[secdir] secdir review of draft-ietf-dots-signal-call-home-11

Radia Perlman <radiaperlman@gmail.com> Sun, 01 November 2020 04:55 UTC

From: Radia Perlman <radiaperlman@gmail.com>
Date: Sat, 31 Oct 2020 21:55:07 -0700
Message-ID: <CAFOuuo5q5VwVkHH_y2uSnbzwFpSxuoYXKM=uoyWx9Vq9e-sL9Q@mail.gmail.com>
To: secdir@ietf.org, The IESG <iesg@ietf.org>, draft-ietf-dots-signal-call-home.all@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/GYefaGRDxO5SagGukRu_9jTSNxY>

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written primarily for the benefit of the security area
directors.  Document editors and WG chairs should treat these comments just
like any other last call comments.

I didn't find anything objectionable from a security point of view in this
I-D.
DOTS is a protocol for reporting denial of service attacks to someone
closer to the source than you are in hopes they can block such attacks
before they have wasted more network bandwidth. The agent reporting the DoS
is the DOTS client and the agent receiving the report is the DOTS server.
The DOTS protocol is described in other documents.
There is a special case where a DOTS server is running in a "home" network
where it is capable of initiating connections but not receiving incoming
ones because of NAT or firewall. This document defines a variation of the
DOTS protocol for such scenarios where the DOTS server initiates the
connection to the DOTS client in order to receive notifications of DoS
traffic originating inside the firewalled network. Since authentication
uses client and server certificates with TLS or DTLS, little needs to be
changed to support this role reversal.
Found one typo:
Section 5.3.2: depictes -> depicts