Re: [Nea] Operations Directorate Review of draft-ietf-nea-pt-tls-05
Paul Sangster <Paul_Sangster@symantec.com> Thu, 14 June 2012 04:41 UTC
Return-Path: <Paul_Sangster@symantec.com>
X-Original-To: nea@ietfa.amsl.com
Delivered-To: nea@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50DAE11E8093; Wed, 13 Jun 2012 21:41:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rD8xr70QaAKW; Wed, 13 Jun 2012 21:41:43 -0700 (PDT)
Received: from tus1smtoutpex03.symantec.com (tus1smtoutpex03.symantec.com [216.10.195.243]) by ietfa.amsl.com (Postfix) with ESMTP id 2AD3321F852C; Wed, 13 Jun 2012 21:41:40 -0700 (PDT)
X-AuditID: d80ac3f3-b7fd26d00000349b-fd-4fd96b839cfd
Received: from tus1smtintpin01.ges.symantec.com (TUS1SMTINTPIN01.ges.symantec.com [192.168.215.101]) by tus1smtoutpex03.symantec.com (Symantec Brightmail Gateway out) with SMTP id D1.D1.13467.38B69DF4; Thu, 14 Jun 2012 04:41:39 +0000 (GMT)
Received: from [155.64.220.138] (helo=TUS1XCHHUBPIN02.SYMC.SYMANTEC.COM) by tus1smtintpin01.ges.symantec.com with esmtp (Exim 4.76) (envelope-from <Paul_Sangster@symantec.com>) id 1Sf1sG-0008SS-Qy; Thu, 14 Jun 2012 04:41:36 +0000
Received: from TUS1XCHEVSPIN35.SYMC.SYMANTEC.COM ([155.64.220.150]) by TUS1XCHHUBPIN02.SYMC.SYMANTEC.COM ([172.24.185.246]) with mapi; Wed, 13 Jun 2012 21:41:39 -0700
From: Paul Sangster <Paul_Sangster@symantec.com>
To: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
Date: Wed, 13 Jun 2012 21:42:53 -0700
Thread-Topic: Operations Directorate Review of draft-ietf-nea-pt-tls-05
Thread-Index: Ac1H3UDULckBLm7vQhq8Xci7wLPg+wCB24dQ
Message-ID: <6E79D623502C70419A9EAB18E4D274252B8B061623@TUS1XCHEVSPIN35.SYMC.SYMANTEC.COM>
References: <EDC652A26FB23C4EB6384A4584434A0407B53813@307622ANEX5.global.avaya.com>
In-Reply-To: <EDC652A26FB23C4EB6384A4584434A0407B53813@307622ANEX5.global.avaya.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrFIsWRmVeSWpSXmKPExsVyYMX1VN3m7Jv+BhveiFp8/fmD1eLz2wqL 3qYlzBbT915jd2DxOLhyDrvH2u6rbB5LlvxkCmCO4rJJSc3JLEst0rdL4MpoXX+IreCdRkXD 1hssDYznFboYOTkkBEwk5rx5xQJhi0lcuLeerYuRi0NI4COjxOP2WUwQzmtGibnztrFAOKsY JaY8P8YK0sImYCCx88gpdhBbREBf4uOMNcwgNrNAucT2XZPYQGwWAVWJ0y3zmUBsYQE3iUlL fjBC1LtL3J6+ghXCNpL48HgFUD0HB69AlMSF3/ogYSGBYIk3r36CjecUCJE49Xc3mM0IdOn3 U2uYIFaJS9x6AjFeQkBAYsme88wQtqjEy8f/WCHqRSXutK9nhKjXkViw+xMbhK0tsWzha7B6 XgFBiZMzn7BMYBSfhWTsLCQts5C0zELSsoCRZRWjTElpsWFxbkl+aUlBaoWBsV5xZW4iMP6S 9ZLzczcxAmPwBtfhzzsYF/7QP8QowMGoxMObmXzTX4g1sQyo8hCjBAezkgjvMwWgEG9KYmVV alF+fFFpTmrxIUZpDhYlcd6E/Vv9hQTSE0tSs1NTC1KLYLJMHJxSDYzaoSHT2t77rMkNO5R/ N35nWKVIgviGqSuEJ0svOr6Mbadt5Pfl61XXx/nO+CqZ7J68ImrO+eX2vIx99/qud8p+uLj+ n8+3T9sPc3x+/OtPefv0aKX5M5z4K6uyasJa3qSaP1uR48uR9I338pRzMtrfr1WvKDgW1G8m aF2w9rGMj2Z5bS3n0VYlluKMREMt5qLiRADwbMUIvQIAAA==
Cc: "ops-dir@ietf.org" <ops-dir@ietf.org>, "nea@ietf.org" <nea@ietf.org>
Subject: Re: [Nea] Operations Directorate Review of draft-ietf-nea-pt-tls-05
X-BeenThere: nea@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Network Endpoint Assessment discussion list <nea.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nea>, <mailto:nea-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nea>
List-Post: <mailto:nea@ietf.org>
List-Help: <mailto:nea-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nea>, <mailto:nea-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jun 2012 04:41:44 -0000
Thanks for the review, comments are in-lined below... > -----Original Message----- > From: Romascanu, Dan (Dan) [mailto:dromasca@avaya.com] > Sent: Monday, June 11, 2012 7:20 AM > To: Paul Sangster; ncamwing@cisco.com; Joe Salowey > Cc: ops-dir@ietf.org; Stephen Farrell; nea@ietf.org; > shanna@juniper.net; sethompso@cisco.com > Subject: Operations Directorate Review of draft-ietf-nea-pt-tls-05 > > Hi, > > This is an OPS-DIR review for draft-ietf-nea-pt-tls-05. Although this > is > not an easy reading for a non-expert, it's a well written specification, > based upon wide field experience with proprietary protocols, and I do > not expect major obstacles in operational deployment. > > > A few issues triggered by the checklist in RFC 5706: > > 1. 