Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-sfc-serviceid-header-10
Robert Sparks <rjsparks@nostrum.com> Wed, 28 October 2020 14:27 UTC
Return-Path: <rjsparks@nostrum.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A16A63A09CF; Wed, 28 Oct 2020 07:27:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.651
X-Spam-Level:
X-Spam-Status: No, score=-1.651 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, KHOP_HELO_FCRDNS=0.275, NICE_REPLY_A=-0.247, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (message has been altered)" header.d=nostrum.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LtWZ9s30oTpw; Wed, 28 Oct 2020 07:27:39 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 805513A0AE2; Wed, 28 Oct 2020 07:27:23 -0700 (PDT)
Received: from unescapeable.local ([47.186.30.41]) (authenticated bits=0) by nostrum.com (8.16.1/8.16.1) with ESMTPSA id 09SERLP2099905 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO); Wed, 28 Oct 2020 09:27:22 -0500 (CDT) (envelope-from rjsparks@nostrum.com)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nostrum.com; s=default; t=1603895243; bh=sdP1yJuhQYQ+wqiVsFUQfiOKQuLj+YvkMj7ji7Q5soY=; h=To:Cc:References:From:Subject:Date:In-Reply-To; b=ndyZbsWAfoFkCseXpb3+TvaduHCl8rQxHNdD09pPEJvlxik43arZVQLPJtzvK3mLo bUyrr2sIryeK4+uWoKMoK8lkUzMNcygn9W9jj7j4KhAgA6Jx1GB/eNUE6e8s+pnQ6O 4+z97EWy+u8n01R3l9zFMNf/VGsOvjjiDNxhzEhQ=
X-Authentication-Warning: raven.nostrum.com: Host [47.186.30.41] claimed to be unescapeable.local
To: mohamed.boucadair@orange.com, "secdir@ietf.org" <secdir@ietf.org>
Cc: "draft-ietf-sfc-serviceid-header.all@ietf.org" <draft-ietf-sfc-serviceid-header.all@ietf.org>, "sfc@ietf.org" <sfc@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>
References: <160375112449.28199.4653147392736464602@ietfa.amsl.com> <a8e254e6-377e-3825-4713-3acc33a77b55@nostrum.com> <31178_1603890732_5F996E2C_31178_123_1_787AE7BB302AE849A7480A190F8B9330315684D7@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
From: Robert Sparks <rjsparks@nostrum.com>
Message-ID: <948de6e7-d035-793b-9698-b28129b52a51@nostrum.com>
Date: Wed, 28 Oct 2020 09:27:21 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:78.0) Gecko/20100101 Thunderbird/78.4.0
MIME-Version: 1.0
In-Reply-To: <31178_1603890732_5F996E2C_31178_123_1_787AE7BB302AE849A7480A190F8B9330315684D7@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/NRCb-isXESvf7exBu7tpsIMr_xY>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-sfc-serviceid-header-10
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Oct 2020 14:27:42 -0000
Thanks Med - This sufficiently addresses my comments. Thanks for adding clarity with the edits. I do want to ask again, though, whether you're closing off an opportunity with the requirement that all the identifiers belong to a single subscriber, and that the group made that choice explicitly rather than just falling into it. I could see an alternative that looked like "allow multiple identities, and the use of them in inferred policies is 'is any of' ". Stretching a little into slightly different problem domains, consider, for example, the doctor that could be using his own phone number or the office phone number. I'm not suggesting that allowing such multiple identities is the right thing to do, but I want to verify that simple alternatives like that were considered and rejected, and that you have a way to do them in the future if you want. The text does imply that the group looked at the general problem of trying to capture arbitrary relationships between multiple identities, and decided not to solve that. If that's how it happened, you might consider explicitly saying that so future related work isn't guessing or making assumptions about the motivation here. RjS On 10/28/20 8:12 AM, mohamed.boucadair@orange.com wrote: > Hi Roberts, > > Many thanks for this useful review. Much appreciated! > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-sfc-serviceid-header-11 > > Cheers, > Med > >> -----Message d'origine----- >> De : Robert Sparks [mailto:rjsparks@nostrum.com] >> Envoyé : lundi 26 octobre 2020 23:45 >> À : secdir@ietf.org >> Cc : draft-ietf-sfc-serviceid-header.all@ietf.org; sfc@ietf.org; >> last-call@ietf.org >> Objet : Re: [Last-Call] Secdir last call review of draft-ietf-sfc- >> serviceid-header-10 >> >> Heh - one typo correction below (that might have been obvious, >> but...) >> >> On 10/26/20 5:25 PM, Robert Sparks via Datatracker wrote: >>> Reviewer: Robert Sparks >>> Review result: Has Nits >>> >>> I have reviewed this document as part of the security >> directorate's >>> ongoing effort to review all IETF documents being processed by the >>> IESG. These comments were written primarily for the benefit of the >>> security area directors. Document editors and WG chairs should >> treat >>> these comments just like any other last call comments. >>> >>> This document has nits that should be addressed before publication >> as >>> Proposed Standard RFC. >>> >>> Document reviewed: draft-ietf-sfc-serviceid-header-10 >>> >>> This document's security considerations rest on the premise that >> the >>> information it discusses will be added, transported, consumed, and >>> removed within a single administrative domain that is protected >> from >>> eavesdroppers and malicious on-path attackers through >> administrative >>> controls. It is quite upfront about that assumption, and the sfc >>> documents it relies on make the same assertions. >>> >>> This document introduces