[secdir] Secdir review of draft-ietf-dime-ovli
"Paul Hoffman" <paul.hoffman@vpnc.org> Fri, 24 July 2015 14:30 UTC
From: Paul Hoffman <paul.hoffman@vpnc.org>
To: secdir <secdir@ietf.org>
Date: Fri, 24 Jul 2015 16:30:25 +0200
Message-ID: <F9066F07-294E-4CD4-83C5-C59949D981DF@vpnc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/2cyoWx9QzPm22Xvk0FNUvIEJKCA>
Subject: [secdir] Secdir review of draft-ietf-dime-ovli
Greetings again. This document, "Diameter Overload Indication Conveyance", is a way for a Diameter server in a cluster to tell other servers in the cluster "don't send so many requests to me". It is pretty complex and fiddly, but seems sensible.

The security considerations are numerous, but fairly well covered in the extensive Security Considerations section. Note that there is not much that can really be done here to address the biggest concern of spoofing. As the document says:

   Diameter does not include features to provide end-to-end
   authentication, integrity protection, or confidentiality. This may
   cause complications when sending overload reports between
   non-adjacent nodes.

(Nice use of "may" there...)

So, there isn't much that can be demanded of this document without some obvious controls. Still, the Security Considerations section covers the likely attacks and problems.

--Paul Hoffman