Re: [secdir] Review of draft-ietf-dime-diameter-api-08
David Frascone <dave@frascone.com> Mon, 22 June 2009 21:36 UTC
From: David Frascone <dave@frascone.com>
To: Sean Turner <turners@ieca.com>
Cc: pacalhou@cisco.com, secdir <secdir@ietf.org>, "Romascanu, Dan (Dan)" <dromasca@avaya.com>, dime-chairs@ietf.org, draft-ietf-dime-diameter-api@tools.ietf.org, iesg@ietf.org, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, Victor Fajardo <vfajardo@tari.toshiba.com>

Ok. Will do.

-Dave

On Sun, Jun 21, 2009 at 1:21 PM, Sean Turner<turners@ieca.com> wrote:
> Dan,
>
> If this is the case, then I'd suggest adding something to make it explicit
> that the API adds no additional security concerns.
>
> spt
>
> Romascanu, Dan (Dan) wrote:
>>
>> Sean,
>>
>> I will let the authors infirm or confirm what I am saying, but my
>> understanding is that they take the position that the document describes
>> an internal API for applications to access the Diameter protocol, and
>> that there is no additional security threat involved in the definition
>> or implementation of such an API.
>>
>> Dan
>>
>>
>>> -----Original Message-----
>>> From: Sean Turner [mailto:turners@ieca.com]
>>> Sent: Tuesday, June 16, 2009 9:01 PM
>>> To: Romascanu, Dan (Dan)
>>> Cc: secdir; draft-ietf-dime-diameter-api@tools.ietf.org; iesg@ietf.org;
>>> dime-chairs@ietf.org; Hannes Tschofenig; Victor Fajardo; pacalhou@cisco.com;
>>> dave@frascone.com
>>> Subject: Re: Review of draft-ietf-dime-diameter-api-08
>>>
>>> Dan,
>>>
>>> I sent the review to Pat and to Dave (and the iesg and secdir). I see
>>> that Victor was also added during the last go around so if he made the
>>> changes I'm not sure he would have seen them.
>>>
>>> My concern is that the document is for the Diameter API but the security
>>> considerations points to the Diameter Protocol. So, we don't have any
>>> security considerations at all if we just point to the protocol definition,
>>> which is what the document does now.
>>>
>>> spt
>>>
>>> Romascanu, Dan (Dan) wrote:
>>>>
>>>> Sean,
>>>>
>>>> Was your review sent to the editors of the document?
>>>> Can you please clarify why you believe that the API introduces
>>>> supplementary security concerns, which would make the reference to the
>>>> security considerations of RFC 5366 insufficient?
>>>>
>>>> Thanks and Regards,
>>>>
>>>> Dan
>>>>
>>>>
>>>>> -----Original Message-----
>>>>> From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf
>>>>> Of Sean Turner
>>>>> Sent: Tuesday, June 16, 2009 6:44 PM
>>>>> To: secdir; draft-ietf-dime-diameter-api@tools.ietf.org;
>>>>> iesg@ietf.org; dime-chairs@ietf.org
>>>>> Cc: Hannes Tschofenig
>>>>> Subject: Review of draft-ietf-dime-diameter-api-08
>>>>>
>>>>> I have reviewed this document (twice now) as part of the security
>>>>> directorate's ongoing effort to review all IETF documents being processed by
>>>>> the IESG. These comments were written primarily for the
>>>>> benefit of the security area directors. Document editors and WG chairs
>>>>> should treat these comments just like any other last call comments.
>>>>>
>>>>> This version does not address the comments I made against the
>>>>> -07 version, notably:
>>>>>
>>>>> The document needs to discuss the security considerations surrounding
>>>>> the API in your document, as opposed to just pointing to RFC5388.
>>>>>
>>>>> Nits:
>>>>> - Sec 3.1.1: add "." to end of last sentence
>>>>> - Sec 3.4.3.1 and 3.4.3.2: r/- The NAI of the user./The NAI of the
>>>>> user.
>>>>> - Sec 3.4.5.7: Move description before C code.
>>>>>
>>>>> spt