Re: [secdir] SECDIR review of draft-ietf-netext-pmip6-qos-11

Jouni Korhonen <jouni.nospam@gmail.com> Wed, 26 March 2014 07:27 UTC

From: Jouni Korhonen <jouni.nospam@gmail.com>
Date: Wed, 26 Mar 2014 09:27:49 +0200
To: Donald Eastlake <d3e3e3@gmail.com>
Cc: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, draft-ietf-netext-pmip6-qos@tools.ietf.org
Subject: Re: [secdir] SECDIR review of draft-ietf-netext-pmip6-qos-11
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/ZbaRyZS8r_DuJ3QIEKtIsUK27_o

Donald,

Thanks for the review. I agree with what you say, but I think an extra warning
is not necessary. If an operator deliberately turns off the signaling
security, he would probably do so regardless of any warning.

- Jouni



On Mar 26, 2014, at 6:15 AM, Donald Eastlake <d3e3e3@gmail.com> wrote:

> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  Document editors and WG chairs should treat these comments just
> like any other last call comments.
> 
> This draft specifies Quality of Service options for Proxy Mobile IPv6
> along with appropriate new status codes and other protocol
> considerations. These options are carried in Proxy Binding Update
> messages to which a Proxy Binding Acknowledgement is sent in response.
> 
> The Security Considerations section refers to earlier RFCs (5213 and
> 7077). These earlier RFCs do appear to provide adequate security for
> the messages involved. And, on thinking about it, I tend to agree with
> the assertion that "The quality of service option when included in
> these signaling messages does not require additional security
> considerations." If it were me, I would add a few words about how, if
> the Proxy Binding Update/Acknowledgement protocol is not secured, you
> can do worse things than change the quality of service. However, while
> the Security Considerations section feels quite minimal, it does
> appear to be adequate.
> 
> Thanks,
> Donald
> =============================
> Donald E. Eastlake 3rd   +1-508-333-2270 (cell)
> 155 Beaver Street, Milford, MA 01757 USA
> d3e3e3@gmail.com