[secdir] secdir review of draft-groves-megaco-pkgereg-02
Catherine Meadows <catherine.meadows@nrl.navy.mil> Fri, 06 February 2009 16:35 UTC
From: Catherine Meadows <catherine.meadows@nrl.navy.mil>
To: secdir@mit.edu, Christian.Groves@nteczone.com, linyangbo@huawei.com, iesg@ietf.org, fluffy@cisco.com
Date: Fri, 06 Feb 2009 11:34:17 -0500

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This draft concerns the H.248/MEGACO IANA Package Registration procedures. It updates the procedure so that a formal review step, since the IETF Megaco working group, which previously did an informal review, is now disbanded.

Since this merely updates the package review process to include a formal review, the ID claims that this introduces no extra security concerns, other than to require that the requester of a review and registration of a package is authorized to do so.

However, I wonder if it would be appropriate to include some language saying that the review process should address any potential security concerns a package may introduce. I am not an expert on this protocol, but packages appear to be fairly complex structures that support terminations, which are sources and/or sinks. Ambiguity in packages would be a security concern (possibly allowing spoofing, if I understand this correctly); this is already covered in the review process recommended in this ID. I would like to see more justification in the security concerns section that this is the *only* security concern introduced by new packages before I feel comfortable with this.

The ID says that security concerns for the H.248/MEGACO protocol are discussed in H.248.1 section 10. Note that this itself appears to be a draft. Also, it only discusses security in an IP setting. That should presumably not be a problem for the IETF, since that is what we are concerned about, but it should still be mentioned, so that the reader doesn't think that document covers security in general.

Catherine Meadows
Naval Research Laboratory
Code 5543
4555 Overlook Ave., S.W.
Washington DC, 20375
phone: 202-767-3490
fax: 202-404-7942
email: catherine.meadows@nrl.navy.mil