Re: [ppsp] Kathleen Moriarty's No Objection on draft-ietf-ppsp-base-tracker-protocol-11: (with COMMENT)
"Huangyihong (Rachel)" <rachel.huang@huawei.com> Wed, 16 December 2015 07:12 UTC
From: "Huangyihong (Rachel)" <rachel.huang@huawei.com>
To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, The IESG <iesg@ietf.org>
Date: Wed, 16 Dec 2015 07:12:21 +0000
Message-ID: <51E6A56BD6A85142B9D172C87FC3ABBB86E76198@nkgeml513-mbx.china.huawei.com>
References: <20151215022950.16440.50969.idtracker@ietfa.amsl.com>
In-Reply-To: <20151215022950.16440.50969.idtracker@ietfa.amsl.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ppsp/RmIAp06hejClR7FNGxSRF8ud_v4>
Cc: "ppsp-chairs@ietf.org" <ppsp-chairs@ietf.org>, "ppsp@ietf.org" <ppsp@ietf.org>, "draft-ietf-ppsp-base-tracker-protocol@ietf.org" <draft-ietf-ppsp-base-tracker-protocol@ietf.org>
Subject: Re: [ppsp] Kathleen Moriarty's No Objection on draft-ietf-ppsp-base-tracker-protocol-11: (with COMMENT)
Hi Kathleen,

Thank you for all the valuable comments. Please see my replies inline.

BR,
Rachel

> -----Original Message-----
> From: ppsp [mailto:ppsp-bounces@ietf.org] On Behalf Of Kathleen Moriarty
> Sent: Tuesday, December 15, 2015 10:30 AM
> To: The IESG
> Cc: ppsp-chairs@ietf.org; ppsp@ietf.org; draft-ietf-ppsp-base-tracker-protocol@ietf.org
> Subject: [ppsp] Kathleen Moriarty's No Objection on draft-ietf-ppsp-base-tracker-protocol-11: (with COMMENT)
>
> Kathleen Moriarty has entered the following ballot position for
> draft-ietf-ppsp-base-tracker-protocol-11: No Objection
>
> When responding, please keep the subject line intact and reply to all email
> addresses included in the To and CC lines. (Feel free to cut this introductory
> paragraph, however.)
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-ppsp-base-tracker-protocol/
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> 1. Section 5.2.7
> Please make mention and reference to security provisions for SNMP and Syslog.
> RFC5424 is just for syslog, so a pointer for SNMP security considerations should
> be added in this section as well. They use a boilerplate for the text and add
> considerations specific to a draft.
> Benoit - do you have a good reference for them to use? A more generic SNMP
> draft might not be up-to-date with the latest boilerplate text. If that's the
> case, the recent changes are small and could be stated with a pointer to an
> RFC with the older boilerplate text.
>
> - Thanks for adding an SNMP reference. I would think there is a better, more
> recent one that could be used. Moving to a comment for your AD to help you
> with and not hold up on this one.

[Rachel]: Will referring to [RFC5590] be better?

> 2. Are there any considerations for the statistics collected, can they be used in
> a malicious way? I would think so and that this would be an important
> security consideration. Mentioning possible issues would be helpful to the
> reader.
>
> - Thanks for adding in text about this one!
>
> 3. Section 6
> Reference to RFC2616 isn't enough for the security considerations of HTTP
> since that's a really old RFC. If you want authentication options, you could
> point to the HTTPAuth documents, which include updated versions of HTTP
> basic (RFC7616) and digest (RFC7617). While there are still lots of security
> issues with these options, the RFCs spell out what the actual considerations
> are, which are helpful to the reader. This raises the need for TLS 1.2 as well to
> provide session protection for the session (passive and active attacks) as well
> as for the authentication used.
>
> You mention HTTPAuth's digest in 6.1, but there's no reference. This is a little
> better, so I am moving this to a comment from discuss.

[Rachel]: Yes. I propose the following changes for the last paragraph of 6.1:

OLD
"
OAuth 2.0 Authorization [RFC6749] SHOULD be also considered when digest
authentication and HTTPS client certificates are required.
"

NEW
"
When peer (Client) authentication is desired at the tracker, HTTP Digest
Authentication [RFC7616] MUST be supported.
"

> 4. Section 6.1
> Why isn't TLS a must here to protect the session data?
> If you are relying on OAuth Bearer tokens, they offer no security protection
> without TLS, so to rely on this, I'd say TLS really should be a MUST. The
> authentication types to get a bearer token (at least in RFC documentation and
> in the registry) are all pretty weak and require TLS protection to have any level
> of security.
>
> With the TLS MUST, we are recommending TLS 1.2 as the minimum in drafts.
> It would be good to see a mention of TLS 1.2 as a minimum recommendation
> and a reference to the BCP for TLS 1.2 configurations RFC7525 (it even includes
> cipher suite recommendations).
>
> - Thanks for adding in the MUST for TLS and the reference to RFC7525.
>
> 5. Privacy
> I would have expected some discussion on the protection of the 2 ID types and
> the tracker capabilities and that session encryption (TLS) ought to be used
> when this is a consideration. Is there a reason this isn't covered? If it's not
> a concern, I'd like to understand why.
>
> -Thanks for adding in a privacy section!
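The two normative points settled in this exchange, HTTP Digest Authentication per RFC 7616 for peer authentication at the tracker (comment 3) and TLS 1.2 as the minimum for the session (comment 4), can be illustrated together. The following is an added example written for this archive page; it is not code from the PPSP tracker draft, from Huawei or from any PPSP implementation. The realm name `ppsp-tracker`, the peer `peer-001` and its password, and the request URI `/tracker` are constructed values, and the in-memory nonce set and credential store stand in for whatever a real tracker would use.

```python
import hashlib
import hmac
import secrets
import ssl

# Constructed values for a hypothetical tracker realm; none of these come from the draft.
REALM = "ppsp-tracker"
ISSUED_NONCES: set = set()  # nonces the tracker handed out and has not yet consumed


def h(data: str) -> str:
    """RFC 7616 H() for the SHA-256 algorithm: lowercase hex digest of the UTF-8 string."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """H(A1) = H(username:realm:password). The tracker stores only this, never the password."""
    return h(f"{username}:{realm}:{password}")


# Server-side credential store: H(A1) per peer (constructed sample peer).
PEER_HA1 = {"peer-001": ha1("peer-001", REALM, "correct horse battery staple")}


def make_challenge(realm: str = REALM) -> dict:
    """Server side: parameters of the WWW-Authenticate: Digest header (SHA-256, qop=auth)."""
    nonce = secrets.token_hex(16)
    ISSUED_NONCES.add(nonce)
    return {"realm": realm, "nonce": nonce, "algorithm": "SHA-256", "qop": "auth"}


def expected_response(ha1_hex: str, nonce: str, nc: str, cnonce: str, method: str, uri: str) -> str:
    """KD(H(A1), nonce:nc:cnonce:qop:H(A2)) with A2 = method:uri (RFC 7616 section 3.4.1, qop=auth)."""
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def client_authorization(username: str, password: str, challenge: dict,
                         method: str, uri: str, nc: str = "00000001") -> dict:
    """Client (peer) side: build the Authorization: Digest parameters answering a challenge."""
    cnonce = secrets.token_hex(8)
    resp = expected_response(ha1(username, challenge["realm"], password),
                             challenge["nonce"], nc, cnonce, method, uri)
    return {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "uri": uri, "qop": "auth", "nc": nc, "cnonce": cnonce,
            "algorithm": "SHA-256", "response": resp}


def verify_authorization(params: dict, method: str) -> bool:
    """Server side: accept only a response bound to a nonce this tracker issued and to the
    actual request method, recomputed from the stored H(A1) and compared in constant time.
    A nonce is consumed on success so the same Authorization header cannot be replayed."""
    if params.get("algorithm") != "SHA-256" or params.get("qop") != "auth":
        return False
    if params.get("realm") != REALM or params.get("nonce") not in ISSUED_NONCES:
        return False
    stored = PEER_HA1.get(params.get("username", ""))
    if stored is None:
        return False
    expected = expected_response(stored, params["nonce"], params["nc"],
                                 params["cnonce"], method, params["uri"])
    ok = hmac.compare_digest(expected, params.get("response", ""))
    if ok:
        ISSUED_NONCES.discard(params["nonce"])
    return ok


def tracker_tls_context() -> ssl.SSLContext:
    """HTTPS endpoint for the tracker: TLS 1.2 as the floor and a forward-secret AEAD
    cipher list, in the spirit of the RFC 7525 recommendations cited in the thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!MD5:!RC4")
    return ctx


if __name__ == "__main__":
    chal = make_challenge()
    auth = client_authorization("peer-001", "correct horse battery staple", chal, "POST", "/tracker")
    print("digest accepted:", verify_authorization(auth, "POST"))
    print("replay accepted:", verify_authorization(auth, "POST"))
    print("TLS floor:", tracker_tls_context().minimum_version.name)
```

Digest authentication only binds the peer's identity to one request; it does not hide the request body or the tracker's responses, which is why the thread pairs it with a TLS MUST. The context above is what the tracker would hand to its HTTPS listener; a certificate and key still have to be loaded with `load_cert_chain` before it can serve.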