Re: [ppsp] Kathleen Moriarty's No Objection on draft-ietf-ppsp-base-tracker-protocol-11: (with COMMENT)

"Huangyihong (Rachel)" <rachel.huang@huawei.com> Thu, 17 December 2015 03:43 UTC

Return-Path: <rachel.huang@huawei.com>
X-Original-To: ppsp@ietfa.amsl.com
Delivered-To: ppsp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E61021AC429; Wed, 16 Dec 2015 19:43:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jSYNW5bToUiK; Wed, 16 Dec 2015 19:43:02 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1EF031AC42C; Wed, 16 Dec 2015 19:43:00 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml405-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CBR69162; Thu, 17 Dec 2015 03:42:59 +0000 (GMT)
Received: from LHREML707-CAH.china.huawei.com (10.201.5.199) by lhreml405-hub.china.huawei.com (10.201.5.242) with Microsoft SMTP Server (TLS) id 14.3.235.1; Thu, 17 Dec 2015 03:42:58 +0000
Received: from NKGEML410-HUB.china.huawei.com (10.98.56.41) by lhreml707-cah.china.huawei.com (10.201.5.199) with Microsoft SMTP Server (TLS) id 14.3.235.1; Thu, 17 Dec 2015 03:42:57 +0000
Received: from NKGEML513-MBX.china.huawei.com ([169.254.1.252]) by nkgeml410-hub.china.huawei.com ([10.98.56.41]) with mapi id 14.03.0235.001; Thu, 17 Dec 2015 11:42:50 +0800
From: "Huangyihong (Rachel)" <rachel.huang@huawei.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Thread-Topic: [ppsp] Kathleen Moriarty's No Objection on draft-ietf-ppsp-base-tracker-protocol-11: (with COMMENT)
Thread-Index: AQHRNvAAUVhaZeA6P0mZ5gruM113FJ7NLeUw///rs4CAAWxSAA==
Date: Thu, 17 Dec 2015 03:42:49 +0000
Message-ID: <51E6A56BD6A85142B9D172C87FC3ABBB86E765D1@nkgeml513-mbx.china.huawei.com>
References: <20151215022950.16440.50969.idtracker@ietfa.amsl.com> <51E6A56BD6A85142B9D172C87FC3ABBB86E76198@nkgeml513-mbx.china.huawei.com> <CAHbuEH4wTZia1Sye-Hhjf=UN1wXmOr81KtEF5atQcV_UKo0r_w@mail.gmail.com>
In-Reply-To: <CAHbuEH4wTZia1Sye-Hhjf=UN1wXmOr81KtEF5atQcV_UKo0r_w@mail.gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.136.79.29]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020203.56722F43.0049, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.1.252, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 4fbb603b2ffcf20d96361a10ed70df1c
Archived-At: <http://mailarchive.ietf.org/arch/msg/ppsp/8ehq8-tA3zx-nhriexXtjI8Pf6M>
Cc: "ppsp-chairs@ietf.org" <ppsp-chairs@ietf.org>, "ppsp@ietf.org" <ppsp@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-ppsp-base-tracker-protocol@ietf.org" <draft-ietf-ppsp-base-tracker-protocol@ietf.org>
Subject: Re: [ppsp] Kathleen Moriarty's No Objection on draft-ietf-ppsp-base-tracker-protocol-11: (with COMMENT)
X-BeenThere: ppsp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: discussing to draw up peer to peer streaming protocol <ppsp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ppsp>, <mailto:ppsp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ppsp/>
List-Post: <mailto:ppsp@ietf.org>
List-Help: <mailto:ppsp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ppsp>, <mailto:ppsp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2015 03:43:05 -0000

Hi Kathleen,

I'll update it according to your suggestion. Thank you very much.

