IETF Logo Mail Archive

[NSIS] AD review: draft-ietf-nsis-nslp-auth-02.txt

Lars Eggert <lars.eggert@nokia.com> Fri, 11 June 2010 13:15 UTC

Return-Path: <lars.eggert@nokia.com>
X-Original-To: nsis@core3.amsl.com
Delivered-To: nsis@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4655C3A6820 for <nsis@core3.amsl.com>; Fri, 11 Jun 2010 06:15:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.888
X-Spam-Level:
X-Spam-Status: No, score=-4.888 tagged_above=-999 required=5 tests=[AWL=-0.889, BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GxF2MH-eL5vO for <nsis@core3.amsl.com>; Fri, 11 Jun 2010 06:15:30 -0700 (PDT)
Received: from mgw-mx06.nokia.com (smtp.nokia.com [192.100.122.233]) by core3.amsl.com (Postfix) with ESMTP id E1BC73A68F2 for <nsis@ietf.org>; Fri, 11 Jun 2010 06:15:26 -0700 (PDT)
Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213]) by mgw-mx06.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id o5BDFJqn010306; Fri, 11 Jun 2010 16:15:25 +0300
Received: from vaebh104.NOE.Nokia.com ([10.160.244.30]) by esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.4675); Fri, 11 Jun 2010 16:15:20 +0300
Received: from mgw-sa01.ext.nokia.com ([147.243.1.47]) by vaebh104.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.4675); Fri, 11 Jun 2010 16:15:20 +0300
Received: from mail.fit.nokia.com (esdhcp030222.research.nokia.com [172.21.30.222]) by mgw-sa01.ext.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id o5BDFKew018147 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 11 Jun 2010 16:15:20 +0300
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.96.1 at fit.nokia.com
Mime-Version: 1.0 (Apple Message framework v1078)
Content-Type: multipart/signed; boundary="Apple-Mail-3--545317990"; protocol="application/pkcs7-signature"; micalg="sha1"
From: Lars Eggert <lars.eggert@nokia.com>
In-Reply-To: <4C0CA940.7080000@tkk.fi>
Date: Fri, 11 Jun 2010 16:15:08 +0300
Message-Id: <99B779C7-3319-465A-8D5D-70FDC8DBA163@nokia.com>
References: <20100515224502.402743A6A97@core3.amsl.com> <4C0CA940.7080000@tkk.fi>
To: Jukka Manner <jukka.manner@tkk.fi>
X-Mailer: Apple Mail (2.1078)
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.5 (mail.fit.nokia.com); Fri, 11 Jun 2010 16:15:09 +0300 (EEST)
X-OriginalArrivalTime: 11 Jun 2010 13:15:20.0846 (UTC) FILETIME=[24C6FAE0:01CB0968]
X-Nokia-AV: Clean
Cc: "nsis@ietf.org" <nsis@ietf.org>
Subject: [NSIS] AD review: draft-ietf-nsis-nslp-auth-02.txt
X-BeenThere: nsis@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Next Steps in Signaling <nsis.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nsis>
List-Post: <mailto:nsis@ietf.org>
List-Help: <mailto:nsis-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Jun 2010 13:15:36 -0000

Summary: Not ready, revision needed, see below.

Meta question: This document is very complex. Do we have any real experience with coupling NSLP authorization with X.500, Kerberos, PGP, etc.? Do any of the experimental implementations use this to authorize QoS NSLP or NATFW NSLP actions?



Section 1., paragraph 2:
>    Currently, this node would run either the QoS or
>    the NAT/FW NSLP service.

  Cite the two NSLP documents.


Section 2., paragraph 1:
>    The NSIS working group is specifying a suite of protocols for the
>    next generation in Internet signaling [RFC4080].

  Rephrase to omit mentioning the NSIS WG before publication as an RFC.


Section 2., paragraph 3:
>    The so far specified basic security architecture for NSIS is based on

  s/so far specified//   (there won't be any other, no?)


