[secdir] secdir review of draft-ietf-mif-mpvd-arch

Sean Turner <turners@ieca.com> Wed, 18 February 2015 14:17 UTC

Return-Path: <turners@ieca.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3F9A1A87ED for <secdir@ietfa.amsl.com>; Wed, 18 Feb 2015 06:17:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.567
X-Spam-Level:
X-Spam-Status: No, score=-1.567 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ysDmjs0NpbnT for <secdir@ietfa.amsl.com>; Wed, 18 Feb 2015 06:17:05 -0800 (PST)
Received: from gateway14.websitewelcome.com (gateway14.websitewelcome.com [69.93.179.25]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71FEB1A87BF for <secdir@ietf.org>; Wed, 18 Feb 2015 06:17:05 -0800 (PST)
Received: by gateway14.websitewelcome.com (Postfix, from userid 5007) id DA609D1D1AA32; Wed, 18 Feb 2015 08:17:04 -0600 (CST)
Received: from gator3286.hostgator.com (gator3286.hostgator.com [198.57.247.250]) by gateway14.websitewelcome.com (Postfix) with ESMTP id A8BB0D1D1A9C7 for <secdir@ietf.org>; Wed, 18 Feb 2015 08:17:04 -0600 (CST)
Received: from [96.231.221.128] (port=53853 helo=[192.168.1.7]) by gator3286.hostgator.com with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.82) (envelope-from <turners@ieca.com>) id 1YO5R1-0005MB-SP; Wed, 18 Feb 2015 08:17:03 -0600
From: Sean Turner <turners@ieca.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 18 Feb 2015 09:17:01 -0500
Message-Id: <79A24849-274F-4E45-BDED-1EE103D484B8@ieca.com>
To: draft-ietf-mif-mpvd-arch.all@tools.ietf.org
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
X-Mailer: Apple Mail (2.1878.6)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator3286.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source-IP: 96.231.221.128
X-Exim-ID: 1YO5R1-0005MB-SP
X-Source:
X-Source-Args:
X-Source-Dir:
X-Source-Sender: ([192.168.1.7]) [96.231.221.128]:53853
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 1
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IzMjg2Lmhvc3RnYXRvci5jb20=
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/Oci5J98JPpYvm8VxsD99ZdWdztc>
Cc: The IESG <iesg@ietf.org>, secdir@ietf.org
Subject: [secdir] secdir review of draft-ietf-mif-mpvd-arch
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2015 14:17:06 -0000

Fear not as this is just the secdir review!

I have reviewed this document as part of the security directorate’s ongoing effort to review all IETF documents being processed by the IESG.  These comments were written with the intent of improving security requirements and considerations in IETF drafts. Comments not addressed in last call may be included in AD reviews during the IESG review.  Document editors and WG chairs should treat these comments just like any other last call comments.

Summary: Ready with nits.

Nits:

0. s1.1: This section can be removed because there’s no 2119-language in the draft, but that can be done by the RFC editor later.

1. s3.5: Somebody once suggested adding an IKEv2 payload for configuration data and got their head handed to them.  I guess it’s fine to leave the paragraph in the draft because this is just a possible solution, but I’d not count on it as a viable option.

2. s4.2: Makes me think of Fernado’s VPN leaks RFC: http://datatracker.ietf.org/doc/rfc7359/.

3. s5.2.1: Makes me hope that the if there’s two connections and one is a VPN that lookups meant for that connection is only done over that connection and not leaked out.  I think this is covered later in the section though.

spt