[secdir] review of draft-ietf-geopriv-l7-lcp-ps-09.txt

Stephen Kent <kent@bbn.com> Thu, 09 July 2009 19:12 UTC

Mime-Version: 1.0
Message-Id: <p06240809c67bf10d01a0@[128.89.89.96]>
Date: Thu, 09 Jul 2009 15:13:18 -0400
To: secdir@core3.amsl.com
From: Stephen Kent <kent@bbn.com>
Content-Type: multipart/alternative; boundary="============_-964955696==_ma============"
Cc: hgs+ecrit@cs.columbia.edu, Hannes.Tschofenig@gmx.net
Subject: [secdir] review of draft-ietf-geopriv-l7-lcp-ps-09.txt
Precedence: list

I reviewed this document as part of the security directorate's 
ongoing effort to review all IETF documents being processed by the 
IESG.  These comments were written primarily for the benefit of the 
security area directors.  Document editors and WG chairs should treat 
these comments just like any other last call comments.

Draft-ietf-geopriv-l7-lcp-ps-09.txt is a problem statement and 
requirements and design decisions document dealing with the layer 7 
location configuration protocol (L7 LCP) being developed in the 
GEOPRIV WG. As stated in the abstract:

    This protocol aims to allow an end host to obtain
    location information, by value or by reference, from a Location
    Information Server (LIS) that is located in the access network.  The
    obtained location information can then be used for a variety of
    different protocols and purposes.

A protocol of this sort engenders significant privacy concerns. I was 
disappointed that the document does not do a good job of clearly 
stating these concerns and collecting them in one place, e.g., the 
Secruity Consideration section or the requirements section.

Section 3 of the document describes four types of network environments:
1.	DLS/cable nets and WiMax-like fixed access
2.	Airport, City, Campus Wireless Networks (e.g., 802.11/a/b/g and Wimax)
3.	3G
4.	Enterprise
At the top level, this seems to be an odd taxonomy, e.g., how are 
802.11 nets (2) different from enterprise nets (4) in general?  One 
has to read the detailed examples that follow to try to learn why 
these are meaningfully different environments re the L7 LCP. It 
doesn't help that the examples provided do not correspond directly to 
the four environments named above! This section could be improved in 
this regard.

Sections 4 & 5 document some of the issues that the L7 LCP design 
team has explored. There are some security-relevant observations in 
these sections, e.g.,  "The LIS discovery procedure raises deployment 
and security issues.  The access network needs to be designed to 
prevent man-in-the-middle adversaries from presenting themselves as a 
LIS to end hosts.  When an end host discovers a LIS, it needs to 
ensure [verify?] (and be able to ensure [verify?]) that the 
discovered entity is indeed an authorized LIS." Unfortunately, these 
are other comments are scattered throughout these sections and not 
collected in one place (anywhere in the document) where they are 
clearly identified as requirements.

Section 6 enumerates the requirements that the design team proposes 
for the L7 LCP. Unfortunately, several security-relevant observations 
that appear in sections 4 & 5 do not seem to appear as requirements 
in this section.

The Security Considerations section (7) is very brief and it does not 
capture many of the security-relevant "requirements" that were 
discussed in sections 4 & 5. Instead it notes that these are 
sprinkled throughout the document. I think it would be preferable if 
this info were collected here, especially because Sections 4 & 5 are 
not labeled as containing requirements, and Section 6 (which is the 
requirements list) does not seem to capture these security/privacy 
issues either. Finally, I note that the few security requirements 
listed in Section 7 are not quite accurate. For example, the client 
is required to be able to authenticate an LIS, but the real 
requirement would seem to be that the client can verify that the 
authenticated entity is an LIS!

[secdir] review of draft-ietf-geopriv-l7-lcp-ps-0… Stephen Kent