'Does the new protocol need supporting services (e.g., DNS or > Authentication, Authorization, and Accounting - AAA) added to > an existing network?' > > The protocol stacks atop of TLS. Section 3.4.3 (TLS requirements) > includes a SHOULD requirement for TLS 1.2, but neither here nor in > other > parts of the document I could find a requirement that PT-TLS > implementations MUST support TLS 1.0 and TLS 1.1. The authors may want > to add this. > > I believe that mentioning the fact that the protocol is layered atop of > TLS in the title and Abstract would make this key design issue more > clear to the readers. [PS:] This protocol certainly does need to be carried in TLS. As you mention, its discussed in the TLS Requirements section. The working group discussed how to word the TLS 1.1 and 1.2 requirements on numerous occasions and we settled on this approach (SHOULD for 1.2 since it's not widely deployed yet and pointing out that 1.0/1.1 are also good transports of this protocol without including a normative reference to a downgraded RFC). This approach parallels the way some other specs are handling this tricky issues (e.g. see OAuth at http://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-1.6). > > 2. The protocol uses the Vendor PEN, but assumes it is limited to > 24-bit. > > In Section 3.5 - Message Vendor ID - . > > Consistent with PA-TNC and PB- > TNC, we depend on the PEN fitting in 24 bits, so if IANA were to > register a wider PEN than that PEN could not be used with NEA. > IETF namespace PT-TLS Message Types MUST use zero (0) in this > field. > > > However, discussions triggered by draft-liang-iana-pen-00 may end by > that document recommending that new protocols define at least 32-bit > PEN > fields. Is this impossible in this case? What are the 8 bits preceding > the Message Type Vendor ID Reserved for? [PS:] I believe we would rather stay consistent with the other protocols in the NEA stack. There are A LOT of numbers left in the PEN space before >24 bits is required unless for some reason the IANA started doing non-linear allocations. Changing the protocol would only fix 1/3 of the NEA stack so not really be of large benefit for interoperability and diverge from the existing NAC protocols in the field. > > 3. 'Have suggestions for verifying correct operation been discussed?' > > Not really. How are assessment results communicated to the operators? > Are they public? Maybe they MUST NOT be public (because of privacy > concerns for example)? The document says nothing about this. Same > question about errors, authentication failures, or other error counts. [PS:] This protocol is just the transport for the assessment. The assessment is the topic of PA-TNC and PB-TNC plus the NEA architecture RFCs. For items like authentication failures those can be passed up the stack to higher layers which make the policy decisions on how/whether to proceed and in some cases can display messages to the user or operator. These are more architectural issues for the higher layers then this simple transport protocol. > > 4. 'Has management interoperability been discussed?' > > As with many other security-related protocols this document offers > little to none information about manageability, so interoperable > management does not seem to be an issue, or maybe these aspects are > discussed in another document. In any case, this could be explained in > text. [PS:] Agreed, this would be a topic for another specification since this is just a transport protocol for the higher layer protocols in NEA. I'd expect higher level concepts like NEA policies would need a management framework and assessment statistics could be collected from the PB layer which knows more about the assessment data and results then the transport. > > 5. Editorial observation - Readability could be improved if acronyms > like MITM (Man-in-the Middle) would be expanded at their first > occurrence. [PS:] Thanks will expand the acronym on first use. Fortunately in this case MITM is used in a reference to the NEA Asokan attack spec which defines the MITM attack in great detail so should help the interested reader. > > Regards, > > Dan >
- [Nea] Operations Directorate Review of draft-ietf… Romascanu, Dan (Dan)
- Re: [Nea] Operations Directorate Review of draft-… Paul Sangster