[secdir] Re: Secdir last call review of draft-ietf-add-split-horizon-authority-11

tirumal reddy <kondtir@gmail.com> Fri, 31 May 2024 05:16 UTC

From: tirumal reddy <kondtir@gmail.com>
Date: Fri, 31 May 2024 10:45:20 +0530
To: Watson Ladd <watsonbladd@gmail.com>
CC: secdir@ietf.org, add@ietf.org, draft-ietf-add-split-horizon-authority.all@ietf.org, last-call@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/WEvtz82i5QkhOBhExXzT7Neejlo>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>

On Thu, 30 May 2024 at 00:56, Watson Ladd via Datatracker <noreply@ietf.org>
wrote:

> Reviewer: Watson Ladd
> Review result: Has Nits
>
> Dear IETFers,
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG. These comments were written primarily for the benefit of the
> security area directors. Document editors and WG chairs should treat
> these comments just like any other last call comments.
>
> The summary of the review is Ready With Nits.
>
> I found the document readable and didn't spot any security issues. However,
> the security considerations section neglects to explain the importance
> of the salt being high entropy and changed when a new authorization record
> is created.
>

Good point, I will add the following text to the security considerations
section:

The entropy of the salt depends on a high-quality pseudo-random number
generator. For further discussion on random number generation, see RFC 4086.
The salt MUST be regenerated whenever the authorization claim is updated.

-Tiru
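An added illustration of the two requirements in the proposed text (high-entropy salt from a CSPRNG, fresh salt on every claim update), written for this reply and not taken from the draft or the thread. The record layout, the claim string format and the SHA-256(salt || claim) commitment are assumptions for the example only, not the draft's construction; the salt-policy check is the kind of lint a validator or test suite could run.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import List, Optional

SALT_LEN = 32  # bytes drawn from the OS CSPRNG (see RFC 4086 on randomness sources)


@dataclass(frozen=True)
class AuthorizationRecord:
    claim: str        # the authorization claim being published (assumed format)
    salt: bytes       # per-record salt; never carried over across claim updates
    commitment: str   # hex SHA-256 over salt || claim (assumed construction)


def commit(salt: bytes, claim: str) -> str:
    # Hypothetical salted hash; the draft's exact construction is not assumed here.
    return hashlib.sha256(salt + claim.encode("utf-8")).hexdigest()


def new_record(claim: str) -> AuthorizationRecord:
    # secrets.token_bytes() uses the OS CSPRNG, so the salt gets its full entropy.
    salt = secrets.token_bytes(SALT_LEN)
    return AuthorizationRecord(claim, salt, commit(salt, claim))


def update_claim(old: AuthorizationRecord, claim: str) -> AuthorizationRecord:
    # A claim update always draws a fresh salt, as the proposed text requires;
    # the old record is deliberately not consulted for its salt.
    return new_record(claim)


def salt_problems(old: Optional[AuthorizationRecord],
                  new: AuthorizationRecord) -> List[str]:
    # Policy lint: returns the list of violations found (empty list means OK).
    problems = []
    if len(new.salt) < 16:
        problems.append("salt shorter than 128 bits")
    if len(set(new.salt)) <= 1:
        problems.append("salt is a repeated byte, not random")
    if old is not None and new.claim != old.claim and new.salt == old.salt:
        problems.append("salt reused across a claim update")
    if commit(new.salt, new.claim) != new.commitment:
        problems.append("commitment does not match salt and claim")
    return problems
```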