Re: [secdir] secdir review of draft-ietf-opsec-igp-crypto-requirements

"Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com> Wed, 15 September 2010 23:36 UTC

Return-Path: <manav.bhatia@alcatel-lucent.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8A4923A6AAB; Wed, 15 Sep 2010 16:36:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.166
X-Spam-Level:
X-Spam-Status: No, score=-2.166 tagged_above=-999 required=5 tests=[AWL=0.433, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o2LpmjiKc77G; Wed, 15 Sep 2010 16:36:07 -0700 (PDT)
Received: from ihemail2.lucent.com (ihemail2.lucent.com [135.245.0.35]) by core3.amsl.com (Postfix) with ESMTP id A4A3C3A6AAD; Wed, 15 Sep 2010 16:36:02 -0700 (PDT)
Received: from inbansmailrelay2.in.alcatel-lucent.com (h135-250-11-33.lucent.com [135.250.11.33]) by ihemail2.lucent.com (8.13.8/IER-o) with ESMTP id o8FNaCWL010552 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 15 Sep 2010 18:36:15 -0500 (CDT)
Received: from INBANSXCHHUB02.in.alcatel-lucent.com (inbansxchhub02.in.alcatel-lucent.com [135.250.12.35]) by inbansmailrelay2.in.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id o8FNaAPq024880 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Thu, 16 Sep 2010 05:06:11 +0530
Received: from INBANSXCHMBSA1.in.alcatel-lucent.com ([135.250.12.56]) by INBANSXCHHUB02.in.alcatel-lucent.com ([135.250.12.35]) with mapi; Thu, 16 Sep 2010 05:06:10 +0530
From: "Bhatia, Manav (Manav)" <manav.bhatia@alcatel-lucent.com>
To: Samuel Weiler <weiler@watson.org>, "ietf@ietf.org" <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-opsec-igp-crypto-requirements.all@tools.ietf.org" <draft-ietf-opsec-igp-crypto-requirements.all@tools.ietf.org>
Date: Thu, 16 Sep 2010 05:06:00 +0530
Thread-Topic: secdir review of draft-ietf-opsec-igp-crypto-requirements
Thread-Index: ActVAcwvbKYGmY2tSU+0WYRYVYCeRgALFctw
Message-ID: <7C362EEF9C7896468B36C9B79200D8350CF3916707@INBANSXCHMBSA1.in.alcatel-lucent.com>
References: <alpine.BSF.2.00.1009151357390.4814@fledge.watson.org>
In-Reply-To: <alpine.BSF.2.00.1009151357390.4814@fledge.watson.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.35
X-Scanned-By: MIMEDefang 2.64 on 135.250.11.33
X-Mailman-Approved-At: Fri, 17 Sep 2010 05:38:35 -0700
Subject: Re: [secdir] secdir review of draft-ietf-opsec-igp-crypto-requirements
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Sep 2010 23:36:23 -0000

Hi Samuel,

Thanks for the review.
 
> Is there a way to present this information more compactly?  I suggest 
> a table with routing protocol on one axis, crypto suite on another, 
> and requirement status in the elements (perhaps with a cite 
> to the doc 
> that sets the requirement).  You might separely say "MANDATORY to 
> implement, OPTIONAL to use, NOT SUGGESTED for use".

This is precisely what we were doing till the OPSEC WG members asked us to change the format to the current one.

> 
> You could also put suggestions and speculation about the 
> future in the 
> same table, though you may need to define some terms.  And it 

We were using extended 2119 terms like SHOULD+, MUST- and MAY+ originally and these were again removed because of the strong consensus in the WG in favor of the current text.

> needs to 
> be clear when this doc diverges from past ones or makes a new 
> statement.  I have not gone back through the previous docs to confirm 
> that this doc isn't changing anything.
> 
> I see a whole bunch of lower case "may" and "should", and I'm 
> wondering what to make of them.
> 
> In describing each routing protocol's authentication options, 
> it would 
> be helpful to say whether there's any in-band negotiation available. 

I am not sure I understand whats being meant by in-band negotiation here?

> If so, more needs to be said about that in the security 
> considerations.  If not, it should be documented here.
> 
> I don't need to hear three or four separate times that cleartext 
> passwords are bad.

Just making sure that folks don't miss this! :)

> 
> Minor: remove citations from the abstract (per rfc editor policy).

Sure, will do.

Cheers, Manav

> 
> -- Sam
> 
>