Re: [secdir] Secdir review of draft-ietf-cdni-media-type-04

Kevin Ma J <kevin.j.ma@ericsson.com> Thu, 08 October 2015 14:33 UTC

Return-Path: <kevin.j.ma@ericsson.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 056451A1A0B; Thu, 8 Oct 2015 07:33:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.201
X-Spam-Level:
X-Spam-Status: No, score=-4.201 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iAww6ubAJQQg; Thu, 8 Oct 2015 07:33:07 -0700 (PDT)
Received: from usevmg21.ericsson.net (usevmg21.ericsson.net [198.24.6.65]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B1EEF1A1A15; Thu, 8 Oct 2015 07:33:07 -0700 (PDT)
X-AuditID: c6180641-f792c6d00000686a-dc-5616129533f7
Received: from EUSAAHC007.ericsson.se (Unknown_Domain [147.117.188.93]) by usevmg21.ericsson.net (Symantec Mail Security) with SMTP id 48.41.26730.59216165; Thu, 8 Oct 2015 08:52:05 +0200 (CEST)
Received: from EUSAAMB103.ericsson.se ([147.117.188.120]) by EUSAAHC007.ericsson.se ([147.117.188.93]) with mapi id 14.03.0248.002; Thu, 8 Oct 2015 10:33:06 -0400
From: Kevin Ma J <kevin.j.ma@ericsson.com>
To: Tero Kivinen <kivinen@iki.fi>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-cdni-media-type.all@tools.ietf.org" <draft-ietf-cdni-media-type.all@tools.ietf.org>
Thread-Topic: Secdir review of draft-ietf-cdni-media-type-04
Thread-Index: AQHRAajHGzHszqzt8UW8Jlr5SC9Jo55hp+jQ
Date: Thu, 8 Oct 2015 14:33:05 +0000
Message-ID: <A419F67F880AB2468214E154CB8A556206B64CCD@eusaamb103.ericsson.se>
References: <22038.12816.208794.496704@fireball.acr.fi>
In-Reply-To: <22038.12816.208794.496704@fireball.acr.fi>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [147.117.188.9]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrCLMWRmVeSWpSXmKPExsUyuXRPrO5UIbEwgwOdshYfdx5htpjxZyKz xdHzz9ksPix8yOLA4rFkyU8mj8NfF7J4fLn8mS2AOYrLJiU1J7MstUjfLoErY8aHL0wF80Qq Ph2RaGCcK9DFyMkhIWAisePDIzYIW0ziwr31QDYXh5DAUUaJlZcvMEI4yxglvs99yQRSxSag JfH4618mkISIwDlGicbHy8ASwgLWEgtub2QFsUUEbCQmn3oPZRtJ9DfOAlvBIqAiseznbrB6 XgFfiS+HHjGC2EIC5hL922eD1XAKWEjc6PvNDmIzAp30/dQasHpmAXGJW0/mM0GcKiCxZM95 ZghbVOLl43+sELaixL7+6ewQ9ToSC3Z/YoOwtSWWLXzNDLFXUOLkzCcsExhFZyEZOwtJyywk LbOQtCxgZFnFyFFanFqWm25kuIkRGC3HJNgcdzAu+GR5iFGAg1GJhzeBTSxMiDWxrLgy9xCj NAeLkjjvvBn3Q4UE0hNLUrNTUwtSi+KLSnNSiw8xMnFwSjUwSnc3LTkh1NswPfRXYK6Sab8S i6djV/Axfn/HNy7Xzhlt51hVHMB66NF7gcwY83mJOj5/D0bUb48y3VJgtSM5v0lwB2/GtoYZ MbtfqB7+FR0rpD/ty8IZ5nWuiQyZ+6eKHryzMHv/jsqZnw87/mlkXFokMNnlUD1j3W/JdEHO 8Jnz1rizT4lSYinOSDTUYi4qTgQA5WySEXcCAAA=
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/BMDq8Z1K2sbsGYssrExTGaspPc4>
X-Mailman-Approved-At: Thu, 22 Oct 2015 07:18:03 -0700
Subject: Re: [secdir] Secdir review of draft-ietf-cdni-media-type-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Oct 2015 14:33:09 -0000

Hi Tero,

  Thank you for the review.

  I have fixed the ABNF.

  I have also added the following text to the security considerations:

    The application/cdni media type is a generic media type to be used	
    by multiple CDNI interfaces for transporting different types of	
    control and logging information.  Proper validation of message	
    data requires parsing and understanding the ptype parameter and	
    the associated data encoding.  Failure to properly validate	
    payloads may allow data extrusion under the auspices of the	
    application/cdni media type.

thanx!

--  Kevin J. Ma

> -----Original Message-----
> From: Tero Kivinen [mailto:kivinen@iki.fi]
> Sent: Thursday, October 08, 2015 5:06 AM
> To: iesg@ietf.org; secdir@ietf.org; draft-ietf-cdni-media-
> type.all@tools.ietf.org
> Subject: Secdir review of draft-ietf-cdni-media-type-04
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> This document allocates new media type for genera purpose content
> delivery network interconnection protocol. It is general media type
> which can be used to transmit whatever between CDNs. The actual format
> of the content depends on the mandatory ptype parameter.
> 
> This document does not include separate Security considerations
> section, but there is security considerations part of the section 2.1
> which describes the media type itself.
> 
> As this is general purpose media type which can be used to transfer
> anything, the security considerations section is quite vague, just
> pointing out that the individual CDNI interface specifications need to
> specify the security considerations for the ptypes used. Perhaps the
> security considerations section could mention that as this is generic
> media type, it can easily used to transfer data out from the CDN
> network without anybody noticing as firewalls will most likely just
> see application/cdni, and do not look at the ptype itself.
> 
> Nits:
> 
> The ptype parameter defines ptype-char as follows:
> 
>         ptype-char = %x21 / %23-3A / %x3C / %x3E-7E
> 
> I think there is 'x' missing from the "%23-3A", i.e. it should be
> "%x23-3A".
> 
> I think this document is ready with nits.
> --
> kivinen@iki.fi