[Nea] Operations Directorate Review of draft-ietf-nea-pt-tls-05

"Romascanu, Dan (Dan)" <dromasca@avaya.com> Mon, 11 June 2012 14:20 UTC

From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
To: paul_sangster@symantec.com, ncamwing@cisco.com, Joe Salowey <jsalowey@cisco.com>
Cc: ops-dir@ietf.org, nea@ietf.org, sethompso@cisco.com
Date: Mon, 11 Jun 2012 16:19:46 +0200
Subject: [Nea] Operations Directorate Review of draft-ietf-nea-pt-tls-05

Hi, 

This is an OPS-DIR review for draft-ietf-nea-pt-tls-05. Although this is
not easy reading for a non-expert, it's a well-written specification,
based upon wide field experience with proprietary protocols, and I do
not expect major obstacles in operational deployment.


A few issues triggered by the checklist in RFC 5706: 

1. 'Does the new protocol need supporting services (e.g., DNS or
   Authentication, Authorization, and Accounting - AAA) added to an
   existing network?'

The protocol stacks atop TLS. Section 3.4.3 (TLS requirements)
includes a SHOULD requirement for TLS 1.2, but neither here nor in other
parts of the document could I find a requirement that PT-TLS
implementations MUST support TLS 1.0 and TLS 1.1. The authors may want
to add this.

I believe that mentioning the fact that the protocol is layered atop
TLS in the title and Abstract would make this key design issue clearer
to the readers.

2. The protocol uses the Vendor PEN, but assumes it is limited to
24 bits.

In Section 3.5 (Message Vendor ID):

      Consistent with PA-TNC and PB-TNC, we depend on the PEN fitting
      in 24 bits, so if IANA were to register a wider PEN than that,
      the PEN could not be used with NEA. IETF namespace PT-TLS Message
      Types MUST use zero (0) in this field.


However, discussions triggered by draft-liang-iana-pen-00 may end with
that document recommending that new protocols define at least 32-bit PEN
fields. Is this impossible in this case? What are the 8 bits preceding
the Message Type Vendor ID reserved for?

3. 'Have suggestions for verifying correct operation been discussed?'

Not really. How are assessment results communicated to the operators?
Are they public? Maybe they MUST NOT be public (because of privacy
concerns for example)? The document says nothing about this. Same
question about errors, authentication failures, or other error counts.  

4. 'Has management interoperability been discussed?'

As with many other security-related protocols, this document offers
little to no information about manageability, so interoperable
management does not seem to be an issue, or maybe these aspects are
discussed in another document. In any case, this could be explained in
the text.

5. Editorial observation - Readability could be improved if acronyms
like MITM (Man-in-the-Middle) were expanded at their first
occurrence.

Regards,

Dan
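The 24-bit PEN limit raised in point 2 is easiest to see in code. The following is an added example written for this archive page, not code from the draft or the reviewer: it packs and parses the first word of a PT-TLS message header as the quoted text describes it (8 reserved bits followed by a 24-bit Message Type Vendor ID, zero for the IETF namespace) and rejects a PEN that does not fit. The remaining three 32-bit header words (Message Type, Message Length, Message Identifier) and the 16-byte header size are assumed here from the published protocol layout; they are not quoted on the page.

```python
import struct

# Largest PEN that can be carried in the 24-bit Message Type Vendor ID field.
# A PEN at or above 2**24 (16777216) cannot be expressed in PT-TLS at all,
# which is exactly the interoperability risk the review points out.
PEN_MAX = (1 << 24) - 1

HEADER_LEN = 16  # assumed: four 32-bit words (reserved+vendor, type, length, id)


def pen_fits(pen: int) -> bool:
    """True if a Private Enterprise Number fits the 24-bit field."""
    return 0 <= pen <= PEN_MAX


def encode_header(vendor_id: int, message_type: int, length: int, identifier: int) -> bytes:
    """Build a PT-TLS message header (assumed layout, network byte order).

    The top 8 bits of the first word are the Reserved field and are sent as zero.
    vendor_id == 0 selects the IETF namespace for message_type.
    """
    if not pen_fits(vendor_id):
        raise ValueError(f"PEN {vendor_id} does not fit in 24 bits; unusable in PT-TLS")
    for name, value in (("message_type", message_type), ("length", length), ("identifier", identifier)):
        if not 0 <= value < (1 << 32):
            raise ValueError(f"{name} must be an unsigned 32-bit value")
    if length < HEADER_LEN:
        raise ValueError("length must cover at least the header itself")
    word0 = vendor_id & 0xFFFFFF  # reserved bits (0xFF000000) stay zero
    return struct.pack("!IIII", word0, message_type, length, identifier)


def decode_header(buf: bytes, strict: bool = True) -> dict:
    """Parse a header and split the first word into Reserved and Vendor ID.

    With strict=True a non-zero Reserved field is rejected, the conservative
    choice for a receiver that has no definition for those 8 bits.
    """
    if len(buf) < HEADER_LEN:
        raise ValueError("truncated PT-TLS header")
    word0, message_type, length, identifier = struct.unpack("!IIII", buf[:HEADER_LEN])
    reserved = word0 >> 24
    vendor_id = word0 & 0xFFFFFF
    if strict and reserved != 0:
        raise ValueError(f"reserved bits set (0x{reserved:02x}) in PT-TLS header")
    return {
        "reserved": reserved,
        "vendor_id": vendor_id,
        "namespace": "IETF" if vendor_id == 0 else "vendor",
        "message_type": message_type,
        "length": length,
        "identifier": identifier,
    }


if __name__ == "__main__":
    # Constructed sample: IETF-namespace message type 1, header-only message.
    hdr = encode_header(0, 1, HEADER_LEN, 42)
    print(hdr.hex(), decode_header(hdr))
    # Constructed sample: a vendor PEN that still fits in 24 bits.
    print(decode_header(encode_header(0x123456, 5, HEADER_LEN, 43)))
    # A 25-bit PEN is rejected before anything goes on the wire.
    print(pen_fits(1 << 24))
```

Running the block prints the hex of an IETF-namespace header, the decoded vendor header, and `False` for the 25-bit PEN; a receiver using `decode_header` in strict mode also drops any message whose 8 reserved bits are non-zero, which is the behaviour the review's question about those bits implicitly asks the draft to pin down.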