BR,
Rachel


> -----Original Message-----
> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
> Sent: Wednesday, December 16, 2015 9:37 PM
> To: Huangyihong (Rachel)
> Cc: The IESG; ppsp-chairs@ietf.org; ppsp@ietf.org;
> draft-ietf-ppsp-base-tracker-protocol@ietf.org
> Subject: Re: [ppsp] Kathleen Moriarty's No Objection on
> draft-ietf-ppsp-base-tracker-protocol-11: (with COMMENT)
> 
> Hi Rachael,
> 
> On Wed, Dec 16, 2015 at 2:12 AM, Huangyihong (Rachel)
> <rachel.huang@huawei.com>; wrote:
> > Hi Kathleen,
> >
> > Thank you for all the valuable comments. Please see my replies inline.
> >
> > BR,
> > Rachel
> >
> >
> >> -----Original Message-----
> >> From: ppsp [mailto:ppsp-bounces@ietf.org] On Behalf Of Kathleen
> >> Moriarty
> >> Sent: Tuesday, December 15, 2015 10:30 AM
> >> To: The IESG
> >> Cc: ppsp-chairs@ietf.org; ppsp@ietf.org;
> >> draft-ietf-ppsp-base-tracker-protocol@ietf.org
> >> Subject: [ppsp] Kathleen Moriarty's No Objection on
> >> draft-ietf-ppsp-base-tracker-protocol-11: (with COMMENT)
> >>
> >> Kathleen Moriarty has entered the following ballot position for
> >> draft-ietf-ppsp-base-tracker-protocol-11: No Objection
> >>
> >> When responding, please keep the subject line intact and reply to all
> >> email addresses included in the To and CC lines. (Feel free to cut
> >> this introductory paragraph, however.)
> >>
> >>
> >> Please refer to
> >> https://www.ietf.org/iesg/statement/discuss-criteria.html
> >> for more information about IESG DISCUSS and COMMENT positions.
> >>
> >>
> >> The document, along with other ballot positions, can be found here:
> >> https://datatracker.ietf.org/doc/draft-ietf-ppsp-base-tracker-protoco
> >> l/
> >>
> >>
> >>
> >> ---------------------------------------------------------------------
> >> -
> >> COMMENT:
> >> ---------------------------------------------------------------------
> >> -
> >>
> >> 1. Section 5.2.7
> >> Please make mention and reference to security provisions for SNMP and
> Syslog.
> >> RFC5424 is just for syslog, so a pointer for SNMP security
> >> considerations should be added in this section as well.  They use a
> >> boilerplate for the text and add considerations specific to a draft.
> >> Benoit - do you have a good reference for them to use?  A more
> >> generic SNMP draft might not be up-to-date with the latest
> >> boilerplate text.  If that's the case, the recent changes are small
> >> and could be stated with a pointer to an RFC with the older boilerplate text.
> >>
> >> - Thanks for adding an SNMP reference.  I would think there is a
> >> better, more recent one that could be used.  Moving to a comment for
> >> your AD to help you with and not hold up on this one.
> >
> > [Rachel]: Will referring to [RFC5590] be better?
> >
> >>
> >>
> >> 2. Are there any considerations for the statistics collected, can
> >> they be used in a malicious way?  I would think so and that this
> >> would be an important security consideration.  Mentioning possible
> >> issues would be helpful to the reader.
> >>
> >> - Thanks for adding in text about this one!
> >>
> >> 3. Section 6
> >> Reference to RFC2616 isn't enough for the security considerations of
> >> HTTP since that's a really old RFC.  If you want authentication
> >> options, you could point to the HTTPAuth documents, which include
> >> updated versions of HTTP basic (RFC7616) and digest (RFC7617).  While
> >> there are still lots of security issues with these options, the RFCs
> >> spell out what the actual considerations are, which are helpful to
> >> the reader.  This raises the need for TLS 1.2 as well to provide
> >> session protection for the session (passive and active attacks) as well as for
> the authentication used.
> >>
> >> You mention HTTPAuth's digest in 6.1, but there's no reference.  This
> >> is a little better, so I am moving this to a comment from discuss.
> >
> > [Rachel]: Yes. I propose following changes for the last paragraph of 6.1:
> >
> > OLD
> > "
> >    OAuth 2.0 Authorization [RFC6749] SHOULD be also considered when
> >    digest authentication and HTTPS client certificates are required.
> > "
> > NEW
> > "
> >    When peer (Client) authentication is desired at the tracker, HTTP Digest
> Authentication [RFC7616] MUST be supported.
> > "
> 
> I think what you had is better as it allowed for certificate based authentication
> as well.  HTTP Digest has it's problems, which are cited in RFC7616.  A MUST
> for that isn't a good idea.  Just include the reference for RFC7616 with the
> older text.
> 
> Thank you,
> Kathleen
> 
> >
> >>
> >> 4. Section 6.1
> >> Why isn't TLS a must here to protect the session data?
> >> If you are relying on OAuth Bearer tokens, they offer no security
> >> protection without TLS, so to rely on this, I'd say TLS really should
> >> be a MUST.  The authentication types to get a bearer token (at least
> >> in RFC documentation and in the registry) are all pretty weak and
> >> require TLS protection to have any level of security.
> >>
> >> With the TLS MUST, we are recommending TLS 1.2 as the minimum in drafts.
> >> It would be good to see a mention of TLS 1.2 as a minimum
> >> recommendation and a reference to the BCP for TLS 1.2 configurations
> >> RFC7525 (it even includes cipher suite recommendations).
> >>
> >> - Thanks for adding in the MUST for TLS and the reference to RFC7525.
> >>
> >> 5. Privacy
> >> I would have expected some discussion on the protection of the 2 ID
> >> types and the tracker capabilities and that session encryption (TLS)
> >> ought to be used when this is a consideration.  Is there a reason
> >> this isn't covered?  If it's not a concern, I'd like to understand why.
> >>
> >> -Thanks for adding in a privacy section!
> >>
> >>
> >> _______________________________________________
> >> ppsp mailing list
> >> ppsp@ietf.org
> >> https://www.ietf.org/mailman/listinfo/ppsp
> 
> 
> 
> --
> 
> Best regards,
> Kathleen