Re: [secdir] Secdir last call review of draft-ietf-mile-xmpp-grid-09
Matthew Miller <linuxwolf+ietf@outer-planes.net> Wed, 06 March 2019 01:28 UTC
Return-Path: <linuxwolf@outer-planes.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9D4A130DD3 for <secdir@ietfa.amsl.com>; Tue, 5 Mar 2019 17:28:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=outer-planes-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WEaAbKNSzlrz for <secdir@ietfa.amsl.com>; Tue, 5 Mar 2019 17:28:12 -0800 (PST)
Received: from mail-vs1-xe32.google.com (mail-vs1-xe32.google.com [IPv6:2607:f8b0:4864:20::e32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C6DF12F1A5 for <secdir@ietf.org>; Tue, 5 Mar 2019 17:28:09 -0800 (PST)
Received: by mail-vs1-xe32.google.com with SMTP id n14so1234376vsp.12 for <secdir@ietf.org>; Tue, 05 Mar 2019 17:28:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=outer-planes-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=8zudjt73tXrpFrEPGKciRneIYnozOUoORewfhwnvB+c=; b=hRdkNMCfpx2GidQmCr3N0MInrXGKWrhcgWCqlnzw5X0LOqtejTY+KAPIbm8CGCLvip z3fWbFc/XukIcg6XIt5LLo8W//NYZR1ZKHIRh6t5k/jwVyiGZlFcJV7LZWeWDyV7m39Y kylA3gFBQw9hq9lhQVZOx1rO825y8O+q6Z4z+VKOvPzuprPpcsecfQBY9alYpog94hdX STq4H37H1nasyuOqZAp2Bb2bQ7HSsUfYIsRg2FipmfnEJqgPZc6MgHZWgdL3U5+KT4Tz i49Oj9P9KuMDBwSkqN/6BDSnV5Xwe8uj4sLwOAnmxA1YBaEAl9er8zpUutU0DxugADit FxJA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=8zudjt73tXrpFrEPGKciRneIYnozOUoORewfhwnvB+c=; b=lgTO9y0UP2x4liJ4Oo4eFV+KIk7Wg7TPaHaSmF1MZFFq1505wn6kIGInsHMEsdq/fc j7Yb42a0x0agpVb1qMUi4pIeevF4uVMKWacYP7+UCm5xnVLmizvfRmtuu5eQSE+LkD7N Z/16oxaCVcl7RVvpR4zkVROMi5YUTLcwrqwA2YZDK2EO2Nv/RIQWYDr2HOyqvBU4Mzsa 0Rk+VpCVWnq/mi5CEKXtXj6QPkURUfHWL+BN0eUVaOoCg+wY7CMLPS0wXKaELkkzWB85 HP8/qYfWGzrhcsBFtNOFVSsWkjLrHOFHi/K+eSOPAtF9rHwKOerIAVESghNwIarOUWEe yIxA==
X-Gm-Message-State: APjAAAUSOHeKgu9PFVntpuL5ETyLQpe9ubw6T04Cp1Vi1OEbyxOZbiE/ BixumTPiCf8+JuTg7xAfZDOLJihyxVgyqKLMhGJXRA==
X-Google-Smtp-Source: APXvYqx3Gi6SzMKj22QZWnuafPvG7GZLteFAuYdMyBhFo9TSHSTdb3Ycwyu8RIkF//VplIedqkCLXKQzRZsl5SkkX18=
X-Received: by 2002:a05:6102:9a:: with SMTP id t26mr2786382vsp.178.1551835688075; Tue, 05 Mar 2019 17:28:08 -0800 (PST)
MIME-Version: 1.0
References: <154826649938.7505.11018194912932133243@ietfa.amsl.com> <5CFE429E-31EA-4261-B1CD-17181200F394@cisco.com> <8eaa83e6-5218-9584-ad4e-5e2e7f8e80ad@mozilla.com>
In-Reply-To: <8eaa83e6-5218-9584-ad4e-5e2e7f8e80ad@mozilla.com>
From: Matthew Miller <linuxwolf+ietf@outer-planes.net>
Date: Tue, 05 Mar 2019 18:27:57 -0700
Message-ID: <CAOgaonsCpgf9OW3yntThu==um4u5_RcL_nk_YQdctYpcWTY7Xg@mail.gmail.com>
To: Peter Saint-Andre <stpeter@mozilla.com>
Cc: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>, "secdir@ietf.org" <secdir@ietf.org>, "mile@ietf.org" <mile@ietf.org>, "draft-ietf-mile-xmpp-grid.all@ietf.org" <draft-ietf-mile-xmpp-grid.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f019dd058362e602"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/6nwcfcQCy3HmRE2yYyV0a2gvQxc>
Subject: Re: [secdir] Secdir last call review of draft-ietf-mile-xmpp-grid-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Mar 2019 01:28:15 -0000
Thank you Nancy and Peter for your replies. I look forward to the next revision. On Mon, Mar 4, 2019 at 7:39 PM Peter Saint-Andre <stpeter@mozilla.com> wrote: > A few further thoughts from a co-author but not primary author. > > On 3/4/19 4:00 PM, Nancy Cam-Winget (ncamwing) wrote: > > Hi Matt, thanks for the review. Please see below for comments: > > > > On 1/23/19, 10:01, "Matthew Miller" <linuxwolf+ietf@outer-planes.net> > wrote: > > > > Reviewer: Matthew Miller > > Review result: Has Issues > > > > I have reviewed this document as part of the security directorate's > > ongoing effort to review all IETF documents being processed by the > > IESG. These comments were written primarily for the benefit of the > > security area directors. Document editors and WG chairs should > > treat these comments just like any other last call comments. > > > > Document: draft-ietf-mile-xmpp-grid-09 > > Reviewer: Matthew A. Miller > > Review Date: 2018-01-23 > > IETF LC End Date: 2019-01-14 > > IESG Telechat date: 2019-01-24 > > > > Summary: > > > > This