[secdir] Review of draft-melnikov-smtp-priority-tunneling-03

Shawn Emery <shawn.emery@oracle.com> Wed, 18 July 2012 07:00 UTC

Return-Path: <shawn.emery@oracle.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 63BEF11E814E; Wed, 18 Jul 2012 00:00:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.598
X-Spam-Status: No, score=-10.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id FruaIbcsVH2Z; Wed, 18 Jul 2012 00:00:51 -0700 (PDT)
Received: from acsinet15.oracle.com (acsinet15.oracle.com []) by ietfa.amsl.com (Postfix) with ESMTP id 0CCD911E8147; Wed, 18 Jul 2012 00:00:47 -0700 (PDT)
Received: from acsinet21.oracle.com (acsinet21.oracle.com []) by acsinet15.oracle.com (Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.2) with ESMTP id q6I71Zt5004055 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 18 Jul 2012 07:01:36 GMT
Received: from acsmt358.oracle.com (acsmt358.oracle.com []) by acsinet21.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id q6I71XOh020116 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 18 Jul 2012 07:01:34 GMT
Received: from abhmt103.oracle.com (abhmt103.oracle.com []) by acsmt358.oracle.com ( with ESMTP id q6I71VeH003004; Wed, 18 Jul 2012 02:01:32 -0500
Received: from [] (/ by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 18 Jul 2012 00:01:31 -0700
Message-ID: <50065F08.1090307@oracle.com>
Date: Wed, 18 Jul 2012 01:00:24 -0600
From: Shawn Emery <shawn.emery@oracle.com>
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:10.0.5) Gecko/20120703 Thunderbird/10.0.5
MIME-Version: 1.0
To: secdir@ietf.org
References: <4F8687DA.6020402@oracle.com>
In-Reply-To: <4F8687DA.6020402@oracle.com>
Content-Type: multipart/alternative; boundary="------------050201040202020207040401"
X-Source-IP: acsinet21.oracle.com []
Cc: iesg@ietf.org, draft-melnikov-smtp-priority-tunneling.all@tools.ietf.org
Subject: [secdir] Review of draft-melnikov-smtp-priority-tunneling-03
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Jul 2012 07:00:52 -0000

I have reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the IESG. 
These comments were written primarily for the benefit of the security 
area directors. Document editors and WG chairs should treat these 
comments just like any other last call comments.

This experimental draft describes a SMTP tunneling method to support 
priority message values for Mail Transfer Agents (MTA) that don't 
understand the MT-PRIORITY SMTP extension.

The security consideration section does exist and is quite detailed in 
listing the various attack scenarios and mitigating against these 
attacks.  It goes on to provide exceptions of when MT-Priority header 
values are not required to be stripped.  These have consequences such as 
breaking DKIM signatures, assuming subsequent MTAs are compliant with 
the new tunneling, or rejecting the messaging.  The document may clarify 
on when it is acceptable to break DKIM signatures and/or describe the 
environment.  On the other hand, if the MSA/MTA decides to alter the 
message and needs to resign the message then is there any ambiguity of 
what the message/fields would be when resigned?

General comments:

Thanks for providing the before and after examples as this was helpful 
in my understanding of the protocol.

Editorial comments:

s/Example of such/Examples of such/