[secdir] SecDir review of draft-ietf-sidr-repos-struct-08
Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 03 July 2011 19:14 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FA6D11E80A2; Sun, 3 Jul 2011 12:14:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.599
X-Spam-Level:
X-Spam-Status: No, score=-103.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QkvMSAX5F902; Sun, 3 Jul 2011 12:14:21 -0700 (PDT)
Received: from mail-ww0-f44.google.com (mail-ww0-f44.google.com [74.125.82.44]) by ietfa.amsl.com (Postfix) with ESMTP id B1B7C11E80A1; Sun, 3 Jul 2011 12:14:20 -0700 (PDT)
Received: by wwe5 with SMTP id 5so3036888wwe.13 for <multiple recipients>; Sun, 03 Jul 2011 12:14:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject :content-type:content-transfer-encoding; bh=1DQMgXc+OBiLMnEka7Z87guAA2v/4FRNrMjo7ANm7N0=; b=BegAuR3T2iSA+RP/sph+wMSCpwnjkhLHT8idT/91tW4xmRzCpKCCb6GukTsSOXawKc s3X982JGu231sIi+dtkNhS9Wiw8AUJRj/96B3LQx4laa4V47hS6QTvxl1U3Dz0h5GCCB BpDdrTul32KUB07oquzTmLOM5ag4NtecNeT5U=
Received: by 10.227.148.220 with SMTP id q28mr4820350wbv.29.1309720458573; Sun, 03 Jul 2011 12:14:18 -0700 (PDT)
Received: from [10.0.0.4] (bzq-79-177-192-201.red.bezeqint.net [79.177.192.201]) by mx.google.com with ESMTPS id d19sm3898721wbh.8.2011.07.03.12.14.16 (version=SSLv3 cipher=OTHER); Sun, 03 Jul 2011 12:14:17 -0700 (PDT)
Message-ID: <4E10BF86.6010003@gmail.com>
Date: Sun, 03 Jul 2011 22:14:14 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:5.0) Gecko/20110627 Thunderbird/5.0
MIME-Version: 1.0
To: Security Area Directorate <secdir@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-sidr-repos-struct.all@tools.ietf.org
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Subject: [secdir] SecDir review of draft-ietf-sidr-repos-struct-08
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Jul 2011 19:14:22 -0000
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments This draft describes the structure of the RPKI repositories. This is a dedicated, even more complex than usual PKI deployment. The security considerations are short, considering that the entire document is about the security underpinnings of a critical infrastructure. However they do make sense to me. I do have two comments: • The mandatory use or Rsync (vs. e.g. simple HTTP) in a one-way content retrieval context seems like a questionable security vs. operational cost trade-off. Rsync is complex and has seen various security vulnerabilities over the years: http://secunia.com/advisories/search/?search=rsync. BTW, the reference "to rsync" only defines the URI format. As to a formal specification of the protocol, guess what? http://lists.samba.org/archive/rsync/2008-October/021927.html. • The following sentence seems to require clarification, and hints at possible risks/mitigations: "However, even the use of manifests and CRLs will not allow a relying party to detect all forms of substitution attacks based on older (but not expired) valid objects." Thanks, Yaron
- [secdir] SecDir review of draft-ietf-sidr-repos-s… Yaron Sheffer