Re: [secdir] Review of draft-ietf-dime-diameter-api-08
Victor Fajardo <vfajardo@tari.toshiba.com> Wed, 17 June 2009 12:28 UTC
Return-Path: <vfajardo@tari.toshiba.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B128128C245; Wed, 17 Jun 2009 05:28:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.593
X-Spam-Level:
X-Spam-Status: No, score=-3.593 tagged_above=-999 required=5 tests=[AWL=-0.496, BAYES_00=-2.599, DATE_IN_PAST_12_24=0.992, HELO_EQ_JP=1.244, HOST_EQ_JP=1.265, RCVD_IN_DNSWL_MED=-4, UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uK+jzjHAoneH; Wed, 17 Jun 2009 05:28:55 -0700 (PDT)
Received: from imx12.toshiba.co.jp (imx12.toshiba.co.jp [61.202.160.132]) by core3.amsl.com (Postfix) with ESMTP id C00BC28C242; Wed, 17 Jun 2009 05:28:54 -0700 (PDT)
Received: from arc11.toshiba.co.jp ([133.199.90.127]) by imx12.toshiba.co.jp with ESMTP id n5HCShMQ025941; Wed, 17 Jun 2009 21:28:43 +0900 (JST)
Received: (from root@localhost) by arc11.toshiba.co.jp id n5HCShML018407; Wed, 17 Jun 2009 21:28:43 +0900 (JST)
Received: from ovp11.toshiba.co.jp [133.199.90.148] by arc11.toshiba.co.jp with ESMTP id XAA18406; Wed, 17 Jun 2009 21:28:43 +0900
Received: from mx2.toshiba.co.jp (localhost [127.0.0.1]) by ovp11.toshiba.co.jp with ESMTP id n5HCSgQM026708; Wed, 17 Jun 2009 21:28:42 +0900 (JST)
Received: from ivp1.toshiba.co.jp by toshiba.co.jp id n5HCSgvf003246; Wed, 17 Jun 2009 21:28:42 +0900 (JST)
Received: from ext-gw.toshiba.co.jp by ivp1.toshiba.co.jp with ESMTP id n5HCSf2o019561; Wed, 17 Jun 2009 21:28:41 +0900 (JST)
Received: from toshi17.tari.toshiba.com (tari-gw [172.30.24.10]) by ext-gw.toshiba.co.jp with ESMTP id n5HCSeaa003050; Wed, 17 Jun 2009 21:28:41 +0900 (JST)
Received: from [127.0.0.1] (toshi17.tari.toshiba.com [172.30.24.10]) by toshi17.tari.toshiba.com (8.13.1/8.13.1) with ESMTP id n5HCZDB5007870; Wed, 17 Jun 2009 08:35:13 -0400 (EDT) (envelope-from vfajardo@tari.toshiba.com)
Message-ID: <4A3811A7.2050708@tari.toshiba.com>
Date: Tue, 16 Jun 2009 17:41:59 -0400
From: Victor Fajardo <vfajardo@tari.toshiba.com>
User-Agent: Mozilla-Thunderbird 2.0.0.19 (X11/20090103)
MIME-Version: 1.0
To: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
References: <4A37BDAA.50306@ieca.com> <EDC652A26FB23C4EB6384A4584434A04017D2C53@307622ANEX5.global.avaya.com> <4A37DDEB.7070402@ieca.com> <EDC652A26FB23C4EB6384A4584434A04017D2E01@307622ANEX5.global.avaya.com>
In-Reply-To: <EDC652A26FB23C4EB6384A4584434A04017D2E01@307622ANEX5.global.avaya.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Wed, 17 Jun 2009 05:41:13 -0700
Cc: pacalhou@cisco.com, secdir <secdir@ietf.org>, dave@frascone.com, dime-chairs@ietf.org, draft-ietf-dime-diameter-api@tools.ietf.org, iesg@ietf.org, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Subject: Re: [secdir] Review of draft-ietf-dime-diameter-api-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jun 2009 12:28:56 -0000
