[OPSEC] Secdir last call review of draft-ietf-opsec-probe-attribution
tirumal reddy <kondtir@gmail.com> Tue, 20 June 2023 06:08 UTC
From: tirumal reddy <kondtir@gmail.com>
Date: Tue, 20 Jun 2023 11:38:16 +0530
Message-ID: <CAFpG3gf4yORu3ZBWq1NpQgOUWszDsBGSGcZzPJH9cWd0JLHW-g@mail.gmail.com>
To: secdir@ietf.org, last-call@ietf.org, draft-ietf-opsec-probe-attribution.all@ietf.org, opsec@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/oG15F44wPH4cGRrT5VNZ3TfqmH4>
Reviewer: Tirumaleswar Reddy
Review result: Ready with issues

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

The summary of the review is Ready with issues.

[1] else (or in addition), the Probe Description URI is "https://[2001:db8::dead]/.well-known/probing.txt". In this case, there might be a certificate verification issue.

Comment> It is possible to get a certificate with an IP address from a public CA (see https://datatracker.ietf.org/doc/html/rfc8738).

[2] You may want to consider referring to https://datatracker.ietf.org/doc/draft-ietf-6man-hbh-processing/. It discusses HBH option processing by intermediate nodes and recommendations for processing new HBH options.

[3] I suggest discussing the privacy implications: an eavesdropper will be able to view the PII data in the Probe.

[4] As a consequence, the recipient of this information cannot trust it without confirmation. If a recipient cannot confirm the information or does not wish to do so, it should treat the flows as if there were no probe attribution.

Comment> How can the recipient of the probe information validate that it is authentic for confirmation?

Cheers,
-Tiru
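Point [1] above concerns a Probe Description URI whose host is an IPv6 literal rather than a DNS name. Such a URI can still be verified when the server presents an RFC 8738-style certificate, but the verifier has to compare the literal against the certificate's iPAddress subjectAltName entries (after address normalisation), not against dNSName entries. The following is an added example, written for this review page and not code from the draft, the reviewer, or any IETF project; it takes the draft's example URI and constructed, clearly labelled sample subjectAltName lists in the shape Python's `ssl.SSLSocket.getpeercert()` returns, and shows which certificates satisfy the identifier and which do not.

```python
"""Added example: matching a Probe Description URI with an IP-literal host
against a server certificate's subjectAltName entries.

The URI is the example from draft-ietf-opsec-probe-attribution; the SAN
lists below are constructed sample data, not real certificates."""
import ipaddress
from urllib.parse import urlsplit


def uri_host_identifier(uri):
    """Classify the URI host as ('ip', ip_address) or ('dns', name).

    urlsplit().hostname strips the [] around an IPv6 literal and lower-cases
    the host, so the draft's URI yields the bare literal '2001:db8::dead'.
    """
    host = urlsplit(uri).hostname
    if host is None:
        raise ValueError("URI has no host component: %r" % (uri,))
    try:
        return ("ip", ipaddress.ip_address(host))
    except ValueError:
        return ("dns", host)


def cert_matches_uri(uri, san_entries):
    """Return True if the SAN list presents the identifier the URI names.

    san_entries is a list of (type, value) tuples in the form returned by
    ssl.SSLSocket.getpeercert()['subjectAltName'], e.g.
    [('DNS', 'probe.example'), ('IP Address', '2001:db8::dead')].

    Rules applied (RFC 6125 / RFC 8738 semantics):
      * an IP-literal host matches only an iPAddress SAN with the same
        address; textual differences (case, zero compression) are removed
        by parsing both sides with the ipaddress module;
      * a DNS host matches only a dNSName SAN (exact, case-insensitive;
        wildcards are deliberately not accepted here);
      * a dNSName that merely *looks* like the address text never matches
        an IP host, and an iPAddress never matches a DNS host.
    """
    kind, ident = uri_host_identifier(uri)
    for san_type, san_value in san_entries:
        if kind == "ip" and san_type == "IP Address":
            try:
                if ipaddress.ip_address(san_value) == ident:
                    return True
            except ValueError:
                continue  # malformed iPAddress entry: skip, never match
        elif kind == "dns" and san_type == "DNS":
            if san_value.lower() == ident.lower():
                return True
    return False


# The draft's example Probe Description URI.
PROBE_URI = "https://[2001:db8::dead]/.well-known/probing.txt"

# Constructed sample SAN lists (not real certificates).
SAN_IP_CERT = [("IP Address", "2001:DB8:0:0::DEAD")]  # same address, different text
SAN_DNS_ONLY_CERT = [("DNS", "2001:db8::dead"), ("DNS", "probe.example")]
SAN_WRONG_IP_CERT = [("IP Address", "2001:db8::beef")]


def demo():
    """Evaluate each constructed certificate against the draft's URI."""
    return {
        "ip_san_cert": cert_matches_uri(PROBE_URI, SAN_IP_CERT),
        "dns_only_cert": cert_matches_uri(PROBE_URI, SAN_DNS_ONLY_CERT),
        "wrong_ip_cert": cert_matches_uri(PROBE_URI, SAN_WRONG_IP_CERT),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-14s %s" % (name, "matches" if ok else "does NOT match"))
```

Only the certificate carrying an iPAddress entry for 2001:db8::dead satisfies the draft's URI; a certificate whose dNSName happens to spell the same text does not, which is the comparison a recipient's HTTPS client must get right before it relies on the fetched probe description. With a publicly trusted IP-address certificate issued under RFC 8738, the standard TLS validation path already performs this check, so the "certificate verification issue" the draft mentions is avoidable rather than inherent.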