Re: [secdir] secdir review of draft-ietf-tsvwg-port-use

Joe Touch <touch@isi.edu> Mon, 02 February 2015 18:30 UTC

Return-Path: <touch@isi.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2F971A8777; Mon, 2 Feb 2015 10:30:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7o_9LMVMV60S; Mon, 2 Feb 2015 10:30:43 -0800 (PST)
Received: from vapor.isi.edu (vapor.isi.edu [128.9.64.64]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86F4D1A1A20; Mon, 2 Feb 2015 10:30:43 -0800 (PST)
Received: from [128.9.176.28] (c1-vpn2.isi.edu [128.9.176.28]) (authenticated bits=0) by vapor.isi.edu (8.13.8/8.13.8) with ESMTP id t12ITZqu006076 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Mon, 2 Feb 2015 10:29:36 -0800 (PST)
Message-ID: <54CFC20E.9000701@isi.edu>
Date: Mon, 02 Feb 2015 10:29:34 -0800
From: Joe Touch <touch@isi.edu>
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: Dan Harkins <dharkins@lounge.org>, iesg@ietf.org, secdir@ietf.org, draft-ietf-tsvwg-port-use.all@tools.ietf.org
References: <950ad656ed2a0e36e24fd7dc0e2b60b1.squirrel@www.trepanning.net>
In-Reply-To: <950ad656ed2a0e36e24fd7dc0e2b60b1.squirrel@www.trepanning.net>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-ISI-4-43-8-MailScanner: Found to be clean
X-MailScanner-From: touch@isi.edu
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/2lqz0Cc1yLfMx7uBfrEebFcS9gQ>
Subject: Re: [secdir] secdir review of draft-ietf-tsvwg-port-use
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Feb 2015 18:30:44 -0000

Hi, Dan,

It should be easy to add DTLS where TLS is cited. IPsec is an 
interesting issue; I can add a few sentences to the security 
considerations area about that - e.g., that IPsec protects in a 
different way than TLS/DTLS, and that one key aspect of its 
configuration is port-specific parameters, which means it may be 
difficult to use separate IPsec policies on different services unless 
their port numbers are known and fixed in advance (even if using dynamic 
port numbers).

The latter is probably 2-3 short sentences, and I think would be 
worthwhile.

Joe

On 1/30/2015 4:04 PM, Dan Harkins wrote:
>
>    Hello,
>
>    I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
>    This draft provides some advice and recommendations on protocol
> port use to application and service designers. It has a nice, brief
> history of port usage and a nice list of guiding principles to help
> conserve port space. It will make a nice BCP. In my opinion it is Ready
> For Publication. With that said, I do have a small comment. In section
> 7.4 the draft says that TLS should be used to protect services that do
> not provide their own security directly. It might be worthwhile adding
> mention of DTLS and IPsec. And if the latter is not something that
> should be recommended then justification for that stance should be
> given.
>
>    regards,
>
>    Dan.
>
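The point Joe raises about IPsec, that its policy is keyed on traffic selectors including port numbers, so a service on a dynamically assigned port cannot be given its own policy unless that port is known in advance, can be shown with a small model of Security Policy Database (SPD) lookup. The block below is an added example and is not code from the draft, the thread, or any IPsec implementation; the selector semantics (address prefix, protocol, exact port or ANY), the ordered first-match evaluation, the 192.0.2.0/24 hosts and the port numbers are all constructed for illustration and simplified relative to RFC 4301.

```python
"""Toy model of IPsec SPD lookup by traffic selector (address, protocol, port).

Added example; not code from the draft or the e-mail thread.  Simplified
relative to RFC 4301: selectors are a remote prefix, a transport protocol
and either an exact remote port or ANY_PORT; the SPD is ordered and the
first matching entry wins.  Addresses and ports are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ANY_PORT = None  # stands in for the ANY / OPAQUE port selector


@dataclass(frozen=True)
class Selector:
    remote: str                 # remote address prefix, CIDR notation
    proto: str                  # "tcp" or "udp"
    remote_port: Optional[int]  # exact port, or ANY_PORT to match every port

    def matches(self, remote_ip: str, proto: str, remote_port: int) -> bool:
        if self.proto != proto:
            return False
        if ip_address(remote_ip) not in ip_network(self.remote):
            return False
        return self.remote_port is ANY_PORT or self.remote_port == remote_port


@dataclass(frozen=True)
class SPDEntry:
    name: str
    selector: Selector
    action: str  # PROTECT / BYPASS / DISCARD, kept as a descriptive string


def lookup(spd: List[SPDEntry], remote_ip: str, proto: str, remote_port: int) -> SPDEntry:
    """Return the first SPD entry whose selector matches the flow.

    The SPD is assumed to end with a catch-all entry, so a match always exists.
    """
    for entry in spd:
        if entry.selector.matches(remote_ip, proto, remote_port):
            return entry
    raise LookupError("SPD has no catch-all entry")


def policies_for_services(spd: List[SPDEntry], remote_ip: str, proto: str,
                          service_ports: Dict[str, int]) -> Dict[str, str]:
    """Map each named service (by the port it actually listens on) to the SPD
    entry that governs traffic to it.  Two services share a policy if and
    only if they resolve to the same entry name."""
    return {svc: lookup(spd, remote_ip, proto, port).name
            for svc, port in service_ports.items()}


# Constructed SPD for an operator who wants strict protection for SSH, ESP for
# a management web service on a fixed port, and plaintext for everything else.
SPD = [
    SPDEntry("admin-ssh", Selector("192.0.2.0/24", "tcp", 22), "PROTECT(esp, strict)"),
    SPDEntry("mgmt-web", Selector("192.0.2.0/24", "tcp", 8443), "PROTECT(esp)"),
    SPDEntry("default", Selector("0.0.0.0/0", "tcp", ANY_PORT), "BYPASS"),
]

# Constructed service layout on host 192.0.2.10: two fixed-port services and
# one service that picked an ephemeral port at start-up (e.g. a negotiated or
# registry-announced port, as discussed in the draft).
FIXED_PORT_SERVICES = {"ssh": 22, "mgmt-web": 8443}
DYNAMIC_SERVICE = {"dyn-rpc": 49152}


def dynamic_service_policy(spd: List[SPDEntry] = SPD, host: str = "192.0.2.10") -> str:
    """Policy that governs the dynamically-ported service: because no selector
    names its port, it falls through to the catch-all, not to a per-service policy."""
    return policies_for_services(spd, host, "tcp", DYNAMIC_SERVICE)["dyn-rpc"]


def widened_spd() -> List[SPDEntry]:
    """The only way to cover an unknown port is a port-wildcard selector for the
    host, which then applies one policy to every service on that host and
    removes the per-service distinction."""
    return [
        SPDEntry("host-wide", Selector("192.0.2.0/24", "tcp", ANY_PORT), "PROTECT(esp)"),
        SPDEntry("default", Selector("0.0.0.0/0", "tcp", ANY_PORT), "BYPASS"),
    ]


if __name__ == "__main__":
    print(policies_for_services(SPD, "192.0.2.10", "tcp", FIXED_PORT_SERVICES))
    print("dynamic service governed by:", dynamic_service_policy())
    both = {**FIXED_PORT_SERVICES, **DYNAMIC_SERVICE}
    print(policies_for_services(widened_spd(), "192.0.2.10", "tcp", both))
```

Running the block shows the fixed-port services each resolving to their own entry, the dynamically-ported service falling through to the `default` BYPASS entry, and the widened SPD collapsing all three services onto one `host-wide` policy; that is the trade-off a port-selector-based policy forces when ports are not fixed in advance, in contrast to TLS/DTLS, which protects the individual connection regardless of which port it lands on.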