a mechanism that intentionally allows >>> identifiers >>> (addresses) that would normally be hidden/contained behind a nat >> to be >>> shared beyond that nat, but again, within that single >> administrative domain. >>> NITS: >>> >>> There are many places where the language in the document needs to >> be >>> simplified. There are also many places where 2119 language is >> being >>> used in a way that does not make sense. >>> >>> In document order: >>> >>> Introduction paragraph 2, sentence 1. What does it mean to infer >> enforcement? >>> Perhaps you mean "policies can be inferred"? Please simplify this >> sentence. >>> Break the example into a separate sentence and add detail if you >> can. >>> If possible, provide a reference to what you mean by "SFC-based >>> differentiated traffic policies" means. >>> >>> Introduction paragraph 3. This whole paragraph has complicated, >>> paragraph >> That last word should have been "comma" >>> separated, phrases that should be written more simply. The next to >>> last sentence (at 53 words) is particularly hard to follow. >>> >>> Introduction paragraph 4, last sentence. This sentence does not >> parse. >>> Please rework it. >>> >>> Introduction paragraph 5. This one sentence paragraph was the most >>> difficult in the document for me to read. Please break it into >> several simpler sentences. >>> Section 3: at "In order to prevent interoperability issues, the >> data >>> and their format to be injected in such header SHOULD be >> configured to >>> nodes authorized to inject such headers." This is not a 2119 >> SHOULD. >>> It's even not clear what "the data" is here. I suggest something >> like >>> "The identifiers carried in the Context Headers are opaque. Nodes >>> providing them and consuming them will be configured with the >> necessary information needed see into them." >>> Section 3, at "Failures to inject such headers SHOULD be logged >>> locally while a notification alarm MAY be sent to a Control >> Element. >>> The details of sending notification alarms (i.e., the parameters >>> affecting the transmission of the notification alarms depend on >> the >>> information in the Context Header such as frequency, thresholds, >> and >>> content of the alarm (full header, timestamp, etc.)) SHOULD be >>> configurable." None of these are correct use of 2119. Consider re- >> framing the paragraph without using these terms. >>> Section 3 at "That is, to strip such Context Headers." is not a >> sentence. >>> Section 3 at the paragraph beginning "Depending on local policy". >> The >>> structure of this paragraph is very odd. Doesn't base SFC say to >>> preserve NSH at intermediaries? I suggest replacing this paragraph >>> with something like "Normal SFC intermediary behavior preserves >>> Network Service Headers. Local policy can require a proxy to strip >> ..." >>> Section 3 at "NSH-aware SFs MUST be capable to run additional >>> validation checks". This isn't 2119. Perhaps you mean to say "Be >> aware >>> that local policies may require running additional validation >> checks >>> at NSH-aware SFs". The whole paragraph can be simplified. >>> >>> Section 3 at "Multiple Subscriber Identifier Context Headers MAY >> be >>> present in the NSH, each carrying a distinct opaque value but all >>> pointing to the same subscriber." This is a place where a 2119 >> MUST >>> _would_ make sense. Say "Such multiple headers MUST identify the >> same >>> subscriber". I wonder, though, if you're closing a door on >> carrying multiple identities that you'll regret later. >>> Section 4 first paragraph, first sentence: I suggest replacing >> "identifier is" >>> with "identifiers are" >>> >>> Section 4 fifth paragraph: "defined as optional" -> "defined as an >> optional" >>> Section 4 sixth paragraph. Similar to the section 3 paragraph I >> point >>> to above, the structure here is very odd. Again, I suggest >> something >>> like "Normal SFC intermediaries will preserve Context Headers, but >>> local policy may require a proxy to to strip one after processing >> it." >>> Section 4 seventh paragraph: "ocnlficting"->"conflicting". I >> assume >>> the default behavior described here is specified in the base NSH >> docs? >>> Security Considerations section paragraph 4: Consider "logging the >>> content of ... is not advised" rather than using 2119 here. The >>> paragraph would be better formulated if it explained the risk - >> SFs >>> that _did_ use the context might be better off not logging them in >> many cases as well. >>> >>> > _________________________________________________________________________________________________________________________ > > Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, > Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci. > > This message and its attachments may contain confidential or privileged information that may be protected by law; > they should not be distributed, used or copied without authorisation. > If you have received this email in error, please notify the sender and delete this message and its attachments. > As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified. > Thank you. >
- [secdir] Secdir last call review of draft-ietf-sf… Robert Sparks via Datatracker
- Re: [secdir] [Last-Call] Secdir last call review … Robert Sparks
- Re: [secdir] [Last-Call] Secdir last call review … mohamed.boucadair
- Re: [secdir] [Last-Call] Secdir last call review … Robert Sparks
- Re: [secdir] [Last-Call] Secdir last call review … mohamed.boucadair