[secdir] Secdir last call review of draft-ietf-dots-signal-channel-30

Stephen Farrell via Datatracker <noreply@ietf.org> Thu, 14 March 2019 15:33 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id E477C130E89; Thu, 14 Mar 2019 08:33:34 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
From: Stephen Farrell via Datatracker <noreply@ietf.org>
To: secdir@ietf.org
Cc: draft-ietf-dots-signal-channel.all@ietf.org, ietf@ietf.org, dots@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.94.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <155257761487.2625.10003476313108979036@ietfa.amsl.com>
Date: Thu, 14 Mar 2019 08:33:34 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/IgpVBAHUV7NKLl5GozcYNofGejw>
Subject: [secdir] Secdir last call review of draft-ietf-dots-signal-channel-30
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2019 15:33:35 -0000

Reviewer: Stephen Farrell
Review result: Has Issues


I think there's one issue with this draft that'd be well
worth discussion and/or fixing:

- p12: Why does the cuid need to be so static? I would
have thought that an identifier that can change more
often than a key pair would have been better, esp if this
could be used in a CPE. (Creating a new long-lived
identifier for a CPE seems like a bad plan if it's not
really needed.) For example, one could use both the SPKI
and a timestamp as input for a recommended way to generate
a cuid and that should be as unique, but much more easily
changed.  That could also mitigate the possible TLS1.2
client-cert snooping issue mentioned on p90.

nits:

- (Not really a nit, but probably too much to ask, so...)
The protocol here seems very complex. Has anyone 
tried to prove anything about the state machine, e.g.
that's it's safe in some senses? It'd be fair to say that
that is a good task to do after the initial RFC is
published in this case, I guess.  OTOH, could be some of
the theorem-proving tools used in the development of
TLS1.3 could be useful here. (And those tools usually
do turn up some issues worth fixing - I'd bet a beer they 
would in this case:-)

- p18: "Only single-valued 'cdid' are defined in this
document." That confused me given the text 3 paras
before about multiple cdid values. Maybe clarifying that
some could be useful?

- p77 has a few lowercase "should" and "must" statements.
Not sure if that's on purpose or by accident.

- p90: Is the mention of TCP-AO there for real? I'd be
happy it it were but if it's merely aspirational and you
don't think it'll be used, it'd be better to not pretend
it might get used.

- Couldn't a bad actor in control of an authorised DOTS
client colluding with the controller of a DDoS attack
use this to probe the system to see how their attack is
going and change the attack to be more effective?  I don't
think any protocol change could help there, but perhaps
you could give some guidance to implementers to try catch
such cases (e.g., if the probing DOTS client's local n/w
doesn't actually appear to be under attack).