document defines an architecture for distributing security > > information using publish-subscribe semantics over XMPP. It is > > well written and addressed many (but not all) known concerns > > of a publish-subscribe > > > > This document has issues that should be addressed before it is > > ready to be published as a Proposed Standard. > > > > > > Major Issues: > > > > The document does not explicitly discuss the implications of the > > Controller and Broker having plaintext access and control of the > > published data. It seems to be implied in the section 8.2.3 for > > the Controller (and, for those proficient with XMPP, the Broker). > > I am not strongly recommending any sort of end-to-end protections > > be proscribed (since existing protections are likely unsuitable > > for this architecture). > > [NCW] We have added a sentence in 8.3.3 to address protection > > against controller/broker to employ end-to-end encryption. > > Matt's point about "this architecture" is relevant. We should make it > clearer in the document that the XMPP-Grid is not intended to be an open > system that any arbitrary entity can join; instead, it is a private > network (not connected to the public XMPP network) to which only > authorized entities are allowed access. > Thanks, I think both clarifications will be very helpful. > > The document does not have any real discussion around persistence > > of node items. if they are expected or desired to be persisted, > > then there should be some discussion about retention policies > > (meaning: deployments ought to have one), and behaviors when a > > Platform subscribes to the Topic (e.g., should or may automatically > > send the last published item to the recent subscriber). If not, > > then some discussion on the implications of existing/historic > > data being unavailable through this mechanism. > > [NCW] Fair point. We added the following statements to the document to > address this - > > Note that the control plane may optionally also implement XEP-0203 to > facilitate delayed > > delivery of messages to the connected consumer as described in XEP-0060. > Since information > > may be timely and sensitive, capability providers should communicate to > the controller > > whether its messages can be cached for delayed delivery during > configuration; such function > > is out of scope for this document. > > In addition, we should mention the "pubsub#last-published" configuration > option. > > Preservation or reconstruction of the history of messages sent to a > Topic strikes me as a service that a Broker isn't required to provide > (e.g., because the history might become quite large), just as a message > archive for an email discussion list might be provided by an entity > other than the delivery service. > I think all of that will help. > > > Minor Issues: > > > > XMPP pubsub is complex, and node configuration reflects that. > > Relying on XEP-0060 is something of a disservice to implementers, > > in my opinion. > > Given the generic publish-subscribe pattern required here, it felt more > appropriate to re-use an existing XMPP extension (of which there are > numerous implementations) than to invent something new. > I could have phrased this concern better; my intent was to try to pave the path for implementers a little better. I absolutely agree using pubsub is the right choice. > > I suggest that an addition Topic creation > > example be added that demonstrates the recommended configuration: > > * pubsub#access-authorize or access-whitelist > > * pubsub#persist_items = ?? (1 or 0) > > * pubsub#send_last_published_item = ?? (on_sub? never?) > > [NCW] That seems reasonable, I will add it as an option (as the current > section does state it is the minimal for topic creation). > > Yes, on_sub ('When a new subscription is processed') seems appropriate. > > Thanks for this. - m&m Matthew A. Miller
- [secdir] Secdir last call review of draft-ietf-mi… Matthew Miller
- Re: [secdir] Secdir last call review of draft-iet… Nancy Cam-Winget (ncamwing)
- Re: [secdir] Secdir last call review of draft-iet… Peter Saint-Andre
- Re: [secdir] Secdir last call review of draft-iet… Matthew Miller