[secdir] Fwd: secdir review of draft-moriarty-post-inch-rid-transport-02

Brian Trammell <trammell@tik.ee.ethz.ch> Mon, 19 April 2010 12:49 UTC

Return-Path: <trammell@tik.ee.ethz.ch>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 769F03A68F6; Mon, 19 Apr 2010 05:49:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.999
X-Spam-Level:
X-Spam-Status: No, score=-3.999 tagged_above=-999 required=5 tests=[BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o-wrvU5509FC; Mon, 19 Apr 2010 05:49:28 -0700 (PDT)
Received: from smtp.ee.ethz.ch (smtp.ee.ethz.ch [129.132.2.219]) by core3.amsl.com (Postfix) with ESMTP id DD0D03A687E; Mon, 19 Apr 2010 05:49:27 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by smtp.ee.ethz.ch (Postfix) with ESMTP id 6F877D936B; Mon, 19 Apr 2010 14:49:17 +0200 (MEST)
X-Virus-Scanned: by amavisd-new on smtp.ee.ethz.ch
Received: from smtp.ee.ethz.ch ([127.0.0.1]) by localhost (.ee.ethz.ch [127.0.0.1]) (amavisd-new, port 10024) with LMTP id MdO5fU3dwzHr; Mon, 19 Apr 2010 14:49:17 +0200 (MEST)
Received: from pb-10072.ethz.ch (pb-10072.ethz.ch [82.130.103.195]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: briant) by smtp.ee.ethz.ch (Postfix) with ESMTPSA id 3367BD9373; Mon, 19 Apr 2010 14:49:17 +0200 (MEST)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Apple Message framework v1078)
From: Brian Trammell <trammell@tik.ee.ethz.ch>
Date: Mon, 19 Apr 2010 14:49:16 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <E61667A4-1BBA-47F0-B9A3-6F689ADC400E@tik.ee.ethz.ch>
References: <CC9B9AB3DE5792409076BB097B280FE603E09221@CORPUSMX50A.corp.emc.com>
To: barryleiba.mailing.lists@gmail.com
X-Mailer: Apple Mail (2.1078)
X-Mailman-Approved-At: Mon, 19 Apr 2010 16:57:59 -0700
Cc: secdir@ietf.org, iesg@ietf.org, Kathleen Moriarty <moriarty_kathleen@emc.com>
Subject: [secdir] Fwd: secdir review of draft-moriarty-post-inch-rid-transport-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2010 12:49:29 -0000

Hi, Barry,

Many thanks for your review! My response, in brief, would be, yes, we need to remove the 2119 language, but it is unclear what we should do instead of using HTTP as a substrate. Detailed responses inline, below.

Best regards,

Brian

> -----Original Message-----
> From: Barry Leiba [mailto:barryleiba.mailing.lists@gmail.com] 
> Sent: Thursday, April 15, 2010 10:10 AM
> To: draft-moriarty-post-inch-rid-transport.all@tools.ietf.org
> Cc: iesg@ietf.org; secdir@ietf.org
> Subject: secdir review of draft-moriarty-post-inch-rid-transport-02
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> This document is going for Informational status, not Standards Track,
> and yet defines a protocol layered over HTTP, using normative
> language.

We've had the same issue when turning standards into guidelines in IPFIX
(when RFC5473 was first submitted to the IESG, it had a lot of 2119 language
in it). We presume that stripping 2119 refs and lowercasing everything
would be an acceptable solution here as well, but we've not done that
yet.

> I have some concern about that -- we know how much
> attention is often NOT paid to the distinction between Informational
> and Standards Track.  Further, HTTP seems particularly ill-suited to
> transporting this protocol... this seems another in the long line of
> "use HTTP for everything" cases, which BCP 56 has tried
> (unsuccessfully) to stave off.

We acknowledge as such, directly in the document. However, we cannot
ignore that for the types of data we're moving around, HTTP seems to be
pretty much the only base protocol we can extend that has the
implementation support and community understanding to get into
production quickly, in a way that's easy to integrate with the security
policies surrounding public-facing information services at most
organizations likely to be members of a RID consortium. 

BEEP was supposed to do this. It didn't. Shimming something like SOAP in
here is insanely complicated for what we're doing (indeed, the old
version of the document was SOAP based, and nobody liked it, least of
all the authors), and anyway still needs a transport binding. 

We could define something over bare sockets would end up for the most
part replicating what we've done with HTTP, but make the document much
longer and obscure the fact that we've taken most of the base
interaction from HTTP, thereby making it harder to implement. Given
these considerations, we consider HTTP the worst base protocol for RID,
except for all the others that have been implemented (more than once).

> The "callbacks", in particular, are
> worrisome -- the payload has to contain all the state information, the
> system doing the callback has to have the correct addresses of the
> system that originally contacted it, and the whole thing is vulnerable
> to asymmetry problems (firewalls, NAT, multi-homing, and so on; see
> http://tools.ietf.org/id/draft-iab-ip-model-evolution-01.txt and Dave
> Thaler's technical plenary presentation from IETF 73,
> http://www.ietf.org/proceedings/73/plenaryw.html ).

Given the arbitrary amount of time that a RID interchange might take
(minutes, hours, even days if there's human interaction involved and the
request is considered low-priority enough at the receiving end), any
transport for RID is going to have a callback mechanism anyway, unless
we want to force people to hold TCP sessions open for long periods,
which has its own problems. In a RID infrastructure, each consortium
member is expected to have a well-known, public-facing endpoint; getting
around the asymmetry problems is therefore considered a deployment-time
consideration. I suppose this could be made clearer in the document.