Re: [secdir] secdir review of draft-ietf-csi-dhcpv6-cga-ps-04.txt

Sheng Jiang <shengjiang@huawei.com> Sat, 09 October 2010 02:40 UTC

Date: Sat, 09 Oct 2010 10:41:08 +0800
From: Sheng Jiang <shengjiang@huawei.com>
In-reply-to: <AC6674AB7BC78549BB231821ABF7A9AE9068781869@EMBX01-WF.jnpr.net>
To: 'Stephen Hanna' <shanna@juniper.net>, ietf@ietf.org, iesg@ietf.org, secdir@ietf.org, draft-ietf-csi-dhcpv6-cga-ps@tools.ietf.org

Hi, Stephen,

Sorry for the late reply. We were on the Chinese National Holiday. Please see my reply below.

Best regards,

Sheng 

> -----Original Message-----
> From: Stephen Hanna [mailto:shanna@juniper.net] 
> Sent: Saturday, October 02, 2010 10:56 AM
> To: ietf@ietf.org; iesg@ietf.org; secdir@ietf.org; 
> draft-ietf-csi-dhcpv6-cga-ps@tools.ietf.org
> Subject: secdir review of draft-ietf-csi-dhcpv6-cga-ps-04.txt
> 
> I have reviewed this document as part of the security 
> directorate's ongoing effort to review all IETF documents 
> being processed by the IESG. These comments were written 
> primarily for the benefit of the security area directors. 
> Document editors and WG chairs should treat these comments 
> just like any other last call comments.
> 
> This document discusses several ways that DHCPv6 can be used 
> with Cryptographically Generated Addresses (CGA), pointing 
> out benefits and concerns. While the document does discuss 
> security issues in several places, it often lapses into vague 
> terminology like "one should carefully consider the impact on 
> security". Given that the primary benefit of using CGAs is to 
> improve security by providing address validation without 
> complex key distribution, carefully analyzing security issues 
> seems necessary for this document.
> 
> On the other hand, the Document Shepherd Write-up for this 
> document says "The WG was not very energetic on this 
> document. The document describes possible applications of 
> CGAs and DHCP interaction and when the WG was asked whether 
> there was enough interest to work on solutions, the reply was 
> silence. As such, the consensus is based on most of the WG 
> being indifferent." So maybe this document is only intended 
> as a sketch of possible issues that can be explored later in 
> a more in-depth document if someone is interested in doing 
> so. If that's the case, maybe it's OK to not fully analyze 
> all the security implications. However, in that case, I think 
> the Security Considerations section should state clearly that 
> this document does not contain a complete security analysis 
> and any further work in this area should include such an 
> analysis. Nobody should implement the techniques described in 
> this document without conducting that more thorough analysis.

I guess that's the case. I am fine with adding the statement you suggested to the security considerations.
 
> I noticed a few typos. On page 6, the word "certificated" 
> should be "certified". Three sentences later, "depend on 
> policies" should be "depending on policies". And the draft 
> names in the Change Log say "dhacpv6" instead of "dhcpv6".

Thanks. We will fix them along with the other comments in the future version.

Regards,

Sheng
 
> Thanks,
> 
> Steve
>