RE: Secdir last call review of draft-ietf-rtgwg-net2cloud-problem-statement-36

Linda Dunbar <linda.dunbar@futurewei.com> Tue, 05 March 2024 01:05 UTC

From: Linda Dunbar <linda.dunbar@futurewei.com>
To: Deb Cooley <debcooley1@gmail.com>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-rtgwg-net2cloud-problem-statement.all@ietf.org" <draft-ietf-rtgwg-net2cloud-problem-statement.all@ietf.org>, "rtgwg@ietf.org" <rtgwg@ietf.org>
Subject: RE: Secdir last call review of draft-ietf-rtgwg-net2cloud-problem-statement-36
Date: Tue, 05 Mar 2024 01:05:37 +0000
Message-ID: <CO1PR13MB49202C23241E301DB62DEE9085222@CO1PR13MB4920.namprd13.prod.outlook.com>
References: <170929516566.22050.4912794500698236384@ietfa.amsl.com>
In-Reply-To: <170929516566.22050.4912794500698236384@ietfa.amsl.com>

Deb,

Thank you very much for the second review and the comments.
The detailed resolutions are inserted below.

Linda

-----Original Message-----
From: Deb Cooley via Datatracker <noreply@ietf.org>
Sent: Friday, March 1, 2024 6:13 AM
To: secdir@ietf.org
Cc: draft-ietf-rtgwg-net2cloud-problem-statement.all@ietf.org; rtgwg@ietf.org
Subject: Secdir last call review of draft-ietf-rtgwg-net2cloud-problem-statement-36

Reviewer: Deb Cooley
Review result: Has Issues

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

Document: draft-ietf-rtgwg-net2cloud-problem-statement-36

Reviewer: Deb Cooley

Review Date: 2024-03-01 (sort of last call)

The summary of the review is:

1.  Section 5.1, paragraph 2:  Certainly the principles and assumptions of RFC 4535* would apply to any group key management situation (note the word change from 'group encryption' to 'group key management').  The specific protocol addressed by that RFC isn't being used here (even though they mention ISAKMP).
How about something like this:

"The group key management protocol documented in [RFC4535] outlines the relevant security risks for any group key management system in Section 3 (Security Considerations).  While this particular protocol isn't being suggested, the drawbacks and risks of group key management are still relevant."
[Linda] Thank you very much for the suggested wording. Changed in v-37

2.  Section 5.1, paragraph 3:  The draft referenced here is expired and the security of the methods would have to be reviewed.  (that is listed in Section 7)
[Linda] removed the reference to SECURE-EVPN as the draft authors seem not eager to move the draft forward.

3.  Section 5.2:  The draft referenced in this section is (currently) an individual draft, and again the security of the methods would have to be reviewed. (I see that WG adoption has been requested, and the draft is listed in Section 7).
[Linda] Is it Okay?

4.  Section 5.2, para 2:  nit:  Please spell out SRH and VxLAN.
[Linda] added.


5.  Section 7, second to last bullet:  Please see my comments on Section 5.1.
I would use the words 'group key management' vice 'group encryption'.  It is the key management of a group system that is tricky and problematic, not the actual encryption per se. Something like this perhaps:

"Group key management comes with security risks such as:  keys being used too long, single points of compromise (one compromise affects the whole group), key distribution vulnerabilities, key generation vulnerabilities, to name a few.
[RFC4535] outlines the security risks in Section 3 (Security Considerations).
While this specific protocol isn't being suggested the risks and vulnerabilities apply to any group key management system."
[Linda] Thank you very much for the suggested wording. Changed in v-37.

6.  Section 7, last bullet:  Change 'improved IPsec tunnel management' to 'scaling IPsec tunnel management' to match the heading for Section 5.1.
[Linda] Changed.

7.  Note:  there are at least 3 expired drafts referenced as informational by this draft (1 of them is suggested as a security improvement).  It looks unusual to my eye.  Again, either the WG or the IESG should weigh in.
[Linda] all updated.

 * RFC 4535: Thanks for that blast from the past, it has been decades since I've seen some of those authors' names.