RE: [secdir] Review of draft-ietf-l2vpn-oam-req-frmk-09
"Dinesh Mohan" <mohand@nortel.com> Thu, 13 December 2007 15:08 UTC
Return-path: <ietf-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1J2pgA-0006ba-Gg; Thu, 13 Dec 2007 10:08:50 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1J2pM0-0007iA-US; Thu, 13 Dec 2007 09:48:00 -0500
Received: from zrtps0kn.nortel.com ([47.140.192.55]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1J2pLt-0004dI-PX; Thu, 13 Dec 2007 09:48:00 -0500
Received: from zcarhxm1.corp.nortel.com (zcarhxm1.corp.nortel.com [47.129.230.97]) by zrtps0kn.nortel.com (Switch-2.2.6/Switch-2.2.0) with ESMTP id lBDElnh13616; Thu, 13 Dec 2007 14:47:50 GMT
X-MIMEOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 13 Dec 2007 09:47:48 -0500
Message-ID: <183DD1B052A11A40B76125E42F1CBAAB102C9DF2@zcarhxm1.corp.nortel.com>
In-Reply-To: <9162.1704.XFAIDVZHQ1c=.1197552483.squirrel@webmailer.hosteurope.de>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [secdir] Review of draft-ietf-l2vpn-oam-req-frmk-09
Thread-Index: Acg9jA695hr+6K0BT2S1MafP2HbNNgACl0dQ
References: <9162.1704.XFAIDVZHQ1c=.1197552483.squirrel@webmailer.hosteurope.de>
From: Dinesh Mohan <mohand@nortel.com>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>, sajassi@cisco.com, sdelord@uecomm.com.au, philippe.niger@francetelecom.com
X-Spam-Score: -4.0 (----)
X-Scan-Signature: 48472a944c87678fcfe8db15ffecdfff
X-Mailman-Approved-At: Thu, 13 Dec 2007 10:08:46 -0500
Cc: l2vpn-chairs@tools.ietf.org, ietf@ietf.org, secdir@mit.edu, tgondrom@opentext.com, iesg@ietf.org, "W. Mark Townsley" <townsley@cisco.com>
Subject: RE: [secdir] Review of draft-ietf-l2vpn-oam-req-frmk-09
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Errors-To: ietf-bounces@ietf.org
Dear Tobias, First of all apologies for inadvertent delay in response due to various factors (vacation, travel and some sickness). However, the authors will work to address all the comments in a separate email to follow soon. Regards, ---- Dinesh -----Original Message----- From: Tobias Gondrom [mailto:tobias.gondrom@gondrom.org] Sent: Thursday, December 13, 2007 8:28 AM To: Mohan, Dinesh (CAR:NP02); sajassi@cisco.com; sdelord@uecomm.com.au; philippe.niger@francetelecom.com Cc: ietf@ietf.org; secdir@mit.edu; iesg@ietf.org; l2vpn-chairs@tools.ietf.org; tgondrom@opentext.com Subject: RE: [secdir] Review of draft-ietf-l2vpn-oam-req-frmk-09 Hello authors and WG chairs, On my review comments from Nov-10, 2007, I did not receive answers to my comments from you, yet. As this draft is planned to be discussed on the IESG telechat, could you please clarify how you intend to answer to these things (correct, reject or whether we shall raise a "DISCUSS" during the LC to halt the document process until the issues have been resolved). Best regards, Tobias Ps.: Please note: my main email address changed to: tobias.gondrom@gondrom.org _____________________________________________ From: Tobias Gondrom Sent: Saturday, November 10, 2007 12:02 AM To: secdir@mit.edu; iesg@ietf.org Cc: ietf@ietf.org; 'mohand@nortel.com'; 'sajassi@cisco.com'; 'sdelord@uecomm.com.au'; 'philippe.niger@francetelecom.com' Subject: [secdir] Review of draft-ietf-l2vpn-oam-req-frmk-09 Hello, I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. I studied the draft and a have the following COMMENTS and leave it at the discretion of the ADs whether they want to raise any DISCUSS based on these COMMENTS: 1. a few editorial: Section 1: s/relationship between two layered networks; Fault Detection at the server/ relationship between two layered networks, Fault Detection at the server s/associated Pseudowires (PWs)/ associated Pseudo Wires (PWs) unclear statements: Section 1: I found the following sentence imprecise and hard to understand: "Performance Management deals with mechanism(s) that allow determining and measuring the performance of network/services under consideration and notification of them." Section 1.1: I would suggest to add CE and PE to the terminology of this document. It can only be derived from following a two-step indirect reference (via RFC4664 and then the reference mentioned there, which is stated as "work in progress"). For improved convenience the terminology should be referred directly from the document, or even better and more simple just add those two (CE and PE) to its Terminology. 