[secdir] Re: Secdir last call review of draft-ietf-opsawg-ipfix-tcpo-v6eh-11

mohamed.boucadair@orange.com Mon, 13 May 2024 16:39 UTC

From: mohamed.boucadair@orange.com
To: Tero Kivinen <kivinen@iki.fi>, "secdir@ietf.org" <secdir@ietf.org>
CC: "draft-ietf-opsawg-ipfix-tcpo-v6eh.all@ietf.org" <draft-ietf-opsawg-ipfix-tcpo-v6eh.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>
Date: Mon, 13 May 2024 16:39:48 +0000
Subject: [secdir] Re: Secdir last call review of draft-ietf-opsawg-ipfix-tcpo-v6eh-11
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1uCDq0zE8TP44LSsSj0nyIccFYA>

Hi Tero, 

Thank you for the review. 

Please see inline. 

Cheers,
Med

> -----Original Message-----
> From: Tero Kivinen via Datatracker <noreply@ietf.org>
> Sent: Thursday, 9 May 2024 17:35
> To: secdir@ietf.org
> Cc: draft-ietf-opsawg-ipfix-tcpo-v6eh.all@ietf.org; last-call@ietf.org; opsawg@ietf.org
> Subject: Secdir last call review of draft-ietf-opsawg-ipfix-tcpo-v6eh-11
> 
> Reviewer: Tero Kivinen
> Review result: Has Issues
> 
> I have reviewed this document as part of the security
> directorate's ongoing effort to review all IETF documents being
> processed by the IESG.  These comments were written primarily for
> the benefit of the security area directors.  Document editors and
> WG chairs should treat these comments just like any other last
> call comments.
> 
> This document redefines the IPFIX IEs for IPv6 extension headers
> and TCP options to allow more data to be exported.
> 
> Issues:
> 
> In section 7 the text claims that "This document does not add new
> security considerations for exporting IES.", but as this document
> allows more information to be exported, there is also possibility
> that more data that was not available, thus there might be new
> security considerations.

[Med] Please note that we have this sentence right before the one you quoted to call out new threats: 

ipv6ExtensionHeadersChainLength and ipv6ExtensionHeadersLimit IEs can be exploited by an unauthorized observer as a means to deduce the processing capabilities of nodes. Section 8 of [RFC7012] discusses the required measures to guarantee the integrity and confidentiality of the exported information.

> 
> For example this allows seeing multiple same extension headers,
> etc, thus there should be additional considerations.
> 
> Perhaps adding text saying that as this document allows more data
> to be available and some of that data might be sensitive, the
> implementations need to take this into account when exporting
> data".

[Med] I think the text I quoted above is an example of what is sensitive. Unless there is a specific item to specifically list, the guards in the base specs are sufficient.

> 
> --
> 
> In section 8.4 if the IANA is automatically allocating next bit
> for each new IPv6 Extension Header, is there still separate
> expert review done for this automatic allocation or not?

[Med] No. The nominal mode won't involve a DE because mirroring will be sufficient to reflect (new, modification, deprecate, etc.). "otherwise" is a catchup to cover cases where modifications are local to the registry, not the parent one. For example, we do have two entries for fragments, while only one protocol number is used for fragments in the parent EH registry. Thanks.

> What happens if the experts in new registry do not allow registration
> for the extension header that was added to the IPv6 Extension
> Headers registry?
> 
> If implementation then sees that new IPv6 extension header that
> was allocated by IANA, but which is not in the IPFIX subregistry,
> how does it fill the bitfield?

[Med] Made this change to make the behavior explicit: 

OLD:
If an implementation determines that an observed packet of a Flow includes an extension header that it does not support, then the exact observed code of that extension header MUST be echoed in the ipv6ExtensionHeaderTypeCountList IE (Section 3.4).

NEW:
If an implementation determines that an observed packet of a Flow includes an extension header (including an extension header that it does not support), then the exact observed code of that extension header MUST be echoed in the ipv6ExtensionHeaderTypeCountList IE (Section 3.4).


> 
> Also when new IPv6 extension headers are added, all
> implementations of IPFIX need to be updated to map the protocol
> number to the bit, thus they can't add new extension headers
> until they are updated with the mapping.

[Med] This is not required for ipv6ExtensionHeaderTypeCountList IE. 

> 
> ----------------------------------------------------------------------
> 
> Nits:
> 
> --
> In section 1.1
> 
> Write out the [RFC8200] in first bullet, i.e., change to:
> 
>    *  Cover the full extension headers' range (Section 4 of IPv6
>       Specification [RFC8200]).
> 

[Med] I will keep the OLD.

> --
> 
> In section 1.1
> 
>    *  Specify how to automatically update the IANA IPFIX registry
>       ([IANA-IPFIX]) when a new value is assigned in [IANA-EH]. Only a
> 
> I think the [IANA-EH] here should be properly spelled out, i.e.,
> change the text to "when a new value is assigned in the IANA IPv6
> extension header types registry [IANA-EH]".

[Med] Done.

> 
> Also the text:
> 
>       For example, the ipv6ExtensionHeaders IE can't report some
>       IPv6 EHs, specifically 139, 140, 253, and 254.
> 
> 
> should not use numbers, but instead of names of those extension
> headers, i.e., it should say "specifically extension headers for
> Host Identity and Shim6 Protocol, or extension headers for
> experimentation and testing.".
> 
> If numbers are needed they can be added in parenthesis after the
> protocol name (i.e., "Shim6 Protocol (140)").

[Med] OK. 

> 
> --
> 
> In section 1.1
> 
> Write out 8883:
> 
>       (e.g., Section 1.1 of ICMPv6 Errors for Discarding Packets Due
>       to Processing Limits [RFC8883]).
> 
> --
> 
> In section 1.1
> 
> The text "Also, ipv6ExtensionHeaders IPFIX IE is deprecated in
> favor of the new IEs defined in this document." makes it feel
> like the deprecation is an afterthought. I think the whole idea of
> this document is to deprecate the old IE and create new. Perhaps
> say "This specification will deprecate ipv6ExtensionHeaders IPFIX
> IE in favor of the new IEs defined in this document".
> 

[Med] Deal.

> Similar text is also in end of section 1.2.

[Med] ACK.

> 
> --
> 
> In section 1.2 write out 6994 properly, i.e., change:
> 
>    *  Allow reporting the observed Experimental Identifiers (ExIDs) that
>       are carried in shared TCP options (Kind=253 or 254) [RFC6994].
> 
> to
> 
>    *  Allow reporting the observed Experimental Identifiers (ExIDs)
>       (Kind=253 or 254) that are carried in shared experimental TCP
>       options [RFC6994].
> 

[Med] OK

> --
> 
> In section 2 do use proper name instead of just reference. When
> someone decides that all references are changed to [1], [2], [3]
> etc, the text should still be readable. Also requiring readers to
> keep track of mapping from RFC numbers to actual specification
> name is bad idea, and makes it harder for reader to understand
> what the document is trying to change.
> 
> Change
> 
> 
>    This document uses the IPFIX-specific terminology (Information
>    Element, Template Record, Flow, etc.) defined in Section 2 of
>    [RFC7011].  As in [RFC7011], these IPFIX-specific terms have the
>    first letter of a word capitalized.
> 
> 
> to
> 
>    This document uses the IPFIX-specific terminology (Information
>    Element, Template Record, Flow, etc.) defined in Section 2 of IPFIX
>    specification [RFC7011]. As in that document, these IPFIX-specific
>    terms have the first letter of a word capitalized.
> 
> --
> 
> In section 2
> 
> It would be nice to know what those documents 8200 and 9239 are
> so changing the text "Also, the document uses the terms defined
> in [RFC8200] and [RFC9293]." to
> 
>     This document uses the terms defined in IPv6 [RFC8200], and TCP
>     [RFC9293] specifications.
> 

[Med] OK.

> --
> 
> In section 3 there are several cases where it says "Section xxx of
> [RFC8200]", change that to "Section 4 of IPv6 specification
> [RFC8200]".
> 
> --
> 
> In section 3.6 change "As discussed in Section 1.2 of [RFC8883],"
> to "As discussed in ICMPv6 Errors for Discarding Packets Due to
> Processing Limits [RFC8883],"
> 
> --
> 
> In section 5.1 change "Section 6.2 of [RFC7011]." to "Section 6.2
> of IPFIX specification [RFC7011].".
> 
> --
> 
> In section 5.1 change "Section 2.2 of [RFC8883]" to "Section 2.2 of
> ICMPv6 Errors for Discarding Packets Due to Processing Limits
> [RFC8883]".
> 
> --
> 
> In section 5.2 change "Section 6.2 of [RFC7011]." to "Section 6.2
> of IPFIX specification [RFC7011]."
> 
> --
> 
> In section 6.1 it would be good to have example where more than
> one octet is needed, so it would clarify the byteorder of the
> data.
> 
> --
> 
> In section 7 change "Section 11 of [RFC7011]." to "Section 11 of
> IPFIX specification[RFC7011]."
> 
> --
> 
> In section 7 change "Section 8 of [RFC7012]" to "Section 8 of
> Information Model for IPFIX [RFC7012]".
> 
> --
> 
> In section 8.3 change
> 
>    This type MUST be encoded per Section 6.1.1 of [RFC7011].
>    Reduced-Size encoding (Section 6.2 of [RFC7011]) applies to this
>    data type.
> 
> to
> 
>    This type MUST be encoded per Section 6.1.1 of IPFIX specification
>    [RFC7011]. Reduced-Size encoding (Section 6.2 of IPFIX
>    specification [RFC7011]) applies to this data type.
> 
> --

[Med] This is a matter of editing taste. I'm not a fan of expanding the ref title.

> 
> Section 9.1 [IANA-EH] url is wrong, it points to the "Next Header
> Types" registry, not to the "IPv6 Extension Header Types"
> registry.

[Med] This is on purpose because the RFC Editor does not cite the specific URLs, only the URL of the registry group.

> Correct url is
> https://www.iana.org/assignments/ipv6-parameters/ipv6-parameters.xhtml#extension-header
> 
> 
> 
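The exchange above about unsupported extension headers and the protocol-number-to-bit mapping, as an added example that is not part of this thread or of the draft: it walks one packet's IPv6 extension header chain and contrasts echoing each observed code with a bit-mapped summary. The bit positions in LOCAL_BIT_MAP, the ordered (code, count) pairs used in place of the draft's wire encoding, and the sample packet are assumptions of this example; experimental headers 253 and 254 are assumed to follow the generic 8-octet-unit format.

```python
import struct
from itertools import groupby

# Values in the IANA "IPv6 Extension Header Types" registry.
KNOWN_EH = {0, 43, 44, 50, 51, 60, 135, 139, 140, 253, 254}

# HYPOTHETICAL exporter table: protocol number -> bit position. The bit
# numbers are invented for this example; 140 (Shim6) is left out on purpose.
LOCAL_BIT_MAP = {0: 0, 43: 1, 44: 2, 60: 3, 51: 4}


def walk_chain(first_nh, payload):
    """Return the extension header codes of one packet, in wire order.

    first_nh is the Next Header value of the fixed IPv6 header and payload
    is everything after that 40-octet header.
    """
    seen, nh, off = [], first_nh, 0
    while nh in KNOWN_EH:
        seen.append(nh)
        if nh == 50 or off + 8 > len(payload):
            break  # ESP hides the rest; a truncated header cannot be read
        next_nh, len_field = payload[off], payload[off + 1]
        if nh == 44:  # Fragment header: fixed 8 octets
            size = 8
            if struct.unpack_from("!H", payload, off + 2)[0] >> 3:
                break  # non-first fragment: the chain does not continue here
        elif nh == 51:  # AH length field counts 4-octet units, minus 2
            size = (len_field + 2) * 4
        else:  # generic format: 8-octet units, not counting the first 8
            size = (len_field + 1) * 8
        if off + size > len(payload):
            break
        nh, off = next_nh, off + size
    return seen


def type_count_list(codes):
    """Collapse consecutive repeats into ordered (code, count) pairs."""
    return [(code, len(list(run))) for code, run in groupby(codes)]


def legacy_bitfield(codes, bit_map=LOCAL_BIT_MAP):
    """Return (bits, unmapped): headers with no bit in the table are lost."""
    bits, unmapped = 0, []
    for code in codes:
        if code in bit_map:
            bits |= 1 << bit_map[code]
        elif code not in unmapped:
            unmapped.append(code)
    return bits, unmapped


def _eh(next_header):
    """Constructed 8-octet header in the generic format, body zero-filled."""
    return bytes([next_header, 0]) + bytes(6)


# Constructed sample: Hop-by-Hop -> Dest Opts -> Dest Opts -> Shim6 -> TCP (6)
SAMPLE = _eh(60) + _eh(60) + _eh(140) + _eh(6)

if __name__ == "__main__":
    chain = walk_chain(0, SAMPLE)
    print("observed codes :", chain)
    print("type/count list:", type_count_list(chain))
    print("bitfield, lost :", legacy_bitfield(chain))
```

The repeated Destination Options header shows up as a count of 2, and code 140 survives in the echoed list while the bit-mapped summary has nowhere to put it until the table is updated.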
