[secdir] Review of draft-ietf-nsis-ext-06

Shawn M Emery <shawn.emery@sun.com> Sat, 20 March 2010 08:23 UTC

Message-ID: <4BA48592.8040804@sun.com>
Date: Sat, 20 Mar 2010 02:21:38 -0600
From: Shawn M Emery <shawn.emery@sun.com>
To: secdir@ietf.org
Cc: draft-ietf-nsis-ext.all@tools.ietf.org, iesg@ietf.org
Subject: [secdir] Review of draft-ietf-nsis-ext-06

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments.

This draft is an informational document that provides an 
overview of the Next Steps in Signaling (NSIS) set of protocols, how to 
deploy said protocols, and how to extend the set of NSIS protocols.

The security considerations section does exist and gives guidance for 
any extensions to the NSIS protocol set.  It then talks about using 
authentication, integrity checks, and authorization for any NSIS 
supported routers.

The section continues guidance for extensions by making sure they 
leverage NSIS' lower layer transport authentication and that any new 
transport protocols created support NSIS' low layer authentication and 
integrity check capabilities.

I think this section should include a reference to RFC 4081 for the 
possible attack scenarios for NSIS when considering an extension to the 
NSIS protocol set.

General comments:


Editorial comments:

3. The General Internet Signaling Transport

s/in future/in the future/

8. Extending the Protocols

s/identified in future/identified in the future/