2. the document does not state its intended status: based on its content and its relationship to the two other referred RFCs 4664 and 4665, I would assume it is Informational. If this assumption is wrong, the intended status should be clarified ASAP. 3. The document does not seem to use RFC-2119 coherently. Throughout the document there are numerous places where I do not understand why authors use "must" instead of "MUST". One example: Section 6.10: Security implies that an OAM domain must be capable of filtering OAM frames. => should be: "Security implies that an OAM domain MUST be capable of filtering OAM frames." And: "Also, OAM frames from outside the OAM domains should be either discarded (when such OAM frames belong to same or lower-level OAM domain) or transparently passed (when such OAM frames belong to a higher-level OAM domain)." => Should be at least: "Also, OAM frames from outside the OAM domains SHOULD be either discarded (when such OAM frames belong to same or lower-level OAM domain) or transparently passed (when such OAM frames belong to a higher-level OAM domain)." In the context of the sentence I even wonder if "MUST" isn't more precise, as it MUST either be the first or the second. Equivalent in Section 7.10.: "Security implies that an OAM domain must be capable of filtering OAM frames." => should become: ""Security implies that an OAM domain MUST be capable of filtering OAM frames." And: "Also,VPWS OAM frames from outside the OAM domains should be either discarded" => should become: "Also,VPWS OAM frames from outside the OAM domains MUST be either discarded" Please note, my personal opinion is that RFC-2119-language usage seems incoherently throughout large parts of the document and not only in these two sections. But maybe my personal expectation is not correct for an Informational Draft in the context of this area. 4. The security Considerations (section 11) states that it does not need further security considerations as it only imposes requirements to solutions but does not describe the solutions themselves. In fact I believe this statement to be wrong in even two ways: 1. the initial abstract declares this draft is about the requirements AND a framework 2. even if the document would only be talking about requirements (and not about any implications on a framework), it should still clearly include security considerations for the requirements as they are already partially done in section 6.10 and section 7.10. Last but not least, if the authors would still like to keep this section (11) as it is - which I would not recommend - they should consider to correct the following spelling errors: s/ For additional levels of security, the solutions may be required deploy to encrypt and/or authenticate OAM frames inside an OAM domain however solutions are out of the scope of this draft./For additional levels of security, the solutions may be required to deploy encryption and/or authentication of OAM frames inside an OAM domain, however solutions are out of the scope of this draft. 5. Question: as the draft is heavily based on RFC4664 and 4665, I wonder whether they should not better be normative references instead of informative ones? Best regards, Tobias __________________________________________ Tobias Gondrom Head of Open Text Security Team Director, Product Security Open Text Technopark 2 Werner-von-Siemens-Ring 20 D-85630 Grasbrunn Phone: +49 (0) 89 4629-1816 Mobile: +49 (0) 173 5942987 Telefax: +49 (0) 89 4629-33-1816 eMail: mailto:tobias.gondrom@opentext.com Internet: http://www.opentext.com/ Place of Incorporation / Sitz der Gesellschaft: Open Text GmbH, Werner-von-Siemens-Ring 20, 85630 Grasbrunn, Germany | Phone: +49 (0) 89 4629 0 | Fax: +49 (0) 89 4629 1199 | Register Court / Registergericht: München, Germany | Trade Register Number / HRB: 168364 | VAT ID Number /USt-ID: DE 114 169 819 | Managing Director / Geschäftsführer: John Shackleton, Walter Köhler _______________________________________________ Ietf mailing list Ietf@ietf.org https://www1.ietf.org/mailman/listinfo/ietf
- RE: [secdir] Review of draft-ietf-l2vpn-oam-req-f… Tobias Gondrom
- RE: [secdir] Review of draft-ietf-l2vpn-oam-req-f… Dinesh Mohan
- RE: [secdir] Review of draft-ietf-l2vpn-oam-req-f… Tobias Gondrom
- RE: [secdir] Review of draft-ietf-l2vpn-oam-req-f… Dinesh Mohan
- RE: [secdir] Review of draft-ietf-l2vpn-oam-req-f… Tobias Gondrom
- Re: [secdir] Review of draft-ietf-l2vpn-oam-req-f… Jeffrey Hutzelman
- [secdir] Review of draft-ietf-l2vpn-oam-req-frmk-… Tobias Gondrom