Re: [secdir] SecDir review of draft-ietf-6man-rfc1981bis-06
Bob Hinden <bob.hinden@gmail.com> Mon, 17 April 2017 17:43 UTC
Return-Path: <bob.hinden@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF1931316FF; Mon, 17 Apr 2017 10:43:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2tBI5oCN1sEC; Mon, 17 Apr 2017 10:43:00 -0700 (PDT)
Received: from mail-wr0-x22c.google.com (mail-wr0-x22c.google.com [IPv6:2a00:1450:400c:c0c::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED58F1316FB; Mon, 17 Apr 2017 10:42:59 -0700 (PDT)
Received: by mail-wr0-x22c.google.com with SMTP id c55so87267684wrc.3; Mon, 17 Apr 2017 10:42:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=OBJ2fnnlUGE7PpqsSRLPJUHRiMyNHPsXHZ1SFEe5dFc=; b=PwgBzpK5J/BtkWFPeUrqcrGNzaPuDHqwv/jyUUgodSixDBpTfKuKDoxXulV21D1Exl eyWFyJb10SuP1c8t4KbMRWaLsvU7uit7PdIZqpKToVUN1k1u9tT/aU1BtWS4K3XL3j3K 9AOS9t76uDf8CM+59Xp5iVXTfnetoFQWHkcPdBwdGI/oB8wreF3c8Ijh1PYkszDH51z0 t5aRqZ0QbFaY2YjVVtGY1UO9Rc7i19n1sZEFpFVFg5G5mLfDS6Wh25LnTSLfZQ69c/mt PZE/CuJS16W6hVENX4D7SkmHEft8tfvFApj3qgvH/HVXIm/AtTGeSjPlKH/39552QyJK yFoA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=OBJ2fnnlUGE7PpqsSRLPJUHRiMyNHPsXHZ1SFEe5dFc=; b=kN6UuYI/MRQdrW+R7QLuGT9xXJCYHiAxnrVgVIwbqLTBqd3JKoRbwKcElibf03vy9M 7IZ2KOg/1YX3eDkOSlE5gJ047G6kjbpQoZQgVPopikjytIDSKi5vemgqgBqz55pfU1hz vzfRwyQKTvx6wQEvUraUBnYPYPOyK9JfzSmTXkkNjXeBPAmAORdptzuQ4GOfTH9nx2Bl N1eo7Q+sBGxqU9g1gr79TD5kx5coKRHD/Y6PuPd9sCj6q9UjS/JuX1aWJxZUakBmphQJ f1LFIX332RQCO5hVn0phqMsXBFW5oVzkMOxMMeFDhLVsQZvHkrqmGacM/Apq8Dao1W3+ FjAw==
X-Gm-Message-State: AN3rC/4JvFyM+Wp1Ni6cXSnkISzRBqjalMyFV41nEnjiXPJjT7mui2h8 o4D0Rrt0eL3WGDOrei0=
X-Received: by 10.223.161.130 with SMTP id u2mr18717421wru.203.1492450978421; Mon, 17 Apr 2017 10:42:58 -0700 (PDT)
Received: from ?IPv6:2601:647:4d01:db10:7138:5797:ecde:70ca? ([2601:647:4d01:db10:7138:5797:ecde:70ca]) by smtp.gmail.com with ESMTPSA id u206sm11329189wmg.20.2017.04.17.10.42.56 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 17 Apr 2017 10:42:57 -0700 (PDT)
From: Bob Hinden <bob.hinden@gmail.com>
Message-Id: <31D1A9CD-FF14-4B24-B486-CE0C07C9F562@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_453C0148-52D3-4E62-9317-0848C59380C5"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Mon, 17 Apr 2017 10:42:52 -0700
In-Reply-To: <CAGL6epJA2hhFWL=B-9e8hC8tn391SyhY_bdRw60UYxTeJHqLJw@mail.gmail.com>
Cc: Bob Hinden <bob.hinden@gmail.com>, draft-ietf-6man-rfc1981bis@ietf.org, secdir@ietf.org, IESG <iesg@ietf.org>
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
References: <CAGL6ep+W33u81eKahPTXypX1A=sObD_=g0cXg-sALoT6JdFfAw@mail.gmail.com> <BAC2B14B-1A12-4EB3-B510-C374AB29D4F4@gmail.com> <CAGL6epJA2hhFWL=B-9e8hC8tn391SyhY_bdRw60UYxTeJHqLJw@mail.gmail.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/1yYIQreHlGzprHr4774Kyb_FAdk>
Subject: Re: [secdir] SecDir review of draft-ietf-6man-rfc1981bis-06
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Apr 2017 17:43:02 -0000
Rifaat, > On Apr 17, 2017, at 10:31 AM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> wrote: > > > > On Mon, Apr 17, 2017 at 12:22 PM, Bob Hinden <bob.hinden@gmail.com> wrote: > Rafaat, > > Thanks for the review. Comments below. > > Bob > > > On Apr 17, 2017, at 6:21 AM, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com> wrote: > > > > I have reviewed this document as part of the security directorate's > > ongoing effort to review all IETF documents being processed by the > > IESG. These comments were written primarily for the benefit of the > > security area directors. Document editors and WG chairs should treat > > these comments just like any other last call comments. > > > > Summary: Ready with issues > > > > > > The Security Considerations section describes the possible implications of > > a malicious party sending false ICMPv6 Packet Too Big messages and > > reasonable ways to mitigate their impact. > > > > The section also discusses the implication of filtering valid ICMPv6 > > Packet Too Big messages, which is one of the limitation of this mechanism, > > and points to a more robust alternative. > > > > > > Issues > > ====== > > > > Issue 1 - The Security Considerations section, page 14: > > > > The first paragraph is discussing the case of malicious party stopping a > > victim from receiving legitimate Packet Too Big messages. The second > > paragraph is discussing the filtering of such packets and implies the > > potential implication of "black holing". > > > > It seems to me that in both of these use cases "black holing" is possible, > > and should be clearly stated as such. > > How about if I add the following after the two indented paragraphs describing the attacks: > > Both of these attacks can cause a black hole connections, that is, the > TCP three-way handshake completes correctly but the connection hangs > when data is transferred. > > > Sounds reasonable. Good, I will include that in the next version. > > > > > > > > Issue 2 - Section 4, 5th paragraph: > > > > Should the term "near future" be clearly defined here? > > I think the text is clear given the sentences that follow. The text is trying not to be too descriptive given that implementations will differ. It could say things like “quickly” “as soon as possible”, etc., but I think that’s all about the same. > > > Yeah, I see what you mean, which makes sense. > > But I am still trying to make sense of the first sentence, especially the "MUST attempt" part. > Is the part from "a node MUST attempt" until "near future" needed? > > Anyway, this is a minor issue, because as you pointed out the following sentence clearly defines what must be done by the node. Right, it’s a lead in to: The node MUST reduce the size of the packets it is sending along the path. Thanks, Bob
- Re: [secdir] SecDir review of draft-ietf-6man-rfc… Bob Hinden
- [secdir] SecDir review of draft-ietf-6man-rfc1981… Rifaat Shekh-Yusef
- Re: [secdir] SecDir review of draft-ietf-6man-rfc… Bob Hinden
- Re: [secdir] SecDir review of draft-ietf-6man-rfc… Rifaat Shekh-Yusef
- Re: [secdir] SecDir review of draft-ietf-6man-rfc… Rifaat Shekh-Yusef