Re: Secdir last call review of draft-ietf-rtgwg-net2cloud-problem-statement-36

Deb Cooley <debcooley1@gmail.com> Tue, 05 March 2024 11:19 UTC

From: Deb Cooley <debcooley1@gmail.com>
Date: Tue, 05 Mar 2024 06:19:10 -0500
Message-ID: <CAGgd1Of_3KuOpg4G9Pf0N4Qm-g+a0ymrVUV36Q0RY93gc-9Tfg@mail.gmail.com>
Subject: Re: Secdir last call review of draft-ietf-rtgwg-net2cloud-problem-statement-36
To: Linda Dunbar <linda.dunbar@futurewei.com>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-rtgwg-net2cloud-problem-statement.all@ietf.org" <draft-ietf-rtgwg-net2cloud-problem-statement.all@ietf.org>, "rtgwg@ietf.org" <rtgwg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtgwg/egHo1n23lHuo_F1i0ijZloH-_rM>

These are fine resolutions.  I'll check the draft once the publication
window opens again.

Deb

On Mon, Mar 4, 2024 at 8:05 PM Linda Dunbar <linda.dunbar@futurewei.com>
wrote:

> Deb,
>
> Thank you very much for the second review and the comments.
> The detailed resolutions are inserted below.
>
> Linda
>
> -----Original Message-----
> From: Deb Cooley via Datatracker <noreply@ietf.org>
> Sent: Friday, March 1, 2024 6:13 AM
> To: secdir@ietf.org
> Cc: draft-ietf-rtgwg-net2cloud-problem-statement.all@ietf.org;
> rtgwg@ietf.org
> Subject: Secdir last call review of
> draft-ietf-rtgwg-net2cloud-problem-statement-36
>
> Reviewer: Deb Cooley
> Review result: Has Issues
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security area
> directors.
> Document editors and WG chairs should treat these comments just like any
> other last call comments.
>
> Document: draft-ietf-rtgwg-net2cloud-problem-statement-36
>
> Reviewer: Deb Cooley
>
> Review Date: 2024-03-01 (sort of last call)
>
> The summary of the review is:
>
> 1.  Section 5.1, paragraph 2:  Certainly the principles and assumptions of
> RFC 4535* would apply to any group key management situation (note the word
> change from 'group encryption' to 'group key management').  The specific
> protocol addressed by that RFC isn't being used here (even though they
> mention ISAKMP).
> How about something like this:
>
> "The group key management protocol documented in [RFC4535] outlines the
> relevant security risks for any group key management system in Section 3
> (Security Considerations).  While this particular protocol isn't being
> suggested, the drawbacks and risks of group key management are still
> relevant."
> [Linda] Thank you very much for the suggested wording. Changed in v-37
>
> 2.  Section 5.1, paragraph 3:  The draft referenced here is expired and
> the security of the methods would have to be reviewed.  (That is listed in
> Section 7.)
> [Linda] removed the reference to SECURE-EVPN as the draft authors seem not
> eager to move the draft forward.
>
> 3.  Section 5.2:  The draft referenced in this section is (currently) an
> individual draft, and again the security of the methods would have to be
> reviewed. (I see that WG adoption has been requested, and the draft is
> listed in Section 7).
> [Linda] Is it Okay?
>
> 4.  Section 5.2, para 2:  nit:  Please spell out SRH and VxLAN.
> [Linda] added.
>
>
> 5.  Section 7, second to last bullet:  Please see my comments on Section
> 5.1.  I would use the words 'group key management' vice 'group encryption'.
> It is the key management of a group system that is tricky and problematic,
> not the actual encryption per se.  Something like this perhaps:
>
> "Group key management comes with security risks such as:  keys being used
> too long, single points of compromise (one compromise affects the whole
> group), key distribution vulnerabilities, key generation vulnerabilities,
> to name a few.  [RFC4535] outlines the security risks in Section 3 (Security
> Considerations).  While this specific protocol isn't being suggested, the
> risks and vulnerabilities apply to any group key management system."
> [Linda] Thank you very much for the suggested wording. Changed in v-37.
>
> 6.  Section 7, last bullet:  Change 'improved IPsec tunnel management' to
> 'scaling IPsec tunnel management' to match the heading for Section 5.1.
> [Linda] Changed.
>
> 7.  Note:  there are at least 3 expired drafts referenced as informational
> by this draft (1 of them is suggested as a security improvement).  It looks
> unusual to my eye.  Again, either the WG or the IESG should weigh in.
> [Linda] all updated.
>
> * RFC 4535: Thanks for that blast from the past, it has been decades
> since I've seen some of those authors' names.
>