Re: [ppsp] Kathleen Moriarty's No Objection on draft-ietf-ppsp-base-tracker-protocol-11: (with COMMENT)
"Huangyihong (Rachel)" <rachel.huang@huawei.com> Thu, 17 December 2015 03:43 UTC
Return-Path: <rachel.huang@huawei.com>
X-Original-To: ppsp@ietfa.amsl.com
Delivered-To: ppsp@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E61021AC429; Wed, 16 Dec 2015 19:43:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jSYNW5bToUiK; Wed, 16 Dec 2015 19:43:02 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1EF031AC42C; Wed, 16 Dec 2015 19:43:00 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml405-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CBR69162; Thu, 17 Dec 2015 03:42:59 +0000 (GMT)
Received: from LHREML707-CAH.china.huawei.com (10.201.5.199) by lhreml405-hub.china.huawei.com (10.201.5.242) with Microsoft SMTP Server (TLS) id 14.3.235.1; Thu, 17 Dec 2015 03:42:58 +0000
Received: from NKGEML410-HUB.china.huawei.com (10.98.56.41) by lhreml707-cah.china.huawei.com (10.201.5.199) with Microsoft SMTP Server (TLS) id 14.3.235.1; Thu, 17 Dec 2015 03:42:57 +0000
Received: from NKGEML513-MBX.china.huawei.com ([169.254.1.252]) by nkgeml410-hub.china.huawei.com ([10.98.56.41]) with mapi id 14.03.0235.001; Thu, 17 Dec 2015 11:42:50 +0800
From: "Huangyihong (Rachel)" <rachel.huang@huawei.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Thread-Topic: [ppsp] Kathleen Moriarty's No Objection on draft-ietf-ppsp-base-tracker-protocol-11: (with COMMENT)
Thread-Index: AQHRNvAAUVhaZeA6P0mZ5gruM113FJ7NLeUw///rs4CAAWxSAA==
Date: Thu, 17 Dec 2015 03:42:49 +0000
Message-ID: <51E6A56BD6A85142B9D172C87FC3ABBB86E765D1@nkgeml513-mbx.china.huawei.com>
References: <20151215022950.16440.50969.idtracker@ietfa.amsl.com> <51E6A56BD6A85142B9D172C87FC3ABBB86E76198@nkgeml513-mbx.china.huawei.com> <CAHbuEH4wTZia1Sye-Hhjf=UN1wXmOr81KtEF5atQcV_UKo0r_w@mail.gmail.com>
In-Reply-To: <CAHbuEH4wTZia1Sye-Hhjf=UN1wXmOr81KtEF5atQcV_UKo0r_w@mail.gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.136.79.29]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020203.56722F43.0049, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.1.252, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 4fbb603b2ffcf20d96361a10ed70df1c
Archived-At: <http://mailarchive.ietf.org/arch/msg/ppsp/8ehq8-tA3zx-nhriexXtjI8Pf6M>
Cc: "ppsp-chairs@ietf.org" <ppsp-chairs@ietf.org>, "ppsp@ietf.org" <ppsp@ietf.org>, The IESG <iesg@ietf.org>, "draft-ietf-ppsp-base-tracker-protocol@ietf.org" <draft-ietf-ppsp-base-tracker-protocol@ietf.org>
Subject: Re: [ppsp] Kathleen Moriarty's No Objection on draft-ietf-ppsp-base-tracker-protocol-11: (with COMMENT)
X-BeenThere: ppsp@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: discussing to draw up peer to peer streaming protocol <ppsp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ppsp>, <mailto:ppsp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ppsp/>
List-Post: <mailto:ppsp@ietf.org>
List-Help: <mailto:ppsp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ppsp>, <mailto:ppsp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2015 03:43:05 -0000
Hi Kathleen, I'll update it according to your suggestion. Thank you very much. BR, Rachel > -----Original Message----- > From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com] > Sent: Wednesday, December 16, 2015 9:37 PM > To: Huangyihong (Rachel) > Cc: The IESG; ppsp-chairs@ietf.org; ppsp@ietf.org; > draft-ietf-ppsp-base-tracker-protocol@ietf.org > Subject: Re: [ppsp] Kathleen Moriarty's No Objection on > draft-ietf-ppsp-base-tracker-protocol-11: (with COMMENT) > > Hi Rachael, > > On Wed, Dec 16, 2015 at 2:12 AM, Huangyihong (Rachel) > <rachel.huang@huawei.com> wrote: > > Hi Kathleen, > > > > Thank you for all the valuable comments. Please see my replies inline. > > > > BR, > > Rachel > > > > > >> -----Original Message----- > >> From: ppsp [mailto:ppsp-bounces@ietf.org] On Behalf Of Kathleen > >> Moriarty > >> Sent: Tuesday, December 15, 2015 10:30 AM > >> To: The IESG > >> Cc: ppsp-chairs@ietf.org; ppsp@ietf.org; > >> draft-ietf-ppsp-base-tracker-protocol@ietf.org > >> Subject: [ppsp] Kathleen Moriarty's No Objection on > >> draft-ietf-ppsp-base-tracker-protocol-11: (with COMMENT) > >> > >> Kathleen Moriarty has entered the following ballot position for > >> draft-ietf-ppsp-base-tracker-protocol-11: No Objection > >> > >> When responding, please keep the subject line intact and reply to all > >> email addresses included in the To and CC lines. (Feel free to cut > >> this introductory paragraph, however.) > >> > >> > >> Please refer to > >> https://www.ietf.org/iesg/statement/discuss-criteria.html > >> for more information about IESG DISCUSS