Section 3.1., paragraph 8:
>    flag cominbation is not used by all NSLPs, e.g., it is not used in

  Nit: s/cominbation/combination/


Section 3.2., paragraph 5:
>       Session authorization attribute type (X-Type) field is one octet.
>       IANA acts as a registry for X-Types as described in Section 7,
>       IANA Considerations.  Initially, the registry contains the
>       following X-Types:

  The IANA considerations are in Section 8. And that section doesn't
  define this new registry.


Section 3.2.1., paragraph 6:
>       The following sub-types for AUTH_ENT_ID are defined.  IANA acts as
>       a registry for AUTH_ENT_ID sub-types as described in Section 7,
>       IANA Considerations.  Initially, the registry contains the
>       following sub-types of AUTH_ENT_ID:

  The IANA considerations are in Section 8. And that section doesn't
  define this new registry.


Section 3.2.2., paragraph 6:
>       The following sub types for SOURCE_ADDR are defined.  IANA acts as
>       a registry for SOURCE_ADDR sub-types as described in Section 7,
>       IANA Considerations.  Initially, the registry contains the
>       following sub types for SOURCE_ADDR:

  The IANA considerations are in Section 8. And that section doesn't
  define this new registry.


Section 3.2.3., paragraph 3:
>    Length: Length of the attribute in number of octects, which MUST be >

  Nit: s/octects,/octets,/


Section 1., paragraph 0:
>    1.  1 NTP_TIMESTAMP NTP Timestamp Format as defined in RFC 1305.

  RFC1305 needs to be a normative reference.


Section 3.2.6., paragraph 2:
>    The creator of the this attribute lists every NSLP object type whose

  Nit: Maybe you need to remove the second determiner so that only 'the'
  or 'this' is left.


Section 3.2.6., paragraph 6:
>    | No of signed NSLP objects = n |  rsv  |  NSLP object type (1) |

  Nit: s/No/Nr./ (also elsewhere)


Section 3.2.6., paragraph 10:
>    SubType: No sub types for NSLP_OBJECT_LIST are currently defined.
>    This field MUST be set to 0.

  And ignored upon reception.


Section 3.2.6., paragraph 13:
>    rsv: reserved bits and must be set to 0 (zero).

  And ignored upon reception.


Section 3.2.6., paragraph 15:
>    padding: padding is required if the number of NSLP objects is even.
>    The padding field MUST be 16 bit set to 0.

  Ambiguous. You mean that the padding is REQUIRED when even and that it
  MUST NOT be added when odd.


Section 4.2., paragraph 3:
>    Another opton is to encapsulate the credentials in the AUTH_DATA

  Nit: s/opton/option/


Section 4.3.1.1., paragraph 5:
>    o  Certification Path Validation is performed as defined in Section 6
>       of RFC 3280.

  RFC3280 needs to be cited.


Section 4.3.1.2., paragraph 2:
>    o  AUTHENTICATION_DATA contains a Signature Packet as defined in
>       Section 5.2.3 of RFC 2440.  In summary:

  RFC2440 needs to be cited.


Section 6.2., paragraph 0:
> 6.2.  Processing within the QoS NSLP

  Does this mean that this document updates draft-ietf-nsis-qos-nslp?


Section 2., paragraph 0:
>        must contruct and send a RESPONSE message with the status of

  Nit: s/contruct/construct/


Section 6.3., paragraph 0:
> 6.3.  Processing with the NAT/FW NSLP

  Does this mean that this document updates draft-ietf-nsis-nslp-natfw?


Section 7., paragraph 2:
>    different network entities may not be in synch.  The start time is

  Nit: s/synch./sync./


Section 10.2., paragraph 4:
>    [RFC2396]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
>               Resource Identifiers (URI): Generic Syntax", RFC 2396,
>               August 1998.

  Obsolete informational reference (is this intentional?): RFC 2396
  (Obsoleted by RFC 3986)


Section 10.2., paragraph 7:
>    [RFC3852]  Housley, R., "Cryptographic Message Syntax (CMS)",
>               RFC 3852, July 2004.

  Obsolete informational reference (is this intentional?): RFC 3852
  (Obsoleted by RFC 5652)

v2.23.0 | Report a Bug | By Email