Re: [savi] Status of draft-ietf-savi-threat-scope

Stephen Farrell <> Wed, 15 June 2011 12:24 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 56EBB11E80F8 for <>; Wed, 15 Jun 2011 05:24:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -106.599
X-Spam-Status: No, score=-106.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jW5M04KV3pJc for <>; Wed, 15 Jun 2011 05:24:27 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 41F7C11E80F0 for <>; Wed, 15 Jun 2011 05:24:26 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 07765171C1E; Wed, 15 Jun 2011 13:24:03 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;; h= content-transfer-encoding:content-type:in-reply-to:references :subject:mime-version:user-agent:from:date:message-id:received :received:x-virus-scanned; s=cs; t=1308140642; bh=d6giFMSy7xEFZT wUNh0AFc9UiiOF8JHZXkoJudkwOvU=; b=xazsnY8PSRnvQKDrslAeVfgfgHnPxn DYGycqZwLyOkRVGBcrxZesLCtlmqUOmMayMTPGcA9Vuj//w2RLpI3hB/CByv9QKo 9ySNYgapSVhvH57qCcm9Z8QJp2ejWUgKc3Ttyb8F3bdRg1jGKQdubbWB1G54oq5g jWmb/2/SB2AsioAdAXW9EDscXp6F8hVRpPywtIzcAG5JoNS/doP0M6Z2nGj82WPN CblGmBmiKeCLNky2BnQrYArHDSKYGZ6mcQvgV/QZKHGn3zmLF9K8aKYkK7rVIojd cW+Rn5aoHaAEZ32iJRk+nqHRJGcJHTQsGzaFTBSd2UW5UJ++Fp/N+zHA==
X-Virus-Scanned: Debian amavisd-new at
Received: from ([]) by localhost ( []) (amavisd-new, port 10027) with ESMTP id QeJbY-YuJYP0; Wed, 15 Jun 2011 13:24:02 +0100 (IST)
Received: from [] ( []) by (Postfix) with ESMTPSA id C54B1171BFE; Wed, 15 Jun 2011 13:23:59 +0100 (IST)
Message-ID: <>
Date: Wed, 15 Jun 2011 13:23:59 +0100
From: Stephen Farrell <>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20110424 Lightning/1.0b2 Thunderbird/3.1.10
MIME-Version: 1.0
To: Jean-Michel Combes <>
References: <> <> <> <> <>
In-Reply-To: <>
X-Enigmail-Version: 1.1.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: SAVI Mailing List <>,
Subject: Re: [savi] Status of draft-ietf-savi-threat-scope
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mailing list for the SAVI working group at IETF <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 15 Jun 2011 12:24:28 -0000

Hi Jean-Michel,

On 08/06/11 18:28, Jean-Michel Combes wrote:
> Hi,
> At first sorry for the delayed reply.
> Please, see my comments inline.
> 2011/5/30 Jari Arkko <>et>:
>> Joel,
>>> As I have said, i am happy to make most of the changes.
>>> However, there are two changes requested by Ralph that change the scope in
>>> a way that I do not feel I (or you) can call for.
>>> I have been awaiting the Chair's review on these two substantive issues:
>>> 1) The issue of analysis of the effect of SAVI, and what threats remain
>>> after SAVI was requested by Stephen.  I pointed out that this is not in
>>> scope for the document, and he said that he wanted it anyway.  I punted to
>>> you and the chairs.  I believe it would take WG agreement, AD agreement on
>>> scope change, and chair direction, before I can make that change.
>> My opinion is that this document should NOT do that analysis or attempt to
>> find out precisely what residual threats are after some set of SAVI tools
>> have been implemented in a network. I think we touched upon it in the call,
>> but I  can talk to Stephen about it.
> I agree with Jari:
> (1) IMHO, this would be like to put the cart before the horse :)
> (2) to doing such an analysis you need a clear specification of a SAVI
> mechanism which is outside the scope of this document. BTW, during my
> review of FCFS SAVI for the ID Write-Up document, text about residual
> threats was added inside the Security Considerations section. I will
> carefully check that the DHCP SAVI, SEND SAVI and the Mix Scenario
> documents take into account this issue before requesting AD/IESG
> review.

So my question then is where will I go to find a description of
the residual threat for SAVI generally? Right now, it looks like
there's going to be no place for that.

The problem I see with that not being available is the following.

Each SAVI mechanism (FCFS etc.) is going to catch certain forms
of spoofing but inevitably leave others available and as you
say those mechanism-specific residual threats will need to be
documented in each SAVI spec.

But I think there are dangers inherent in deploying a network
with multiple SAVI mechanisms because of this - the issue being
that an innocent party might be blamed for some action on the
basis that a combination of SAVI mechanisms makes it "impossible"
that the action actually involved spoofing.

That kind of thing has happened in DRM-related cases so I
think its important that the residual threat when all the various
SAVI mechanisms are defined be properly documented somewhere.

In addition I would assume that vendors are likely to implement
more than one SAVI mechanism in some of their products, so
customers for those products should also be interested in the
residual threat for combinations of SAVI mechanisms.

And I think that only the SAVI WG will have the expertise
required to do that.

Would it make sense to try get someone to write a document
just on that towards the end of the process? (Assuming you
could get a volunteer? I can try see if some security area
type person would be willing to help as well if you like.)