IETF Logo Mail Archive

Re: [manet] AD review of draft-ietf-manet-packetbb-sec

"Dearlove, Christopher (UK)" <Chris.Dearlove@baesystems.com> Tue, 10 January 2012 12:34 UTC

Return-Path: <Chris.Dearlove@baesystems.com>
X-Original-To: manet@ietfa.amsl.com
Delivered-To: manet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3202521F84B2 for <manet@ietfa.amsl.com>; Tue, 10 Jan 2012 04:34:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EbHTY6-D07JP for <manet@ietfa.amsl.com>; Tue, 10 Jan 2012 04:34:35 -0800 (PST)
Received: from ukmta3.baesystems.com (ukmta3.baesystems.com [20.133.40.55]) by ietfa.amsl.com (Postfix) with ESMTP id 05B7021F84AE for <manet@ietf.org>; Tue, 10 Jan 2012 04:34:34 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.71,486,1320624000"; d="scan'208";a="180819481"
Received: from unknown (HELO baemasodc004.greenlnk.net) ([10.108.36.11]) by Baemasodc001ir.sharelnk.net with ESMTP; 10 Jan 2012 12:34:33 +0000
Received: from glkms1102.GREENLNK.NET (glkms1102.greenlnk.net [10.108.36.193]) by baemasodc004.greenlnk.net (Switch-3.4.4/Switch-3.4.4) with ESMTP id q0ACYXAS029864; Tue, 10 Jan 2012 12:34:33 GMT
Received: from GLKMS2100.GREENLNK.NET ([10.15.184.93]) by glkms1102.GREENLNK.NET with Microsoft SMTPSVC(6.0.3790.4675); Tue, 10 Jan 2012 12:34:33 +0000
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 10 Jan 2012 12:34:32 -0000
Message-ID: <ABE739C5ADAC9A41ACCC72DF366B719D0503D925@GLKMS2100.GREENLNK.NET>
In-Reply-To: <00ef01cccd78$babc3d50$3034b7f0$@olddog.co.uk>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [manet] AD review of draft-ietf-manet-packetbb-sec
Thread-Index: AczNeKDyf5ob6IhDRUWPVDWWRlUFEgCGn0mQ
References: <00ef01cccd78$babc3d50$3034b7f0$@olddog.co.uk>
From: "Dearlove, Christopher (UK)" <Chris.Dearlove@baesystems.com>
To: adrian@olddog.co.uk, draft-ietf-manet-packetbb-sec.all@tools.ietf.org
X-OriginalArrivalTime: 10 Jan 2012 12:34:33.0359 (UTC) FILETIME=[34B999F0:01CCCF94]
Cc: manet@ietf.org
Subject: Re: [manet] AD review of draft-ietf-manet-packetbb-sec
X-BeenThere: manet@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mobile Ad-hoc Networks <manet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/manet>, <mailto:manet-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/manet>
List-Post: <mailto:manet@ietf.org>
List-Help: <mailto:manet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/manet>, <mailto:manet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Jan 2012 12:34:36 -0000

With regard to the experimental code points, I think one really is too low,
I can immediately see a requirement for two in something I may do, and
I can imagine more. I would suggest at least four, possibly more. Would
that be  more palatable by making these Private as well as (or instead of?)
Experimental use?

-- 
Christopher Dearlove
Technology Leader, Communications Group
Communications and Networks Capability
BAE Systems Advanced Technology Centre
West Hanningfield Road, Great Baddow, Chelmsford, CM2 8HN, UK
Tel: +44 1245 242194  Fax: +44 1245 242124

BAE Systems (Operations) Limited
Registered Office: Warwick House, PO Box 87,
Farnborough Aerospace Centre, Farnborough, Hants, GU14 6YU, UK
Registered in England & Wales No: 1996687

-----Original Message-----
From: manet-bounces@ietf.org [mailto:manet-bounces@ietf.org] On Behalf Of Adrian Farrel
Sent: 07 January 2012 20:13
To: draft-ietf-manet-packetbb-sec.all@tools.ietf.org
Cc: manet@ietf.org
Subject: [manet] AD review of draft-ietf-manet-packetbb-sec


                    *** WARNING ***

  This message has originated outside your organisation,
  either from an external partner or the Global Internet. 
      Keep this in mind if you answer this message.
  To report a suspicious email, follow the instructions 
  on the Global Intranet at "<How We Work> / <Security>"


 

Thanks for this draft. I have performed my AD review as usual and I 
don't have any major issues.

Before we start, one minor question to help me set my expectations...

Did you have any expert security input on this work? I only ask in 
order to try to work out what level of review we are likely to get
later in the process.

Otherwise I have a few nits and minor requests to polish the document.
I hope they are straight forward and you can quickly spin a new 
revision of the document which I can advance to IETF last call.

Thanks,
Adrian

---

The text file I downloaded has a couple of interesting characters at the
top.



---

Could you s/[RFC5444]/defined in RFC 5444/                 

(A piece of pettiness, but citations cannot be made from the stand-alone
Abstract)

---

Section 10.1 does not include the caveat about other signatures that may
already be present as found in 8.1 and 9.1. Is this intentional?

---

Section 11

Don't "propose" anything! This is an I-D you plan to have converted into
an RFC. You can "define" things if you feel the need for a word.

---

Section 12.1.1

   The rationale for separating the hash function and the cryptographic
   function into two octets instead of having all combinations in a
   single octet - possibly as TLV type extension - is twofold: First, if
   further hash functions or cryptographic functions are added in the
   future, the number space might not remain continuous.  More
   importantly, the number space of possible combinations would be
   rapidly exhausted.  As new or improved cryptographic mechanism are
   continuously being developed and introduced, this format should be
   able to accommodate such for the foreseeable future.

I accept the reasoning for the contiguity. I don't accept the reasoning
for number space exhaustion. Surely, you have the same number of bits
(16) and the same amount of information (#hashfuncs * #cryptofuncs).

Actually, in your method exhaustion is slightly more likely because you
only have 8 bits for each category and so one of them could become
exhausted independent of the other.

I suggest removing the second motivation.

Clarity of separation of function identifiers would serve as a second
reason if you must have one.

---

12.1.1

   The rationale for not including a field that lists parameters of the
   cryptographic signature in the TLV is, that before being able to
   validate a cryptographic signature, routers have to exchange or

s/TLV is, that/TLV is that,/

---

Section 13

Please remove the RFC2119 language from this part of the IANA
considerations section. It is typical to request IANA to perform actions.

---

Sections 13. through 13.6

The experimental ranges here are way too large unless you can give me a 
really good reason.

Understandable as MANET moves from experimental to standards track, but
once you are standards track it is normal to restrict the experimental
ranges to a very small (e.g. one) range of numbers. Have a look at 
RFC 3692. Consider whether it would be enough to have just one or two
code points reserved for experimentation.

_______________________________________________
manet mailing list
manet@ietf.org
https://www.ietf.org/mailman/listinfo/manet


********************************************************************
This email and any attachments are confidential to the intended
recipient and may also be privileged. If you are not the intended
recipient please delete it from your system and notify the sender.
You should not copy it or use it for any purpose nor disclose or
distribute its contents to any other person.
********************************************************************

v2.23.0 | Report a Bug | By Email