Re: [mile] AD review of draft-ietf-mile-xmpp-grid-08
"Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com> Sun, 30 December 2018 02:28 UTC
From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>, "mile@ietf.org" <mile@ietf.org>
Thread-Topic: [mile] AD review of draft-ietf-mile-xmpp-grid-08
Thread-Index: AQHUjV5IiTQQfL3pKkSanvmwg12yRqWWgbOA
Date: Sun, 30 Dec 2018 02:28:36 +0000
Message-ID: <325006F0-2786-46C0-BA93-BE253E538D25@cisco.com>
References: <63dc7282-3db0-08c0-64db-bc3280665048@isode.com>
In-Reply-To: <63dc7282-3db0-08c0-64db-bc3280665048@isode.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mile/MBH8mQnU4aAuH0TvlesQhAspSpA>
Hi Alexey,

Thank you for your careful review (and Happy Holidays!). Please see comments below (the updates have been made to what is now the version -09 draft, https://datatracker.ietf.org/doc/draft-ietf-mile-xmpp-grid/):

On 12/6/18, 04:21, "mile on behalf of Alexey Melnikov" <mile-bounces@ietf.org on behalf of alexey.melnikov@isode.com> wrote:

> Hi,
>
> This document reads well and I am grateful for the extensive Security Considerations section!
>
> Some specific comments, most of which are nits/minor things:
>
> The following references need to be Normative, as they describe documents that need to be read and understood in order to implement various requirements specified in this draft:
>
> [XEP-0060]
> [XEP-0030] (used in a SHOULD)
> [XEP-0004] (used in a SHOULD)

[NCW] Updated in version -09.

> The following need to have References:
>
> SASL EXTERNAL - Normative reference to RFC 4422
> DHCP - Informative reference

[NCW] Updated in version -09.

> 8.2.1. Network Attacks
>
> A variety of attacks can be mounted using the network. For the purposes of this subsection the phrase "network traffic" can be taken to mean messages and/or parts of messages. Any of these attacks can be mounted by network elements, by parties who control network elements, and (in many cases) by parties who control network-attached devices.
>
> o Network traffic can be passively monitored to glean information from any unencrypted traffic
>
> [snip]
>
> o A "Man In The Middle" (MITM) attack can be mounted where an attacker interposes itself between two communicating parties and poses as the other end to either party or impersonates the other end to either or both parties
>
> o Resist attacks (including denial of service and other attacks from XMPP-Grid Platforms)
>
> This seems out of place or not worded quite right. All other items describe various attacks. What exactly does this item mean?

[NCW] It was meant to be a general statement that other attacks could be there, but as you note, it seemed out of place and didn't really add to the considerations, so I've removed it.

> o Undesired network traffic can be sent in an effort to overload an architectural component, thus mounting a denial of service attack
>
> 8.3.6. Securing the Certification Authority
>
> As noted above, compromise of a Certification Authority (CA) trusted to issue certificates for the XMPP-Grid Controller and/or XMPP-Grid Platforms is a major security breach. Many guidelines for proper CA security have been developed: the CA/Browser Forum's Baseline Requirements, the AICPA/CICA Trust Service Principles, etc. The CA operator and relying parties should agree on appropriately rigorous security practices to be used. Even with the most rigorous security practices, a CA can be compromised.
>
> I think it might be good to reference Certificate Transparency WG work here (informatively), see <https://datatracker.ietf.org/wg/trans/documents/>

[NCW] As I was trying to figure out how to work it in, I added a reference to RFC 6962 (the base draft from the trans WG) as another guideline... hopefully that satisfies your request?

> Best Regards,
> Alexey