Comments on draft-ietf-ipdvb-sec-req-06 (editorial)
Gorry Fairhurst <gorry@erg.abdn.ac.uk> Sat, 17 May 2008 07:43 UTC
Return-Path: <owner-ipdvb@erg.abdn.ac.uk>
X-Original-To: ietfarch-ipdvb-archive@core3.amsl.com
Delivered-To: ietfarch-ipdvb-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C805628C355 for <ietfarch-ipdvb-archive@core3.amsl.com>; Sat, 17 May 2008 00:43:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vUFsFS0A1cl0 for <ietfarch-ipdvb-archive@core3.amsl.com>; Sat, 17 May 2008 00:43:45 -0700 (PDT)
Received: from erg.abdn.ac.uk (dee.erg.abdn.ac.uk [139.133.204.82]) by core3.amsl.com (Postfix) with ESMTP id AFFB528C353 for <ipdvb-archive@ietf.org>; Sat, 17 May 2008 00:43:43 -0700 (PDT)
Received: from dee.erg.abdn.ac.uk (localhost [IPv6:::1]) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id m4H6skke005023 for <ipdvb-subscribed-users@dee.erg.abdn.ac.uk>; Sat, 17 May 2008 07:54:46 +0100 (BST)
Received: (from majordomo.lists@localhost) by dee.erg.abdn.ac.uk (8.13.4/8.12.2/Submit) id m4H6skXD005022 for ipdvb-subscribed-users; Sat, 17 May 2008 07:54:46 +0100 (BST)
X-Authentication-Warning: dee.erg.abdn.ac.uk: majordomo.lists set sender to owner-ipdvb@erg.abdn.ac.uk using -f
Received: from Gorry-Fairhursts-Laptop.local (fgrpf.plus.com [212.159.18.54]) (authenticated bits=0) by erg.abdn.ac.uk (8.13.4/8.13.4) with ESMTP id m4H6sPFO004994 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Sat, 17 May 2008 07:54:26 +0100 (BST)
Message-ID: <482E8121.5080703@erg.abdn.ac.uk>
Date: Sat, 17 May 2008 07:54:25 +0100
From: Gorry Fairhurst <gorry@erg.abdn.ac.uk>
Organization: The University of Aberdeen is a charity registered in Scotland, No SC013683.
User-Agent: Thunderbird 2.0.0.14 (Macintosh/20080421)
MIME-Version: 1.0
To: ipdvb@erg.abdn.ac.uk
CC: "H.Cruickshank@surrey.ac.uk" <H.Cruickshank@surrey.ac.uk>, S.Iyengar@surrey.ac.uk, p.pillai@Bradford.ac.uk
Subject: Comments on draft-ietf-ipdvb-sec-req-06 (editorial)
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-ERG-MailScanner: Found to be clean, Found to be clean
Sender: owner-ipdvb@erg.abdn.ac.uk
Precedence: bulk
Reply-To: ipdvb@erg.abdn.ac.uk
X-ERG-MailScanner-From: owner-ipdvb@erg.abdn.ac.uk
Here are some editorial NiTs, which I'd like you to consider in preparing the next revision of the document. Best wishes, Gorry Fairhurst. ------ Overall NiTS: - The words /Receiver/ and /Receivers/ should be capitilised for consistency. - The words /ULE stream/ and /ULE streams/ should be capitilised for consistency. - The words /Header Extension/ should be changed to /Extension Header/ and all occurences should be capitilised for consistency with RFC5163. - The words /extension format/ should be changed to /Extension Header format/ - [ID-EXT] should be replaced by [RFC5163]. - I am confused about the difference between a ULE Stream (as defined in RFC4326, and a ULE link). If there is no difference, can we change all to /ULE Stream/? ======= Abstract: /... multicast transmission./ - Please add: /The analysis also describes applicability to the Generic Stream Encapsulation (GSE) defined by the Digital Video Broadcasting (DVB) Project./ --- Page 3. The scenarios are labeled 1,2,..., however in RFC 4259, these are labeled A,B,C,... Maintaining a consistent labeling could help cross-referencing. --- Page 3: /This can be typically satellite-based and star-based utilising a Hub station to deliver a common bit stream to medium-sized groups of receivers. / --- /Point-to-Point/ - Please add: /This connectivity may be provided using a pair of transmit and receive interfaces./ --- /This can be typically satellite-based and star-based utilising a Hub station to deliver a common bit stream to medium-sized groups of receivers. / - I think this "typically" could be disputed, and this should be an example place after the following sentence. --- /both unidirectional as well as bidirectional links for the scenarios mentioned above./ - Please clarify, e.g. /(A,B,C,D) and bidirectional (E,F) links for these scenarios./ --- Page 8: /like IPSec/ - change to /e.g. IPSec/ --- /rely on security assumptions as of wired links/ - can I suggest the following? /may make the same security assumptions as for wired links [RFC3819]/ --- / networks which are / ^^^^^ - please change /which/ to /that/ --- page 8: / ULE link security focuses only on the security between/ - change to /ULE Link Security only concerns the secuirty between/ --- page 8: /governmental users/ - please change to: /users requiring high assurance of security (e.g. government use)/ --- Page 8: / Hence for such cases the confidentiality and integrity of the user data will already be taken care of by / - English needs to be improved, suggest: / Hence for such cases, the requirements for confidentiality and integrity of the user