and COMMENT positions. > >> > >> > >> The document, along with other ballot positions, can be found here: > >> https://datatracker.ietf.org/doc/draft-ietf-ppsp-base-tracker-protoco > >> l/ > >> > >> > >> > >> --------------------------------------------------------------------- > >> - > >> COMMENT: > >> --------------------------------------------------------------------- > >> - > >> > >> 1. Section 5.2.7 > >> Please make mention and reference to security provisions for SNMP and > Syslog. > >> RFC5424 is just for syslog, so a pointer for SNMP security > >> considerations should be added in this section as well. They use a > >> boilerplate for the text and add considerations specific to a draft. > >> Benoit - do you have a good reference for them to use? A more > >> generic SNMP draft might not be up-to-date with the latest > >> boilerplate text. If that's the case, the recent changes are small > >> and could be stated with a pointer to an RFC with the older boilerplate text. > >> > >> - Thanks for adding an SNMP reference. I would think there is a > >> better, more recent one that could be used. Moving to a comment for > >> your AD to help you with and not hold up on this one. > > > > [Rachel]: Will referring to [RFC5590] be better? > > > >> > >> > >> 2. Are there any considerations for the statistics collected, can > >> they be used in a malicious way? I would think so and that this > >> would be an important security consideration. Mentioning possible > >> issues would be helpful to the reader. > >> > >> - Thanks for adding in text about this one! > >> > >> 3. Section 6 > >> Reference to RFC2616 isn't enough for the security considerations of > >> HTTP since that's a really old RFC. If you want authentication > >> options, you could point to the HTTPAuth documents, which include > >> updated versions of HTTP basic (RFC7616) and digest (RFC7617). While > >> there are still lots of security issues with these options, the RFCs > >> spell out what the actual considerations are, which are helpful to > >> the reader. This raises the need for TLS 1.2 as well to provide > >> session protection for the session (passive and active attacks) as well as for > the authentication used. > >> > >> You mention HTTPAuth's digest in 6.1, but there's no reference. This > >> is a little better, so I am moving this to a comment from discuss. > > > > [Rachel]: Yes. I propose following changes for the last paragraph of 6.1: > > > > OLD > > " > > OAuth 2.0 Authorization [RFC6749] SHOULD be also considered when > > digest authentication and HTTPS client certificates are required. > > " > > NEW > > " > > When peer (Client) authentication is desired at the tracker, HTTP Digest > Authentication [RFC7616] MUST be supported. > > " > > I think what you had is better as it allowed for certificate based authentication > as well. HTTP Digest has it's problems, which are cited in RFC7616. A MUST > for that isn't a good idea. Just include the reference for RFC7616 with the > older text. > > Thank you, > Kathleen > > > > >> > >> 4. Section 6.1 > >> Why isn't TLS a must here to protect the session data? > >> If you are relying on OAuth Bearer tokens, they offer no security > >> protection without TLS, so to rely on this, I'd say TLS really should > >> be a MUST. The authentication types to get a bearer token (at least > >> in RFC documentation and in the registry) are all pretty weak and > >> require TLS protection to have any level of security. > >> > >> With the TLS MUST, we are recommending TLS 1.2 as the minimum in drafts. > >> It would be good to see a mention of TLS 1.2 as a minimum > >> recommendation and a reference to the BCP for TLS 1.2 configurations > >> RFC7525 (it even includes cipher suite recommendations). > >> > >> - Thanks for adding in the MUST for TLS and the reference to RFC7525. > >> > >> 5. Privacy > >> I would have expected some discussion on the protection of the 2 ID > >> types and the tracker capabilities and that session encryption (TLS) > >> ought to be used when this is a consideration. Is there a reason > >> this isn't covered? If it's not a concern, I'd like to understand why. > >> > >> -Thanks for adding in a privacy section! > >> > >> > >> _______________________________________________ > >> ppsp mailing list > >> ppsp@ietf.org > >> https://www.ietf.org/mailman/listinfo/ppsp > > > > -- > > Best regards, > Kathleen
- [ppsp] Kathleen Moriarty's No Objection on draft-… Kathleen Moriarty
- Re: [ppsp] Kathleen Moriarty's No Objection on dr… Huangyihong (Rachel)
- Re: [ppsp] Kathleen Moriarty's No Objection on dr… Huangyihong (Rachel)
- Re: [ppsp] Kathleen Moriarty's No Objection on dr… Kathleen Moriarty