Re: [secdir] Security review of draft-ietf-tsvwg-behave-requirements-update-06

Ben Laurie <benl@google.com> Mon, 15 February 2016 12:44 UTC

From: Ben Laurie <benl@google.com>
To: The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, draft-ietf-tsvwg-behave-requirements-update.all@tools.ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/KnysFM80mQ4X2w4bbB_sja4qETE>

Resending to correct address:

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG. These
comments were written primarily for the benefit of the security area
directors. Document editors and WG chairs should treat these comments just
like any other last call comments.

Summary: ready with issues

This document updates the behavioural requirements for NAT, and as noted in
the very comprehensive (thank you!) security considerations section,
introduces at least two requirements that might have security consequences.

The ADs should probably consider whether these new requirements are worth
the additional risk.

Also, "Hosts which require a restricted filtering behavior should enable
security-dedicated features (e.g., access control list (ACL)) either
locally or by soliciting a dedicated security device (e.g., firewall)." is
concerning - how will hosts know that they need to update their policies?

"security-dedicated features" is not very informative - it would be helpful
to explain what new behaviour may need to be counteracted. Looking at
sections 5 and 6, to which this text refers, they appear to make NAT more
restrictive, not less, so it's unclear why there might be security impact.

BTW, small typo: "only if packets are to be sen to distinct
destination addresses."
sen -> sent