IETF Logo Mail Archive

Re: [secdir] SECDIR review of draft-ietf-lisp-crypto-07

Chris Lonvick <lonvick.ietf@gmail.com> Sat, 24 September 2016 14:41 UTC

Return-Path: <lonvick.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0140B12BD2C; Sat, 24 Sep 2016 07:41:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ew-FZlDyy3ES; Sat, 24 Sep 2016 07:41:56 -0700 (PDT)
Received: from mail-pa0-x231.google.com (mail-pa0-x231.google.com [IPv6:2607:f8b0:400e:c03::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7147B12BD05; Sat, 24 Sep 2016 07:41:53 -0700 (PDT)
Received: by mail-pa0-x231.google.com with SMTP id oz2so48899974pac.2; Sat, 24 Sep 2016 07:41:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to; bh=vCmSMvu34oiwsgWYdrNIYt1qdY+cYzDhqbJLO+jPqrw=; b=vhAkDy9Zh35Dx8XJmXGxsAZIWVBUl0dCVYP+nfug96+tvldZIu8fWas5CiinkQz0Gs My7+oFC5dn6M43gRn/z40OoC55FVMQ9juxVd6zF0cWPhMYVjFfVK4mLlHt+Ywk7/LVj3 xGz7P5FzCXtsYy6BIt0aIUGhytYMJ8sOHoOdiF7GVvw588Xc8TV1Jemmp6O0FK13Ttoo OzVpXsMcTCxTWhpm3yV9SxlL42AvZ9cqBN0luRz3Gk/78Igkq2WnV5gvcqO0e6JuovYS VdVuYIWSUdurhyJE6OsKtcDloTqo4pyC9HEgO2V9/Pc95nCYkH0P2ZWr71u6jwL5iAaR I3OQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to; bh=vCmSMvu34oiwsgWYdrNIYt1qdY+cYzDhqbJLO+jPqrw=; b=OWooPIovHQRG84cYejz6VB///wgUtJznZN4h6WzFWrqJxDPA5AJbRryq/yiigZSEB7 LC7G2WjSUEPoi1vQQSktg0AvvjDliDcpjlxg56gSENDwXl6RjWBGJvzF+JgGPpvt2XAS r+rQ30nFdHTq4ejbI532hGN5x2orjLZQrWq5hiPjKWiR0qDrrQDhT4sA1sY34WLaGmSD OIWiTiY/QMqSOfaYmESPSUzK4kTTtZlzk4O/GNw/XFcTzTaXJwtXwp4wTGtLqYarP5vF PPF6zLjMBxhqxYPsD8dCCQXO9UrvgoRY8QPjmgfmtsMJnzYpExHMpZqWWCFhcUo1JZ7S 6ZTA==
X-Gm-Message-State: AE9vXwNt29V5omkxSpwD4GnYfkALSj4Zza5HEmy5jCurmCGr1BsaOFwFbE3CxNQH83NkQQ==
X-Received: by 10.66.159.1 with SMTP id wy1mr22358904pab.20.1474728112781; Sat, 24 Sep 2016 07:41:52 -0700 (PDT)
Received: from Chriss-Air.attlocal.net ([2602:306:838b:1c40:5831:d12a:dde3:e542]) by smtp.googlemail.com with ESMTPSA id a137sm19124693pfa.72.2016.09.24.07.41.51 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 24 Sep 2016 07:41:52 -0700 (PDT)
To: "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-lisp-crypto.all@ietf.org
References: <57E68FB7.10408@gmail.com>
From: Chris Lonvick <lonvick.ietf@gmail.com>
Message-ID: <57E690AD.2030207@gmail.com>
Date: Sat, 24 Sep 2016 09:41:49 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.7.2
MIME-Version: 1.0
In-Reply-To: <57E68FB7.10408@gmail.com>
Content-Type: multipart/alternative; boundary="------------040608090405050902030209"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/GOyVb5xX6qcuIPHwfs2bIcXd1Z0>
Subject: Re: [secdir] SECDIR review of draft-ietf-lisp-crypto-07
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 24 Sep 2016 14:41:59 -0000

Cut-n-pasted wrong. Resending.
Thanks,
Chris

On 9/24/16 9:37 AM, Chris Lonvick wrote:
> Hi Dino, Brian, and All,
>
> I have reviewed this document as part of the security directorate's 
> ongoing effort to review all IETF documents being processed by the 
> IESG. These comments were written primarily for the benefit of the 
> security area directors. Document editors and WG chairs should treat 
> these comments just like any other last call comments.
>
> The document is acceptable for an Experimental RFC.
>
> I don't follow LISP so I'm not sure if there is an actual mechanism 
> for a device receiving a map request packet to decline an offered 
> cipher suite. If there is, I didn't see it explained in the draft. You 
> should address this in a future draft. This will be needed for when 
> new cipher suites are added and a receiving device does not have the 
> capability to handle the new cipher suite, or the case where an old 
> cipher suite has been administratively disabled; like if it's been 
> compromised and shouldn't be used. There are several ways to do this.
>
> There are a few nits in the draft you may want to take care of. First, 
> Section 6 talks about setting the R bit to 0.
> Current:
>     The 'R' bit is not used for this use-case of the Security Type LCAF
>     but is reserved for [LISP-DDT 
> <https://tools.ietf.org/html/draft-ietf-lisp-crypto-07#ref-LISP-DDT>] security.  Therefore, the R bit is
>     transmitted as 0 and ignored on receipt.
> Proposed:
>    The 'R' bit is not used for this use-case of the Security Type LCAF 
> but is
>    reserved for [LISP-DDT 
> <https://tools.ietf.org/html/draft-ietf-lisp-crypto-07#ref-LISP-DDT>] 
> security. Therefore, the R bit SHOULD be transmitted
>    as 0 and MUST be ignored on receipt.
>
> A few other things I found:
> s/assymmetric/asymmetric/
> s/Soon as an ETR or RTR/As soon as an ETR or RTR/
> s/followed by key-id 2, an finally key-id 3/followed by key-id 2, and 
> finally key-id 3/
>
> Best regards,
> Chris
>

v2.23.0 | Report a Bug | By Email