data will be met by / --- Page 9: / are considered the major threats. An example of such a threat is/ could be simplified to: / are the major threats. One example is/ --- Page 9: /; an intruder can gain information by determining/ could be simplified to: /allowing an intruder to determine/ --- Page 10: /the security threat cases can be abstracted into three cases/ could be simplified to: /the security threats can be abstracted into three cases/ --- Page 11: / This is normally receiver to hub authentication and it could/ - "hub" - not sure what this word means here? - The document should be agnostic to the choice of physical layer. - Are we talking about the encapsulator, key management system, or what? --- /[ISO-8802, IEEE-802]./ - Please change to: /[ISO-8802], [IEEE-802]./ --- /GReq (g)/ - Add missing stop to end of sentence. --- Case 2: /to monitor most denial/ ^^^^ - delete most? or replace by "common"? --- /and apply to all the scenarios above, where appropriate./ - Either delete this, or explain what you mean (preferably before the start of the list). - At the moment this says it always applies, except when it does not. --- Page 13: /This would help in the design of the ULE Security extension header. For example this could help in the selection of security fields in the ULE Security extension Header design./ - please simplify to: /This may assist in selecting security fields for design of a ULE Security Extension Header/ --- Page 13: / Moreover the security services could also be grouped into profiles based on different security requirements. One example is to have a base profile which does payload encryption and identity protection. The second profile could do the above as well as source authentication. / - please simplify to: / Security services may be grouped into profiles based on the security requirements, e.g. base profile (with payload encryption and identity protection) and a second profile could that extends this to also provide source authentication./ --- DoS is used in table. but not previously defined (it looks like this should be defined on page 9). --- --- Section 6., page 14: / The [ID-EXT] document describes two new Header / ^^^^^^ ^^^^ - RFC 5136 defines three. --- /and specifically for DVB-S2 [ID-EXT]./ - delete above. --- /It might be desirable to authenticate some/all of the headers; such decision can be part of the security policy for the MPEG-2 transmission network./ - This seems rather vague. Are the headers you mention GSE headers? - which security policy? (note: this would not be a MPEG-2 one). --- Section 7: /It also defines/ - delete also. --- --- /between a ULE Encapsulation Gateway to Receivers/ ^^ change to: /between a ULE Encapsulation Gateway and the corresponding Receiver(s)/ --- /End-to-end security mechanism may then be used additionally and independently for providing strong authentication of the end-points in the communication. / - I suggest omitting this, since this seems covered by the first clause in the paragraph. --- Section 8: /(out of scope) such as:/ change to: /(i.e. are out of scope), e.g.:/ --- Section 10: /from University of Salzburg./ to: /(University of Salzburg)./ --- These words appear in Appendix A: / There could be other extension headers (either mandatory or optional). It is RECOMMENDED that these are placed after the security extension header. This permits full protection for all headers. It avoids situations where the SNDU has to be discarded on processing the security extension header, while preceding headers have already have been evaluated. One exception is the Timestamp extension which SHOULD precede the security extension header [ID- EXT]. When applying the security services for example confidentiality, input to the cipher algorithm will cover the fields from the end of the security extension header to the end of the PDU./ - I like them, and think they follow RFC5163, but I do not think you're allowed to use RFC 2119 keywords on requirements in an appendix. Could you consider moving these to follow the words in GReq (g)? --- Appendix B: /section compares the disadvantages when security functionalities are present in different layers./ Change to: /section compares the placement of security functionalities in different layers./ --- Please add a citation in section 6 to the following new informative reference: [GSE] TS 102 606 "Digital Video Broadcasting (DVB); Generic Stream Encapsulation (GSE) Protocol, "European Telecommunication Standards, Institute (ETSI), 2007. --- I suspect [RFC4326] is a normative reference (rather than informative). =================== -End- -- Dr Gorry Fairhurst, School of Engineering. The University of Aberdeen is a charity registered in Scotland No SC013683.
- Comments on draft-ietf-ipdvb-sec-req-06 (editoria… Gorry Fairhurst