Re: [secdir] Review of draft-ietf-dime-diameter-api-08
Sean Turner <turners@ieca.com> Sun, 21 June 2009 17:21 UTC
Message-ID: <4A3E6C1B.2090907@ieca.com>
Date: Sun, 21 Jun 2009 13:21:31 -0400
From: Sean Turner <turners@ieca.com>
To: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
Cc: pacalhou@cisco.com, secdir <secdir@ietf.org>, dave@frascone.com, dime-chairs@ietf.org, draft-ietf-dime-diameter-api@tools.ietf.org, iesg@ietf.org, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, Victor Fajardo <vfajardo@tari.toshiba.com>

Dan,

If this is the case, then I'd suggest adding something to make it
explicit that the API adds no additional security concerns.

spt

Romascanu, Dan (Dan) wrote:
> Sean,
>
> I will let the authors infirm or confirm what I am saying, but my
> understanding is that they take the position that the document describes
> an internal API for applications to access the Diameter protocol, and
> that there is no additional security threat involved in the definition
> or implementation of such an API.
>
> Dan
>
>
>> -----Original Message-----
>> From: Sean Turner [mailto:turners@ieca.com]
>> Sent: Tuesday, June 16, 2009 9:01 PM
>> To: Romascanu, Dan (Dan)
>> Cc: secdir; draft-ietf-dime-diameter-api@tools.ietf.org;
>> iesg@ietf.org; dime-chairs@ietf.org; Hannes Tschofenig;
>> Victor Fajardo; pacalhou@cisco.com; dave@frascone.com
>> Subject: Re: Review of draft-ietf-dime-diameter-api-08
>>
>> Dan,
>>
>> I sent the review to Pat and to Dave (and the iesg and
>> secdir). I see that Victor was also added during the last go
>> around so if he made the changes I'm not sure he would have seen them.
>>
>> My concern is that the document is for the Diameter API but
>> the security considerations points to the Diameter Protocol.
>> So, we don't have any security considerations at all if we
>> just point to the protocol definition, which is what the
>> document does now.
>>
>> spt
>>
>> Romascanu, Dan (Dan) wrote:
>>> Sean,
>>>
>>> Was your review sent to the editors of the document?
>>>
>>> Can you please clarify why you believe that the API introduces
>>> supplementary security concerns, which would make the reference to the
>>> security considerations of RFC 5366 insufficient?
>>>
>>> Thanks and Regards,
>>>
>>> Dan
>>>
>>>
>>>> -----Original Message-----
>>>> From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf
>>>> Of Sean Turner
>>>> Sent: Tuesday, June 16, 2009 6:44 PM
>>>> To: secdir; draft-ietf-dime-diameter-api@tools.ietf.org;
>>>> iesg@ietf.org; dime-chairs@ietf.org
>>>> Cc: Hannes Tschofenig
>>>> Subject: Review of draft-ietf-dime-diameter-api-08
>>>>
>>>> I have reviewed this document (twice now) as part of the security
>>>> directorate's ongoing effort to review all IETF documents being
>>>> processed by the IESG. These comments were written primarily for the
>>>> benefit of the security area directors. Document editors and WG
>>>> chairs should treat these comments just like any other last call
>>>> comments.
>>>>
>>>> This version does not address the comments I made against the
>>>> -07 version, notably:
>>>>
>>>> The document needs to discuss the security considerations surrounding
>>>> the API in your document, as opposed to just pointing to RFC5388.
>>>>
>>>> Nits:
>>>> - Sec 3.1.1: add "." to end of last sentence
>>>> - Sec 3.4.3.1 and 3.4.3.2: r/- The NAI of the user./The NAI of the
>>>> user.
>>>> - Sec 3.4.5.7: Move description before C code.
>>>>
>>>> spt