[secdir] SecDir review of draft-ietf-dime-rfc4005bis-11

"Moriarty, Kathleen" <kathleen.moriarty@emc.com> Fri, 21 September 2012 22:28 UTC

Return-Path: <kathleen.moriarty@emc.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 94A6121E808F; Fri, 21 Sep 2012 15:28:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.248
X-Spam-Status: No, score=-2.248 tagged_above=-999 required=5 tests=[AWL=0.351, BAYES_00=-2.599]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id QWf3Ik+H0bVl; Fri, 21 Sep 2012 15:28:57 -0700 (PDT)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com []) by ietfa.amsl.com (Postfix) with ESMTP id E244E21E803A; Fri, 21 Sep 2012 15:28:56 -0700 (PDT)
Received: from hop04-l1d11-si02.isus.emc.com (HOP04-L1D11-SI02.isus.emc.com []) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id q8LMSnEc022177 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Fri, 21 Sep 2012 18:28:53 -0400
Received: from mailhub.lss.emc.com (mailhub.lss.emc.com []) by hop04-l1d11-si02.isus.emc.com (RSA Interceptor); Fri, 21 Sep 2012 18:28:32 -0400
Received: from mxhub08.corp.emc.com (mxhub08.corp.emc.com []) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id q8LMSUXU027132; Fri, 21 Sep 2012 18:28:31 -0400
Received: from mx15a.corp.emc.com ([]) by mxhub08.corp.emc.com ([]) with mapi; Fri, 21 Sep 2012 18:28:30 -0400
From: "Moriarty, Kathleen" <kathleen.moriarty@emc.com>
To: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-dime-rfc4005bis.all@tools.ietf.org" <draft-ietf-dime-rfc4005bis.all@tools.ietf.org>, "glenzorn@gmail.com" <glenzorn@gmail.com>
Date: Fri, 21 Sep 2012 18:25:15 -0400
Thread-Topic: SecDir review of draft-ietf-dime-rfc4005bis-11
Thread-Index: AQHNmEf5ogx3Rp/zS0qV+lA4m6/dcg==
Message-ID: <F5063677821E3B4F81ACFB7905573F24092B0179@MX15A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [secdir] SecDir review of draft-ietf-dime-rfc4005bis-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Sep 2012 22:28:57 -0000

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

This document describes the extension of Diameter for the NAS application. 

As such, should the abstract be updated to ensure the reader is aware of the scope limitation in the first sentence?

In reading through the draft, I agree with the summary in the Security considerations section.  This document is limited in scope, it extends the definition and doesn't go into the details of the protocol and the associated security considerations. The base protocol is defined in RFC3588bis along with the security requirements.  

I think a reference to the authentication security requirements/considerations defined in ietf-dime-rfc3588bis would be very helpful so that the reader knows the extent of possible security issues and solutions since they go beyond what is described in this document.  Having the reference either in Sections 4.3.1 and 4.5.6 or the Security Considerations section would ensure the reader is aware this is addressed elsewhere.  Some issues are addressed in these sections, but they do not go as far as the base protocol and there could be issues as this document just relies on session encryption to protect plaintext passwords, etc.  The base protocol describes other mechanisms and risks.

Editorial nit:
Section 1.1, first sentence of last paragraph
Change from:
"There are many other many miscellaneous"
"There are many other miscellaneous"