Re: [privacydir] request for a SAVI doc review

Stephen Farrell <> Tue, 01 November 2011 11:30 UTC

Hi Ted,

I've also had a read of this now and agree with you. I'm putting
in a discuss that says:

"This makes no mention at all of privacy which I think needs to
be there somewhere. Given that Joel is planning to add text on
that to savi-threats I'd be fine if that is just referenced from
here, or even if that text is moved from savi-threats to this
document, and savi-threats could refer to it here. But the
privacy implications of SAVI do need to be covered here too."

I think that ought to be ok since I expect Joel to do a good
job on this in the savi-threats document. I also put in a link
to your mail as a comment.

Let me know if you think that more or something else is
likely to be needed.

Thanks again for the review,

On 10/31/2011 08:07 PM, Ted Hardie wrote:
> Hi Stephen,
> I've read through the framework document.  My baseline impression is that
> the document makes a presumption about the relationship between the host
> and the network employing SAVI that is true when it is the access network
> (that is, the network assigning the IP address to be verified).  In that
> deployment scenario, it is expected for the network to be able to associate
> layer two identifiers with the layer 3 identifier (after all, it must to be
> able to deliver return traffic).
> What's not clear to the naive reader (read: me) is how you prevent SAVI
> from operating from other parts of the network; that is, how does the
> overall framework guard against SAVI being used by some later network
> on-path getting access to these bindings? I assume that this is detailed
> elsewhere in the protocol documents, but I believe a short discussion of
> the privacy threat in framework, along with a pointer to the protocol
> mechanism would be valuable.
> If the expectation is that SAVI can operate from multiple places in the
> network (including, say, the destination network), then I believe there is
> a more serious privacy concern.
> regards,
> Ted Hardie
> On Thu, Oct 27, 2011 at 9:07 AM, Stephen Farrell
> <> wrote:
>> Hi,
>> There's a SAVI document [1] on the Nov 3 telechat. I'd appreciate
>> a review of that from a privacy perspective if someone has the
>> time in the next week. (Just reply to this if you've time.)
>> Previous SAVI documents have generated privacy related
>> DISCUSSes [2,3] which may be useful background.
>> Thanks in advance,
>> S.
>> [1] doc/draft-ietf-savi-framework/
>> [2] doc/draft-ietf-savi-fcfs/
>> [3] doc/draft-ietf-savi-threat-scope/