Re: [secdir] secdir review of draft-ietf-rmt-pi-norm-revised-11
Brian Adamson <adamson@itd.nrl.navy.mil> Thu, 28 May 2009 16:33 UTC
Return-Path: <adamson@itd.nrl.navy.mil>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 052BD28C2F2 for <secdir@core3.amsl.com>; Thu, 28 May 2009 09:33:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.532
X-Spam-Level:
X-Spam-Status: No, score=-6.532 tagged_above=-999 required=5 tests=[AWL=0.067, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8FU5f-xV2eai for <secdir@core3.amsl.com>; Thu, 28 May 2009 09:33:50 -0700 (PDT)
Received: from s2.itd.nrl.navy.mil (s2.itd.nrl.navy.mil [132.250.83.3]) by core3.amsl.com (Postfix) with ESMTP id 6C33D28C2AC for <secdir@ietf.org>; Thu, 28 May 2009 09:32:30 -0700 (PDT)
Received: from smtp.itd.nrl.navy.mil (smtp.itd.nrl.navy.mil [132.250.86.3]) by s2.itd.nrl.navy.mil (8.13.8/8.13.8) with SMTP id n4SGXaSr011293; Thu, 28 May 2009 12:33:36 -0400
Received: from macsimus.itd.nrl.navy.mil ([132.250.92.151]) by smtp.itd.nrl.navy.mil (SMSSMTP 4.1.16.48) with SMTP id M2009052812333522300 ; Thu, 28 May 2009 12:33:35 -0400
Message-Id: <6939BED8-48A5-4B3D-B185-E882DE35CDC6@itd.nrl.navy.mil>
From: Brian Adamson <adamson@itd.nrl.navy.mil>
To: David Harrington <ietfdbh@comcast.net>
In-Reply-To: <05a401c9ccf6$67ac3550$0600a8c0@china.huawei.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v935.3)
Date: Thu, 28 May 2009 12:33:36 -0400
References: <05a401c9ccf6$67ac3550$0600a8c0@china.huawei.com>
X-Mailer: Apple Mail (2.935.3)
Cc: 'Magnus Westerlund' <magnus.westerlund@ericsson.com>, secdir@ietf.org, tim.polk@nist.gov, Pasi.Eronen@nokia.com, M.Handley@cs.ucl.ac.uk, cabo@tzi.org, 'Joe Macker' <macker@itd.nrl.navy.mil>, 'Lorenzo Vicisano' <lorenzo@vicisano.net>
Subject: Re: [secdir] secdir review of draft-ietf-rmt-pi-norm-revised-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2009 16:33:51 -0000
All, I have submitted an updated NORM draft that I hope fully addresses Dave's comments here. I actually took his recommendations on clarity of requirements language (SHOULDs, etc) throughout the whole document and not just the security issues section. There were a number of cases where there were lower-case "should", "must", etc that needed to be emphasized with upper case or alternative language used to make the requirements aspects clearer. This was a worthwhile exercise as I found a few more grammatical errors, etc as well. Brian Adamson adamson@itd.nrl.navy.mil On May 4, 2009, at 4:25 PM, David Harrington wrote: > Hi, > > I have reviewed this document as part of the security directorate's > ongoing effort to review all IETF documents being processed by the > IESG. These comments were written primarily for the benefit of the > security area directors. Document editors and WG chairs should > treat these comments just like any other last call comments. > > The document specifies a protocol (or an update to a protocol) that > provides end-to-end reliable transport of bulk data objects or streams > > over multicast routing and forwarding services. It also provides a > congestion control scheme. It is designed to permit different > upper layer services to utilize its services in different ways. > > I previousaly reviewed the -09- revision, where I asked that the > specification tighen up requirements, ala RFC2119, especially in the > Security Considerations. That was done to a degree. > > More should be done. There are places with text like "It is expected > that ..." > that might be better expressed as SHOULDs. There are lower case > must/should/may/require uses. > > Since this is a requested early review, let me also comment on > document clarity. > > I found some of the paragraphs have conditionals in them, often > following a > statement of MUST or SHOULD compliance. I think the "However ..." > conditionals > really hurt the clarity of the specification. For example: > Large NORM group sizes will necessitate some form of key management > that does rely upon shared secrets. The GDOI and GSAKMP protocols > mentioned here allow for certificate-based authentication. It is > RECOMMENDED these certificates use IP addresses for authentication > although it may alternatively possible to have authentication > associated with pre-assigned NormNodeId values. However, it is > likely that available group key management implementations will not > be NORM-specific. > > Is the information after "RECOMMENDED these certificates use IP > addresses for authentication" really needed here? > If I alternately have authentication associated with re-assigned > NormNodeId values, and do not support IP adresses for authentication, > am I still compliant? > > A pet peeve - "it should be noted that" is almost always not needed. > Just make the statement, > which effectively notes the point. Nothing "should" about it! > > The same pet peeve variations: unnecessary introductory phrases or > clauses in sentences: > > s/The principal issue is that configuration > and operation of IPsec typically requires privileged user > authorization./Configuration > and operation of IPsec typically requires privileged user > authorization./ > s/It is expected that additional specifications may/ > Additional specifications MAY/ > > Some words to look at whether they are really necessary: > Additionally > However > Thus > It is expected that > As previously noted, > Note that > also > as always > as mentioned in section x.x > as noted > > > > > > > David Harrington > dbharrington@comcast.net > ietfdbh@comcast.net > dharrington@huawei.com >
- [secdir] secdir review of draft-ietf-rmt-pi-norm-… David Harrington
- Re: [secdir] secdir review of draft-ietf-rmt-pi-n… Magnus Westerlund
- Re: [secdir] secdir review of draft-ietf-rmt-pi-n… Brian Adamson