[secdir] secdir review of draft-ietf-csi-sndp-prob
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 01 December 2009 01:25 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id D309C3A6AB2; Mon, 30 Nov 2009 17:25:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.835
X-Spam-Level:
X-Spam-Status: No, score=-1.835 tagged_above=-999 required=5 tests=[AWL=0.764,
BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T7jajQbvzVK5;
Mon, 30 Nov 2009 17:25:06 -0800 (PST)
Received: from relay.imagine.ie (dns1.dns.imagine.ie [87.232.1.40]) by
core3.amsl.com (Postfix) with ESMTP id EF2243A686E;
Mon, 30 Nov 2009 17:25:05 -0800 (PST)
Received: from mail2.int.imagine.ie (mail2 [87.232.1.153]) by relay.imagine.ie
(Postfix) with ESMTP id D705132886; Tue, 1 Dec 2009 01:24:57 +0000 (GMT)
Received: from [10.87.48.7] (dsl-102-234.cust.imagine.ie [87.232.102.234]) by
mail2.int.imagine.ie (8.13.4/8.13.4/Debian-3) with ESMTP id nB11OrJ2000761
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
Tue, 1 Dec 2009 01:24:54 GMT
Message-ID: <4B147060.4000207@cs.tcd.ie>
Date: Tue, 01 Dec 2009 01:24:48 +0000
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Thunderbird 2.0.0.23 (X11/20090812)
MIME-Version: 1.0
To: draft-ietf-csi-prob@tools.ietf.org, sec-ads@ietf.org, secdir@ietf.org
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Bayes-Prob: 0.0001 (Score 0)
X-Canit-Stats-ID: 58130340 - 690f3ab6f055 (trained as not-spam)
X-CanItPRO-Stream: outgoing
X-Scanned-By: CanIt (www . roaringpenguin . com) on 87.232.1.53
Subject: [secdir] secdir review of draft-ietf-csi-sndp-prob
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>,
<mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>,
<mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Dec 2009 01:25:06 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. The draft is a generally well-written description of some issues with securing neighbour discovery when proxies are involved. As a problem statement draft I find it just fine. I have two minor security comments and a few nits below. Stephen. 1. The suggestion at the end of 4.2 that certificate serial number or time field ordering be used to indicate relationships between end entities seems very hacky. I'd suggest either deleting that if its felt to be unlikely used, or else, if its actually likely to be used, then documenting how it could actually work 2. 7.2 mentions "signed, non-repudiable certificates" which is a horribly odd phrase. Hopefully that's just sloppy language. (s/signed, non-repudiable//), but if not, then its a concern (the concern being that non-repudiation in protocols is mythical). Nits: 1. 2nd last para of 3.1: fix word ordering in last sentence, think it ought say: Such a message would be valid according to the SEND specification, if the Target Address and the source IPv6 address of the Neighbor Advertisement weren't different [RFC3971]. 2. 2.2.4 1st para: similar word ordering, maybe: The router or CA may then be able to certify proxying for only a subset of the prefixes for which it is certified. 3. 1st sentence of 7.2: s/The certificagte delegation/Certificate delegation/
- [secdir] secdir review of draft-ietf-csi-sndp-prob Stephen Farrell
- Re: [secdir] secdir review of draft-ietf-csi-sndp… Stephen Farrell
- Re: [secdir] secdir review of draft-ietf-csi-sndp… Jean-Michel Combes