[Roll] Security threat analysis for applicability draft
peter van der Stok <stokcons@xs4all.nl> Thu, 13 March 2014 10:25 UTC
Archived-At: http://mailarchive.ietf.org/arch/msg/roll/D0emrHf5W8QOkMQ46hfnLxo-RA8
Hi Richard,

Thanks for the security threats draft. It certainly provides a large part of the text needed in the applicability drafts. However, I am not sure I interpreted the text according to your intentions.

Looking at section 7 in more detail, I tried to establish where the applicability draft can be complementary to the text of the security draft.

From section 7.1 I understand that key length, encryption algorithm and key lifetime need to be specified. Unfortunately, much of this is still in progress and can change with DICE and ACE recommendations.

Complementing section 7.2, link-layer security will probably be used today, but in 2 years' time?

Complementing section 7.3. Do I understand that using multiple paths for reliability reasons should be mentioned as increasing routing security?

Complementing section 7.4. Writing down choices, as already provided by the threats draft, will be more realistic than writing down recommendations.

Complementing section 7.5. Is this the place one should write down physical access constraints or recommend to provide filtering edge routers at the border of the system?

In conclusion, I am very happy with the threats document and its recommendations, but I see little opportunity to improve on it in the applicability draft.

Thanks for a reaction,

Peter

--
Peter van der Stok
mailto: consultancy@vanderstok.org
www: www.vanderstok.org
tel NL: +31(0)492474673 F: +33(0)966015248