[radext] secdir review of draft-ietf-radext-ip-port-radius-ext-10
Carl Wallace <carl@redhoundsoftware.com> Mon, 15 August 2016 19:56 UTC
Return-Path: <carl@redhoundsoftware.com>
X-Original-To: expand-draft-ietf-radext-ip-port-radius-ext.all@virtual.ietf.org
Delivered-To: radext@ietfa.amsl.com
Received: by ietfa.amsl.com (Postfix, from userid 65534) id B7B4112D75C; Mon, 15 Aug 2016 12:56:15 -0700 (PDT)
X-Original-To: xfilter-draft-ietf-radext-ip-port-radius-ext.all@ietfa.amsl.com
Delivered-To: xfilter-draft-ietf-radext-ip-port-radius-ext.all@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9240C12D76B for <xfilter-draft-ietf-radext-ip-port-radius-ext.all@ietfa.amsl.com>; Mon, 15 Aug 2016 12:56:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=redhoundsoftware-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FyB_yBet-f4S for <xfilter-draft-ietf-radext-ip-port-radius-ext.all@ietfa.amsl.com>; Mon, 15 Aug 2016 12:56:13 -0700 (PDT)
Received: from mail-qt0-x229.google.com (mail-qt0-x229.google.com [IPv6:2607:f8b0:400d:c0d::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C95912D75C for <draft-ietf-radext-ip-port-radius-ext.all@ietf.org>; Mon, 15 Aug 2016 12:56:13 -0700 (PDT)
Received: by mail-qt0-x229.google.com with SMTP id x25so25866216qtx.2 for <draft-ietf-radext-ip-port-radius-ext.all@ietf.org>; Mon, 15 Aug 2016 12:56:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhoundsoftware-com.20150623.gappssmtp.com; s=20150623; h=user-agent:date:subject:from:to:cc:message-id:thread-topic :mime-version:content-transfer-encoding; bh=dJMhGiBB0rr3mnd78VeaRF++unrNucAp9WA1as42Tec=; b=sqm/cXeAu8NMX9Q55Vpu0MB97zSSA50kWlA9e2OqVTNfXQgMs4a1inF1GnMdnJ3RXO Nin8rHFnyEGsV3DqALDNcj+qpxuu+coSdRVszHkvBgY/hPr9ZrDEIUF56rVHlvQbABHk TVRBz4HYWD2GSasKmSjvKlDO+sf26eV9Qn8AchRIzJ5vbiQTLgihVxDJVdEoK/JbpZ67 zTEgw6J7howheiNqhEbJEChm8Zrf0lhFOwBuz3C3HUCJkryaU1qxh7+dhEGriyVpaj5V NfBBprpzNND7iLAXqt/+U9hSPYHT0QShWbcvRi3Og7NWqhgoJcgFEmotsQfU11Zt03py nGlA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:user-agent:date:subject:from:to:cc:message-id :thread-topic:mime-version:content-transfer-encoding; bh=dJMhGiBB0rr3mnd78VeaRF++unrNucAp9WA1as42Tec=; b=TEasD4XfZ8IAVzmPzXPG1+YY6BZ+ap8twc+i+ZsDMe5vqnuD02M60JY51BPeEIDlGG yBFugy2tvpA+A9S4oRg+c/SvMEdNNu3anm9SmWIZG7ezlmBA6dlRXBUZn335XuvuOHl6 LJolxMJbZhDdc7eK2oVPmASx3zUIdya6Djcg7ZokNkYoBrOShhz4ZLgPNB6JkH/TOwX0 8IVgL95OZOAl21sURKszPAO9ffmkAmhZghUSJlm1YvcQjHOMI8Bp8rx92XVePvb4jlHO ZKt7uYysvmm+5/DDiyzpiWooPm25ltrfpJBkZczXzKM+hA6M7JApMXSVNhjkx1stgoVO 9PUg==
X-Gm-Message-State: AEkoouuSQoLOae2Rcqcl+9+iisRMQyK/Zhfq83k7DuKAAWxnOS75Oz48ktEocIstosfhVg==
X-Received: by 10.200.46.25 with SMTP id r25mr34336892qta.114.1471290972081; Mon, 15 Aug 2016 12:56:12 -0700 (PDT)
Received: from [192.168.2.29] (pool-96-255-23-4.washdc.fios.verizon.net. [96.255.23.4]) by smtp.gmail.com with ESMTPSA id p2sm13249253qta.15.2016.08.15.12.56.09 (version=TLS1 cipher=AES128-SHA bits=128/128); Mon, 15 Aug 2016 12:56:11 -0700 (PDT)
User-Agent: Microsoft-MacOutlook/14.5.8.151023
Date: Mon, 15 Aug 2016 15:56:05 -0400
From: Carl Wallace <carl@redhoundsoftware.com>
To: draft-ietf-radext-ip-port-radius-ext.all@ietf.org
Message-ID: <D3D79695.6B471%carl@redhoundsoftware.com>
Thread-Topic: secdir review of draft-ietf-radext-ip-port-radius-ext-10
Mime-version: 1.0
Content-type: text/plain; charset="UTF-8"
Content-transfer-encoding: 7bit
Resent-From: alias-bounces@ietf.org
Resent-To: dean.cheng@huawei.com, jouni.nospam@gmail.com, mohamed.boucadair@orange.com, ssenthil@cisco.com, stefan.winter@restena.lu, lionel.morand@orange.com, bclaise@cisco.com, joelja@bogus.com, Kathleen.Moriarty.ietf@gmail.com, radext@ietf.org
Resent-Message-Id: <20160815195615.B7B4112D75C@ietfa.amsl.com>
Resent-Date: Mon, 15 Aug 2016 12:56:15 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/r0i961Y-_hMQUvhOp7tOFGjNP0o>
Cc: iesg@ietf.org, secdir@ietf.org
Subject: [radext] secdir review of draft-ietf-radext-ip-port-radius-ext-10
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2016 19:56:16 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document defines three new RADIUS attributes. For devices that implement IP port ranges, these attributes are used to communicate with a RADIUS server in order to configure and report TCP/UDP ports and ICMP identifiers, as well as mapping behavior for specific hosts. I've a few questions/comments: - The Security Considerations section currently references the security considerations from 2865 and 5176. Should 6887 be included to address considerations related to the forwarding attribute? - When the port limit attribute is used, does presentation of a new "global" setting undo previously established IP specific settings (or vice versa)? - Should the IP-Port-Range attribute require at least one of IP-Port-Ext-IPv4-Addr or IP-Port-Local-Id to be present? How is the attribute used when both are absent? - The summary statement associated with the attributes in section 1 might benefit from indicating the purpose of the attribute relative to each packet type in which it may appear (for example, the purpose of a port limit info attribute is different when included in an Access-Request than in an Access-Response). - Each attribute lists applicable packet types and indicates the attribute must not appear in any other packet type. It may be worth adding a note to clarify what should happen if the attribute does appear (assuming ignore). - The UE acronym on page 30 should be expanded. - In 3.1.2, change "are previously allocated" to "were previously allocated". - In 4.1.3, is "RADIUS associate" a commonly used term? This seems like a requirement on use with CoA-Requests that should be mentioned earlier.
- [radext] secdir review of draft-ietf-radext-ip-po… Carl Wallace
- Re: [radext] secdir review of draft-ietf-radext-i… mohamed.boucadair