Hi Dan, > I will let the authors infirm or confirm what I am saying, but my > understanding is that they take the position that the document describes > an internal API for applications to access the Diameter protocol, and > that there is no additional security threat involved in the definition > or implementation of such an API. > Yes. This is our understanding as well. Defining functions and structures does not seem to introduce any security concerns to us. It is possible that implementors introduced security vulnerabilities when implementing internals of the API's (etc. bug in code, weak algorithms, data structures that will not scale etc.). However, these are outside the scope of the document. If this is something to be clarified then we can add text stating this. regards, victor > Dan > > > >> -----Original Message----- >> From: Sean Turner [mailto:turners@ieca.com] >> Sent: Tuesday, June 16, 2009 9:01 PM >> To: Romascanu, Dan (Dan) >> Cc: secdir; draft-ietf-dime-diameter-api@tools.ietf.org; >> iesg@ietf.org; dime-chairs@ietf.org; Hannes Tschofenig; >> Victor Fajardo; pacalhou@cisco.com; dave@frascone.com >> Subject: Re: Review of draft-ietf-dime-diameter-api-08 >> >> Dan, >> >> I sent the review to Pat and to Dave (and the iesg and >> secdir). I see that Victor was also added during the last go >> around so if he made the changes I'm not sure he would have seen them. >> >> My concern is that the document is for the Diameter API but >> the security considerations points to the Diameter Protocol. >> So, we don't have any security considerations at all if we >> just point to the protocol definition, which is what the >> document does now. >> >> spt >> >> Romascanu, Dan (Dan) wrote: >> >>> Sean, >>> >>> Was your review sent to the editors of the document? >>> >>> Can you please clarify why you believe that the API introduces >>> supplementary security concerns, which would make the >>> >> reference to the >> >>> security considerations of RFC 5366 insufficient? >>> >>> Thanks and Regards, >>> >>> Dan >>> >>> >>> >>>> -----Original Message----- >>>> From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] >>>> >> On Behalf >> >>>> Of Sean Turner >>>> Sent: Tuesday, June 16, 2009 6:44 PM >>>> To: secdir; draft-ietf-dime-diameter-api@tools.ietf.org; >>>> iesg@ietf.org; dime-chairs@ietf.org >>>> Cc: Hannes Tschofenig >>>> Subject: Review of draft-ietf-dime-diameter-api-08 >>>> >>>> I have reviewed this document (twice now) as part of the security >>>> directorate's ongoing effort to review all IETF documents being >>>> processed by the IESG. These comments were written >>>> >> primarily for the >> >>>> benefit of the security area directors. Document editors and WG >>>> chairs should treat these comments just like any other last call >>>> comments. >>>> >>>> This version does not address the comments I made against the >>>> -07 version, notably: >>>> >>>> The document needs to discuss the security considerations >>>> >> surrounding >> >>>> the API in your document, as opposed to just pointing to RFC5388. >>>> >>>> Nits: >>>> - Sec 3.1.1: add "." to end of last sentence >>>> - Sec 3.4.3.1 and 3.4.3.2: r/- The NAI of the user./The NAI of the >>>> user. >>>> - Sec 3.4.5.7: Move description before C code. >>>> >>>> spt >>>> >>>> > > > >
- [secdir] Review of draft-ietf-dime-diameter-api-08 Sean Turner
- Re: [secdir] Review of draft-ietf-dime-diameter-a… Romascanu, Dan (Dan)
- Re: [secdir] Review of draft-ietf-dime-diameter-a… Sean Turner
- Re: [secdir] Review of draft-ietf-dime-diameter-a… Romascanu, Dan (Dan)
- Re: [secdir] Review of draft-ietf-dime-diameter-a… Victor Fajardo
- Re: [secdir] Review of draft-ietf-dime-diameter-a… Sean Turner
- Re: [secdir] Review of draft-ietf-dime-diameter-a… David Frascone