[Nea] Operations Directorate Review of draft-ietf-nea-pt-tls-05
"Romascanu, Dan (Dan)" <dromasca@avaya.com> Mon, 11 June 2012 14:20 UTC
Date: Mon, 11 Jun 2012 16:19:46 +0200
From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
To: paul_sangster@symantec.com, ncamwing@cisco.com, Joe Salowey <jsalowey@cisco.com>
Cc: ops-dir@ietf.org, nea@ietf.org, sethompso@cisco.com
Hi,

This is an OPS-DIR review for draft-ietf-nea-pt-tls-05. Although this is not easy reading for a non-expert, it's a well-written specification, based upon wide field experience with proprietary protocols, and I do not expect major obstacles in operational deployment.

A few issues triggered by the checklist in RFC 5706:

1. 'Does the new protocol need supporting services (e.g., DNS or Authentication, Authorization, and Accounting - AAA) added to an existing network?'

The protocol stacks atop TLS. Section 3.4.3 (TLS requirements) includes a SHOULD requirement for TLS 1.2, but neither here nor in other parts of the document could I find a requirement that PT-TLS implementations MUST support TLS 1.0 and TLS 1.1. The authors may want to add this. I believe that mentioning the fact that the protocol is layered atop TLS in the title and Abstract would make this key design issue clearer to the readers.

2. The protocol uses the Vendor PEN, but assumes it is limited to 24 bits. In Section 3.5 - Message Vendor ID:

   Consistent with PA-TNC and PB-TNC, we depend on the PEN fitting in 24 bits, so if IANA were to register a wider PEN than that PEN could not be used with NEA. IETF namespace PT-TLS Message Types MUST use zero (0) in this field.

However, discussions triggered by draft-liang-iana-pen-00 may end with that document recommending that new protocols define at least 32-bit PEN fields. Is this impossible in this case? What are the 8 bits preceding the Message Type Vendor ID reserved for?

3. 'Have suggestions for verifying correct operation been discussed?'

Not really. How are assessment results communicated to the operators? Are they public? Maybe they MUST NOT be public (because of privacy concerns, for example)? The document says nothing about this. Same question about errors, authentication failures, or other error counts.

4. 'Has management interoperability been discussed?'

As with many other security-related protocols, this document offers little to no information about manageability, so interoperable management does not seem to be an issue, or maybe these aspects are discussed in another document. In any case, this could be explained in the text.

5. Editorial observation - Readability could be improved if acronyms like MITM (Man-in-the-Middle) were expanded at their first occurrence.

Regards,
Dan
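The 24-bit PEN constraint raised in point 2 of the review above is easiest to see in a message header encoder and decoder. The following Python is an added example written for this archive page; it is not code from the draft, the NEA working group, or the reviewer. It assumes the PT-TLS message header layout the review refers to (an 8-bit Reserved field followed by a 24-bit Message Type Vendor ID, then 32-bit Message Type, Message Length and Message Identifier fields, 16 bytes in total); the field names, the `PtTlsError` class and the sample message are constructed for illustration. The point it demonstrates is that a PEN wider than 24 bits cannot be carried in this header at all, so an implementation has to reject it on send rather than silently truncate it, and a receiver should bounds-check the length field before trusting it.

```python
import struct

# Constructed constants for the assumed header layout (not from the draft text).
HEADER_LEN = 16                 # Reserved+VendorID (4) + Type (4) + Length (4) + ID (4)
PEN_MAX = (1 << 24) - 1         # largest PEN that fits the 24-bit Vendor ID field
IETF_PEN = 0                    # IETF namespace message types use zero here


class PtTlsError(ValueError):
    """Raised for headers that cannot be encoded or are malformed on receipt."""


def fits_in_pen_field(pen: int) -> bool:
    """True if an IANA Private Enterprise Number fits the 24-bit Vendor ID field."""
    return 0 <= pen <= PEN_MAX


def encode_header(vendor_id: int, msg_type: int, msg_len: int,
                  msg_id: int, reserved: int = 0) -> bytes:
    """Serialize the 16-byte header in network byte order.

    Rejects a PEN that does not fit in 24 bits instead of masking it, because a
    masked PEN would collide with some other vendor's namespace on the wire.
    """
    if not fits_in_pen_field(vendor_id):
        raise PtTlsError(f"PEN {vendor_id} does not fit the 24-bit Vendor ID field")
    if not 0 <= reserved <= 0xFF:
        raise PtTlsError("reserved field is 8 bits wide")
    if msg_len < HEADER_LEN or msg_len > 0xFFFFFFFF:
        raise PtTlsError("message length must cover the header and fit 32 bits")
    for name, value in (("type", msg_type), ("id", msg_id)):
        if not 0 <= value <= 0xFFFFFFFF:
            raise PtTlsError(f"message {name} must fit 32 bits")
    first_word = (reserved << 24) | vendor_id
    return struct.pack("!IIII", first_word, msg_type, msg_len, msg_id)


def encode_message(vendor_id: int, msg_type: int, msg_id: int, value: bytes) -> bytes:
    """Header followed by the message value; length field covers both."""
    return encode_header(vendor_id, msg_type, HEADER_LEN + len(value), msg_id) + value


def decode_header(data: bytes) -> dict:
    """Parse a header from the start of `data`, bounds-checking before use.

    The Reserved byte is extracted but not validated: a receiver that insisted on
    a particular value would break against peers that later assign meaning to it.
    """
    if len(data) < HEADER_LEN:
        raise PtTlsError("truncated header")
    first_word, msg_type, msg_len, msg_id = struct.unpack("!IIII", data[:HEADER_LEN])
    if msg_len < HEADER_LEN:
        raise PtTlsError("length field smaller than header")
    if msg_len > len(data):
        raise PtTlsError("length field exceeds available data")
    return {
        "reserved": first_word >> 24,
        "vendor_id": first_word & PEN_MAX,
        "message_type": msg_type,
        "message_length": msg_len,
        "message_id": msg_id,
        "value": data[HEADER_LEN:msg_len],
    }


if __name__ == "__main__":
    # Constructed sample: an IETF-namespace message carrying a three-byte value.
    wire = encode_message(IETF_PEN, 1, 7, b"abc")
    print(decode_header(wire))
    for pen in (PEN_MAX, PEN_MAX + 1):
        print(pen, "fits" if fits_in_pen_field(pen) else "does not fit")
```

Running the block prints the decoded sample header and then shows that the largest 24-bit value is accepted while the next PEN up is not, which is exactly the interoperability gap the review asks about.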