDIR review of draft-ietf-nea-pt-tls-04 Paul Sangster
- Re: APPSDIR review of draft-ietf-nea-pt-tls-04 Alexey Melnikov
- Re: [apps-discuss] APPSDIR review of draft-ietf-n… Alexey Melnikov