IETF Logo Mail Archive

Re: [saag] should we revise rfc 3365?

"Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com> Tue, 29 May 2012 16:52 UTC

Return-Path: <hannes.tschofenig@nsn.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30B7D21F86BA for <saag@ietfa.amsl.com>; Tue, 29 May 2012 09:52:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.561
X-Spam-Level:
X-Spam-Status: No, score=-106.561 tagged_above=-999 required=5 tests=[AWL=0.038, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LmKh4GI2nsV0 for <saag@ietfa.amsl.com>; Tue, 29 May 2012 09:52:08 -0700 (PDT)
Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [93.183.12.32]) by ietfa.amsl.com (Postfix) with ESMTP id 5126321F8503 for <saag@ietf.org>; Tue, 29 May 2012 09:52:08 -0700 (PDT)
Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id q4TGq67J007325 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 29 May 2012 18:52:06 +0200
Received: from demuexc022.nsn-intra.net (demuexc022.nsn-intra.net [10.150.128.35]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id q4TGq522032288; Tue, 29 May 2012 18:52:05 +0200
Received: from FIESEXC035.nsn-intra.net ([10.159.0.25]) by demuexc022.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.4675); Tue, 29 May 2012 18:52:05 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 29 May 2012 19:53:59 +0300
Message-ID: <999913AB42CC9341B05A99BBF358718D017FDDE6@FIESEXC035.nsn-intra.net>
In-Reply-To: <4FC4F05B.2090907@cs.tcd.ie>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [saag] should we revise rfc 3365?
Thread-Index: Ac09stmUqcfCAK3FSHacGv5Ra4qEyQABsgUg
References: <4FBD6A78.2070204@cs.tcd.ie> <999913AB42CC9341B05A99BBF358718D017BA225@FIESEXC035.nsn-intra.net> <4FC4F05B.2090907@cs.tcd.ie>
From: "Tschofenig, Hannes (NSN - FI/Espoo)" <hannes.tschofenig@nsn.com>
To: ext Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-OriginalArrivalTime: 29 May 2012 16:52:05.0833 (UTC) FILETIME=[60F30390:01CD3DBB]
X-purgate-type: clean
X-purgate-Ad: Categorized by eleven eXpurgate (R) http://www.eleven.de
X-purgate: clean
X-purgate: This mail is considered clean (visit http://www.eleven.de for further information)
X-purgate-size: 2424
X-purgate-ID: 151667::1338310326-00001F01-DA554308/0-0/0-0
Cc: saag@ietf.org
Subject: Re: [saag] should we revise rfc 3365?
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 May 2012 16:52:09 -0000

Regarding the text below I believe I am suggesting to investigate the
cases where the security deployment did not happen as planned. We are
jumping to conclusions far too quickly and the reasons for why things
did not work out as planned may have many reasons - many of them may not
be so obvious. For some reason we often believe another document will
fix the problem.

In the IAB, for example, we did some reviews of protocols (with respect
to privacy) and got some interesting insights as to what the problems
were with the way we approached privacy in the past. I would be
surprised if nobody had ever looked at the details of how the work on
security evolved for specific protocols. 

> > I also noticed that some protocols do not necessarily have a
realistic
> > security solution. The reasons are, however, often complex.
> >
> > SIP, for example, has taken quite a different deployment route than
> many
> > of us had thought and consequently security had been impacted by
this
> > development as well. I don't even know where to start when talking
> about
> > the challenges for SIP security. There is a huge mixture of business
> > models (e.g., SBCs, interconnection models), technical & user
> interface
> > challenges, the attempt to replicate the PSTN (with all it the
> features)
> > and the rise of the Web.
> >
> > It is difficult to say what the right time is to conclude that
> something
> > had gone wrong and needs to be fixed or whether the time for a
> specific
> > protocol just had not come yet. I have this discussions periodically
> > with the mobility guys (and there is plenty of exciting security
work
> > had been done with essentially zero deployment). Mobile IP is a
> > particularly interesting case since the security components are the
> > heaviest part in the protocol and the question arises whether the
> choice
> > of security technology has actually lead to the lack of deployment.
> 
> So are you arguing that we ought stage "compliance" with
> 3365 somehow? Even for standards track specs? I think I'd
> push back against that on the basis that it'd be hard to
> believe a load of WGs would properly consider security
> but not produce the goods until after their main work is
> done. It'd also be bolt-on security as well I guess, which
> often turns out badly. (Though fictional security is also
> maybe just as bad.)

v2.23.0 | Report a Bug | By Email